- Daily - CERT.at

Tageszusammenfassung - 28.07.2025
by Daily end-of-shift report 28 Jul '25

28 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-07-2025 18:00 − Montag 28-07-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Supply-chain attacks on open source software are getting out of hand ∗∗∗ --------------------------------------------- It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users. --------------------------------------------- https://arstechnica.com/security/2025/07/open-source-repositories-are-seein… ∗∗∗ Amazon AI coding agent hacked to inject data wiping commands ∗∗∗ --------------------------------------------- As reported by 404 Media, on July 13, a hacker using the alias ‘lkmanka58’ added unapproved code on Amazon Q’s GitHub to inject a defective wiper that wouldn’t cause any harm, but rather sent a message about AI coding security. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-ai-coding-agent-hacke… ∗∗∗ Sophisticated Shuyal Stealer Targets 19 Browsers, Demonstrates Advanced Evasion ∗∗∗ --------------------------------------------- A new infostealing malware making the rounds can exfiltrate credentials and other system data even from browsing software considered more privacy-focused than mainstream options. --------------------------------------------- https://www.darkreading.com/endpoint-security/shuyal-stealer-targets-19-bro… ∗∗∗ French submarine secrets surface after cyber attack ∗∗∗ --------------------------------------------- European defence giant Naval Group has confirmed that it is investigating an alleged cyber attack which has seen what purports to be sensitive internal data published on the internet by hackers. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/french-submarine-secr… ∗∗∗ The Homograph Illusion: Not Everything Is As It Seems ∗∗∗ --------------------------------------------- A subtle yet dangerous email attack vector: homograph attacks. Threat actors are using visually similar, non-Latin characters to bypass security filters. --------------------------------------------- https://unit42.paloaltonetworks.com/homograph-attacks/ ∗∗∗ ToxicPanda: The Android Banking Trojan Targeting Europe ∗∗∗ --------------------------------------------- What is ToxicPanda? Bitsight Trace dives into detail on the banking malware, from impact breadth, delivery, technical analysis, and more. --------------------------------------------- https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study ∗∗∗ EU-Satelliteninternet: UK, Norwegen und Ukraine können sich IRIS2 anschließen ∗∗∗ --------------------------------------------- EU-Raumfahrtkommissar Kubiliius hat europäische Drittstaaten eingeladen, bei dem als Starlink-Alternative gedachten Satellitennetzwerk IRIS2 voll einzusteigen. --------------------------------------------- https://www.heise.de/news/EU-Satelliteninternet-UK-Norwegen-und-Ukraine-koe… ∗∗∗ How I hacked my washing machine ∗∗∗ --------------------------------------------- If you've known me for some amount of time you knew this was something that was bound to happen eventually. Yesterday (and technically today), me and a friend went on an endeavor to hack our washing machine, partially for the fun of it, and partially because there's actually a practical use for it. --------------------------------------------- https://nexy.blog/2025/07/27/how-i-hacked-my-washing-machine/ ∗∗∗ Protecting the Evidence in Real-Time with KQL Queries ∗∗∗ --------------------------------------------- A few weeks ago, I published a post titled Detecting Ransomware Final Stage Activities with KQL Queries where I shared different phases and detections during the last phase of a ransomware attack. Every time I read it, I realize just how broad and complex this topic truly is. --------------------------------------------- https://detect.fyi/protecting-the-evidence-in-real-time-with-kql-queries-ac… ∗∗∗ Lionishackers: Analyzing a corporate database seller ∗∗∗ --------------------------------------------- Outpost24’s threat intelligence researchers have been analyzing a corporate database seller known as "Lionishackers". They’re a financially motivated threat actor focused on exfiltrating and selling corporate databases. This post explores how they operate, where their attacks are taking place, and the current level of threat they pose. --------------------------------------------- https://outpost24.com/blog/lionishackers-corporate-database-seller/ ===================== = Vulnerabilities = ===================== ∗∗∗ Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks ∗∗∗ --------------------------------------------- More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account. --------------------------------------------- https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-expose… ∗∗∗ Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridiums Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances. --------------------------------------------- https://thehackernews.com/2025/07/critical-flaws-in-niagara-framework.html ∗∗∗ Support ausgelaufen: Admin-Attacke auf LG Netzwerkkamera LNV5110R möglich ∗∗∗ --------------------------------------------- Die Netzwerkkamera LNV5110R von LG Innotek sollte nicht mehr benutzt werden: Die US-Sicherheitsbehörde CISA (Cybersecurity & Infrastructure Security Agency) warnt vor einer Sicherheitslücke, für die es kein Sicherheitsupdate mehr geben wird. --------------------------------------------- https://www.heise.de/news/Support-ausgelaufen-Admin-Attacke-auf-LG-Netzwerk… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (audiofile, libcaca, libetpan, libxml2, php7.4, snapcast, and thunderbird), Fedora (glibc, iputils, mingw-binutils, and thunderbird), Red Hat (kernel, kernel-rt, mod_auth_openidc, and mod_auth_openidc:2.3), SUSE (afterburn, apache2, atop, chromedriver, chromium, cloud-init, deepin-feature-enable, firefox, firefox-esr, grafana, grype-db, gstreamer-plugins-bad, javamail, jupyter-jupyterlab-templates, jupyter-nbdime, konsole, libetebase, libxmp, minio-client-20250721T052808Z, MozillaFirefox, MozillaFirefox-branding-SLE, opera, pdns-recursor, perl-Authen-SASL, polkit, python-Django, python3-pycares, python311-starlette, rpi-imager, ruby3.4-rubygem-thor, spdlog, thunderbird, varnish, viewvc, and xtrabackup), and Ubuntu (openjdk-21-crac). --------------------------------------------- https://lwn.net/Articles/1031667/ ∗∗∗ Sicherheitsproblem: Hartkodierte Zugangsdaten gefährden PCs mit MyASUS ∗∗∗ --------------------------------------------- Die MyASUS-App kann zum Einfallstor für Angreifer werden. Schuld sind zwei Sicherheitslücken, die aber mittlerweile geschlossen sind. Wer das Tool nicht aktualisiert, riskiert unbefugte Zugriffe auf bestimmte Services. --------------------------------------------- https://www.heise.de/news/Sicherheitsproblem-Hartkodierte-Zugangsdaten-gefa… ∗∗∗ SyStrack LsiAgent.exe contains an improper DLL search order, allowing an attacker to execute arbitrary code and priv esc ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/335798 ∗∗∗ Mehrere Stored Cross-Site Scripting Schwachstellen im Optimizely Episerver Content Management System ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-stored-cross-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2025
by Daily end-of-shift report 25 Jul '25

25 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-07-2025 18:00 − Freitag 25-07-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hacker sneaks infostealer malware into early access Steam game ∗∗∗ --------------------------------------------- A threat actor called EncryptHub has compromised a game on Steam to distribute info-stealing malware to unsuspecting users downloading the title. A few days ago, the hacker (also tracked as Larva-208), injected malicious binaries into the Chemia game files hosted on Steam. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-sneaks-infostealer-ma… ∗∗∗ New Koske Linux malware hides in cute panda images ∗∗∗ --------------------------------------------- A new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory. Researchers from cybersecurity company AquaSec analyzed Koske and described it as "a sophhisticated Linux threat." Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-koske-linux-malware-hide… ∗∗∗ CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/07/castleloader-malware-infects-469.html ∗∗∗ Phishers Target Aviation Execs to Scam Customers ∗∗∗ --------------------------------------------- KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries. --------------------------------------------- https://krebsonsecurity.com/2025/07/phishers-target-aviation-execs-to-scam-… ∗∗∗ From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944 ∗∗∗ --------------------------------------------- In mid 2025, Google Threat Intelligence Group (GITG) identified a sophisticated and aggressive cyber campaign targeting multiple industries, including retail, airline, and insurance. This was the work of UNC3944, a financially motivated threat group that has exhibited overlaps with public reporting of "0ktapus," "Octo Tempest," and "Scattered Spider." Following public alerts from the Federal Bureau of Investigation (FBI), the group's targeting became clear. GTIG observed that the group was suspected of turning its ransomware and extortion operations to the U.S. retail sector. The campaign soon broadened further, with airline and transportation organizations in North America having also become targets. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git, kernel, nginx:1.24, and sudo), Fedora (dpkg, java-21-openjdk, java-25-openjdk, java-latest-openjdk, and valkey), Oracle (apache-commons-vfs, sudo, tigervnc, and xorg-x11-server), Red Hat (kernel, krb5, and openssh), SUSE (gnutls, ImageMagick, iputils, kernel-livepatch-MICRO-6-0-RT_Update_10, kubernetes1.18, libarchive, ovmf, python, and salt), and Ubuntu (iputils, linux-aws-6.14, linux-raspi, openjdk-21, and openjdk-24). --------------------------------------------- https://lwn.net/Articles/1031426/ ∗∗∗ Angriffe gegen Citrix Netscaler CVE-2025-6543 ∗∗∗ --------------------------------------------- https://www.cert.at/de/aktuelles/2025/7/angriffe-gegen-citrix-netscaler-cve… ∗∗∗ CVE-2025-38350 - ZDI-25-651: (Pwn2Own) Red Hat Enterprise Linux CBS Packet Scheduling Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-651/ ∗∗∗ Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/07/24/cisa-releases-six-indust… ∗∗∗ Medtronic MyCareLink Patient Monitor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2025
by Daily end-of-shift report 24 Jul '25

24 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-07-2025 18:00 − Donnerstag 24-07-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Microsoft: SharePoint servers also targeted in ransomware attacks ∗∗∗ --------------------------------------------- A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-servers… ∗∗∗ Hackers breach Toptal GitHub account, publish malicious npm packages ∗∗∗ --------------------------------------------- Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. The packages included data-stealing code that collected GitHub authentication tokens and then wiped the victims' systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-toptal-github… ∗∗∗ Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware ∗∗∗ --------------------------------------------- The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners. --------------------------------------------- https://thehackernews.com/2025/07/threat-actor-mimo-targets-magento-and.html ∗∗∗ Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions. --------------------------------------------- https://thehackernews.com/2025/07/hackers-deploy-stealth-backdoor-in.html ∗∗∗ China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community ∗∗∗ --------------------------------------------- The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz. --------------------------------------------- https://thehackernews.com/2025/07/china-based-apts-deploy-fake-dalai-lama.h… ∗∗∗ Stealthy cyber spies linked to China compromising virtualization software globally ∗∗∗ --------------------------------------------- A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia. --------------------------------------------- https://therecord.media/stealthy-china-spies-fire-ant-virtualization-softwa… ∗∗∗ Unmasking the new Chaos RaaS group attacks ∗∗∗ --------------------------------------------- Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks. --------------------------------------------- https://blog.talosintelligence.com/new-chaos-ransomware/ ∗∗∗ Comeback von Lumma und NoName057(16): Cybercrime-Zerschlagung misslungen ∗∗∗ --------------------------------------------- Gelingt Strafverfolgungsbehörden ein größerer Schlag gegen Akteure und Infrastrukturen des Cybercrime, so ist der Rückgang der verbrecherischen Aktivitäten selten von Dauer: Nach ein paar internen Umbauten setzen sie ihre Angriffe häufig fort, als sei (fast) nichts geschehen. --------------------------------------------- https://heise.de/-10498191 ∗∗∗ Mitel warns of critical MiVoice MX-ONE authentication bypass flaw ∗∗∗ --------------------------------------------- Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mitel-warns-of-critical-mivo… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges admins to patch critical RCE flaw in SMA 100 devices ∗∗∗ --------------------------------------------- SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution. The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack). --------------------------------------------- https://lwn.net/Articles/1031274/ ∗∗∗ K000152680: BusyBox vulnerability CVE-2024-58251 ∗∗∗ --------------------------------------------- Attackers can launch network applications as local users leading to a denial-of-service (DoS). As attackers require local access to run netstat commands, the attack is limited to only the netstat command. --------------------------------------------- https://my.f5.com/manage/s/article/K000152680 ∗∗∗ K000152678: BusyBox vulnerability CVE-2025-46394 ∗∗∗ --------------------------------------------- An attacker could exploit this vulnerability by creating a TAR archive containing malicious files with names manipulated by escape sequences. When a user lists or extracts the contents of the archives, these malicious files might not be visible in the standard terminal output and may overwrite existing files. --------------------------------------------- https://my.f5.com/manage/s/article/K000152678 ∗∗∗ DSA-5964-1 firefox-esr - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00128.html ∗∗∗ DSA-5965-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00129.html ∗∗∗ CVE-2025-6983 - TP-Link Archer C1200 vulnerable to clickjacking ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN39913189/ ∗∗∗ CVE-2025-8092 - COOKiES Consent Management - Moderately critical - Cross-site Scripting ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-092 ∗∗∗ CVE-2025-7745 - 2025-07-24: Cyber Security Advisory -AC500 V2 Buffer overread on Modbus protocol ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR011432&Language… ∗∗∗ CVE-2025-8069 - AWS Client VPN Windows Client Local Privilege Escalation ∗∗∗ --------------------------------------------- https://aws.amazon.com/de/security/security-bulletins/AWS-2025-014/ ∗∗∗ CVE-2024-58256 - Security Advisory - OS Command Injection Vulnerability in Huawei EnzoH Products ∗∗∗ --------------------------------------------- http:www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-OCIViHEP-en.html ∗∗∗ [R1] Tenable Identity Exposure Version 3.77.12 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-14 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2025
by Daily end-of-shift report 23 Jul '25

23 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-07-2025 18:00 − Mittwoch 23-07-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Major European healthcare network discloses security breach ∗∗∗ --------------------------------------------- AMEOS Group, an operator of a massive healthcare network in Central Europe, has announced it has suffered a security breach that may have exposed customer, employee, and partner information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/major-european-healthcare-ne… ∗∗∗ CISA warns of hackers exploiting SysAid vulnerabilities in attacks ∗∗∗ --------------------------------------------- CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ US nuclear weapons agency reportedly hacked in SharePoint attacks ∗∗∗ --------------------------------------------- Unknown threat actors have reportedly breached the National Nuclear Security Administrations (NNSA) network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-re… ∗∗∗ Mehr als 700 Modelle: Unzählige Drucker werden über Sicherheitslücken attackiert ∗∗∗ --------------------------------------------- Hunderte Druckermodelle von Brother, Fujifilm, Konica Minolta, Ricoh und Toshiba sind angreifbar. Angreifer nutzen die Sicherheitslücken nun aus. --------------------------------------------- https://www.golem.de/news/mehr-als-700-modelle-unzaehlige-drucker-werden-ue… ∗∗∗ CCC und GFF: Verfassungsbeschwerde gegen Polizeisoftware von Palantir ∗∗∗ --------------------------------------------- Die bayerische Polizei ist begeistert von der Palantir-Software. Doch Bürgerrechtlern und Hackern geht der Einsatz zu weit. --------------------------------------------- https://www.golem.de/news/ccc-und-gff-verfassungsbeschwerde-gegen-polizeiso… ∗∗∗ Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages ∗∗∗ --------------------------------------------- Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers" Matthew Suozzo, Google Open Source Security. --------------------------------------------- https://thehackernews.com/2025/07/google-launches-oss-rebuild-to-expose.html ∗∗∗ Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack ∗∗∗ --------------------------------------------- Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. --------------------------------------------- https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html ∗∗∗ New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials ∗∗∗ --------------------------------------------- The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information. --------------------------------------------- https://thehackernews.com/2025/07/new-coyote-malware-variant-exploits.html ∗∗∗ Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine ∗∗∗ --------------------------------------------- Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations. --------------------------------------------- https://hackread.com/suspected-xss-is-admin-cybercrime-forum-arrest-ukraine/ ∗∗∗ Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload ∗∗∗ --------------------------------------------- Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404. --------------------------------------------- https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fa… ∗∗∗ Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects. The vulnerability, classified as "Use of Insufficiently Random Values" affects multiple versions of the package and can lead to HTTP Parameter Pollution (HPP) attacks. --------------------------------------------- https://socket.dev/blog/critical-vulnerability-in-popular-npm-form-data-pac… ===================== = Vulnerabilities = ===================== ∗∗∗ Chrome, Firefox & Thunderbird: Neue Versionen beheben Schwachstellen ∗∗∗ --------------------------------------------- Frische Browser- und Mailclient-Releases von Google und Mozilla beseitigen Lücken mit teils hohem Schweregrad. --------------------------------------------- https://www.heise.de/news/Chrome-Firefox-Thunderbird-Neue-Versionen-beheben… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound). --------------------------------------------- https://lwn.net/Articles/1031104/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released nine Industrial Control Systems (ICS) advisories on July 22, 2025: DuraComm DP-10iN-100-MU, Lantronix Provisioning Manager, Schneider Electric EcoStruxure, Schneider Electric EcoStruxure Power Operation, Schneider Electric System Monitor Application, Schneider Electric EcoStruxture IT Data Center Expert, ICSA-25-175-03 Schneider Electric Modicon Controllers (Update A), ICSA-25-175-04 Schneider Electric EVLink WallBox (Update A), ICSA-25-014-02 Schneider Electric Vijeo Designer (Update A). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-releases-nine-indus… ∗∗∗ [CVE-2025-48932] Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://www.reddit.com/r/netsec/comments/1m757kw/cve202548932_invision_comm… ∗∗∗ [CVE-2025-48933] Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://www.reddit.com/r/netsec/comments/1m7578r/cve202548933_invision_comm… ∗∗∗ ZDI-25-629: (0Day) Ashlar-Vellum Cobalt LI File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-629/ ∗∗∗ ZDI-25-640: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-640/ ∗∗∗ ZDI-25-639: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-639/ ∗∗∗ ZDI-25-638: (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-638/ ∗∗∗ Firefox 141.0 released ∗∗∗ --------------------------------------------- https://lwn.net/Articles/1030971/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2025
by Daily end-of-shift report 22 Jul '25

22 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 21-07-2025 18:00 − Dienstag 22-07-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ring denies breach after users report suspicious logins ∗∗∗ --------------------------------------------- Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ring-denies-breach-after-use… ∗∗∗ Cisco: Maximum-severity ISE RCE flaws now exploited in attacks ∗∗∗ --------------------------------------------- Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-r… ∗∗∗ Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX. --------------------------------------------- https://thehackernews.com/2025/07/iran-linked-dchspy-android-malware.html ∗∗∗ Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access ∗∗∗ --------------------------------------------- The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe. --------------------------------------------- https://thehackernews.com/2025/07/hackers-exploit-sharepoint-zero-day.html ∗∗∗ Disrupting active exploitation of on-premises SharePoint vulnerabilities ∗∗∗ --------------------------------------------- As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-… ∗∗∗ Back to Business: Lumma Stealer Returns with Stealthier Methods ∗∗∗ --------------------------------------------- Lumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears to be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security Updates for Firefox ∗∗∗ --------------------------------------------- Firefox released Security Updates for Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1 and Firefox for iOS 141. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ ExpressVPN bug leaked user IPs in Remote Desktop sessions ∗∗∗ --------------------------------------------- ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users real IP addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-i… ∗∗∗ HPE Aruba Instant On Access Points: Update schließt teils kritische Lücken ∗∗∗ --------------------------------------------- HPE Aruba Networking hat eine Sicherheitswarnung für seine "Instant On" Access Points veröffentlicht. Das Unternehmen warnt darin vor zwei Schwachstellen, von denen eine als kritisch eingestuft wurde. --------------------------------------------- https://www.heise.de/news/HPE-Aruba-Instant-On-Access-Points-Update-schlies… ∗∗∗ Sophos Firewall: Hotfixes beseitigen Remote-Angriffsgefahr ∗∗∗ --------------------------------------------- Frische Hotfixes für die Sophos Firewall schließen insgesamt fünf Sicherheitslücken, von denen zwei als "kritisch", zwei mit einem hohen und eine mit mittlerem Schweregrad bewertet wurden. Sie könnten unter bestimmten Bedingungen zur Codeausführung aus der Ferne missbraucht werden – in zwei Fällen ohne vorherige Authentifizierung. --------------------------------------------- https://www.heise.de/news/Sophos-Firewall-Hotfixes-beseitigen-Remote-Angrif… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri). --------------------------------------------- https://lwn.net/Articles/1030930/ ∗∗∗ Synology-SA-25:08 BeeDrive for desktop ∗∗∗ --------------------------------------------- Synology has released a security update for the BeeDrive desktop tool on Windows to address multiple vulnerabilities. Please refer to the Affected Products table for the corresponding updates. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_08 ∗∗∗ Vulnerability Summary for the Week of July 14, 2025 ∗∗∗ --------------------------------------------- The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb25-202 ∗∗∗ Vulnerability in Kubernetes: CVE-2025-7342, CVSS Rating High 8.1 ∗∗∗ --------------------------------------------- A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Nutanix or the OVA provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/133115 ∗∗∗ VDE: MB connect line, Multiple vulnerabilities in mbNET.mini ∗∗∗ --------------------------------------------- https://certvde.com/en/advisories/VDE-2025-058/ ∗∗∗ VDE: Helmholz, Multiple vulnerabilities in REX 100 ∗∗∗ --------------------------------------------- https://certvde.com/en/advisories/VDE-2025-059/ ∗∗∗ TYPO3-EXT-SA-2025-010: Insecure Direct Object Reference in extension "femanager" (femanager) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-010 ∗∗∗ TYPO3-EXT-SA-2025-009: Insecure Direct Object Reference in extension "powermail" (powermail) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-009 ∗∗∗ F5: K000152658, Golang vulnerability CVE-2024-45341 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000152658 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2025
by Daily end-of-shift report 21 Jul '25

21 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-07-2025 18:00 − Montag 21-07-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Threat actors downgrade FIDO2 MFA auth in PoisonSeed phishing attack ∗∗∗ --------------------------------------------- A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests from fake company portals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido… ∗∗∗ The SOC files: APT41’s new target in Africa ∗∗∗ --------------------------------------------- Some time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African region. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a captive SharePoint server within the victim’s infrastructure. --------------------------------------------- https://securelist.com/apt41-in-africa/116986/ ∗∗∗ UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns ∗∗∗ --------------------------------------------- Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign. --------------------------------------------- https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html ∗∗∗ Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. --------------------------------------------- https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html ∗∗∗ EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware ∗∗∗ --------------------------------------------- The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware. --------------------------------------------- https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html ∗∗∗ Neue Betrugsmasche mit manipulierten Rechnungen ∗∗∗ --------------------------------------------- Mir ist eine merkwürdige Information zu einer neuen Betrugsmasche zugegangen. Ein Verkäufer und ein Käufer vereinbaren einen Handel. Der Verkäufer schickt eine Rechnung, die der Käufer auch bezahlt. Das Geld landet aber auf einem fremden Konto, weil die Rechnung auf dem Versandweg manipuliert wurde. --------------------------------------------- https://www.borncity.com/blog/2025/07/19/neue-betrugsmasche-mit-manipuliert… ∗∗∗ SquidLoader Malware Campaign Hits Hong Kong Financial Firms ∗∗∗ --------------------------------------------- Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia. --------------------------------------------- https://hackread.com/squidloader-malware-hits-hong-kong-financial-firms/ ∗∗∗ New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia ∗∗∗ --------------------------------------------- Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration. --------------------------------------------- https://hackread.com/new-ghostcontainer-malware-ms-exchange-servers-asia/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Microsoft SharePoint - aktiv ausgenützt, Updates verfügbar ∗∗∗ --------------------------------------------- Microsoft hat außerhalb des regulären Patchzyklus Informationen zu, sowie Sicherheitsaktualisierungen für eine kritische Zero-Day-Schwachstelle in Microsoft SharePoint veröffentlicht. Die Sicherheitslücke CVE-2025-53770 wird seit zumindest 18.07.2025 durch Bedrohungsakteure ausgenutzt. Bei der Lücke handelt es sich um eine Variante eines bereits bekannten und behobenen Problems, CVE-2025-49706. --------------------------------------------- https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-in-micro… ∗∗∗ CrushFTP: Ältere Versionen können unbefugten Admin-Zugriff gewähren ∗∗∗ --------------------------------------------- CVE-2025-54309: Wer CrushFTP für den Datentransfer nutzt, sollte die verwendete Version auf Aktualität prüfen. Das Entwicklerteam hat am vergangenen Freitag Angriffe in freier Wildbahn auf ältere Ausgaben entdeckt, die schlimmstenfalls zu einer Übernahme des Admin-Accounts durch Angreifer führen könnten. --------------------------------------------- https://www.heise.de/news/CrushFTP-Aeltere-Versionen-koennen-unbefugten-Adm… ∗∗∗ Admin-Zugriff für alle: Fest kodierte Zugangsdaten in HPE-Geräten entdeckt ∗∗∗ --------------------------------------------- Der US-amerikanische IT-Konzern Hewlett Packard Enterprise (HPE) hat zwei Sicherheitslücken in seinen Instant-On-Access-Points geschlossen. Eine davon basiert auf fest kodierten Zugangsdaten und verleiht Angreifern auf anfälligen Systemen einen Admin-Zugriff. Die zweite Lücke ermöglicht eine unrechtmäßige Befehlsausführung auf dem Betriebssystem der HPE-Geräte. Administratoren sollten dringend die verfügbaren Patches einspielen. --------------------------------------------- https://www.golem.de/news/admin-zugriff-fuer-alle-fest-kodierte-zugangsdate… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (angular.js and batik), Fedora (chromium, pypy, screen, unbound, wine, and wine-mono), Mageia (djvulibre, quictls, and redis), Red Hat (avahi, gnome-remote-desktop, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-openjdk, kernel, kernel-rt, python-setuptools, redis, and valkey), SUSE (chromedriver, coreutils, cosign, docker, FastCGI, ffmpeg-4, fractal, gimp, glib2, ImageMagick, iputils, java-17-openjdk, java-24-openjdk, jq, kubelogin, kubernetes1.23, kubernetes1.24, kubernetes1.26, python-requests, python3, rmt-server, rustup, and thunderbird), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/1030774/ ∗∗∗ Customer guidance for SharePoint vulnerability CVE-2025-53770 ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vu… ∗∗∗ Malicious packages uploaded to the Arch Linux AUR ∗∗∗ --------------------------------------------- https://lwn.net/Articles/1030603/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2025
by Daily end-of-shift report 18 Jul '25

18 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-07-2025 18:00 − Freitag 18-07-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ GitHub abused to distribute payloads on behalf of malware-as-a-service ∗∗∗ --------------------------------------------- Researchers from Cisco’s Talos security team have uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets. The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that’s greenlit in many enterprise networks that rely on the code repository for the software they develop. --------------------------------------------- https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-… ∗∗∗ Microsoft Teams voice calls abused to push Matanbuchus malware ∗∗∗ --------------------------------------------- The Matanbuchus malware loader has been seen being distributed through social engineering over Microsoft Teams calls impersonating IT helpdesk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-… ∗∗∗ New Phobos ransomware decryptor lets victims recover files for free ∗∗∗ --------------------------------------------- The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryp… ∗∗∗ Unmasking Malicious APKs: Android Malware Blending Click Fraud and Credential Theft ∗∗∗ --------------------------------------------- Malicious APKs (Android Package Kit files) continue to serve as one of the most persistent and adaptable delivery mechanisms in mobile threat campaigns. Threat actors routinely exploit social engineering and off-market distribution to bypass conventional security controls and capitalize on user trust to steal a variety of data, such as log in credentials. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-m… ∗∗∗ WordPress Redirect Malware Hidden in Google Tag Manager Code ∗∗∗ --------------------------------------------- Last month, a customer contacted us after noticing their WordPress website was unexpectedly redirecting to a spam domain. The redirection occurred approximately 4-5 seconds after a user landed on the site. Upon closer inspection of the site’s source code we found a suspicious Google Tag Manager loading. This isn’t the first time we’ve seen GTM abused. Earlier this year, we analyzed a credit card skimming attack where attackers injected a payment skimmer via a GTM container. This blog post details our full investigation into this campaign, how it was injected, how it worked, and how we removed it. --------------------------------------------- https://blog.sucuri.net/2025/07/wordpress-redirect-malware-hidden-in-google… ∗∗∗ LLMs in Applications – Understanding and Scoping Attack Surface ∗∗∗ --------------------------------------------- In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications. --------------------------------------------- https://blog.includesecurity.com/2025/07/llms-in-applications-understanding… ∗∗∗ Scanception Exposed: New QR Code Attack Campaign Exploits Unmonitored Mobile Access ∗∗∗ --------------------------------------------- Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems. Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate PDF documents. --------------------------------------------- https://thecyberexpress.com/scanception-qr-code-quishing-campaign/ ===================== = Vulnerabilities = ===================== ∗∗∗ Keycloak identity and access management system CVE-2025-7784 ∗∗∗ --------------------------------------------- A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. --------------------------------------------- https://access.redhat.com/security/cve/CVE-2025-7784 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails). --------------------------------------------- https://lwn.net/Articles/1030479/ ∗∗∗ Trend Micro Worry Free Business 10.0 SP 1 – Patch 2518 veröffentlicht ∗∗∗ --------------------------------------------- Der Sicherheitsanbieter Trend Micro hat zum 15.7.2025 Trend Micro Worry Free Business (WFBS) 10.0 SP 1 – Patch 2518 veröffentlicht. Der Patch enthält diverse Sicherheitsfixes und soll auch verschiedene Bugs beheben. So wird OpenSSL 3.0.15 im Apache-Webserver aktualisiert, um die Produktsicherheit zu verbessern. --------------------------------------------- https://www.borncity.com/blog/2025/07/18/trend-micro-worry-free-business-10… ∗∗∗ K000152614: Apache Commons vulnerability CVE-2025-48976 ∗∗∗ --------------------------------------------- Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. --------------------------------------------- https://my.f5.com/manage/s/article/K000152614 ∗∗∗ NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266) ∗∗∗ --------------------------------------------- New critical vulnerability with 9.0 CVSS presents systemic risk to the AI ecosystem, carries widespread implications for AI infrastructure. --------------------------------------------- https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape ∗∗∗ SOLIDWORKS eDrawings: Use After Free vulnerability CVE-2025-7042 ∗∗∗ --------------------------------------------- https://www.3ds.com/trust-center/security/security-advisories/cve-2025-7042 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2025
by Daily end-of-shift report 17 Jul '25

17 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-07-2025 18:00 − Donnerstag 17-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles ∗∗∗ --------------------------------------------- KAWA4096, a ransomware whose name includes "Kawa", the Japanese word for "river", first emerged in June 2025. This new threat features a leak site that follows the style of the Akira ransomware group, and a ransom note format similar to Qilin’s, likely an attempt to further enrich their visibility and credibility. In this blog .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-r… ∗∗∗ Oracle: 309 Sicherheitsupdates für alle möglichen Produkte ∗∗∗ --------------------------------------------- Oracle hat zum Critical Patch Update genannten Patchday im Juli 309 Sicherheitsupdates angekündigt. Zig Produkte sind verwundbar. --------------------------------------------- https://www.heise.de/news/Oracle-309-Sicherheitsupdates-fuer-alle-moegliche… ∗∗∗ Cisco: Sicherheitslücken in mehreren Produkten ∗∗∗ --------------------------------------------- In Ciscos ISE klafft eine weitere Lücke mit maximalem Bedrohungsgrad. Zudem warnt Cisco vor weiteren Lücken in mehr Produkten. --------------------------------------------- https://www.heise.de/news/Weitere-kritische-Luecke-in-Ciscos-ISE-10490589.h… ∗∗∗ Trump gibt eine Milliarde Dollar für offensive Cyberoperationen frei ∗∗∗ --------------------------------------------- Wie genau das Geld eingesetzt werden soll, ist nicht bekannt. Der Blick dürfte sich aber vor allem nach China richten --------------------------------------------- https://www.derstandard.at/story/3000000279549/trump-gibt-eine-milliarde-do… ∗∗∗ Google spots tailored backdoor malware aimed at SonicWall appliances ∗∗∗ --------------------------------------------- Google researchers reported on a malware campaign against end-of-life SonicWall appliances, noting that the attackers were good at covering their tracks. --------------------------------------------- https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148 ∗∗∗ Detection Engineering: Practicing Detection-as-Code – Repository – Part 2 ∗∗∗ --------------------------------------------- This is the second part of the Practicing Detection-as-Code series, where we will cover some basic elements of designing a repository to develop, store, and deploy detections from. Well go through several different aspects of the setup like the Git platform, branch strategy, repository structure, detections structure, taxonomies, and content packs. --------------------------------------------- https://blog.nviso.eu/2025/07/17/detection-engineering-practicing-detection… ∗∗∗ Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public ∗∗∗ --------------------------------------------- GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 - nearly two weeks before a public proof-of-concept was released on July 4. --------------------------------------------- https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-befo… ∗∗∗ Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts ∗∗∗ --------------------------------------------- A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessageTM SGNL. If exposed, this endpoint can return a full snapshot of heap memory which may include plaintext usernames, passwords, and other sensitive data. --------------------------------------------- https://www.greynoise.io/blog/active-exploit-attempts-signal-based-messagin… ∗∗∗ How to catch GitHub Actions workflow injections before attackers do ∗∗∗ --------------------------------------------- Strengthen your repositories against actions workflow injections - one of the most common vulnerabilities. --------------------------------------------- https://github.blog/security/vulnerability-research/how-to-catch-github-act… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, and linux-raspi, linux-raspi-5.4). --------------------------------------------- https://lwn.net/Articles/1030256/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.07.2025
by Daily end-of-shift report 16 Jul '25

16 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-07-2025 18:00 − Mittwoch 16-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers exploit a blind spot by hiding malware inside DNS records ∗∗∗ --------------------------------------------- Technique transforms the Internet DNS into an unconventional file storage system. --------------------------------------------- https://arstechnica.com/security/2025/07/hackers-exploit-a-blind-spot-by-hi… ∗∗∗ Dringend patchen: Zero-Day-Lücke lässt Hacker aus Chrome-Sandbox ausbrechen ∗∗∗ --------------------------------------------- Google hat per Update mehrere Sicherheitslücken in Chrome geschlossen. Eine wird schon aktiv ausgenutzt und ermöglicht einen Sandbox-Escape. --------------------------------------------- https://www.golem.de/news/google-warnt-zero-day-luecke-in-chrome-laesst-hac… ∗∗∗ Botnetz abgeschaltet: BKA geht gegen prorussische Hackergruppe vor ∗∗∗ --------------------------------------------- Die russische Hackergruppe NoName057(16) koordinierte DDoS-Angriffe mit 100 eigenen Servern und mehr als 1.000 Unterstützern auf Telegram. --------------------------------------------- https://www.golem.de/news/botnetz-abgeschaltet-bka-geht-gegen-prorussische-… ∗∗∗ Curl Creator Mulls Nixing Bug Bounty Awards To Stop AI Slop ∗∗∗ --------------------------------------------- Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to .. --------------------------------------------- https://it.slashdot.org/story/25/07/16/0618255/curl-creator-mulls-nixing-bu… ∗∗∗ VMware stopft teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- In VMware ESXi, Workstation, Fusion und Tools klaffen zum Teil kritische Sicherheitslücken. Updates sollen sie schließen. --------------------------------------------- https://www.heise.de/news/VMware-stopft-teils-kritische-Sicherheitsluecken-… ∗∗∗ Police dismantle DiskStation ransomware gang targeting NAS devices, arrest suspected ringleader ∗∗∗ --------------------------------------------- Police have struck a blow against the DiskStation ransomware gang which targets Synology NAS devices, and arresting its suspected ringleader. Make sure that you have properly hardened the security of your Network Access .. --------------------------------------------- https://www.fortra.com/blog/police-dismantle-diskstation-ransomware-gang ∗∗∗ NSA: Volt Typhoon was ‘not successful’ at persisting in critical infrastructure ∗∗∗ --------------------------------------------- “The good news" is that Chinas Volt Typhoon hacking campaign "really failed," an NSA official said at a cyber conference in New York. An FBI official also described an incident of "true cyberwarfare" with the Flax Typhoon group. --------------------------------------------- https://therecord.media/china-typhoon-hackers-nsa-fbi-response ∗∗∗ Old Miner, New Tricks ∗∗∗ --------------------------------------------- The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2miner campaigns that we documented in 2020 and have since been updated with new configurations. H2Miner is a Crypto mining botnet that has been active since late 2019. --------------------------------------------- https://www.fortinet.com/blog/threat-research/old-miner-new-tricks ∗∗∗ I SPy: Escalating to Entra IDs Global Admin with a first-party app ∗∗∗ --------------------------------------------- Backdooring Microsofts applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led to the development of new security controls. Despite these efforts, we uncovered a vulnerable, built-in SP that could have allowed escalation .. --------------------------------------------- https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-gl… ∗∗∗ ControlPlane Local Privilege Escalation Vulnerability on macOS ∗∗∗ --------------------------------------------- ControlPlane, originally a fork of MarcoPolo, is a powerful open-source context-aware automation tool for macOS. Developed initially by Dustin Rue, the project is no longer maintained and does not function on the latest versions of macOS. Despite this, it remains in use by a number of users and serves as an interesting target for application security research on Apple's platform. ControlPlane leverages inputs such as WiFi networks, Bluetooth devices, location, .. --------------------------------------------- http://blog.quarkslab.com/controlplane_lpe_macos.html ∗∗∗ Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 ∗∗∗ --------------------------------------------- This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation. --------------------------------------------- https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-e… ∗∗∗ Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users ∗∗∗ --------------------------------------------- Socket’s Threat Research Team recently reported on two npm packages with hidden functionality for Russian-language users visiting Russian domains in a browser. In the last few weeks, the team has found the .. --------------------------------------------- https://socket.dev/blog/protestware-update-28-npm-packages-affected-by-payl… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (cloud-init, emacs, firefox, glib2, go-toolset:rhel8, kernel, lz4, python-setuptools, python3.11-setuptools, python3.12-setuptools, and socat), Red Hat (fence-agents, glib2, glibc, java-17-openjdk, kernel, kernel-rt, python-setuptools, python3.11-setuptools, and python3.12-setuptools), Slackware (libxml2), SUSE (glib2, gpg2, kernel, libxml2, poppler, rmt-server, runc, stalld, and xen), and Ubuntu (jpeg-xl). --------------------------------------------- https://lwn.net/Articles/1030106/ ∗∗∗ CVE-2025-4919: Corruption via Math Space in Mozilla Firefox ∗∗∗ --------------------------------------------- In recent years, there has been an increase interest in the JavaScript engine vulnerabilities in order to compromise web browsers. Notably, vulnerabilities in JIT engines are among the most favorite ones as it provides strong primitives and well-known techniques are already available to facilitate compromise. At Pwn2Own Berlin 2025, Manfred Paul compromised the Mozilla .. --------------------------------------------- https://www.thezdi.com/blog/2025/7/14/cve-2025-4919-corruption-via-math-spa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2025
by Daily end-of-shift report 15 Jul '25

15 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 14-07-2025 18:00 − Dienstag 15-07-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MITRE Launches AADAPT Framework for Financial Systems ∗∗∗ --------------------------------------------- The new framework is modeled after and meant to complement the MITRE ATT&CK framework, and it is aimed at detecting and responding to cyberattacks on cryptocurrency assets and other financial targets. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/mitre-aadapt-framework-… ∗∗∗ US-Schienenverkehr gefährdet: Hacker können Züge seit Jahren aus der Ferne stoppen ∗∗∗ --------------------------------------------- Das Problem ist seit 13 Jahren bekannt, aber noch immer nicht behoben. Züge in den USA lassen sich per Funksignal anhalten - etwa mit einem Flipper Zero. --------------------------------------------- https://www.golem.de/news/us-schienenverkehr-gefaehrdet-hacker-koennen-zueg… ∗∗∗ North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign ∗∗∗ --------------------------------------------- The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks --------------------------------------------- https://thehackernews.com/2025/07/north-korean-hackers-flood-npm-registry.h… ∗∗∗ Securing Agentic AI: How to Protect the Invisible Identity Access ∗∗∗ --------------------------------------------- AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere, often with a high-privilege API key, OAuth token, or service account that defenders can’t easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. --------------------------------------------- https://thehackernews.com/2025/07/securing-agentic-ai-how-to-protect.html ∗∗∗ AsyncRATs Open-Source Code Sparks Surge in Dangerous Malware Variants Across the Globe ∗∗∗ --------------------------------------------- Cybersecurity researchers have charted the evolution of a widely used remote access trojan called AsyncRAT, which was first released on GitHub in January 2019 and has since served as the foundation for several other variants. --------------------------------------------- https://thehackernews.com/2025/07/asyncrats-open-source-code-sparks-surge.h… ∗∗∗ Framework 13. Press here to pwn ∗∗∗ --------------------------------------------- BIOS protection is the digital equivalent of a locked front door, but what if the doorbell doubled as a reset button? The Framework 13 laptop has a chassis intrusion detection switch. It’s designed to notify the BIOS when the laptop body has been opened. However, the same switch can be manipulated to reset the BIOS. This wipes critical protections like the BIOS administrator password, along with important security options such as secure boot and even the chassis intrusion lockout itself! --------------------------------------------- https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pw… ∗∗∗ Windows 10: Solange bekommen Microsoft 365-Apps noch Updates ∗∗∗ --------------------------------------------- Microsoft hat nun Fristen genannt, ab denen die Versorgung mit Sicherheitsupdates für Microsoft 365-Apps unter Windows 10 nach dem 14. Oktober 2025 enden wird, stellt aber überraschenderweise sogar noch Funktionsupdates (bis Version 2608) bereit. Das Gleiche gilt auch für Windows Server 2016/2019, falls dort MS 365-Apps unter Terminal-Server laufen. Es gibt gestufte Termine für das Rollout der Microsoft 365 Version 2608 und damit für die Freigabe der Funktions-Updates geben. Sicherheitsupdates gibt es dann noch bis Oktober 2025. --------------------------------------------- https://www.borncity.com/blog/2025/07/15/windows-10-solange-bekommen-micros… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg), Fedora (gnutls, linux-firmware, mingw-djvulibre, mingw-python-requests, and salt), Mageia (qtimageformats6), Oracle (gnome-remote-desktop, golang, kernel, libxml2, and perl-File-Find-Rule), SUSE (gstreamer-plugins-base, gstreamer-plugins-good, kernel, and protobuf), and Ubuntu (apport, glibc, gnutls28, and roundcube). --------------------------------------------- https://lwn.net/Articles/1029919/ ∗∗∗ Zyxel security advisory for path traversal vulnerability in APs ∗∗∗ --------------------------------------------- Zyxel has released patches to address a path traversal vulnerability in the file_upload-cgi CGI program of certain access point (AP) firmware versions. Users are advised to install these patches for optimal protection. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2025
by Daily end-of-shift report 14 Jul '25

14 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-07-2025 18:00 − Montag 14-07-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WordPress Gravity Forms developer hacked to push backdoored plugins ∗∗∗ --------------------------------------------- The popular WordPress plugin Gravity Forms has been compromised in what seems a supply-chain attack where manual installers from the official website were infected with a backdoor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-gravity-forms-deve… ∗∗∗ Google Gemini flaw hijacks email summaries for phishing ∗∗∗ --------------------------------------------- Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-e… ∗∗∗ Nach Cyberangriff: Ministerium bestätigt möglichen Datenabfluss bei der Polizei ∗∗∗ --------------------------------------------- Hacker haben ein System zur Verwaltung der Diensthandys der Landespolizei Mecklenburg-Vorpommern attackiert. Ein Datenabfluss kann nicht mehr ausgeschlossen werden. --------------------------------------------- https://www.golem.de/news/mecklenburg-vorpommern-moeglicher-datenabfluss-be… ∗∗∗ GPUHammer: New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs ∗∗∗ --------------------------------------------- NVIDIA is urging customers to enable System-level Error Correction Codes (ECC) as a defense against a variant of a RowHammer attack demonstrated against its graphics processing units (GPUs). --------------------------------------------- https://thehackernews.com/2025/07/gpuhammer-new-rowhammer-attack-variant.ht… ∗∗∗ eSIM Vulnerability in Kigens eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks. The issues impact the Kigen eUICC card. According to the Irish companys website, more than two billion SIMs in IoT devices have been enabled as of December 2020. --------------------------------------------- https://thehackernews.com/2025/07/esim-vulnerability-in-kigens-euicc.html ∗∗∗ Cyberangriff auf nius.de: mutmaßlich Nutzerdaten veröffentlicht ∗∗∗ --------------------------------------------- Am Samstag traf ein Cyberangriff das Portal nius.de. Titel von Artikeln wurden manipuliert, anscheinend auch Abonnentendaten veröffentlicht. --------------------------------------------- https://www.heise.de/news/Cyberangriff-auf-nius-de-mutmasslich-Nutzerdaten-… ∗∗∗ willhaben & PayLivery: Wie Kriminelle ein eigentlich sicheres Service ausnutzen ∗∗∗ --------------------------------------------- Sie sind „sehr stark interessiert“ und wollen „nicht nochmal leer ausgehen“. Kriminelle geben sich auf willhaben als potenzielle Käufer:innen aus und versuchen ihre Opfer aus der sicheren Umgebung der Plattform in einen Messenger zu locken. Der Sinn dahinter ist die Umgehung der internen Sicherheitsmechanismen. Wir erklären, was PayLivery eigentlich ist, wie es funktioniert und worauf man bei der Nutzung achten sollte. --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-paylivery-sicheres-service/ ∗∗∗ KongTuke FileFix Leads to New Interlock RAT Variant ∗∗∗ --------------------------------------------- Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). --------------------------------------------- https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interloc… ===================== = Vulnerabilities = ===================== ∗∗∗ CERT warnt vor UEFI-Sicherheitslücken in Gigabyte-Firmware ∗∗∗ --------------------------------------------- In der UEFI-Firmware zahlreicher Gigabyte-Mainboards klaffen Sicherheitslücken, durch die Angreifer ihre Rechte im System sehr weitreichend ausweiten können. Gigabyte stellt für zahlreiche Mainboards BIOS-Updates bereit, die die Lücken schließen. --------------------------------------------- https://www.heise.de/news/CERT-warnt-vor-UEFI-Sicherheitsluecken-in-Gigabyt… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redis and thunderbird), Fedora (cef, git, gnutls, httpd, linux-firmware, luajit, mingw-djvulibre, mingw-python-requests, perl, php, python-requests, python3.6, salt, and selenium-manager), Mageia (dpkg, firefox, gnupg2, and golang), Slackware (httpd and kernel), SUSE (afterburn, cmctl, git, go1.23, go1.24, k9s, liboqs-devel, libxml2, php8, python36, trivy, and xen), and Ubuntu (linux-xilinx-zynqmp and nix). --------------------------------------------- https://lwn.net/Articles/1029764/ ∗∗∗ COPADATA: CD_SVA_2025_01: zenon Remote Transport Vulnerability ∗∗∗ --------------------------------------------- https://selfservice.copadata.com/portal/en/kb/articles/cd-10-7-2025 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2025
by Daily end-of-shift report 11 Jul '25

11 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-07-2025 18:00 − Freitag 11-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In Paris verhaftet: Russischer Basketballprofi soll Cyberbande unterstützt haben ∗∗∗ --------------------------------------------- Ein Spieler des MBA Moskau ist in Frankreich festgenommen worden. Die US-Justiz wirft ihm vor, für eine Ransomwarebande Lösegeldzahlungen ausgehandelt zu haben. --------------------------------------------- https://www.golem.de/news/in-paris-verhaftet-russischer-basketballprofi-sol… ∗∗∗ PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a set of four security flaws in OpenSynergys BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.The vulnerabilities, .. --------------------------------------------- https://thehackernews.com/2025/07/perfektblue-bluetooth-vulnerabilities.html ∗∗∗ Now everybody but Citrix agrees that CitrixBleed 2 is under exploit ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency has added its weighty name to the list of parties agreeing that CVE-2025-5777, dubbed CitrixBleed 2 by one researcher, has been under exploitation and abused to hijack user sessions. --------------------------------------------- https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/ ∗∗∗ Trend Micro: Mehrere Produkte mit hochriskanten Lücken ∗∗∗ --------------------------------------------- Trend Micro hat Schwachstellenbeschreibungen veröffentlicht, die Lücken in mehreren Produkten erörtern. Updates sind verfügbar. --------------------------------------------- https://www.heise.de/news/Trend-Micro-Mehrere-Produkte-mit-hochriskanten-Lu… ∗∗∗ Hackergruppe soll 170 Cyberangriffe verübt haben ∗∗∗ --------------------------------------------- Mindestens 170 Angriffe mit Millionenschaden: Ermittler nehmen eine internationale Hackergruppe ins Visier. --------------------------------------------- https://www.heise.de/news/Hackergruppe-soll-170-Cyberangriffe-veruebt-haben… ∗∗∗ Kritische Codeschmuggel-Lücke in Wing FTP wird angegriffen ∗∗∗ --------------------------------------------- In der Datentransfersoftware Wing FTP attackieren Angreifer eine Sicherheitslücke, die das Einschleusen von Schadcode erlaubt. --------------------------------------------- https://www.heise.de/news/Codeschmuggel-Luecke-in-Wing-FTP-wird-angegriffen… ∗∗∗ UK Arrests Four in ‘Scattered Spider’ Ransom Group ∗∗∗ --------------------------------------------- Authorities in the United Kingdom this week arrested four alleged members of "Scattered Spider," a prolific data theft and extortion group whose recent victims include multiple airlines and the U.K. retail chain Marks & Spencer. --------------------------------------------- https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ran… ∗∗∗ Sil3ncer Deployed – RCE, Porn Diversion, and Ransomware on an SFTP-only Server ∗∗∗ --------------------------------------------- We investigated a ransomware incident on a Windows Server 2012 host running in an SFTP-only role. The attacker delivered an attack that combined remote code execution, persistence, tunnelling, and a diversionary visit to Pornhub, before launching a ransomware payload. Background & scope An easy way in The compromised server was .. --------------------------------------------- https://www.pentestpartners.com/security-blog/sil3ncer-deployed-rce-porn-di… ∗∗∗ Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques ∗∗∗ --------------------------------------------- SLOW#TEMPEST malware uses dynamic jumps and obfuscated calls to evade detection. Unit 42 details these techniques and how to defeat them with emulation. --------------------------------------------- https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/ ∗∗∗ Former Mexican president investigated over allegedly taking bribes from spyware industry ∗∗∗ --------------------------------------------- The investigation comes in response to an account in the Israeli business publication TheMarker, which reported that the contracts included a deal to buy Pegasus — the powerful spyware manufactured by Israel-based NSO Group. --------------------------------------------- https://therecord.media/former-mexican-president-investigated-spyware-bribes ∗∗∗ Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) ∗∗∗ --------------------------------------------- Welcome back to yet another day in this parallel universe of security.This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. Thats a great question; no one .. --------------------------------------------- https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2025
by Daily end-of-shift report 10 Jul '25

10 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-07-2025 18:00 − Donnerstag 10-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IT-Ausfall bei Ameos: Cyberangriff trifft großen Klinikverbund ∗∗∗ --------------------------------------------- Die Ameos Gruppe hat infolge eines Cyberangriffs ihre Dienste vom Netz genommen. Die Folge: Ausfälle in zahlreichen Kliniken und Pflegeeinrichtungen. --------------------------------------------- https://www.golem.de/news/it-ausfall-bei-ameos-cyberangriff-trifft-grossen-… ∗∗∗ Plötzlich Vollzugriff: Angriffstechnik trickst Android-Nutzer mit Animationen aus ∗∗∗ --------------------------------------------- Durch eine Angriffstechnik namens Taptrap erlangen Angreifer völlig unbemerkt weitreichende Zugriffsrechte. Selbst Android 16 bietet davor keinen Schutz. --------------------------------------------- https://www.golem.de/news/ploetzlich-vollzugriff-angriffstechnik-trickst-an… ∗∗∗ InfoFlood: KI-Sicherheit mit ausschweifender Prosa umgangen ∗∗∗ --------------------------------------------- Flutet man KI-Chatbots mit Informationen und Fachjargon, erstellen sie auch Anleitungen zum Hacken von Geldautomaten. --------------------------------------------- https://www.golem.de/news/infoflood-ki-sicherheit-mit-ausschweifender-prosa… ∗∗∗ Code highlighting with Cursor AI for $500,000 ∗∗∗ --------------------------------------------- Kaspersky GReAT experts uncover malicious extensions for Cursor AI that download the Quasar backdoor and a crypto stealer. --------------------------------------------- https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-cryp… ∗∗∗ Attackers Inject Code into WordPress Theme to Redirect Visitors ∗∗∗ --------------------------------------------- In a recent article we discussed some of the reasons sites are frequently attacked. That article covered browser redirects, and we’ll explore an example of such a case here.Website themes are a common attack vector for many reasons. The theme is guaranteed to load on every page, that is the core design of any site, and themes can easily be .. --------------------------------------------- https://blog.sucuri.net/2025/07/attackers-inject-code-into-wordpress-theme-… ∗∗∗ At last, a use case for AI agents with sky-high ROI: Stealing crypto ∗∗∗ --------------------------------------------- Boffins outsmart smart contracts with evil automation Using AI models to generate exploits for cryptocurrency contract flaws appears to be a promising business model, though not necessarily a legal one. --------------------------------------------- https://www.theregister.com/2025/07/10/ai_agents_automatically_steal_crypto… ∗∗∗ 200.000 Webseiten durch Sicherheitsleck in WordPress-Plug-in SureForms gefährdet ∗∗∗ --------------------------------------------- Wer in den eigenen WordPress-Instanzen das Plug-in SureForms einsetzt, sollte updaten: Eine Sicherheitslücke erlaubt die Übernahme. --------------------------------------------- https://www.heise.de/news/WordPress-Plug-in-SureForms-Sicherheitsluecke-gef… ∗∗∗ Cyberangriff per Telefonkonferenz: Fünf junge Männer unter Verdacht ∗∗∗ --------------------------------------------- Fünf junge Männer blockierten die Telefonleitungen von rund 800 Polizeidienststellen. Der verwendete Trick war simpel, sorgte aber für viel Ärger. --------------------------------------------- https://www.heise.de/news/Cyberangriff-per-Telefonkonferenz-Fuenf-junge-Mae… ∗∗∗ McDonald’s AI bot spills data on job applicants ∗∗∗ --------------------------------------------- The job applicants personal information could be accessed by simply guessing a username and using the password “12345.” --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/07/mcdonalds-ai-bot-spills-data… ∗∗∗ FinanzOnline – „Dringende Sicherheitswarnung wegen Anmeldeversuchs“ ist Phishing-Falle ∗∗∗ --------------------------------------------- Eine neue Phishing-Welle im Namen von FinanzOnline hat es auf die Login-Daten der Nutzer:innen abgesehen. Kriminelle versenden E-Mails, in denen vor angeblich „unbekannten Anmeldeversuchen“ gewarnt wird. Wer auf den Link zur vermeintlichen Überprüfung der Sicherheitseinstellungen klickt, landet auf einem Fake-Portal. --------------------------------------------- https://www.watchlist-internet.at/news/finanzonline-sicherheitswarnung-phis… ∗∗∗ Fix the Click: Preventing the ClickFix Attack Vector ∗∗∗ --------------------------------------------- ClickFix campaigns are on the rise. We highlight three that distributed NetSupport RAT, Latrodectus, and Lumma Stealer malware. --------------------------------------------- https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/ ∗∗∗ Russian basketball player arrested in France over alleged ransomware ties ∗∗∗ --------------------------------------------- Daniil Kasatkin, 26, was detained in June at Paris’s Charles de Gaulle Airport shortly after arriving in the country with his fiancée, according to local media reports. --------------------------------------------- https://therecord.media/russian-basketball-player-arrested-in-france-ransom… ∗∗∗ Österreichs Nationalrat genehmigt Malware zur Gefährderüberwachung ∗∗∗ --------------------------------------------- Handys und Computer sollen mit Malware infiziert werden, damit Österreichs Ermittler Einsicht nehmen können. Nur 2 Abgeordnete der Regierung wagten Widerspruch. --------------------------------------------- https://heise.de/-10481818 ∗∗∗ Laravel: APP_KEY leakage analysis ∗∗∗ --------------------------------------------- This blog post sums up our journey, from identifying vulnerabilities related to Laravel encryption to scaling this knowledge for a massive internet facing applications compromise. We will talk about the methodology we used in order to collect data over the internet as well as how we analyzed it to get the most relevant results. --------------------------------------------- https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html ∗∗∗ Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 ∗∗∗ --------------------------------------------- This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation. --------------------------------------------- https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-088 ∗∗∗ Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-087 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.07.2025
by Daily end-of-shift report 09 Jul '25

09 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-07-2025 18:00 − Mittwoch 09-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Android TapTrap attack fools users with invisible UI trick ∗∗∗ --------------------------------------------- A novel tapjacking technique can exploit user interface animations to bypass Androids permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-taptrap-attack-f… ∗∗∗ Update nicht verteilt: Mainboard-Hersteller laut AMD schuld an ungefixtem TPM-Bug ∗∗∗ --------------------------------------------- Schon seit 2022 hat AMD einen Fix für einen Bug, der Windows-Nutzer mit aktivem Bitlocker aussperren kann. Doch die Mainboard-Hersteller liefern nicht. --------------------------------------------- https://www.golem.de/news/fix-nicht-ausgeliefert-amd-kritisiert-mainboard-h… ∗∗∗ Massive browser hijacking campaign infects 2.3M Chrome, Edge users ∗∗∗ --------------------------------------------- These extensions werent malware-laced from the start, researcher says A Chrome and Edge extension with more than 100,000 downloads that displays Googles verified badge does what it purports to do: It delivers a color picker to users. Unfortunately, it also .. --------------------------------------------- https://www.theregister.com/2025/07/08/browser_hijacking_campaign/ ∗∗∗ Patchday: Microsoft schließt 100.000-$-Lücke in SharePoint aus Hacker-Wettbewerb ∗∗∗ --------------------------------------------- Update-Sammlung veröffentlicht: Um Attacken vorzubeugen, sollten Admins sicherstellen, dass ihre Microsoft-Produkte auf dem aktuellen Stand sind. --------------------------------------------- https://www.heise.de/news/Patchday-Microsoft-schliesst-100-000-Luecke-in-Sh… ∗∗∗ Patchday: Adobe schützt After Effects & Co. vor möglichen Attacken ∗∗∗ --------------------------------------------- Mehrere Adobe-Anwendungen sind unter anderem für DoS- und Schadcode-Attacken anfällig. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-schuetzt-After-Effects-Co-vor-moeg… ∗∗∗ Advancing Protection in Chrome on Android ∗∗∗ --------------------------------------------- Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced .. --------------------------------------------- http://security.googleblog.com/2025/07/advancing-protection-in-chrome-on.ht… ∗∗∗ Angeblicher Gewinn im Namen von MediaMarkt führt in Abofalle ∗∗∗ --------------------------------------------- Sie haben eine E-Mail im Namen von MediaMarkt mit einer angeblichen Gewinnbenachrichtigung erhalten? Darin sollen Sie auf einen Link klicken und zwei Euro Versandgebühr zahlen, um den Gewinn einzulösen? Dann ist Vorsicht geboten! Dahinter verbirgt sich kein Gewinn, sondern eine teure Abofalle. --------------------------------------------- https://www.watchlist-internet.at/news/angeblicher-gewinn-bei-media-markt-f… ∗∗∗ Kritische Sicherheitslücke CVE-2025-47981 in Windows SPNEGO - Update dringend empfohlen ∗∗∗ --------------------------------------------- Microsoft hat eine kritische Sicherheitslücke im Windows SPNEGO Extended Negotiation (NEGOEX) Security Mechanism veröffentlicht. Die Schwachstelle ermöglicht es Angreifern, aus der Ferne und ohne Authentifizierung beliebigen Code auf .. --------------------------------------------- https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-cve-2025… ∗∗∗ Iranian ransomware group offers bigger payouts for attacks on Israel, US ∗∗∗ --------------------------------------------- The Iran-linked ransoware-as-a-service group Pay2Key.I2P told affiliates that they can keep a larger cut of extortion payments if they attack entities within Irans adversaries. --------------------------------------------- https://therecord.media/iran-ransomware-group-pay2keyi2p-israel-us-targets ∗∗∗ Treasury sanctions key player behind North Korean IT worker scheme ∗∗∗ --------------------------------------------- The United States identified and sanctioned another North Korean involved with the countrys IT worker schemes, this time for illicit operations based in China and Russia. --------------------------------------------- https://therecord.media/north-korea-it-worker-scheme-us-sanctions-song-kum-… ∗∗∗ Fake CNN and BBC sites used to push investment scams ∗∗∗ --------------------------------------------- Thousands of web pages falsely branded as popular news sites are conduits for fake cryptocurrency investment scams, researchers said. --------------------------------------------- https://therecord.media/news-websites-faked-to-spread-investment-scams ∗∗∗ CVE-2025-48384: Breaking git with a carriage return and cloning RCE ∗∗∗ --------------------------------------------- tl;dr: On Unix-like platforms, if you use git clone --recursive on an untrusted repo, it could achieve remote code execution. Update to a fixed version of Git and other software that embeds Git (including GitHub Desktop). --------------------------------------------- https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384 ∗∗∗ Supabase MCP can leak your entire SQL database ∗∗∗ --------------------------------------------- Model Context Protocol (MCP) has emerged as a standard way for LLMs to interact with external tools. While this unlocks new capabilities, it also introduces new risk surfaces. In this post, we show how an attacker can exploit Supabase’s MCP integration to leak a developer’s private SQL tables. --------------------------------------------- https://www.generalanalysis.com/blog/supabase-mcp-blog ===================== = Vulnerabilities = ===================== ∗∗∗ A set of Git security-fix releases ∗∗∗ --------------------------------------------- Versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 andv2.50.1 of the Git source-code management system have been released."This is a set of coordinated security fix releases. Please update at your earliest convenience". See the announcement for details;many of the vulnerabilities have to do with tricks buried in untrusted repositories. --------------------------------------------- https://lwn.net/Articles/1029182/ ∗∗∗ SQL injection in forward module ∗∗∗ --------------------------------------------- An Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability [CWE-89] in FortiManager and FortiAnalyzer may allow an authenticated attacker with high privilege to extract database information via crafted requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-437 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2025
by Daily end-of-shift report 08 Jul '25

08 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 07-07-2025 18:00 − Dienstag 08-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ “No honor among thieves”: M&S hacking group starts turf war ∗∗∗ --------------------------------------------- A clash between criminal ransomware groups could result in victims being extorted twice. --------------------------------------------- https://arstechnica.com/security/2025/07/no-honor-among-thieves-ms-hacking-… ∗∗∗ Qantas is being extorted in recent data-theft cyberattack ∗∗∗ --------------------------------------------- Qantas has confirmed that it is now being extorted by threat actors following a cyberattack that potentially exposed the data for 6 million customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qantas-is-being-extorted-in-… ∗∗∗ Atomic macOS infostealer adds backdoor for persistent attacks ∗∗∗ --------------------------------------------- Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as AMOS) that comes with a backdoor, to attackers persistent access to compromised systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-add… ∗∗∗ Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage ∗∗∗ --------------------------------------------- A Chinese national was arrested in Milan, Italy, last week for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which responsible for cyberattacks against American organizations and government agencies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/alleged-chinese-hacker-tied-… ∗∗∗ Approach to mainframe penetration testing on z/OS. Deep dive into RACF ∗∗∗ --------------------------------------------- We have explored the RACF security package in z/OS and developed a utility to interact with its database. Now, we are assessing RACF configuration security for penetration testing. --------------------------------------------- https://securelist.com/zos-mainframe-pentesting-resource-access-control-fac… ∗∗∗ Android Patchday fällt im Juli aus ∗∗∗ --------------------------------------------- Admins können sich zumindest in Bezug auf Android und Pixel-Smartphones zurücklehnen: Im Juli gibt es nichts zu patchen. --------------------------------------------- https://www.heise.de/news/Android-Patchday-faellt-im-Juli-aus-10478020.html ∗∗∗ Patchday SAP: NetWeaver-Produkte sind für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- Angreifer können unter anderem SAP NetWeaver-Produkte und Business Objects attackieren. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://www.heise.de/news/Patchday-SAP-NetWeaver-Produkte-sind-fuer-Schadco… ∗∗∗ How to conduct a Password Audit in Active Directory (AD) ∗∗∗ --------------------------------------------- Weak or compromised passwords are still one of the most common ways attackers get into an organisation’s network. That’s why running password audits in Active Directory is so important. But smaller companies often don’t have the time, budget, or resources to do them regularly. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-conduct-a-password-aud… ∗∗∗ „Hallo Mama, das ist meine neue Nummer“ – Ein Blick hinter die Kulissen des Evergreens ∗∗∗ --------------------------------------------- Die "Hallo Mama"-Nachricht zählt zu den absoluten Phishing-Klassikern. Trotz der mittlerweile recht großen Bekanntheit versuchen Kriminelle weiterhin beharrlich, damit an Geld zu kommen. Für alle, die schon immer einmal wissen wollten, wie es im Fall einer Antwort eigentlich weitergeht, haben wir uns den Ablauf etwas näher angesehen. --------------------------------------------- https://www.watchlist-internet.at/news/hallo-mama-hinter-den-kulissen/ ∗∗∗ GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed ∗∗∗ --------------------------------------------- An IAB campaign exploited leaked ASP.NET Machine Keys. We dissect the attackers infrastructure, campaign and offer takeaways for blue teams. --------------------------------------------- https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-m… ∗∗∗ Aktiv ausgenutzte Schwachstellen in Citrix NetScaler ADC und NetScaler Gateway ∗∗∗ --------------------------------------------- In den vergangenen Wochen hat Citrix mehrere Sicherheitsaktualisierungen für insgesamt drei Sicherheitslücken in seinen Produkten NetScaler ADC und NetScaler Gateway veröffentlicht: CVE-2025-6543, CVSS-Score 9.2 CVE-2025-5349, CVSS-Score 8.7 CVE-2025-5777, CVSS-Score 9.3, auch bekannt als "CitrixBleed 2" Zum Zeitpunkt der Veröffentlichung der Advisories sowie der dazugehörigen Aktualisierungen gab es laut Citrix keine aktive Ausnutzung der Schwachstellen, .. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/7/aktiv-ausgenutzte-schwachstellen-in… ∗∗∗ New spyware strain steals data from Russian industrial companies ∗∗∗ --------------------------------------------- Moscow-based cybersecurity firm Kaspersky said the campaign has already affected over 100 victims across several dozen Russian organizations, but did not disclose the specific targets. --------------------------------------------- https://therecord.media/spyware-strain-steals-data-russian-industrial-sector ∗∗∗ Detection Engineering: Practicing Detection-as-Code – Introduction – Part 1 ∗∗∗ --------------------------------------------- This is going to be a multipart blog series revolving around Detection Engineering and more specifically practicing Detection-as-Code in Detection Engineering. Throughout this series, we’ll dive deep into concepts, strategies, and practical blueprints that you can adapt to fit your own workflows. From building a detection engineering repository to validating .. --------------------------------------------- https://blog.nviso.eu/2025/07/08/detection-engineering-practicing-detection… ∗∗∗ From cheap IoT toy to your smartphone: Getting RCE by leveraging a companion app ∗∗∗ --------------------------------------------- As IoT adoption continues to grow, we explored the idea that instead of directly compromising IoT devices, an attacker could target the applications controlling them. This approach could potentially allow remote code execution on a user’s smartphone. --------------------------------------------- https://www.synacktiv.com/en/publications/from-cheap-iot-toy-to-your-smartp… ∗∗∗ New CVE Forecasting Tool Predicts 47,000 Disclosures in 2025 ∗∗∗ --------------------------------------------- Security engineer Jerry Gamblin, founder of RogoLabs, has released a new open source forecasting tool that aims to predict the growing volume of software vulnerability disclosures. The tool, CVEForecast.org, uses historical CVE data and machine learning models to generate short-term projections of how many new vulnerabilities are likely to be published. --------------------------------------------- https://socket.dev/blog/new-cve-forecasting-tool-predicts-47-000-disclosure… ===================== = Vulnerabilities = ===================== ∗∗∗ July Security Update ∗∗∗ --------------------------------------------- Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of .. --------------------------------------------- https://www.ivanti.com/blog/july-security-update-2025 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2025
by Daily end-of-shift report 07 Jul '25

07 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-07-2025 18:00 − Montag 07-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers abuse leaked Shellter red team tool to deploy infostealers ∗∗∗ --------------------------------------------- Shellter Project, the vendor of a commercial AV/EDR evasion loader for penetration testing, confirmed that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-abuse-leaked-shellte… ∗∗∗ Umsetzung von NIS 2 in Europa: Nur vier Länder haben geliefert ∗∗∗ --------------------------------------------- NIS 2 hätte bis zum 17. Oktober 2024 in nationales Recht umgesetzt werden müssen. Das ist nur wenigen Ländern gelungen. Wie haben sie das gemacht? Eine Analyse von Thomas Hafen --------------------------------------------- https://www.golem.de/news/umsetzung-von-nis-2-in-europa-nur-vier-laender-ha… ∗∗∗ Auch Lücken und Bugs beseitigt: Neues 7-Zip komprimiert mit mehr als 64 CPU-Kernen ∗∗∗ --------------------------------------------- Wer 7-Zip im Einsatz hat, sollte das Packprogramm zeitnah aktualisieren. Version 25.00 verspricht mehr Leistung und behebt Bugs und Schwachstellen. --------------------------------------------- https://www.golem.de/news/jetzt-updaten-7-zip-schliesst-sicherheitsluecken-… ∗∗∗ Massive spike in use of .es domains for phishing abuse ∗∗∗ --------------------------------------------- ¡Cuidado! Time to double-check before entering your Microsoft creds Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru. --------------------------------------------- https://www.theregister.com/2025/07/05/spain_domains_phishing/ ∗∗∗ Ingram Micro confirms ransomware behind multi-day outage ∗∗∗ --------------------------------------------- SafePay crew claims responsibility for intrusion at one of worlds largest tech distributors Ingram Micro, one of the world’s largest distributors, has confirmed it is trying to restore systems following a ransomware attack. --------------------------------------------- https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_beh… ∗∗∗ Antivirus: Comodo Internet Security lässt sich Schadcode unterschieben ∗∗∗ --------------------------------------------- Ein IT-Sicherheitsforscher hat mehrere Sicherheitslücken im Virenschutz Comodo Internet Security entdeckt, wodurch Angreifer Schadcode einschleusen können. --------------------------------------------- https://www.heise.de/news/Antivirus-Comodo-Internet-Security-laesst-sich-Sc… ∗∗∗ SSB-104599 V1.0: Increasing Cyber Threats to Industrial Control Systems ∗∗∗ --------------------------------------------- The current geopolitical situation has created increased cybersecurity risks across all industrial sectors. This challenging environment also impacts the operational technology (OT) landscape, where we observe an intensification of threat activities. --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssb-104599.html ∗∗∗ Fake-Europol-E-Mail mit dem Vorwurf der Verbreitung pornografischer Inhalte von Minderjährigen ∗∗∗ --------------------------------------------- Derzeit wird eine gefälschte E-Mail im Namen von Europol verbreitet. Darin wird den Empfänger:innen unterstellt, verbotene pornografische Darstellungen von Minderjährigen abgerufen oder verbreitet zu haben. Angeblich sei deshalb ein Strafverfahren eingeleitet worden. Die Betroffenen werden aufgefordert, per E-Mail eine Stellungnahme zu übermitteln. Antworten Sie nicht darauf, denn es handelt sich um einen Betrugsversuch! --------------------------------------------- https://www.watchlist-internet.at/news/europol-e-mail-mit-vorwurf-der-verbr… ∗∗∗ BERT Ransomware Group Targets Asia and Europe on Multiple Platforms ∗∗∗ --------------------------------------------- BERT is a newly emerged ransomware group that pairs simple code with effective execution—carrying out attacks across Europe and Asia. In this entry, we examine the group’s tactics, how their variants have evolved, and the tools they use to get past defenses and speed up encryption across platforms. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/g/bert-ransomware-group-target… ∗∗∗ SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked ∗∗∗ --------------------------------------------- SatanLock ransomware gang shuts down after weeks of attacks and plans to leak stolen victim data. Group linked to Babuk-Bjorka and GD Lockersec families. --------------------------------------------- https://hackread.com/satanlock-ransomware-ends-operations-stolen-data-leak/ ∗∗∗ Isolated Recovery Environments: A Critical Layer in Modern Cyber Resilience ∗∗∗ --------------------------------------------- As adversaries grow faster, stealthier, and more destructive, traditional recovery strategies are increasingly insufficient. Mandiants M-Trends 2025 report reinforces this shift, highlighting that ransomware operators now routinely target not just production systems but also backups. This evolution demands that organizations re-evaluate their resilience posture. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/isolated-recovery-… ∗∗∗ How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) ∗∗∗ --------------------------------------------- Before you dive into our latest diatribe, indulge us and join us on a journey.Sit in your chair, stand at your desk, lick your phone screen - close your eyes and imagine a world in which things are great. It’s sunny outside, the birds are chirping, .. --------------------------------------------- https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-mem… ∗∗∗ Lets Encrypt stellt erstes IP-Zertifikat aus ∗∗∗ --------------------------------------------- Das Lets-Encrypt-Projekt hat in der vergangenen Woche das erste Zertifikat für eine IP-Adresse ausgestellt. --------------------------------------------- https://heise.de/-10476509 ∗∗∗ Sicherheitsupdate: Dell Data Protection Advisor über viele Lücken angreifbar ∗∗∗ --------------------------------------------- Angreifer können an Schwachstellen in Dells Backuplösung Data Protection Advisor ansetzen. Der Computerhersteller stuft das Risiko als kritisch ein. --------------------------------------------- https://heise.de/-10476481 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird and xmedcon), Fedora (darktable, mbedtls, sudo, and yarnpkg), Mageia (catdoc and php), Red Hat (java-1.8.0-ibm, kernel, python-setuptools, python3, python3.11, python3.12, python3.9, socat, sudo, tigervnc, webkit2gtk3, webkitgtk4, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (alloy, apache-commons-fileupload, apache2-mod_security2, assimp-devel, chromedriver, clamav, clustershell, corepack22, ctdb, curl, dpkg, --------------------------------------------- https://lwn.net/Articles/1029073/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2025
by Daily end-of-shift report 04 Jul '25

04 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-07-2025 18:00 − Freitag 04-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ingram Micro suffers global outage as internal systems inaccessible ∗∗∗ --------------------------------------------- IT giant Ingram Micro is experiencing a global outage that is impacting its websites and internal systems, with customers concerned that it may be a cyberattack after the company remains silent on the cause of the issues. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ingram-micro-suffers-global-… ∗∗∗ Hacker leaks Telefónica data allegedly stolen in a new breach ∗∗∗ --------------------------------------------- A hacker is threatening to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica in a breach that the company did not acknowledge. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-leaks-telef-nica-data… ∗∗∗ Rechnungshof warnt: Cybersicherheit der Bundes-IT unzureichend ∗∗∗ --------------------------------------------- Viele Rechenzentren des Bundes verfügen wohl nicht einmal über eine angemessene Notstromversorgung. Und auch an Redundanzen fehlt es häufig. --------------------------------------------- https://www.golem.de/news/rechnungshof-warnt-cybersicherheit-der-bundes-it-… ∗∗∗ The Breach Beyond the Runway: Cybercriminals Targeted Qantas Through a Trusted Partner ∗∗∗ --------------------------------------------- On July 3, 2025, Qantas confirmed in an update statement that a cyber incident had compromised data from one of its contact centers, following the detection of suspicious activity on June 30. The breach didn’t strike at the heart of .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-breach-… ∗∗∗ Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects ∗∗∗ --------------------------------------------- Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world.The international effort, codenamed Operation Borrelli, was carried out by the .. --------------------------------------------- https://thehackernews.com/2025/06/europol-dismantles-540-million.html ∗∗∗ "FoxyWallet": Mehr als 40 bösartige Firefox-Add-ons entdeckt ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben eine groß angelegte Kampagne mit bösartigen Firefox-Add-ons entdeckt. Die räumen Krypto-Wallets leer. --------------------------------------------- https://www.heise.de/news/FoxyWallet-Mehr-als-40-boesartige-Firefox-Add-ons… ∗∗∗ Pet microchip scams and data leaks in the UK ∗∗∗ --------------------------------------------- TL;DR We were recently on BBC Morning Live talking about issues with pet microchip data, helping some pet owners understand how they were being billed for services which they didn’t recall signing up for. There was so much more to this piece though, so we’ve written up our findings in more detail .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pet-microchip-scams-and-data-… ∗∗∗ Das Facebook-Konto versendet unerwünschte Nachrichten? Phishing-Alarm & Abo-Falle! ∗∗∗ --------------------------------------------- Kriminelle nutzen die Angst vor „Account Hijacking“ – also der Übernahme eines Online-Kontos durch andere – für ihre Zwecke aus. Sie versenden E-Mail-Warnungen, laut denen über den Facebook-Account des Opfers „unerwünschte Nachrichten“ versendet werden. Die Lösung des vermeintlichen Problems führt direkt in eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/facebook-nachrichten-phishing-abo/ ∗∗∗ A message from Bruce the mechanical shark ∗∗∗ --------------------------------------------- This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing. --------------------------------------------- https://blog.talosintelligence.com/a-message-from-bruce-the-mechanical-shar… ∗∗∗ AI Dilemma: Emerging Tech as Cyber Risk Escalates ∗∗∗ --------------------------------------------- As AI adoption accelerates, businesses face mounting cyber threats—and urgent choices about secure implementation --------------------------------------------- https://www.trendmicro.com/en_us/research/25/g/ai-cyber-risks.html ∗∗∗ Taking over 60k spyware user accounts with SQL injection ∗∗∗ --------------------------------------------- Recently I was looking through a database of known stalkerware services and found one I wasn’t familiar with: Catwatchful. It seemed to be a full-featured Android spy app, to actually be its own service as opposed to a millionth FlexiSpy reseller, and to offer a 3-day free trial. Aside from a boilerplate disclaimer to only use it with consent .. --------------------------------------------- https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/ ∗∗∗ Identifying Ransomware Final Stage activities with KQL Queries ∗∗∗ --------------------------------------------- When ransomware strikes, it doesn’t just encrypt files — it often wraps up with a series of stealthy moves meant to lock you out, cover tracks, and make recovery a nightmare. That’s why it’s so important to spot these final-stage activities before the damage is permanent. --------------------------------------------- https://detect.fyi/identifying-ransomware-final-stage-activities-with-kql-q… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.07.2025
by Daily end-of-shift report 03 Jul '25

03 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-07-2025 18:00 − Donnerstag 03-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DOJ investigates ex-ransomware negotiator over extortion kickbacks ∗∗∗ --------------------------------------------- An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/doj-investigates-ex-ransomwa… ∗∗∗ Data Breach Reveals Catwatchful Stalkerware Is Spying On Thousands of Phones ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware apps full database of email addresses and plaintext passwords that .. --------------------------------------------- https://yro.slashdot.org/story/25/07/03/0023253/data-breach-reveals-catwatc… ∗∗∗ Fake Spam Plugin Uses Victim’s Domain Name to Evade Detection ∗∗∗ --------------------------------------------- During our investigation of an SEO spam infection (spam content designed to manipulate search engine results), we discovered a nicely crafted plugin that named itself after the infected domain, helping it evade detection. While this tactic was simple, it easily blended in with other legitimate plugins, making it harder to spot during the troubleshooting .. --------------------------------------------- https://blog.sucuri.net/2025/07/fake-spam-plugin-uses-victims-domain-name-t… ∗∗∗ CISA warns the Signal clone used by natsec staffers is being attacked, so patch now ∗∗∗ --------------------------------------------- Two flaws in TeleMessage are frequent attack vectors for malicious cyber actors The US security watchdog CISA has warned that malicious actors are actively exploiting two flaws in the Signal clone TeleMessage TM SGNL, and has directed federal agencies to patch the flaws or discontinue use of the app by July 22. --------------------------------------------- https://www.theregister.com/2025/07/02/cisa_telemessage_patch/ ∗∗∗ ChatGPT creates phisher’s paradise by recommending the wrong URLs for major companies ∗∗∗ --------------------------------------------- Crims have cottoned on to a new way to lead you astray AI-powered chatbots often deliver incorrect information when asked to name the address for major companies’ websites, and threat intelligence business Netcraft thinks that creates an opportunity for criminals. --------------------------------------------- https://www.theregister.com/2025/07/03/ai_phishing_websites/ ∗∗∗ Cisco entfernt SSH-Hintertür in Unified Communications Manager ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat Sicherheitslücken in verschiedenen Produkten geschlossen. Eine Lücke gilt als kritisch. --------------------------------------------- https://www.heise.de/news/Cisco-entfernt-SSH-Hintertuer-in-Unified-Communic… ∗∗∗ Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack ∗∗∗ --------------------------------------------- We analyze CVE-2025-24813 (Tomcat Partial PUT RCE), CVE-2025-27636 and CVE-2025-29891 (Camel Header Hijack RCE). --------------------------------------------- https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cv… ∗∗∗ Hunters International ransomware group claims to be shutting down ∗∗∗ --------------------------------------------- “After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the prolific cybercrime gang wrote on its darknet site. --------------------------------------------- https://therecord.media/hunters-international-ransomware-extortion-group-cl… ∗∗∗ Russia jails man for 16 years over pro-Ukraine cyberattacks on critical infrastructure ∗∗∗ --------------------------------------------- Russian authorities said the man used malware to attack Russian information systems in 2022, blocking access to websites of several local companies and damaging critical infrastructure. --------------------------------------------- https://therecord.media/russia-jails-man-over-pro-ukraine-cyberattacks ===================== = Vulnerabilities = ===================== ∗∗∗ Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-085 ∗∗∗ Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-086 ∗∗∗ Security Vulnerabilities fixed in Thunderbird 140 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.12 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.07.2025
by Daily end-of-shift report 02 Jul '25

02 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-07-2025 18:00 − Mittwoch 02-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft: DNS issue blocks delivery of Exchange Online OTP codes ∗∗∗ --------------------------------------------- Microsoft is working to fix a DNS misconfiguration that is causing one-time passcode (OTP) message delivery failures in Exchange Online for some users. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-links-dns-issue-t… ∗∗∗ Kundenfang am Unfallort: Hacker verkauft Daten aus Notrufsystem an Bestatter ∗∗∗ --------------------------------------------- Die Notrufdaten sind in Echtzeit zur Verfügung gestellt worden. Die Bestatter konnten damit frühzeitig an Einsatzorten auftauchen, um neue Kunden zu gewinnen. --------------------------------------------- https://www.golem.de/news/kundenfang-am-unfallort-hacker-verkauft-daten-aus… ∗∗∗ C2 mit Dinosauriern ∗∗∗ --------------------------------------------- Angreifer nutzen gerne Programme, die als Open Source verfügbar sind und typischerweise als legitim sowie harmlos eingestuft werden (z. B. rclone .. --------------------------------------------- https://sec-consult.com/de/blog/detail/c2-mit-dinosauriern/ ∗∗∗ chwoot: Kritische Linux-Lücke macht Nutzer auf den meisten Systemen zu Root ∗∗∗ --------------------------------------------- Ein Beispielexploit steht im Netz und funktioniert auf vielen Standardystemen. Admins sollten schnell die bereitstehenden Updates einspielen. --------------------------------------------- https://www.heise.de/news/chwoot-Kritische-Linux-Luecke-macht-Nutzer-auf-de… ∗∗∗ Bericht: EU-Grenzsystem SIS II mit zahlreichen Sicherheitslücken ∗∗∗ --------------------------------------------- Vertrauliche Berichte sollen tausende Schwachstellen im EU-Grenzsystem SIS II monieren. Die Entwickler bessern sie zu langsam aus. --------------------------------------------- https://www.heise.de/news/Bericht-EU-Grenzsystem-SIS-II-mit-zahlreichen-Sic… ∗∗∗ 600,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Forminator WordPress Plugin ∗∗∗ --------------------------------------------- On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be .. --------------------------------------------- https://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-a… ∗∗∗ Sinaloa-Kartell hackte das FBI, um geheime Informanten ausfindig zu machen ∗∗∗ --------------------------------------------- Ein Bericht des US-Justizministeriums übt Kritik am Umgang des FBI mit der Gefahr durch Überwachungstechnologien --------------------------------------------- https://www.derstandard.at/story/3000000277554/sinaloa-kartell-hackte-das-f… ∗∗∗ Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work ∗∗∗ --------------------------------------------- Support for ransomware, darknet drug markets and other cybercrime activity landed the Russian company Aeza Group on the U.S. governments sanctions list, the Treasury Department said. --------------------------------------------- https://therecord.media/russia-bulletproof-hosting-aeza-group-us-sanctions ∗∗∗ Ransomware gang attacks German charity that feeds starving children ∗∗∗ --------------------------------------------- Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay. --------------------------------------------- https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransom… ∗∗∗ Analysis of Attacks Targeting Linux SSH Servers for Proxy Installation ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting Linux servers that are inappropriately managed using honeypots. One of the representative honeypots is the SSH service that uses weak credentials, which is targeted by a large .. --------------------------------------------- https://asec.ahnlab.com/en/88749/ ∗∗∗ PDFs: Portable documents, or perfect deliveries for phish? ∗∗∗ --------------------------------------------- A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks. --------------------------------------------- https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliv… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2025
by Daily end-of-shift report 01 Jul '25

01 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 30-06-2025 18:00 − Dienstag 01-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Root-Zugriff für alle: Kritische Sudo-Lücke gefährdet unzählige Linux-Systeme ∗∗∗ --------------------------------------------- Forscher haben eine gefährliche Sicherheitslücke im Kommandozeilentool Sudo entdeckt. Angreifer können mit wenig Aufwand Root-Rechte erlangen. --------------------------------------------- https://www.golem.de/news/root-zugriff-fuer-alle-kritische-sudo-luecke-gefa… ∗∗∗ Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations ∗∗∗ --------------------------------------------- Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north… ∗∗∗ Vulnerability & Patch Roundup — June 2025 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website .. --------------------------------------------- https://blog.sucuri.net/2025/06/vulnerability-patch-roundup-june-2025.html ∗∗∗ U.S. Agencies Warn of Rising Iranian Cyberattacks on Defense, OT Networks, and Critical Infrastructure ∗∗∗ --------------------------------------------- U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors. "Over the past several months, there has been increasing activity from hacktivists .. --------------------------------------------- https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html ∗∗∗ OneClik Red Team Campaign Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsofts ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas .. --------------------------------------------- https://thehackernews.com/2025/06/oneclik-malware-targets-energy-sector.html ∗∗∗ Terrible tales of opsec oversights: How cybercrooks get themselves caught ∗∗∗ --------------------------------------------- The silly mistakes to the flagrant failures They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that. --------------------------------------------- https://www.theregister.com/2025/07/01/terrible_tales_of_opsec_oversights/ ∗∗∗ Überwachungskameras aus China: Kanada ordnet Schließung von Hikvision Canada an ∗∗∗ --------------------------------------------- Hikvision kommt aus China und verkauft Überwachungstechnik. Seit Jahren gibt es Kritik an dem Konzern. Nun lässt Kanada den dortigen Ableger schließen. --------------------------------------------- https://www.heise.de/news/Ueberwachungskameras-aus-China-Kanada-ordnet-Schl… ∗∗∗ Webbrowser Chrome: Sicherheitslücke wird angegriffen ∗∗∗ --------------------------------------------- In der Nacht zum Dienstag hat Google den Chrome-Browser ungeplant aktualisiert. Eine Sicherheitslücke wird bereits attackiert. --------------------------------------------- https://www.heise.de/news/Chrome-Google-stopft-attackierte-Sicherheitslueck… ∗∗∗ Viele Sicherheitslücken in Dell OpenManage Network Integration geschlossen ∗∗∗ --------------------------------------------- Angreifer können Dell OpenManage Network Integration über verschiedene Wege attackieren. Sicherheitsupdates stehen zur Verfügung. --------------------------------------------- https://www.heise.de/news/Viele-Sicherheitsluecken-in-Dell-OpenManage-Netwo… ∗∗∗ Britischer IT-Angestellter rächte sich an Ex-Arbeitgeber: Sieben Monate Haft ∗∗∗ --------------------------------------------- Nur wenige Stunden nach seiner Entlassung startete der junge Mann eine Cyberattacke und sorgte für Schäden in Höhe von 200.000 Pfund --------------------------------------------- https://www.derstandard.at/story/3000000277498/britischer-it-angestellter-r… ∗∗∗ 50 customers of French bank hit after insider helped SIM swap scammers ∗∗∗ --------------------------------------------- French police have arrested a business student interning at the bank Société Générale who is accused of helping SIM-swapping scammers to defraud 50 of its clients. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/50-customers-of-frenc… ∗∗∗ Encryption vs. Lawful Interception: EU policy news ∗∗∗ --------------------------------------------- I’ve commented here on this blog (or its German twin) quite a few time already on various legislative proposals on how the law enforcement agencies can keep their traditional access to the communication of suspects. See Ein paar Thesen zu aktuellen Gesetzesentwürfen (2017) Ein paar Gedanken zur „Überwachung verschlüsselter Nachrichten" (2024) Roles in .. --------------------------------------------- https://www.cert.at/en/blog/2025/7/encryption-vs-lawful-interception-eu-pol… ∗∗∗ DOJ raids 29 ‘laptop farms’ in crackdown on N. Korean IT worker scheme ∗∗∗ --------------------------------------------- The Justice Department announced a coordinated action to disrupt a Pyongyang campaign to get North Koreans hired at U.S.-based companies. --------------------------------------------- https://therecord.media/doj-raids-laptop-farms-crackdown ∗∗∗ International Criminal Court targeted by new ‘sophisticated’ attack ∗∗∗ --------------------------------------------- The ICC credited its “alert and response mechanisms” for “swiftly” discovering, confirming and containing a cyberattack. --------------------------------------------- https://therecord.media/international-criminal-court-cyberattack-2025 ∗∗∗ Malware in Apps: Godfather 2.0 für Android; SparkKitty in App-Stores ∗∗∗ --------------------------------------------- Kleiner Sammelbeitrag rund um das Thema Smartphone-Apps mit Malware an Bord. Aktuell feiert die Android-Malware Godfather 2.0 ihr Comeback bzw. Erfolge beim Raubzügen beim Online-Banking. Zudem haben Sicherheitsforscher .. --------------------------------------------- https://www.borncity.com/blog/2025/06/30/malware-in-apps-godfather-2-0-fuer… ∗∗∗ What the NULL?! Wing FTP Server RCE (CVE-2025-47812) ∗∗∗ --------------------------------------------- While performing a penetration test for one of our Continuous Penetration Testing customers, we’ve found a Wing FTP server instance that allowed anonymous connections. It was almost the only interesting thing exposed, but we still wanted to get a foothold into their perimeter and provide the customer with an impactful finding. So we .. --------------------------------------------- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2… ∗∗∗ Django Joins curl in Pushing Back on AI Slop Security Reports ∗∗∗ --------------------------------------------- Django has updated its official security documentation with new guidance for AI-assisted vulnerability reports, responding to a rising number of submissions generated by large language models (LLMs) that cite fabricated code or non-existent features. The change was authored by Django Fellow Natalia Bidart, who helps maintain the project’s .. --------------------------------------------- https://socket.dev/blog/django-joins-curl-in-pushing-back-on-ai-slop-securi… ∗∗∗ How hacktivist cyber operations surged amid Israeli-Iranian conflict ∗∗∗ --------------------------------------------- In June 2025, Israel carried out airstrikes against key Iranian military and nuclear facilities. Iran swiftly retaliated, escalating regional tensions to unprecedented levels. This military confrontation has not only unfolded in conventional warfare but also triggered a massive surge in cyber operations. Almost immediately after the .. --------------------------------------------- https://outpost24.com/blog/hacktivist-cyber-operations-iran-israel/ ===================== = Vulnerabilities = ===================== ∗∗∗ XSA-470 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-470.html ∗∗∗ [R1] Nessus Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-13 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.06.2025
by Daily end-of-shift report 30 Jun '25

30 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-06-2025 18:00 − Montag 30-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Scattered Spider hackers shift focus to aviation, transportation firms ∗∗∗ --------------------------------------------- Hackers associated with Scattered Spider tactics have expanded their targeting to the aviation and transportation industries after previously attacking insurance and retail sectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shi… ∗∗∗ Let’s Encrypt ends certificate expiry emails to cut costs, boost privacy ∗∗∗ --------------------------------------------- Lets Encrypt has announced it will no longer notify users about imminent certificate expirations via email due to high costs, privacy concerns, and unnecessary complexities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lets-encrypt-ends-certificat… ∗∗∗ Unveiling RIFT: Enhancing Rust malware analysis through pattern matching ∗∗∗ --------------------------------------------- As threat actors are adopting Rust for malware development, RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/06/27/unveiling-rift-enh… ∗∗∗ Stealthy WordPress Malware Drops Windows Trojan via PHP Backdoor ∗∗∗ --------------------------------------------- Last month, we encountered a particularly interesting and complex malware case that stood out from the usual infections we see in compromised WordPress websites. At first glance, the site looked clean, no visible signs of defacement, no malicious redirects, and nothing suspicious in the plugin list. But beneath the surface, a hidden infection chain was .. --------------------------------------------- https://blog.sucuri.net/2025/06/stealthy-wordpress-malware-drops-windows-tr… ∗∗∗ GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool ∗∗∗ --------------------------------------------- The threat actor behind the GIFTEDCROOK malware has made significant updates to turn the malicious program from a basic browser data stealer to a potent intelligence-gathering tool."Recent campaigns in June 2025 demonstrate GIFTEDCROOKs enhanced .. --------------------------------------------- https://thehackernews.com/2025/06/giftedcrook-malware-evolves-from.html ∗∗∗ IGF25: Diktatoren und Demokraten im globalen Süden als Kunden von Spyware ∗∗∗ --------------------------------------------- Spyware wie Pegasus von der NSO-Group wird zunehmend ein politisches Problem. Das war eine der Erkenntnisse des Internet Governance Forums in Norwegen. --------------------------------------------- https://www.heise.de/news/IGF25-Diktatoren-und-Demokraten-im-globalen-Suede… ∗∗∗ "CitrixBleed 2": Indizien für laufende Angriffe auf Sicherheitsleck ∗∗∗ --------------------------------------------- Eine Citrix-Netscaler-Lücke mit dem Spitznamen "CitrixBleed 2" ist gravierend. Nun wird sie offenbar attackiert. --------------------------------------------- https://www.heise.de/news/CitrixBleed-2-Indizien-fuer-laufende-Angriffe-auf… ∗∗∗ Cybergang erpresst Welthungerhilfe um 1,8 Millionen Euro ∗∗∗ --------------------------------------------- Die Cybergang Rhysida ist bei der Welthungerhilfe eingebrochen und hat Daten kopiert. Nun wollen die Täter 20 Bitcoins dafür. --------------------------------------------- https://www.heise.de/news/Ransomwareattacke-auf-Welthungerhilfe-10464644.ht… ∗∗∗ Dubiose Inkassoforderungen: Was tun bei plötzlichen Mahnschreiben? ∗∗∗ --------------------------------------------- Sie öffnen Ihr E-Mail-Postfach oder Ihren Briefkasten und finden ein Schreiben eines Inkassounternehmens. Angeblich haben Sie eine Rechnung nicht bezahlt, können sich aber nicht daran erinnern, etwas bestellt zu haben. Dieses Szenario ist leider keine Seltenheit. Immer mehr Verbraucher:innen berichten über solche dubiosen Zahlungsaufforderungen. Wir zeigen Ihnen, wie Sie reagieren können. --------------------------------------------- https://www.watchlist-internet.at/news/dubiose-inkassoschreiben-was-tun-bei… ∗∗∗ ESET Threat Report H1 2025 ∗∗∗ --------------------------------------------- A view of the H1 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts --------------------------------------------- https://www.welivesecurity.com/en/eset-research/eset-threat-report-h1-2025/ ∗∗∗ Hide Your RDP: Password Spray Leads to RansomHub Deployment ∗∗∗ --------------------------------------------- This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor .. --------------------------------------------- https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-… ∗∗∗ How 2 Ransomware Attacks on 2 Hospitals Led to 2 Deaths in Europe ∗∗∗ --------------------------------------------- Two deadly Ransomware Attacks on European hospitals show cybercrime now risks lives not just data with patients dying after treatment delays. --------------------------------------------- https://hackread.com/how-ransomware-attacks-hospitals-2-deaths-in-europe/ ∗∗∗ Protecting the Core: Securing Protection Relays in Modern Substations ∗∗∗ --------------------------------------------- Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its safe and efficient delivery from power plants to millions of end-users. At the core of a modern substation lies the protection relay: an intelligent electronic device (IED) that plays a critical role in .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/securing-protectio… ∗∗∗ GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them ∗∗∗ --------------------------------------------- Use these insights to automate software security (where possible) to keep your projects safe. --------------------------------------------- https://github.blog/security/github-advisory-database-by-the-numbers-known-… ∗∗∗ Ultimate Guide to API Pentesting: Hacking APIs for better Security ∗∗∗ --------------------------------------------- API Pentesting, or Application Programming Interface Penetration Testing, is the process of simulating real-world attacks against APIs to uncover vulnerabilities, misconfigurations, and flaws that could be exploited by malicious actors. Unlike traditional web applications, APIs are designed to be consumed by machines—often exposing .. --------------------------------------------- https://fortbridge.co.uk/research/ultimate-guide-to-api-pentesting-hacking-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (mod_proxy_cluster), Debian (catdoc, chromium, nagvis, and sudo), Fedora (chromium, gum, kubernetes1.32, moodle, podman, python3-docs, python3.13, salt, and tigervnc), Mageia (x11-server, x11-server-xwayland & tigervnc), Oracle (apache-commons-beanutils, exiv2, expat, firefox, git, git-lfs, gstreamer1-plugins-bad-free, ipa, java-21-openjdk, kea, kernel, libarchive, libblockdev, libsoup3, libvpx, libxslt, mod_auth_openidc, nodejs22, .. --------------------------------------------- https://lwn.net/Articles/1027769/ ∗∗∗ Marvell QConvergeConsole: Multible 0Day Vulnerabilities ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2025
by Daily end-of-shift report 27 Jun '25

27 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-06-2025 18:00 − Freitag 27-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a critical vulnerability in the Open VSX Registry ("open-vsx[.]org") that, if successfully exploited, could have enabled attackers to take control of the entire Visual Studio Code extensions marketplace, posing a severe supply chain risk. [..] Following responsible disclosure on May 4, 2025, multiple rounds of fixes were proposed by the maintainers, before a final patch was deployed on June 25. --------------------------------------------- https://thehackernews.com/2025/06/critical-open-vsx-registry-flaw-exposes.h… ∗∗∗ What if Microsoft just turned you off? Security pro counts the cost of dependency ∗∗∗ --------------------------------------------- Czech developer and pen-tester Miloslav Homer has an interesting take on reducing an organization's exposure to security risks. In an article headlined "Microsoft dependency has risks," he extends the now familiar arguments in favor of improving digital sovereignty, and reducing dependence on American cloud services. The argument is quite long but closely reasoned. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/06/26/cost_of_micr… ∗∗∗ Act now: Secure Boot certificates expire in June 2026 ∗∗∗ --------------------------------------------- Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. [..] If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. --------------------------------------------- https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-… ∗∗∗ Fake DocuSign email hides tricky phishing attempt ∗∗∗ --------------------------------------------- On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/06/fake-docusign-email-hides-tr… ∗∗∗ Die Miete ist ausständig? Vorsicht: Phishing E-Mail ∗∗∗ --------------------------------------------- Kriminelle fordern über E-Mails angeblich noch ausstehende Mietzahlungen ein. Gleichzeitig wollen sie eine Änderung des Zielkontos für zukünftige Überweisungen erwirken. Wir zeigen, wie man am besten auf eine derartige Phishing-Nachricht reagiert. --------------------------------------------- https://www.watchlist-internet.at/news/miete-ausstaendig-phishing/ ∗∗∗ SafePay ransomware: What you need to know ∗∗∗ --------------------------------------------- SafePay is a relatively new ransomware threat that was first observed around September 2024. [..] A recently published threat report released by security experts at NCC Group revealed that SafePay was currently the most active ransomware group. In the month of May 2025 alone, 70 ransomware attacks were linked to Safepay, accounting for 18% of the total. --------------------------------------------- https://www.fortra.com/blog/safepay-ransomware-what-you-need-know ∗∗∗ Attacken auf Fernwartungslücke in Servern von HPE, Lenovo und Co. ∗∗∗ --------------------------------------------- Angreifer attackieren mehrere Sicherheitslücken in freier Wildbahn, warnt die US-amerikanische IT-Sicherheitsbehörde CISA. Am gefährlichsten sind laufende Angriffe auf die Fernwartungsfirmware in AMI MegaRAC, die etwa in Servern von Asus, Asrock Rack, HPE oder Lenovo steckt. [..] Die bereits attackierte Sicherheitslücke in der Fernwartungsfirmware AMI MegaRAC wurde Mitte März bekannt. --------------------------------------------- https://heise.de/-10461788 ∗∗∗ Phishing-Welle: Betrüger geben sich als Paypal aus ∗∗∗ --------------------------------------------- Kriminelle geben sich am Telefon derzeit wieder als PayPal aus und behaupten, es stünden hohe Überweisungen bevor. --------------------------------------------- https://heise.de/-10462478 ∗∗∗ Microsoft wirft Antivirensoftware aus dem Windows-Kernel ∗∗∗ --------------------------------------------- Ein CrowdStrike-Erlebnis will Microsoft nicht noch einmal haben. Nun fliegt deswegen Antivirensoftware aus dem Windows-Kernel. [..] Im kommenden Monat will Microsoft eine Vorschau der Windows-Endpoint-Security-Plattform an einige MVI-Partner verteilen. Die ermöglicht es ihnen, ihre IT-Sicherheitslösungen so zu bauen, dass sie außerhalb des Windows-Kernels laufen. Software wie Antivirus und Endgeräteschutz befinden sich dann im User Mode, wie normale Apps auch. --------------------------------------------- https://heise.de/-10462538 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freeradius and icu), Fedora (clamav, glow, libssh, perl-Crypt-OpenSSL-RSA, perl-CryptX, podman, trafficserver, and xorg-x11-server), Mageia (gdk-pixbuf2.0 and thunderbird), Red Hat (osbuild-composer and weldr-client), SUSE (afterburn, google-osconfig-agent, libblockdev, pam, python-tornado6, screen, and yelp-xsl), and Ubuntu (libxslt and python-pip). --------------------------------------------- https://lwn.net/Articles/1027251/ ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01 ∗∗∗ TrendMakers Sight Bulb Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-02 ∗∗∗ f5: K000152189: Intel BIOS vulnerability CVE-2022-21233 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000152189 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.06.2025
by Daily end-of-shift report 26 Jun '25

26 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-06-2025 18:00 − Donnerstag 26-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Ubuntu disables Intel GPU security mitigations, promises 20% performance boost ∗∗∗ --------------------------------------------- Spectre, you may recall, came to public notice in 2018. Spectre attacks are based on the observation that performance enhancements built into modern CPUs open a side channel that can leak secrets a CPU is processing. The performance enhancement, known as speculative execution, predicts future instructions a CPU might receive and then performs the corresponding tasks before they are even called. If the instructions never come, the CPU discards the work it performed. When the prediction is correct, the CPU has already completed the task. --------------------------------------------- https://arstechnica.com/security/2025/06/ubuntu-disables-intel-gpu-security… ∗∗∗ New wave of ‘fake interviews’ use 35 npm packages to spread malware ∗∗∗ --------------------------------------------- A new wave of North Korea's 'Contagious Interview' campaign is targeting job seekers with malicious npm packages that infect dev's devices with infostealers and backdoors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-wave-of-fake-interviews-… ∗∗∗ Hackers abuse Microsoft ClickOnce and AWS services for stealthy attacks ∗∗∗ --------------------------------------------- A sophisticated malicious campaign that researchers call OneClik has been leveraging Microsoft’s ClickOnce software deployment tool and custom Golang backdoors to compromise organizations within the energy, oil, and gas sectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/oneclik-attacks-use-microsof… ∗∗∗ Hackers turn ScreenConnect into malware using Authenticode stuffing ∗∗∗ --------------------------------------------- Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-i… ∗∗∗ CISA is Shrinking: What Does it Mean for Cyber? ∗∗∗ --------------------------------------------- Today we are going to focus on the slimmed down profile of the Cybersecurity and Infrastructure Security Agency (CISA) under the new administration. We want to know what that means practically to cybersecurity teams. We want to explore the cost of having less coming out of CISA, and any opportunities the federal government shakeup might present for business. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/cisa-is-shrinking-what… ∗∗∗ Taming Agentic AI Risks Requires Securing Non-Human Identities ∗∗∗ --------------------------------------------- >From service accounts and Web application programming interfaces (APIs) to serverless applications and now artificial intelligence (AI) agents, the landscape of non-human identities is quickly becoming more complex. Companies are struggling to monitor and manage machine identities with security controls. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/taming-agentic-ai-risk… ∗∗∗ RedirectionGuard: Mitigating unsafe junction traversal in Windows ∗∗∗ --------------------------------------------- As attackers continue to evolve, Microsoft is committed to staying ahead by not only responding to vulnerabilities, but also by anticipating and mitigating entire classes of threats. One such threat, filesystem redirection attacks, has been a persistent vector for privilege escalation. In response, we’ve developed and deployed a new mitigation in Windows 11 called RedirectionGuard. This blog outlines how RedirectionGuard proactively closes off a major attack surface by preventing unsafe junction traversal, reinforcing our commitment to secure-by-design-principles and reducing the burden on developers and defenders. --------------------------------------------- https://msrc.microsoft.com/blog/2025/06/redirectionguard-mitigating-unsafe-… ∗∗∗ The Case of Hidden Spam Pages ∗∗∗ --------------------------------------------- Spammy posts and pages being placed on WordPress websites is one of the most common infections that we come across. The reason being is that the attack is very low-level in terms of sophistication: All that is required of the attacker is to brute force their way into the wp-admin panel; from there they just have their scripts/bots post spam posts and pages effectively achieving a blackhat SEO attack. Since an out-of-the-box WordPress website contains no protection on admin access other than a password (with no limit on the number of failed login attempts), and the admin users can often be discovered via enumeration, this remains a very popular type of spam infection on the platform. --------------------------------------------- https://blog.sucuri.net/2025/06/the-case-of-hidden-spam-pages.html ∗∗∗ nOAuth Vulnerability Still Affects 9% of Microsoft Entra SaaS Apps Two Years After Discovery ∗∗∗ --------------------------------------------- New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID, potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications. Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse. --------------------------------------------- https://thehackernews.com/2025/06/noauth-vulnerability-still-affects-9-of.h… ∗∗∗ Sextortion: Inflationsgebeutelte Betrüger erhöhen Forderungen ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher beobachten Preissteigerungen bei aktuellen Betrugsmaschen mit Sextortion-E-Mails. Offenbar sind auch die Betrüger inflationsgebeutelt und brauchen mehr Geld. --------------------------------------------- https://www.heise.de/news/Sextortion-Inflationsgebeutelte-Betrueger-erhoehe… ∗∗∗ Outdated Routers: The Hidden Threat to Network Security, FBI Warns ∗∗∗ --------------------------------------------- The FBI recently warned that malicious actors are targeting end-of-life (EOL) routers (network devices that manufacturers no longer support or update). These outdated routers are being hijacked by bad actors who use them as a stepping stone into networks, turning them into cybercriminal proxies. The threat is real, and it’s growing. --------------------------------------------- https://www.tripwire.com/state-of-security/outdated-routers-hidden-threat-n… ∗∗∗ How we turned a real car into a Mario Kart controller by intercepting CAN data ∗∗∗ --------------------------------------------- The PTP hack car is a second-hand 2016 Renault Clio that was bought because it was relatively cheap, was recent enough to feature an ‘eCall’ telematics module, small enough to fit in the garage attached to our lab and was local. It is used by our team to experiment and mess around with automotive testing on a real vehicle. It also uses a mixture of CAN and LIN for different components. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-we-turned-a-real-car-into… ∗∗∗ Gefälschte Anfragen zur Änderung des Gehaltskontos im Namen von Mitarbeitenden! ∗∗∗ --------------------------------------------- Wer eine unerwartete E-Mail von einem Mitarbeitenden erhält, in der um die Änderung der Bankverbindung für das Gehaltskonto gebeten wird, sollte besonders aufmerksam sein. Denn dahinter können Kriminelle stecken, die sich als echte Mitarbeitende ausgeben, um Gehaltszahlungen auf ihr eigenes Konto umzuleiten. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-anfragen-zur-aenderung-d… ∗∗∗ Common SCCM Misconfigurations Leading to Privilege Escalation ∗∗∗ --------------------------------------------- We often find that in environments which has a tiered model, where SCCM is used, there are plenty of misconfigurations which can be exploited. System Center Configuration Manager (SCCM), now known as Microsoft Configuration Manager (ConfigMgr), is a systems management platform used for deploying software, managing updates, and enforcing configuration settings across large numbers of Windows devices. --------------------------------------------- https://www.truesec.com/hub/blog/sccm-tier-killer ∗∗∗ Decrement by one to rule them all: AsIO3.sys driver exploitation ∗∗∗ --------------------------------------------- Armory Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware to configure settings or retrieve critical parameters such as CPU temperature, fan speeds and firmware updates. Therefore, it is critical to ensure that drivers are well-written with security in mind and designed such that access to the driver interfaces are limited only to certain services and administrators. --------------------------------------------- https://blog.talosintelligence.com/decrement-by-one-to-rule-them-all/ ===================== = Vulnerabilities = ===================== ∗∗∗ WinRAR patches bug letting malware launch from extracted archives ∗∗∗ --------------------------------------------- WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winrar-patches-bug-letting-m… ∗∗∗ Hunderte Modelle betroffen: Teils unpatchbare Lücken in Brother-Druckern entdeckt ∗∗∗ --------------------------------------------- Sicherheitsforscher von Rapid7 haben zahlreiche Multifunktionsdrucker auf mögliche Sicherheitslücken untersucht. Dabei fanden sie insgesamt acht Schwachstellen in 748 verschiedenen Scanner- und Druckermodellen. 689 dieser Modelle entfallen allein auf den Hersteller Brother, der im Fokus der Untersuchung stand. Aber auch von Fujifilm (46), Konica Minolta (6), Ricoh (5) und Toshiba (2) sind einige Geräte betroffen. Zumindest eine der acht Lücken kann wohl nicht ohne Weiteres über die Firmware gepatcht werden. --------------------------------------------- https://www.golem.de/news/hunderte-modelle-betroffen-teils-unpatchbare-luec… ∗∗∗ Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC ∗∗∗ --------------------------------------------- Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0. --------------------------------------------- https://thehackernews.com/2025/06/citrix-releases-emergency-patches-for.html ∗∗∗ ZDI-25-424: Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to bypass access restrictions on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability. The following CVEs are assigned: CVE-2025-6443. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-424/ ∗∗∗ Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Notepad++ Vulnerability Allows Full System Takeover — PoC Released ∗∗∗ --------------------------------------------- A critical privilege escalation vulnerability (CVE-2025-49144) in Notepad++ v8.8.1 enables attackers to achieve full system control through a supply-chain attack. The flaw exploits the installer’s insecure search path behavior, allowing unprivileged users to escalate privileges to NT AUTHORITY\SYSTEM with minimal user interaction. This marks one of the most severe vulnerabilities discovered in the popular text editor, with proof-of-concept (PoC) exploitation materials now publicly available. --------------------------------------------- https://gbhackers.com/notepad-vulnerability/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and libxml2), Fedora (firefox, libtpms, and tigervnc), Mageia (chromium-browser-stable and nss & firefox), Oracle (emacs, iputils, kernel, krb5, libarchive, mod_proxy_cluster, pam, perl-File-Find-Rule, perl-YAML-LibYAML, and qt5-qtbase), Red Hat (opentelemetry-collector, osbuild-composer, and weldr-client), SUSE (clamav, firefox, go1.24-openssl, and helm), and Ubuntu (libarchive, linux-azure, linux-azure-5.4, linux-azure-fips, linux-fips, linux-azure-nvidia, linux-oracle, linux-oracle-6.8, linux-raspi, linux-raspi-realtime, linux-xilinx-zynqmp, and python-urllib3). --------------------------------------------- https://lwn.net/Articles/1027082/ ∗∗∗ Security Advisory: Airoha-based Bluetooth Headphones and Earbuds ∗∗∗ --------------------------------------------- During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference. Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s Software Development Kit (SDK). --------------------------------------------- https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/ ∗∗∗ Drupal Security Advisories 2025-June-25 ∗∗∗ --------------------------------------------- https://www.drupal.org/security -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.06.2025
by Daily end-of-shift report 25 Jun '25

25 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-06-2025 18:00 − Mittwoch 25-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sonicwall warnt vor mit Schadcode verseuchter Fake-NetExtender-App ∗∗∗ --------------------------------------------- Derzeit ist eine von Cyberkriminellen manipulierte Ausgabe der VPN-Anwendung NetExtender in Umlauf. [..] Um zu erkennen, ob man die Fake-Version installiert hat, muss man die Eigenschaften der ausführbaren NetExtender-Datei öffnen und die "Digitale Signatur" prüfen. Steht dort "CITYLIGHT MEDIA PRIVATE LIMITED", handelt es sich um die verseuchte Version und Admins sollten sie umgehend löschen. --------------------------------------------- https://www.heise.de/news/Sonicwall-warnt-vor-mit-Schadcode-verseuchter-Fak… ∗∗∗ Microsoft: Update-Verlängerung für Windows 10 für Privatkunden konkretisiert ∗∗∗ --------------------------------------------- Microsoft hatte Support-Verlängerung für Windows-10-Privatkunden angekündigt. Jetzt gibt es Infos dazu – es geht sogar kostenlos. [..] Ob die Windows-Backup-Option wirklich als kostenlos gelten kann, hängt stark davon ab, wie viele Daten Microsoft auf den Cloud-Speicher schiebt. [..] Hier zahlen Interessierte mit ihren Daten. --------------------------------------------- https://heise.de/-10458519 ∗∗∗ Citrix Bleed Teil 2: Schwachstelle CVE-2025–5777 weitet sich aus ∗∗∗ --------------------------------------------- Zum 23. Juni 2025 gab es wohl eine Aktualisierung der Beschreibung zu CVE-2025-5777. Hieß es zum 17. Juni 2025 noch, dass man das "Netscaler Management Interface" wegen der Schwachstelle nicht dem Internet aussetzen sollte. Der Verweis auf das Netscaler Management Interface ist zum 23. Juni 2025 entfallen (lässt sich unter CVE-2025-5777 nachschlagen, wenn man am Seitenende unter "Change History" auf den Link "show changes" klickt. --------------------------------------------- https://www.borncity.com/blog/2025/06/25/citrix-bleed-teil-2-schwachstelle-… ∗∗∗ Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity ∗∗∗ --------------------------------------------- GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. --------------------------------------------- https://www.greynoise.io/blog/surge-moveit-transfer-scanning-activity ∗∗∗ Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors ∗∗∗ --------------------------------------------- Dire Wolf is a newly emerged ransomware group first observed in May 2025 and Trustwave SpiderLabs recently uncovered a Dire Wolf ransomware sample that revealed for the first time key details about how the ransomware operates. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dire-wolf-s… ∗∗∗ Cybercriminal abuse of large language models ∗∗∗ --------------------------------------------- Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs. [..] As AI technology continues to develop, Cisco Talos expects cybercriminals to continue adopting LLMs to help streamline their processes, write tools/scripts that can be used to compromise users and generate content that can more easily bypass defenses. This new technology doesn’t necessarily arm cybercriminals with completely novel cyber weapons, but it does act as a force multiplier, enhancing and improving familiar attacks. --------------------------------------------- https://blog.talosintelligence.com/cybercriminal-abuse-of-large-language-mo… ∗∗∗ What LLMs Know About Their Users ∗∗∗ --------------------------------------------- Simon Willison talks about ChatGPT’s new memory dossier feature. In his explanation, he illustrates how much the LLM—and the company—knows about its users. --------------------------------------------- https://www.schneier.com/blog/archives/2025/06/what-llms-know-about-their-u… ∗∗∗ Kleine Figuren, großer Hype: Kriminelle locken vermehrt in Labubu Fake-Shops ∗∗∗ --------------------------------------------- Ihr weltweiter Siegeszug ruft immer mehr Betrüger:innen auf den Plan. Die Rede ist von Labubu Figuren. Fake-Shops locken mit vermeintlichen Schnäppchen, dienen den Kriminellen in Wahrheit aber nur als Vehikel, um sensible Daten ihrer Opfer abzugreifen und ihnen das Geld aus der Tasche zu ziehen. --------------------------------------------- https://www.watchlist-internet.at/news/labubu-fake-shops/ ∗∗∗ Post-Quantum Cryptography Implementation Enterprise-Readiness Analysis ∗∗∗ --------------------------------------------- Explore how enterprises are adopting post-quantum cryptography (PQC) using OpenSSL 3.5, hybrid TLS, and NIST-approved algorithms like Kyber and Dilithium. Learn about PQC implementation strategies, compliance timelines, tooling, and real-world deployments by Microsoft, Meta, Red Hat, and others preparing for quantum-safe encryption. --------------------------------------------- https://www.darknet.org.uk/2025/06/post-quantum-cryptography-implementation… ∗∗∗ The Anatomy of a Business Email Compromise Attack ∗∗∗ --------------------------------------------- BEC attacks almost always start with an Email Account Compromise (EAC) – in other words, an attacker gets control of someone’s email inbox. --------------------------------------------- https://www.truesec.com/hub/blog/the-anatomy-of-a-business-email-compromise… ===================== = Vulnerabilities = ===================== ∗∗∗ Admin-Attacken auf HPE OneView für VMware vCenter möglich ∗∗∗ --------------------------------------------- Die in einer Warnmeldung aufgeführte Schwachstelle (CVE-2025-37101 "hoch") kann Angreifer mit Leserechten dazu befähigen, Befehle als Admins auszuführen. Wie ein solcher Angriff im Detail ablaufen könnte und ob Angreifer die Lücke bereits ausnutzen, ist derzeit nicht bekannt. --------------------------------------------- https://www.heise.de/news/Admin-Attacken-auf-HPE-OneView-fuer-VMware-vCente… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (commons-beanutils, dcmtk, nginx, trafficserver, and xorg-server), Fedora (atuin, awatcher, dotnet8.0, firefox, glibc, gotify-desktop, keylime-agent-rust, libtpms, mirrorlist-server, qt6-qtbase, qt6-qtimageformats, udisks2, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (apache-mod_security, clamav, docker, python-django, tomcat, udisks2, and yarnpkg), Oracle (firefox, libblockdev, mod_auth_openidc, perl-FCGI, perl-YAML-LibYAML, tigervnc, and xorg-x11-server and xorg-x11-server-Xwayland), Slackware (libssh and mozilla), SUSE (gimp, gstreamer-plugins-good, icu, ignition, kernel, pam-config, perl-File-Find-Rule, python311, and webkit2gtk3), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-azure, linux-azure, linux-azure-6.8, linux-azure-5.15, linux-azure-fips, and linux-realtime). --------------------------------------------- https://lwn.net/Articles/1026848/ ∗∗∗ TeamViewer: Incorrect Permission Assignment for Critical Resource in TeamViewer Remote Management ∗∗∗ --------------------------------------------- Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior Version 15.67 (and additional versions listed below) on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges via leveraging the MSI rollback mechanism. To exploit this vulnerability, an attacker needs local access to the Windows system. CVE-2025-36537 --------------------------------------------- https://www.teamviewer.com/de/resources/trust-center/security-bulletins/tv-… ∗∗∗ Parsons AccuWeather Widget ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06 ∗∗∗ Kaleris Navis N4 Terminal Operating System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01 ∗∗∗ Delta Electronics CNCSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-02 ∗∗∗ MICROSENS NMP Web+ ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07 ∗∗∗ ControlID iDSecure On-Premises ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05 ∗∗∗ f5: K000152048: Dnsmasq vulnerability CVE-2019-14834 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000152048 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2025
by Daily end-of-shift report 24 Jun '25

24 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Montag 23-06-2025 18:00 − Dienstag 24-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Auswirkungen des militärischen Konfliktes zwischen Israel und dem Iran auf Österreich ∗∗∗ --------------------------------------------- Vorliegende Analysen internationaler Behörden und Sicherheitsunternehmen verzeichnen seit dem Beginn der aktuellen militärischen Auseinandersetzung zwischen Israel und dem Iran verstärkte Aktivitäten von Bedrohungsakteuren aller Konfliktparteien. [..] Laut unseren bisherigen Beobachtungen gab es bisher noch keine direkten Angriffe oder Auswirkungen auf lokale Unternehmen oder Organisationen. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/6/auswirkungen ∗∗∗ FileFix attack weaponizes Windows File Explorer for stealthy commands ∗∗∗ --------------------------------------------- A cybersecurity researcher has developed FileFix, a variant of the ClickFix social engineering attack that tricks users into executing malicious commands via the File Explorer address bar in Windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-wi… ∗∗∗ Polizei-Handys seit Cyberangriff nicht nutzbar ∗∗∗ --------------------------------------------- Ein Angriff auf die Diensthandys der Polizei in Mecklenburg-Vorpommern könnte größere Folgen haben als angenommen. Derzeit sind die Handys nicht im Einsatz. --------------------------------------------- https://heise.de/-10456563 ∗∗∗ BSI warnt: Immer weniger Menschen nutzen 2FA und sichere Passwörter ∗∗∗ --------------------------------------------- Eine neue Untersuchung des BSI zeigt einen bedenklichen Trend. Menschen verhalten sich im Netz trotz hoher Bedrohungslage immer unvorsichtiger. --------------------------------------------- https://www.golem.de/news/bsi-warnt-immer-weniger-menschen-nutzen-2fa-und-s… ∗∗∗ Remote code execution in CentOS Web Panel - CVE-2025-48703 ∗∗∗ --------------------------------------------- This exploitation scenario has been tested on versions 0.9.8.1204 and 0.9.8.1188 on Centos7 and reported to CWP developers the 13th of May 2025 as CVE-2025-48703. It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server. The vulnerability has been patched on latest version 0.9.8.1205 during June 2025. --------------------------------------------- https://fenrisk.com/rce-centos-webpanel ∗∗∗ The State of Ransomware 2025 ∗∗∗ --------------------------------------------- Explore the causes and consequences of ransomware in 2025 based on findings from a vendor-agnostic survey of 3,400 organizations hit by ransomware in the last year. --------------------------------------------- https://news.sophos.com/en-us/2025/06/24/the-state-of-ransomware-2025/ ∗∗∗ Echo Chamber Jailbreak Tricks LLMs Like OpenAI and Google into Generating Harmful Content ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new jailbreaking method called Echo Chamber that could be leveraged to trick popular large language models (LLMs) into generating undesirable responses, irrespective of the safeguards put in place. --------------------------------------------- https://thehackernews.com/2025/06/echo-chamber-jailbreak-tricks-llms-like.h… ∗∗∗ Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network ∗∗∗ --------------------------------------------- Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments. --------------------------------------------- https://thehackernews.com/2025/06/hackers-exploit-misconfigured-docker.html ∗∗∗ A Deep Dive into a Modular Malware Family ∗∗∗ --------------------------------------------- In today’s blog post we highlighted an interesting malware family targeting various systems with diverse capabilities, including stealing credit card information and WordPress credentials. Additionally, we detailed a novel bundle of credit card skimmers and malicious WordPress plugins which combines malicious actions with features developed for the attacker’s convenience. --------------------------------------------- https://www.wordfence.com/blog/2025/06/a-deep-dive-into-a-modular-malware-f… ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories 2025-06-23 ∗∗∗ --------------------------------------------- Splunk released 4 security advisories (1x critical). --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dns-root-data and xorg-server), Fedora (glibc, mingw-glib2, and optipng), Red Hat (iputils, kernel, kernel-rt, krb5, libarchive, mod_auth_openidc, mod_proxy_cluster, and xorg-x11-server-Xwayland), SUSE (python313), and Ubuntu (fig2dev, gnuplot, gss-ntlmssp, linux, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-aws-5.15, linux-gcp-5.15, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-aws-fips, linux-fips, linux-gcp-fips, linux-hwe-5.15, and linux-intel-iot-realtime, linux-realtime). --------------------------------------------- https://lwn.net/Articles/1026646/ ∗∗∗ Kanboard: Sicherheitslücke ermöglicht Kontoübernahme ∗∗∗ --------------------------------------------- In dem Open-Source-Kanban Kanboard können Angreifer Links fälschen, die zur Kontoübernahme führen. [..] Die Kanboard-Entwickler stellen aktualisierte Quellen und auch Docker-Container bereit, sie verlinken sie in den Release-Notes und erörtern das Docker-Update. --------------------------------------------- https://heise.de/-10457116 ∗∗∗ Mozilla Firefox June 24, 2025 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ f5: K000151924: runc vulnerability CVE-2024-45310 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151924 ∗∗∗ Case update: DIVD-2025-00032 - Unauthenticated Arbitrary Remote Code Execution in Pterodactyl ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2025-00032/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2025
by Daily end-of-shift report 23 Jun '25

23 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-06-2025 18:00 − Montag 23-06-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WordPress Motors theme flaw mass-exploited to hijack admin accounts ∗∗∗ --------------------------------------------- Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-motors-theme-flaw-… ∗∗∗ Canada says Salt Typhoon hacked telecom firm via Cisco flaw ∗∗∗ --------------------------------------------- The Canadian Centre for Cyber Security and the FBI confirm that the Chinese state-sponsored Salt Typhoon hacking group is also targeting Canadian telecommunication firms, breaching a telecom provider in February. --------------------------------------------- https://www.bleepingcomputer.com/news/security/canada-says-salt-typhoon-hac… ∗∗∗ ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware ∗∗∗ --------------------------------------------- Since March 2025 there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them. --------------------------------------------- https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware ∗∗∗ SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play ∗∗∗ --------------------------------------------- SparkKitty, a new Trojan spy for iOS and Android, spreads through untrusted websites, the App Store, and Google Play, stealing images from users galleries. --------------------------------------------- https://securelist.com/sparkkitty-ios-android-malware/116793/ ∗∗∗ Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms ∗∗∗ --------------------------------------------- The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals. The new feature takes the form of a "Call Lawyer" feature on the affiliate panel, per Israeli cybersecurity company Cybereason. --------------------------------------------- https://thehackernews.com/2025/06/qilin-ransomware-adds-call-lawyer.html ∗∗∗ Google Adds Multi-Layered Defenses to Secure GenAI from Prompt Injection Attacks ∗∗∗ --------------------------------------------- Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems. --------------------------------------------- https://thehackernews.com/2025/06/google-adds-multi-layered-defenses-to.html ∗∗∗ XDigo Malware Exploits Windows LNK Flaw in Eastern European Government Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut (LNK) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said. --------------------------------------------- https://thehackernews.com/2025/06/xdigo-malware-exploits-windows-lnk-flaw.h… ∗∗∗ Rekord bei DDoS-Attacke mit 7,3 TBit/s ∗∗∗ --------------------------------------------- Cloudflare hat Mitte Mai den "größten jemals registrierten" Denial-of-Service-Angriff (DDoS) mit bislang kaum für möglich gehaltenen 7,3 Terabit pro Sekunde (TBit/s) blockiert. Dies teilte der US-Anbieter rund um Lösungen für IT-Sicherheit und Internetperformance am Freitag mit. --------------------------------------------- https://www.heise.de/news/Junk-Traffic-Flut-Rekord-DDoS-Angriff-auf-Provide… ∗∗∗ Gefälschte Mahn-SMS im Namen des Finanzministeriums! ∗∗∗ --------------------------------------------- Derzeit gibt es eine Phishing-Welle mit angeblichen SMS des Bundesministeriums für Finanzen (BMF). Darin wird behauptet, dass eine Pfändung bevorsteht, weil angeblich mehrere Mahnungen ignoriert wurden. Achtung: Zahlen Sie diese Forderung nicht! Die Nachricht stammt nicht vom Finanzministerium und Ihr Geld landet bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-mahn-sms-im-namen-des-fi… ∗∗∗ New Detection Method Uses Hackers’ Own Jitter Patterns Against Them ∗∗∗ --------------------------------------------- A new detection method from Varonis Threat Labs turns hackers sneaky random patterns into a way to catch hidden cyberattacks. Learn about Jitter-Trap and how it boosts cybersecurity defenses. --------------------------------------------- https://hackread.com/cyber-detection-hackers-jitter-patterns-against-them/ ∗∗∗ Report Warns of Sophisticated DDoS Campaigns Crippling Global Banks ∗∗∗ --------------------------------------------- A new FS-ISAC and Akamai report warns that sophisticated DDoS attacks are severely impacting the global financial sector, leading to multi-day outages. Learn about these evolving threats and how institutions can strengthen defences. --------------------------------------------- https://hackread.com/sophisticated-ddos-campaigns-crippling-global-banks/ ∗∗∗ Mehr Sicherheit, weniger Handarbeit: AWS bringt die KI-Security ∗∗∗ --------------------------------------------- Security Hub, Shield und GuardDuty XTD erhalten neue Funktionen: Mit einer speziell trainierten KI will AWS wichtige Sicherheitsmaßnahmen beschleunigen. --------------------------------------------- https://heise.de/-10455859 ∗∗∗ Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs ∗∗∗ --------------------------------------------- Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems. --------------------------------------------- https://thecyberexpress.com/ukrainian-government-systems-targeted/ ===================== = Vulnerabilities = ===================== ∗∗∗ Öffnen reicht: Winrar-Lücke lässt Angreifer Schadcode ausführen ∗∗∗ --------------------------------------------- Der Entwickler von Winrar hat in seinem weit verbreiteten Packprogramm eine gefährliche Sicherheitslücke geschlossen, die es Angreifern ermöglicht, auf fremden Systemen eigenen Code zur Ausführung zu bringen. Der Patch scheint bisher nur in der am 10. Juni veröffentlichten Beta-Version Winrar 7.12 Beta 1 enthalten zu sein. --------------------------------------------- https://www.golem.de/news/packprogramm-winrar-schwachstelle-ermoeglicht-aus… ∗∗∗ IBM QRadar SIEM: Autoupdate-Dateien mit Schadcode verseuchbar ∗∗∗ --------------------------------------------- Angreifer können an mehreren Sicherheitslücken in IBM QRadar SIEM ansetzen und im schlimmsten Fall Schadcode ausführen. Ein Sicherheitspatch schließt mehrere Lücken. --------------------------------------------- https://www.heise.de/news/IBM-QRadar-SIEM-Autoupdate-Dateien-mit-Schadcode-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libblockdev and open-vm-tools), Debian (debian-security-support, gdk-pixbuf, konsole, and node-send), Fedora (apache-commons-beanutils, chromium, clamav, dotnet9.0, libblockdev, mediawiki, mingw-python-setuptools, pam, perl-File-Find-Rule, python-pycares, python-setuptools, spdlog, udisks2, and xorg-x11-server-Xwayland), Mageia (chromium-browser-stable), Oracle (apache-commons-beanutils, container-tools:ol8, gimp:2.8, idm:DL1, perl-FCGI:0.78, and postgresql), Red Hat (container-tools:rhel8, delve, git-lfs, go-toolset:rhel8, grafana, kernel, mod_auth_openidc, and spice-client-win), SUSE (apache-commons-beanutils, apache2-mod_security2, distribution, gstreamer-plugins-good, icu, ignition, perl, python310, python311, python312, and python39), and Ubuntu (apache-log4j1.2 and botan). --------------------------------------------- https://lwn.net/Articles/1026498/ ∗∗∗ Fortinet: Buffer overflow in fgfmd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-036 ∗∗∗ F5: K000151740, Ruby vulnerability CVE-2024-47220 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151740 ∗∗∗ Fortinet: Teleport Remote Authentication Bypass ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6132 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2025
by Daily end-of-shift report 20 Jun '25

20 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-06-2025 18:00 − Freitag 20-06-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Telecom giant Viasat breached by Chinas Salt Typhoon hackers ∗∗∗ --------------------------------------------- Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber-espionage group, which has previously hacked into the networks of multiple other telecom providers in the United States and worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telecom-giant-viasat-breache… ∗∗∗ Grok und Mixtral ohne Grenzen: Neue KI-Tools erzeugen Phishing-Mails und Malware ∗∗∗ --------------------------------------------- WormGPT war eines der ersten großen Sprachmodelle, das speziell für cyberkriminelle Aktivitäten vorgesehen war und äußerst überzeugende Phishing-Mails generieren konnte. Während das Original schon nach wenigen Wochen wieder verschwand, sind neue LLMs unter gleichem Namen an dessen Stelle getreten. --------------------------------------------- https://www.golem.de/news/wormgpt-ist-zurueck-neue-ki-modelle-unterstuetzen… ∗∗∗ Cyberangriffe: Nordkoreanische Hacker faken Vorgesetzte in Videokonferenzen ∗∗∗ --------------------------------------------- Die nordkoreanische Hackergruppe Bluenoroff verwendet Bleeping Computer zufolge seit einiger Zeit eine perfide Methode, um Malware in Unternehmen einzuschleusen. Das Ziel ist offenbar, Kryptogeld abzuzweigen – dafür ist die Bluenoroff-Gruppierung, die eine Untergruppe von Lazarus sein soll, bekannt. --------------------------------------------- https://www.golem.de/news/cyberangriffe-nordkoreanische-hacker-faken-vorges… ∗∗∗ Cybersicherheit: Iran soll israelische Sicherheitskameras gehackt haben ∗∗∗ --------------------------------------------- Iranische Hacker sollen auf private Überwachungskameras in Israel zugegriffen haben, um Informationen zu sammeln. Wie Bloomberg mit Verweis auf einen Beitrag im israelischen Rundfunk berichtet, hat ein ehemaliger israelischer Cybersicherheitsbeamter die Bevölkerung dazu aufgefordert, private Überwachungskameras abzuschalten oder deren Passwörter zu ändern. --------------------------------------------- https://www.golem.de/news/cybersicherheit-iran-soll-israelische-sicherheits… ∗∗∗ Analysis of a Malicious WordPress Plugin: The Covert Redirector ∗∗∗ --------------------------------------------- A few weeks ago, we received a support request from a website owner who was experiencing unexpected redirects. Visitors landed on the website normally, but after about 4–5 seconds, the site redirected them to unrelated and suspicious websites. During the investigation, we discovered a malicious plugin that was responsible for this behavior, continuing the trend of attackers using fake WordPress plugins. --------------------------------------------- https://blog.sucuri.net/2025/06/analysis-of-a-malicious-wordpress-plugin-th… ∗∗∗ New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains ∗∗∗ --------------------------------------------- A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails. The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix. --------------------------------------------- https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html ∗∗∗ Proxy: Umgehung von Beschränkungen in Apache Traffic Server möglich ∗∗∗ --------------------------------------------- In Apache Traffic Server (ATS), einem quelloffenen Proxy-Server, wurden zwei Sicherheitslücken entdeckt. Angreifer können sie missbrauchen, um damit Zugriffsbeschränkungen zu umgehen oder Denial-of-Service-Attacken auszuführen. Aktualisierte Quellen stehen bereit, um die Schwachstellen auszubessern. --------------------------------------------- https://www.heise.de/news/Proxy-Umgehung-von-Beschraenkungen-in-Apache-Traf… ∗∗∗ Resurgence of the Prometei Botnet ∗∗∗ --------------------------------------------- In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant. --------------------------------------------- https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/ ∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗ --------------------------------------------- ince November 2024, AhnLab has been working with the NCSC to analyze the malicious IRC server and related malware to classify the unidentified threat actor as Larva-24013 and trace their activities, and has confirmed their association with the Shadow Force group. AhnLab manages malicious activities in four stages through the “Threat Actor Naming and Taxonomy,” classifying threat actors as “Larva” (unidentified threat actors) and “Arthropod” (identified threat actors). Following AhnLab’s threat actor taxonomy and naming convention, the threat actor has been identified and named TA-ShadowCricket. --------------------------------------------- https://asec.ahnlab.com/en/88137/ ∗∗∗ Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages ∗∗∗ --------------------------------------------- Cybercriminals are finding clever new ways to trick people, even on the official websites of major companies. Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands. --------------------------------------------- https://hackread.com/scammers-fake-support-numbers-real-apple-netflix-paypa… ∗∗∗ Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories ∗∗∗ --------------------------------------------- ReversingLabs researchers recently uncovered a new and worrying attack method led by a group called Banana Squad. This group, first identified by Checkmarx researchers in October 2023, is known for their sneaky methods, with their name coming from an early harmful internet address, bananasquadru. --------------------------------------------- https://hackread.com/banana-squad-data-stealing-malware-github-repositories/ ∗∗∗ New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack ∗∗∗ --------------------------------------------- A new and concerning cyber threat, dubbed Mocha Manakin, has been identified by cybersecurity research firm Red Canary. First tracked in January 2025, this threat uniquely combines social engineering tricking people with specially built malicious software. --------------------------------------------- https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack/ ∗∗∗ What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia ∗∗∗ --------------------------------------------- In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high risk users. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-… ∗∗∗ Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords ∗∗∗ --------------------------------------------- In recent years, users’ familiarity with common phishing tactics, increasingly advanced detection and blocking by platforms, and the rise in use of Multi-Factor Authentication (MFA), have all contributed to changes in the ways that attackers phish accounts. The introduction of more secure forms of MFA, such as hardware security keys, has also closed off certain avenues of social engineering. . --------------------------------------------- https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-… ∗∗∗ Betrüger nutzen Briefpost zur Abzocke der Ledger-Wallet ∗∗∗ --------------------------------------------- Wer mit Krypto-Währungen und Assets hantiert, hat sicherlich zumindest mit Hardware-Wallets wie der von Ledger geliebäugelt. Einem Leser trudelte nun ein unzureichend frankierter Brief in die Hände. Damit versuchen Kriminelle, die Ledger-Krypto-Wallet zu übernehmen und leerzuräumen. --------------------------------------------- https://heise.de/-10453136 ∗∗∗ Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion ∗∗∗ --------------------------------------------- On June 11, 2025, Huntress received contact from a partner saying that an end user had downloaded, potentially, a malicious Zoom extension. The depth of the intrusion became immediately apparent upon installing the Huntress EDR agent, and after some analysis, it was discovered that the lure used to gain access was received by the victim several weeks prior. This post aims to provide a detailed analysis from beginning to end of the intrusion, including a full breakdown of several new pieces of malware used by the threat actors. --------------------------------------------- https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis ∗∗∗ Israel-Iran Conflict Sparks Wider Cyber Conflict, New Malware ∗∗∗ --------------------------------------------- The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a wider cyber conflict in the region, including the launch of new malware campaigns. --------------------------------------------- https://thecyberexpress.com/israel-iran-conflict-hacktivism/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gvisor-tap-vsock), Debian (activemq and chromium), Fedora (kea, python-django4.2, python-django5, python-setuptools, and rust-git-interactive-rebase-tool), Oracle (ipa and kernel), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, gvisor-tap-vsock, podman, and skopeo), Slackware (libblockdev and xorg), SUSE (gdm, gstreamer-plugins-base, ignition, kernel, pam, redis, s390-tools, screen, systemd, and xorg-x11-server), and Ubuntu (godot, golang-1.22, libblockdev, node-express, pam, samba, and udisks2). --------------------------------------------- https://lwn.net/Articles/1026007/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by SUSE (apache2-mod_security2, augeas, ghc-pandoc, gstreamer, ignition, kernel, libblockdev, libxml2, nodejs20, openssl-3, pam_pkcs11, perl, python3, systemd, ucode-intel, webkit2gtk3, and xen) and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-gcp-fips, python3.13, python3.12, and roundcube). --------------------------------------------- https://lwn.net/Articles/1026281/ ∗∗∗ Kritische Schwachstellen CVE-2025-6018 und CVE-2025-6019 in Linux-Systemen ∗∗∗ --------------------------------------------- Sicherheitsforscher von Qualys TRU haben zwei verknüpfte, kritische Schwachstellen in Linux aufgedeckt. Ausgehend von SUSE 15 führt die LPE-Kette bei Standardkonfigurationen vieler Linux-Distributionen direkt zum Root-Zugriff. --------------------------------------------- https://www.borncity.com/blog/2025/06/19/kritische-schwachstellen-in-linux-… ∗∗∗ Cisco Meraki MX und Z: Angreifer können VPN-Verbindungen unterbrechen ∗∗∗ --------------------------------------------- Der Cisco AnyConnect VPN Server von Cisco Meraki MX und Z ist verwundbar. Außerdem können Angreifer an einer Schwachstelle in ClamAV ansetzen. Sicherheitspatches stehen zum Download bereit. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://heise.de/-10452498 ∗∗∗ ZDI-25-408: PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-408/ ∗∗∗ ZDI-25-410: Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-410/ ∗∗∗ ZDI-25-409: RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-409/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 9, 2025 to June 15, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/06/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.06.2025
by Daily end-of-shift report 18 Jun '25

18 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-06-2025 18:00 − Mittwoch 18-06-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Cybersecurity takes a big hit in new Trump executive order ∗∗∗ --------------------------------------------- Cybersecurity practitioners are voicing concerns over a recent executive order issued by the White House that guts requirements for: securing software the government uses, punishing people who compromise sensitive networks, preparing new encryption schemes that will withstand attacks from quantum computers, and other existing controls. --------------------------------------------- https://arstechnica.com/security/2025/06/cybersecurity-take-a-big-hit-in-ne… ∗∗∗ Instagram BMO ads use AI deepfakes to scam banking customers ∗∗∗ --------------------------------------------- Instagram ads impersonating financial institutions like Bank of Montreal (BMO) and EQ Bank (Equitable Bank) are being used to target Canadian consumers with phishing scams and investment fraud. Some ads use AI-powered deepfake videos in an attempt to collect your personal information, while others use official branding to drive traffic outside of the platform to lookalike illicit domains that are not affiliated with banks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/instagram-bmo-ads-use-ai-dee… ∗∗∗ Schutz vor Cyberangriffen: Der Iran nimmt sich selbst vom Netz ∗∗∗ --------------------------------------------- Der Iran schränkt seine Verbindung zum weltweiten Internet offenbar gezielt ein, um sich infolge des seit dem 13. Juni andauernden israelisch-iranischen Krieges vor möglichen Cyberattacken aus Israel zu schützen. Zunächst wurde lediglich die Geschwindigkeit gedrosselt. Einem X-Beitrag von Netblocks zufolge ist der Datenverkehr des Iran innerhalb kürzester Zeit um 75 Prozent zurückgegangen. --------------------------------------------- https://www.golem.de/news/schutz-vor-cyberangriffen-der-iran-nimmt-sich-sel… ∗∗∗ LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a now-patched security flaw in LangChain's LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts. --------------------------------------------- https://thehackernews.com/2025/06/langchain-langsmith-bug-let-hackers.html ∗∗∗ Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor ∗∗∗ --------------------------------------------- A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor codenamed Trinper. The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3). --------------------------------------------- https://thehackernews.com/2025/06/google-chrome-zero-day-cve-2025-2783.html ∗∗∗ Exploring Netstalking – Mapping the Hidden Corners of the Internet ∗∗∗ --------------------------------------------- Netstalking is the art of exploring little-known, rarely visited parts of the internet—ranging from forgotten photo archives and open surveillance cameras to defunct servers and prototype systems—using techniques like IP scanning, deep web search, and network archaeology. The activity originated in 2009 among Russian internet subcultures and draws its name from the “S.T.A.L.K.E.R.” mythos. --------------------------------------------- https://www.darknet.org.uk/2025/06/exploring-netstalking-mapping-the-hidden… ∗∗∗ Minecraft Players Targeted in Sophisticated Malware Campaign ∗∗∗ --------------------------------------------- This campaign reminds us that even the most familiar digital spaces can become a playground for cyber criminals. By disguising malware as Minecraft mods, attackers were able to quietly target an engaged and unsuspecting user base with a multistage, Java-based infection chain. Because these files often appear harmless and can slip past traditional defenses, any Minecraft player is at risk. --------------------------------------------- https://blog.checkpoint.com/research/minecraft-players-targeted-in-sophisti… ∗∗∗ Scattered Spider hackers targeting insurance industry following retail hits, Google warns ∗∗∗ --------------------------------------------- A group of hackers behind a recent string of attacks on retail stores in the U.K. and U.S. has shifted its focus to insurance firms in recent days, according to cybersecurity researchers. --------------------------------------------- https://therecord.media/scattered-spider-targeting-insurance-sector-followi… ∗∗∗ When legitimate tools go rogue ∗∗∗ --------------------------------------------- Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders. --------------------------------------------- https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/ ∗∗∗ CVE Trends to Watch: Real-World Risks to Telecom and Professional Services ∗∗∗ --------------------------------------------- Between 2023-2025, there was a 38% increase in CVEs. Learn which industry sectors have seen the highest levels of CVEs, & which CVEs had the highest impact. --------------------------------------------- https://www.bitsight.com/blog/cve-trends-by-sector ∗∗∗ Achtstellige Passwörter unzureichend: Datenschutzstrafe für Genfirma 23andme ∗∗∗ --------------------------------------------- 2023 wurden fast 7 Millionen Datensätze von Kunden 23andmes im Darknet feilgeboten. Großbritannien verhängt eine Millionenstrafe. --------------------------------------------- https://heise.de/-10450679 ∗∗∗ AMD stopft Sicherheitslecks in Krypto-Coprozessor und TPM ∗∗∗ --------------------------------------------- AMD hat im Juni aktualisierte Firmware veröffentlicht, die teils hochriskante Sicherheitslücken in den Prozessoren schließt. Betroffen sind etwa die Krypto-Coprozessoren sowie das Firmware-TPM moderner Ryzen- und zum Teil auch der abgespeckten Athlon-CPUs. --------------------------------------------- https://heise.de/-10451026 ∗∗∗ Malvertising: Bösartige Werbung schiebt Anbieterseiten falsche Nummern unter ∗∗∗ --------------------------------------------- Betrüger schieben mit Werbelinks in Suchergebnissen echten Anbieterseiten falsche Telefonnummern unter, warnen IT-Sicherheitsforscher. --------------------------------------------- https://heise.de/-10451518 ∗∗∗ 2025 Blockchain and Cryptocurrency Threat Report: Malware in the Open Source Supply Chain ∗∗∗ --------------------------------------------- An in-depth analysis of credential stealers, crypto drainers, cryptojackers, and clipboard hijackers abusing open source package registries to compromise Web3 development environments. --------------------------------------------- https://socket.dev/blog/2025-blockchain-and-cryptocurrency-threat-report?ut… ∗∗∗ libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden ∗∗∗ --------------------------------------------- Libxml2’s solo maintainer drops embargoed security fixes, highlighting the burden on unpaid volunteers who keep critical open source software secure. --------------------------------------------- https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-rep… ===================== = Vulnerabilities = ===================== ∗∗∗ BeyondTrust warns of pre-auth RCE in Remote Support software ∗∗∗ --------------------------------------------- BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let unauthenticated attackers gain remote code execution on vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-pre-aut… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-bad1.0, konsole, and libblockdev), Oracle (buildah, containernetworking-plugins, gimp, git-lfs, gvisor-tap-vsock, kernel, libvpx, podman, and skopeo), Red Hat (apache-commons-beanutils and thunderbird), Slackware (xorg), SUSE (gdm, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, kernel, Multi-Linux Manager, Multi-Linux Manager Client Tools, openssl-3, pam, python-cryptography, python-requests, python-setuptools, python3-requests, SUSE Manager Server, systemd, ucode-intel, xorg-x11-server, and xwayland), and Ubuntu (dwarfutils, mujs, node-katex, xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/1025862/ ∗∗∗ Citrix Netscaler ADC: Kritische Sicherheitslücken dringend fixen ∗∗∗ --------------------------------------------- Von den Schwachstellen sind die NetScaler ADC- und Gateway-Versionen 14.1 vor 14.1-43.56, 13.1 vor 13.1-58.32 sowie diverse FIPS-Varianten betroffen. Wichtig: Ältere Versionen (12.1 und 13.0) sind End-of-Life (EOL) und erhalten keine Sicherheitsupdates mehr. Von Citrix ist die empfohlene Maßnahme ein umgehendes Update auf die gepatchten Versionen (z.B. 14.1-43.56, 13.1-58.32). Nach dem Update sollten alle aktiven ICA- und PCoIP-Sitzungen auf allen NetScaler-Appliances beendet werden, um eine vollständige Absicherung zu gewährleisten. --------------------------------------------- https://www.borncity.com/blog/2025/06/18/citrix-netscaler-adc-kritische-sic… ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released five Industrial Control Systems (ICS) advisories on June 17, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/06/17/cisa-releases-five-indus… ∗∗∗ CISA Flags CVE-2023-0386 as Actively Exploited Linux Kernel Privilege Escalation Threat ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the active exploitation of a critical Linux kernel vulnerability, officially listed as CVE-2023-0386. The vulnerability, which carries a CVSS score of 7.8, is categorized as a Linux Kernel Privilege Escalation flaw. It stems from improper ownership management within the Linux kernel’s OverlayFS subsystem. If exploited successfully, attackers can escalate privileges on affected systems, gain unauthorized access, and potentially execute arbitrary code with elevated rights. --------------------------------------------- https://thecyberexpress.com/cisa-warns-cve-2023-0386-linux-vulnerability/ ∗∗∗ Windows 11: Out-of-Band-Update KB5063060 mit Error 0x800f0818 / 0x80070306 ∗∗∗ --------------------------------------------- Noch ein kurzer Nachtrag zu den im Juni 2025 veröffentlichten Sicherheitsupdates für Windows 10 und Windows 11. Diese verursachen bei manchen Anwendern diverse Probleme. So wirft das zum 11. Juni 2025 nachgeschobene Out-of-Band-Update KB5063060 bei manchen Nutzern den Installationsfehler 0x800f0818 oder 0x80070306. --------------------------------------------- https://www.borncity.com/blog/2025/06/18/windows-11-out-of-band-update-kb50… ∗∗∗ Chrome for Android Update ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/06/chrome-for-android-update_17.h… ∗∗∗ LS Electric GMWin 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-02 ∗∗∗ Dover Fueling Solutions ProGauge MagLink LX Consoles ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-05 ∗∗∗ Fuji Electric Smart Editor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2025
by Daily end-of-shift report 17 Jun '25

17 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Montag 16-06-2025 18:00 − Dienstag 17-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Apple: Sicherheitslücke in diversen Betriebssystemen wird angegriffen ∗∗∗ --------------------------------------------- Die neu attackierte Schwachstelle betrifft nach Apples Angaben Messages. "Ein Logikfehler kann bei der Verarbeitung von bösartig präparierten Fotos oder Videos auftreten, die mittels eines iCloud-Links geteilt wurden", schreiben die Entwickler dazu (CVE-2025-43200 / EUVD-2025-18428, CVSS steht noch aus, Risikoeinstufung fehlt derzeit). Sie erklären weiter: "Apple weiß von einem Bericht, demzufolge dieses Problem in einem extrem ausgeklügelten Angriff gegen bestimmte Zielpersonen ausgenutzt worden sein könnte." Der Schwachstelleneintrag stammt vom Montag dieser Woche. Sicherheitsmitteilungen zu den diversen Betriebssystemen und -versionen hat Apple hingegen bereits am Donnerstag vergangener Woche aktualisiert oder neu veröffentlicht. --------------------------------------------- https://heise.de/-10449241 ∗∗∗ Cross-Site Scripting (XSS) Schwachstelle CVE-2025-4123 in Grafana ∗∗∗ --------------------------------------------- In der Open-Source-Software Grafana wurde die Tage eine Cross-Site Scripting (XSS) Schwachstelle CVE-2025-4123 öffentlich. Es ist ein kritischer offener Redirect-Fehler in Grafana, der zur Übernahme von Konten führen könnte. [..] Sonic Wall hat dies bereits zum 5. Juni 2025 im Beitrag High-Severity Open Redirect Vulnerability in Grafana Leads to Account Takeover: CVE-2025-4123 öffentlich gemacht. Die Schwachstelle CVE-2025-4123 ist laut dem Grafana Sicherheitshinweis Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin vom 21. Mai 2025 in den Versionen v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01 und v12.0.0+security-01 behoben. --------------------------------------------- https://www.borncity.com/blog/2025/06/17/cross-site-scripting-xss-schwachst… ∗∗∗ Water Curse Targets Infosec Pros via Poisoned GitHub Repositories ∗∗∗ --------------------------------------------- The emerging threat group attacks the supply chain via weaponized repositories posing as legitimate pen-testing suites and other tools that are poisoned with malware. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/water-curse-targets-… ∗∗∗ How Long Until the Phishing Starts? About Two Weeks, (Tue, Jun 17th) ∗∗∗ --------------------------------------------- I recently added an account to my Google Workspace domain (montance[dot]com). Friday, May 16th, 10:10 am, to be exact. Something interesting to note about the domain configuration is there’s a catchall account in place, so all email addresses are valid. Starting May 28th the new account started receiving targeted phishing email messages. [..] Nothing especially surprising, but a reminder that they’re watching for opportunities. Someone new at the company and eager to appear responsive seems like a good phishing target! --------------------------------------------- https://isc.sans.edu/diary/rss/32052 ∗∗∗ TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request. --------------------------------------------- https://thehackernews.com/2025/06/tp-link-router-flaw-cve-2023-33538.html ∗∗∗ New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have called attention to a new campaign thats actively exploiting a recently disclosed critical security flaw in Langflow to deliver the Flodrix botnet malware. --------------------------------------------- https://thehackernews.com/2025/06/new-flodrix-botnet-variant-exploits.html ∗∗∗ Eine Kühlbox voll Stiegl Bier? Vorsicht vor Fake-Gewinnspiel! ∗∗∗ --------------------------------------------- Aktuell schwappt eine Phishing-Welle durch österreichische WhatsApp-Konten. Angeblich verlost die Stiegl Brauerei eine Kühlbox voll Bier. Dahinter versteckt sich aber nichts anderes als eine altbekannte Kombination aus Abo-Falle und Phishing-Attacke – mit einer raffinierten Neuerung. --------------------------------------------- https://www.watchlist-internet.at/news/stiegl-bier-fake-phishing/ ∗∗∗ Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation ∗∗∗ --------------------------------------------- We analyze two new KimJongRAT stealer variants, combining new research with existing knowledge. One uses a Portable Executable (PE) file and the other PowerShell. --------------------------------------------- https://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/ ===================== = Vulnerabilities = ===================== ∗∗∗ Hard-Coded b Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution. Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports. [..] This also means that the exploit chain only works if users have installed Sitecore using installers for versions ≥ 10.1. Users are likely not impacted if they were previously running a version prior to 10.1 and then upgraded to a newer vulnerable version, assuming the old database is being migrated, and not the database embedded within the installation package. WT-2025-0024 (CVE-2025-XXXXX), WT-2025-0032 (CVE-2025-XXXXX), WT-2025-0025 (CVE-2025-XXXXX) --------------------------------------------- https://thehackernews.com/2025/06/hard-coded-b-password-in-sitecore-xp.html ∗∗∗ Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2 ∗∗∗ --------------------------------------------- CVE-2025-23121: A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. Severity: Critical --------------------------------------------- https://www.veeam.com/kb4743 ∗∗∗ ASUS Armoury Crate bug lets attackers get Windows admin privileges ∗∗∗ --------------------------------------------- Armoury Crate is the official system control software for Windows from ASUS, providing a centralized interface to control RGB lighting (Aura Sync), adjust fan curves, manage performance profiles and ASUS peripherals, as well as download drivers and firmware updates. [..] Cisco Talos validated that CVE-2025-3464 impacts Armoury Crate version 5.9.13.0, but ASUS' bulletin notes that the flaw impacts all versions between 5.9.9.0 and 6.1.18.0. [..] A high-severity vulnerability in ASUS Armoury Crate software could allow threat actors to escalate their privileges to SYSTEM level on Windows machines. The security issue is tracked as CVE-2025-3464 and received a severity score of 8.8 out of 10. --------------------------------------------- https://www.bleepingcomputer.com/news/security/asus-armoury-crate-bug-lets-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, buildah, containernetworking-plugins, firefox, gstreamer1-plugins-bad-free, libsoup3, podman, skopeo, sqlite, thunderbird, unbound, valkey, varnish, and xz), Debian (webkit2gtk), Fedora (fido-device-onboard, python-django4.2, rust-git-interactive-rebase-tool, and thunderbird), Red Hat (libsoup), Slackware (libxml2), SUSE (java-11-openjdk, kernel, and wireshark), and Ubuntu (c3p0, dojo, python-django, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, and requests). --------------------------------------------- https://lwn.net/Articles/1025734/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.06.2025
by Daily end-of-shift report 16 Jun '25

16 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-06-2025 18:00 − Montag 16-06-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Washington Posts email system hacked, journalists accounts compromised ∗∗∗ --------------------------------------------- Email accounts of several Washington Post journalists were compromised in a cyberattack believed to have been carried out by a foreign government. --------------------------------------------- https://www.bleepingcomputer.com/news/security/washington-posts-email-syste… ∗∗∗ Kali Linux 2025.2 released with 13 new tools, car hacking updates ∗∗∗ --------------------------------------------- Kali Linux 2025.2, the second release of the year, is now available for download with 13 new tools and an expanded car hacking toolkit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kali-linux-20252-released-wi… ∗∗∗ BKA schaltet Darknet-Marktplatz "Archetyp Market" ab ∗∗∗ --------------------------------------------- Das BKA hat den mutmaßlichen Betreiber des Online-Drogenmarktplatzes "Archetyp Market" am Mittwoch vergangener Woche in Barcelona festgenommen. --------------------------------------------- https://www.heise.de/news/BKA-schaltet-Darknet-Marktplatz-Archetyp-Market-a… ∗∗∗ Die Hersteller von Staatstrojanern sind Gegner – keine Verbündeten ∗∗∗ --------------------------------------------- Die Leiterin von Googles Threat-Intelligence-Abteilung macht klar, warum sie solche Firmen als Gegner betrachtet. Zudem erläutert sie im Gespräch die wachsende Relevanz von KI für Angreifer und die Gefahr aus Nordkorea. --------------------------------------------- https://www.derstandard.at/story/3000000273949/die-hersteller-von-staatstro… ∗∗∗ Hackers Leak Data of 10,000 VirtualMacOSX Customers in Alleged Breach ∗∗∗ --------------------------------------------- Hackers leak data of 10,000 VirtualMacOSX customers in alleged breach, exposing names, emails, passwords, and financial details on a hacking forum. --------------------------------------------- https://hackread.com/hackers-leak-virtualmacosx-customers-data-breach/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM AIX/VIOS und DataPower Gateway für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- Wenn Angreifer erfolgreich an Sicherheitslücken in IBM AIX/VIOS und DataPower Gateway ansetzen, kann Schadcode auf Systeme gelangen und diese kompromittieren. Updates schließen die Schwachstellen. --------------------------------------------- https://www.heise.de/news/IBM-AIX-VIOS-und-DataPower-Gateway-fuer-Schadcode… ∗∗∗ Angreifer können Server über Schwachstelle in Dell iDRAC Tools attackieren ∗∗∗ --------------------------------------------- Angreifer können an einer Sicherheitslücke in Dell iDRAC Tools ansetzen, um Server zu attackieren. Mittlerweile haben die Entwickler die Schwachstelle geschlossen. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecke-in-Dell-iDRAC-Tools-gefaehrdet-… ∗∗∗ Dell ControlVault: Angreifer können Systeme vollständig kompromittieren ∗∗∗ --------------------------------------------- In Dells ControlVault klaffen Sicherheitslücken in den Treibern und der Firmware, die Angreifern das Einschleusen und Ausführen von Schadcode und damit die Übernahme von Systemen ermöglichen. Dell bietet aktualisierte Software an, um die Sicherheitslecks zu schließen. --------------------------------------------- https://www.heise.de/news/Dell-ControlVault-Angreifer-koennen-Systeme-volls… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0 and .NET 9.0), Arch Linux (curl, ghostscript, go, konsole, python-django, roundcubemail, and samba), Fedora (aerc, chromium, golang-x-perf, libkrun, python3.11, python3.12, rust-kbs-types, rust-sev, rust-sevctl, valkey, and wireshark), Gentoo (Konsole and sysstat), Oracle (.NET 9.0), Red Hat (bootc, grub2, keylime-agent-rust, python3.12-cryptography, rpm-ostree, rust-bootupd, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (apache2-mod_auth_openidc, docker, grub2, java-1_8_0-openj9, kernel, less, python-Django, screen, and sqlite3), and Ubuntu (cifs-utils and modsecurity-apache). --------------------------------------------- https://lwn.net/Articles/1025618/ ∗∗∗ Tenable: Nessus Agent Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-11 ∗∗∗ Chromium: CVE-2025-5959 Type Confusion in V8 ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-5959 ∗∗∗ Chromium: CVE-2025-5958 Use after free in Media ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-5958 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2025
by Daily end-of-shift report 13 Jun '25

13 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-06-2025 18:00 − Freitag 13-06-2025 18:00 Handler: Guenes Holler Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Trend Micro fixes critical vulnerabilities in multiple products ∗∗∗ --------------------------------------------- Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trend-micro-fixes-six-critic… ∗∗∗ Nach über 100 Jahren: Cyberangriff drängt deutsche Firma in die Insolvenz ∗∗∗ --------------------------------------------- Der in Euskirchen ansässige Serviettenhersteller Fasana hat nach einem Cyberangriff Zahlungsprobleme. Hacker haben den Betrieb vollständig lahmgelegt. --------------------------------------------- https://www.golem.de/news/nach-ueber-100-jahren-cyberangriff-draengt-deutsc… ∗∗∗ [Guest Diary] Anatomy of a Linux SSH Honeypot Attack: Detailed Analysis of Captured Malware, (Fri, Jun 13th) ∗∗∗ --------------------------------------------- This is a Guest Diary by Michal Ambrozkiewicz, an ISC intern as part of the SANS.edu Bachelor .. --------------------------------------------- https://isc.sans.edu/diary/Guest+Diary+Anatomy+of+a+Linux+SSH+Honeypot+Atta… ∗∗∗ WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network ∗∗∗ --------------------------------------------- The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own .. --------------------------------------------- https://thehackernews.com/2025/06/wordpress-sites-turned-weapon-how.html ∗∗∗ "Anmeldung mit nicht erkanntem Gerät": Phishing-Attacke im Namen von PayPal ∗∗∗ --------------------------------------------- Ein angeblicher Login in ein bestehendes PayPal-Profil ruft die ebenso angebliche Sicherheitsabteilung des Unternehmens auf den Plan. Hinter den alarmierenden E-Mails und SMS-Nachrichten steckt aber nichts weiter als eine klassische Phishing-Masche. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-attacke-paypal/ ∗∗∗ Bert ransomware: what you need to know ∗∗∗ --------------------------------------------- Bert is a recently-discovered strain of ransomware that encrypts victims files and demands a payment for the decryption key. Read more in my article on the Fortra blog. --------------------------------------------- https://www.fortra.com/blog/bert-ransomware-what-you-need-know ∗∗∗ Serverless Tokens in the Cloud: Exploitation and Detections ∗∗∗ --------------------------------------------- Understand the mechanics of serverless authentication: three simulated attacks across major CSPs offer effective approaches for application developers. --------------------------------------------- https://unit42.paloaltonetworks.com/serverless-authentication-cloud/ ∗∗∗ Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors .. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a ∗∗∗ E-Mail-Sicherheit: Verstärkte Angriffe mit SVG ∗∗∗ --------------------------------------------- Immer mehr Phishing-Kampagnen nutzen das wenig bekannte Vektorgrafik-Format SVG. Das kann nämlich Skripte enthalten, die dann beim Öffnen ausgeführt werden. --------------------------------------------- https://heise.de/-10444330 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, glibc, kernel, and mod_security), Fedora (chromium, gh, mingw-icu, nginx-mod-modsecurity, python3.10, python3.9, thunderbird, valkey, and yarnpkg), Oracle (.NET 8.0, .NET 9.0, glibc, grafana-pcp, kernel, libxml2, mod_security, nodejs:20, and thunderbird), SUSE (audiofile, helm, kubernetes-old, kubernetes1.23, kubernetes1.24, libcryptopp, postgresql15, thunderbird, and valkey), and Ubuntu (linux-nvidia-tegra-igx). --------------------------------------------- https://lwn.net/Articles/1025354/ ∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released ten Industrial Control Systems (ICS) advisories on June 12, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.ICSA-25-162-01 Siemens Tecnomatix Plant SimulationICSA-25-162-02 Siemens RUGGEDCOM APE1808ICSA-25-162-03 Siemens SCALANCE and RUGGEDCOMICSA-25-162-04 .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-ten-indust… ∗∗∗ [R1] Nessus Agent Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.06.2025
by Daily end-of-shift report 12 Jun '25

12 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-06-2025 18:00 − Donnerstag 12-06-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CRA Vulnerability Reports: why would we not share them with other CSIRTs? ∗∗∗ --------------------------------------------- The Cyber Resilience Act (Regulation (EU) 2024/2847) defines security requirements for products with digital elements and requires vendors to report to national CSIRTs if a vulnerability in one of their products is actively exploited. --------------------------------------------- https://www.cert.at/en/blog/2025/6/cra-vulnerability-reports-why-would-we-n… ∗∗∗ Fog ransomware attack uses unusual mix of legitimate and open-source tools ∗∗∗ --------------------------------------------- Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fog-ransomware-attack-uses-u… ∗∗∗ Password-spraying attacks target 80,000 Microsoft Entra ID accounts ∗∗∗ --------------------------------------------- Hackers have been using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/password-spraying-attacks-ta… ∗∗∗ Google Bug Allowed Brute-Forcing of Any User Phone Number ∗∗∗ --------------------------------------------- Google has fixed a security vulnerability in its page for recovering account details that allowed anyone to access the page and brute-force the private phone number of any user. The flaw posed a significant risk to Google users by exposing them to risk of phishing and other attacks. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/google-bug-brute-forcin… ∗∗∗ Air-Gapped-Systeme: Malware leitet Daten über hochfrequenten Schall aus ∗∗∗ --------------------------------------------- Der bekannte Sicherheitsforscher Mordechai Guri hat eine neue Angriffstechnik vorgestellt, mit der sich Daten von Air-Gapped-Systemen ohne eigene Netzwerkanbindung über eine Smartwatch exfiltrieren lassen. Der Smartattack genannte Angriff basiert auf einer Datenübertragung mittels Schallwellen in einem derart hohen Frequenzbereich, dass sie für Menschen je nach Hörvermögen kaum bis gar nicht wahrnehmbar sind. --------------------------------------------- https://www.golem.de/news/air-gapped-systeme-malware-leitet-daten-ueber-hoc… ∗∗∗ Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks ∗∗∗ --------------------------------------------- Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks. --------------------------------------------- https://thehackernews.com/2025/06/former-black-basta-members-use.html ∗∗∗ Kritische Sicherheitslücke in Microsoft 365 Copilot zeigt Risiko von KI-Agenten ∗∗∗ --------------------------------------------- Der KI-Agent von M365 konnte per E-Mail und ohne Mausklick zur Freigabe sensibler Informationen verführt werden. Microsoft hat die Lücke jetzt geschlossen. --------------------------------------------- https://www.heise.de/news/Kritische-Sicherheitsluecke-in-Microsoft-365-Copi… ∗∗∗ Markenfälschungen im Netz: Eine wachsende Gefahr für den österreichischen Onlinehandel ∗∗∗ --------------------------------------------- Kaum eine Marke ist im Internet noch vor Fälschungen sicher: Kriminelle verwenden gestohlene Logos und Produktbilder beliebter Händler, um täuschend echte Fake-Shops zu erstellen. Neben bekannten Marken sind auch kleine und mittlere Unternehmen (KMU) zunehmend betroffen. Im Rahmen einer Studie des Österreichischen Instituts für angewandte Telekommunikation (ÖIAT) wurde das Ausmaß der Markenfälschungen im Internet untersucht und konkrete Handlungsempfehlungen fürs KMU erarbeitet. --------------------------------------------- https://www.watchlist-internet.at/news/markenfaelschungen-im-netz-eine-wach… ∗∗∗ JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique ∗∗∗ --------------------------------------------- We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. Threat actors commonly use this type of campaign to invisibly redirect victims from legitimate websites to malicious pages that serve malware, exploits and spam. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-… ∗∗∗ Fortinet: Angreifer können VPN-Verbindungen umleiten ∗∗∗ --------------------------------------------- Mehrere Produkte von Fortinet sind verwundbar. Angreifer können an Sicherheitslücken in FortiADC, FortiAnalyzer, FortiClientEMS, FortiClientWindows, FortiManager, FortiManager Cloud, FortiOS, FortiPAM, FortiProxy, FortiSASE und FortiWeb ansetzen. Im schlimmsten Fall kann es zur Ausführung von Schadcode kommen. --------------------------------------------- https://heise.de/-10441108 ===================== = Vulnerabilities = ===================== ∗∗∗ Phishing-Angriffe mit manipulierten SVG-Dateien - Vorsicht geboten ∗∗∗ --------------------------------------------- CERT.at warnt vor stark zunehmenden Phishing-Kampagnen, bei denen manipulierte SVG-Dateien (Scalable Vector Graphics) als E-Mail-Anhänge verwendet werden. Diese Angriffsmethode wird seit mehreren Monaten verstärkt beobachtet und stellt eine ernsthafte Bedrohung dar, da SVG-Dateien von vielen Sicherheitslösungen nicht ausreichend geprüft werden. --------------------------------------------- https://www.cert.at/de/warnungen/2025/6/phishing-angriffe-mit-manipulierten… ∗∗∗ GitLab patches high severity account takeover, missing auth issues ∗∗∗ --------------------------------------------- GitLab has released security updates to address multiple vulnerabilities in the company's DevSecOps platform, including ones enabling attackers to take over accounts and inject malicious jobs in future pipelines. The company released GitLab Community and Enterprise versions 18.0.2, 17.11.4, and 17.10.8 to address these security flaws and urged all admins to upgrade immediately. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity… ∗∗∗ Thunderbird: HTML-Mails können Zugangsdaten verraten, Update verfügbar ∗∗∗ --------------------------------------------- Mozilla hat Updates für Thunderbird veröffentlicht. Sie stopfen ein Sicherheitsleck bei der Anzeige von HTML-E-Mails. --------------------------------------------- https://www.heise.de/news/Thunderbird-HTML-Mails-koennen-Zugangsdaten-verra… ∗∗∗ Palo Alto stopft hochriskante Lücken in PAN-OS und GlobalProtect ∗∗∗ --------------------------------------------- Palo Alto Networks hat Sicherheitsmitteilungen zu Schwachstellen in mehreren Produkten wie dem PAN-OS-Betriebssystem oder der GlobalProtect-App herausgegeben. Angreifer können die Sicherheitslücken missbrauchen, um Befehle einzuschleusen und mit erhöhten Rechten auszuführen, Schadcode einzuschleusen und auszuführen oder unbefugt Traffic einzusehen. --------------------------------------------- https://www.heise.de/news/Palo-Alto-stopft-hochriskante-Luecken-in-PAN-OS-u… ∗∗∗ Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) ∗∗∗ --------------------------------------------- ONLYOFFICE Docs was affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which were reflected in the server's HTML response. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel), Debian (chromium, gst-plugins-bad1.0, node-tar-fs, and ublock-origin), Gentoo (Emacs, File-Find-Rule, GStreamer, GStreamer Plugins, GTK+ 3, LibreOffice, Node.js, OpenImageIO, Python, PyPy, Qt, X.Org X server, XWayland, and YAML-LibYAML), Mageia (mariadb and roundcubemail), Red Hat (go-toolset:rhel8, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, libxml2, libxslt, mod_security, nodejs:20, and perl-FCGI:0.78), Slackware (mozilla), SUSE (docker, docker-compose, iputils, kernel, libsoup, open-vm-tools, rabbitmq-server, rabbitmq-server313, wget, and yelp), and Ubuntu (libsoup2.4 and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1025208/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.06.2025
by Daily end-of-shift report 11 Jun '25

11 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-06-2025 18:00 − Mittwoch 11-06-2025 18:00 Handler: Alexander Riepl Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Microsoft Outlook to block more risky attachments used in attacks ∗∗∗ --------------------------------------------- Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-outlook-to-block-m… ∗∗∗ ConnectWise rotating code signing certificates over security concerns ∗∗∗ --------------------------------------------- ConnectWise is warning customers that it is rotating the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables over security concerns. --------------------------------------------- https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-si… ∗∗∗ Zehntausende Überwachungskameras streamen ungeschützt ins Netz ∗∗∗ --------------------------------------------- Überwachungskameras sind überall – in U-Bahnen, an Türklingeln und in Fahrstühlen. Oft bemerkt man sie gar nicht, weil es mittlerweile so kleine und unscheinbare Modelle gibt. Amerikanische Sicherheitsforscher warnen nun aber davor, wie einfach es für Dritte ist, sich Zugriff auf die Feeds solcher Überwachungskameras zu verschaffen. Bei einem Test konnten die Experten von Bitsight Live-Feeds von insgesamt 40.000 Kameras abrufen, die mit dem Internet verbunden waren. --------------------------------------------- https://futurezone.at/digital-life/zehntausende-ueberwachungskameras-stream… ∗∗∗ Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th) ∗∗∗ --------------------------------------------- RAT's are popular malware. They are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated. --------------------------------------------- https://isc.sans.edu/diary/rss/32036 ∗∗∗ Trump Quietly Throws Out Bidens Cyber Policies ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from Axios: President Trump quietly took a red pen to much of the Biden administrations cyber legacy in a little-noticed move late Friday. Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Bidens cyber policy legacy - while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber --------------------------------------------- https://it.slashdot.org/story/25/06/10/2044217/trump-quietly-throws-out-bid… ∗∗∗ Ungeklärte Phishing-Vorfälle rund um Booking.com ∗∗∗ --------------------------------------------- Hotels in Südtirol haben vermehrt mit kompromittierten Extranet-Zugängen von Booking.com zu tun, über die sie mit Gästen kommunizieren. Noch ist unklar, warum. --------------------------------------------- https://www.heise.de/news/Ungeklaerte-Phishing-Vorfaelle-rund-um-Booking-co… ∗∗∗ UEFI-BIOS-Lücken: SecureBoot-Umgehung und Firmware-Austausch möglich ∗∗∗ --------------------------------------------- Zwei unterschiedliche Sicherheitslücken in diversen UEFI-BIOS-Versionen mehrerer Anbieter ermöglichen die Umgehung des SecureBoot-Mechanismus. In UEFI-BIOSen von Insyde können Angreifer sogar die Firmware austauschen. Verwundbare Systeme lassen sich damit vollständig kompromittieren. Proof-of-Concept-Code dafür ist öffentlich verfügbar. Systemhersteller arbeiten an BIOS-Updates zum Schließen der Lücken. --------------------------------------------- https://www.heise.de/news/UEFI-BIOS-Luecken-SecureBoot-Umgehung-und-Firmwar… ∗∗∗ Reflective Kerberos Relay Attack Against Domain-Joined Windows Clients and Servers ∗∗∗ --------------------------------------------- RedTeam Pentesting has developed the Reflective Kerberos Relay Attack which remotely allows low-privileged Active Directory domain users to obtain NT AUTHORITY\SYSTEM privileges on domain-joined Windows computers. This vulnerability affects all domain-joined Windows hosts that do not require SMB signing of incoming connections. In their default configurations, this includes all Windows 10 and 11 versions up to 23H2 and all Windows Server versions including 2025 24H2 and excluding domain controllers. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-002/ ∗∗∗ Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day ∗∗∗ --------------------------------------------- Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day --------------------------------------------- https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campa… ∗∗∗ UK cyber agency pushes for strategic policy agenda as government efforts stall ∗∗∗ --------------------------------------------- Following years-long delays in the United Kingdom bringing forward new cybersecurity legislation, what seems to be an increasingly exasperated National Cyber Security Centre (NCSC) called on Monday for the country to adopt a strategic policy agenda to tackle the growing risks. --------------------------------------------- https://therecord.media/ncsc-pushes-uk-government-create-strategic-cyber-po… ∗∗∗ Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested ∗∗∗ --------------------------------------------- An international cybercrime operation coordinated by INTERPOL has led to the takedown of more than 20,000 malicious IPs and domains used to deploy infostealer malware across the Asia-Pacific region. --------------------------------------------- https://hackread.com/operation-secure-interpol-disrupts-infostealer-domains/ ∗∗∗ Hydroph0bia (CVE-2025-4275) - a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O, part 1 ∗∗∗ --------------------------------------------- This post will be about a vulnerability I dubbed Hydroph0bia (as a pun on Insyde H2O) aka CVE-2025-4275 or INSYDE-SA-2025002. --------------------------------------------- https://coderush.me/hydroph0bia-part1/ ∗∗∗ NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073 ∗∗∗ --------------------------------------------- For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The vulnerability discovery, the complete analysis of the root cause as well as the patch by Microsoft will be detailed in this blogpost. --------------------------------------------- https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live… ∗∗∗ Infuencing LLM Output using logprobs and Token Distribution ∗∗∗ --------------------------------------------- What if you could influence an LLM's output not by breaking its rules, but by bending its probabilities? In this deep-dive, we explore how small changes in user input (down to a single token) can shift the balance between “true” and “false”, triggering radically different completions. --------------------------------------------- https://blog.sicuranext.com/infuencing-llm-output-using-logprobs-and-token-… ∗∗∗ Software Supply Chain Attacks Have Surged in Recent Months ∗∗∗ --------------------------------------------- IT and software supply chain attacks have surged in recent months, as threat actors have gotten better at exploiting supply chain vulnerabilities, Cyble threat intelligence researchers reported this week. In a June 9 blog post, Cyble researchers said software supply chain attacks have grown from just under 13 a month during February-September 2024 to just over 16 a month from October 2024 to May 2025, an increase of 25%. However, the last two months have seen an average of nearly 25 cyberattacks with supply chain impact, a near-doubling of supply chain attacks from the year-ago period. --------------------------------------------- https://thecyberexpress.com/software-supply-chain-attacks-have-surged/ ∗∗∗ Undocumented Root Shell Access bei SIMCom Modem ∗∗∗ --------------------------------------------- Das SIMCom SIM7600G Modem unterstützt einen undokumentierten AT Befehl, welcher es einem lokalen/physischen Angreifer ermöglicht, Systembefehle mit root-Berechtigungen auf dem Modem auszuführen. Der Stand der Entfernung des Backdoor-Kommandos ist unklar, da sich der Hersteller nach zahlreichen Kontaktversuchen nicht mehr gemeldet hat. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/undocumented-root-she… ===================== = Vulnerabilities = ===================== ∗∗∗ New Secure Boot flaw lets attackers install bootkit malware, patch now ∗∗∗ --------------------------------------------- Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-at… ∗∗∗ Patch Tuesday, June 2025 Edition ∗∗∗ --------------------------------------------- Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public. --------------------------------------------- https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/ ∗∗∗ Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities ∗∗∗ --------------------------------------------- Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” --------------------------------------------- https://blog.talosintelligence.com/microsoft-patch-tuesday-june-2025/ ∗∗∗ Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw ∗∗∗ --------------------------------------------- Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh security software, open source XDR and SIEM solution, to spread the Mirai malware. This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh’s API, hence, allowing attackers to take control of affected servers remotely. --------------------------------------------- https://hackread.com/two-mirai-botnets-lzrd-resgod-exploiting-wazuh-flaw/ ∗∗∗ TBK DVRs Botnet Attack ∗∗∗ --------------------------------------------- Threat Actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices (Digital Video Recorders). This flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the endpoint. The compromised devices are being conscripted into a botnet capable of conducting DDoS attacks. If successfully exploited, there is a potential for significant disruption from DDoS attacks, lateral movement, or further malware delivery. --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6127 ∗∗∗ Patchday: Schadcode-Lücken in Adobe Acrobat, InDesign & Co. geschlossen ∗∗∗ --------------------------------------------- Angreifer können an Sicherheitslücken (CVE-2025-43573 / EUVD-2025-17828) in Adobe Acrobat, Commerce, Experince Manager, InCopy, InDesign, Substance 3D Painter und Substance 3D Sampler ansetzen. Im Rahmen des Juni-Patchdays stellt Adobe Updates zum Download bereit. --------------------------------------------- https://heise.de/-10439601 ∗∗∗ The June 2025 Security Update Review ∗∗∗ --------------------------------------------- https://www.thezdi.com/blog/2025/6/10/the-june-2025-security-update-review ∗∗∗ Security Vulnerabilities fixed in Thunderbird 139.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-50/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2025
by Daily end-of-shift report 10 Jun '25

10 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-06-2025 18:00 − Dienstag 10-06-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 84,000 Roundcube instances vulnerable to actively exploited flaw ∗∗∗ --------------------------------------------- Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-84-000-roundcube-instan… ∗∗∗ FIN6 hackers pose as job seekers to backdoor recruiters’ devices ∗∗∗ --------------------------------------------- In a twist on typical hiring-related social engineering attacks, the FIN6 hacking group impersonates job seekers to target recruiters, using convincing resumes and phishing sites to deliver malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-see… ∗∗∗ Windows: Designproblem erlaubt Aushebeln von Gruppenrichtlinien ∗∗∗ --------------------------------------------- In Windows schlummert ein Designproblem, das es normalen Nutzern und Malware erlaubt, von Admins gesetzte Gruppenrichtlinien außer Kraft zu setzen. Ein Bericht von .. --------------------------------------------- https://www.golem.de/news/windows-designproblem-erlaubt-aushebeln-von-grupp… ∗∗∗ Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs ∗∗∗ --------------------------------------------- SentinelOne discovered the campaign when they tried to hit the security vendors own servers An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out. --------------------------------------------- https://www.theregister.com/2025/06/09/china_malware_flip_switch_sentinelon… ∗∗∗ DanaBleed: DanaBot C2 Server Memory Leak Bug ∗∗∗ --------------------------------------------- DanaBot is a Malware-as-a-Service (MaaS) platform that has been active since 2018. DanaBot operates on an affiliate model, where the malware developer sells access to customers who then distribute and use the malware for activities like credential theft and banking fraud. The developer is responsible for creating the malware, maintaining the .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server… ∗∗∗ Microsoft: Abhilfe für Sicherheitslücke durch gelöschte "inetpub"-Ordner ∗∗∗ --------------------------------------------- Windows-Update hat einen "inetpub"-Ordner angelegt. Wird er gelöscht, blockiert das womöglich weitere Updates. Ein Script hilft. --------------------------------------------- https://www.heise.de/news/Microsoft-Abhilfe-fuer-Sicherheitsluecke-durch-ge… ∗∗∗ SAP-Patchday: Erneut kritische Sicherheitslücke in Netweaver ∗∗∗ --------------------------------------------- SAP kümmert sich am Juni-Patchday in 14 neuen Sicherheitsnotizen um teils kritische Sicherheitslücken in den Produkten aus Walldorf. --------------------------------------------- https://www.heise.de/news/SAP-Patchday-Erneut-kritische-Sicherheitsluecke-i… ∗∗∗ Malvertising: Suche nach Standardbefehlen für Macs liefert Infostealer ∗∗∗ --------------------------------------------- Perfide Masche: Bei der Suche nach Standardbefehlen für macOS erscheinen Seiten, die Befehle zur Malware-Installation anzeigen. --------------------------------------------- https://www.heise.de/news/Malvertising-Suche-nach-Standardbefehlen-fuer-Mac… ∗∗∗ Phishing-Alarm: Ex-Mitarbeiterin verschenkt keine Rabattcodes! ∗∗∗ --------------------------------------------- Videos und Postings auf Social-Media-Plattformen erwecken den Anschein, als würde eine gekündigte Angestellte eines großen Einzelhandelsunternehmens Rabattcodes verschenken. Als Rache am Ex-Arbeitgeber. Tatsächlich versteckt sich dahinter nichts anderes als eine simple Phishing-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-rabattcodes/ ∗∗∗ Falsche E-Mails im Namen der WKO im Umlauf! ∗∗∗ --------------------------------------------- Derzeit sind betrügerische E-Mails im Umlauf, die vorgeben, von der Wirtschaftskammer Österreich (WKO) zu stammen. In diesen gefälschten Nachrichten werden Unternehmer:innen zur Zahlung der Kammerumlage 2025 aufgefordert und gleichzeitig dazu verleitet, ihre WKO-Zugangsdaten preiszugeben. --------------------------------------------- https://www.watchlist-internet.at/news/falsche-e-mails-im-namen-der-wko-im-… ∗∗∗ The Evolution of Linux Binaries in Targeted Cloud Operations ∗∗∗ --------------------------------------------- Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files. --------------------------------------------- https://unit42.paloaltonetworks.com/elf-based-malware-targets-cloud/ ∗∗∗ New hacker group uses LockBit ransomware variant to target Russian companies ∗∗∗ --------------------------------------------- In its latest campaign this spring, DarkGaboon was observed deploying LockBit 3.0 ransomware against victims in Russia, Positive Technologies said in a report last week. --------------------------------------------- https://therecord.media/new-hacker-group-lockbit-target-russia ∗∗∗ Spyware maker cuts ties with Italy after government refused audit into hack of journalist’s phone ∗∗∗ --------------------------------------------- Israel-based spyware maker Paragon and Italys government had a falling out over the companys offer to help investigate what happened on journalist Francesco Cancellatos phone. --------------------------------------------- https://therecord.media/paragon-spyware-maker-cuts-ties-italy-government ∗∗∗ Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats ∗∗∗ --------------------------------------------- GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces. --------------------------------------------- https://www.greynoise.io/blog/coordinated-brute-force-activity-targeting-ap… ∗∗∗ Bitsight Identifies Thousands of Security Cameras Openly Accessible on the Internet ∗∗∗ --------------------------------------------- In our latest research at Bitsight TRACE, we found over 40,000 exposed cameras streaming live on the internet. No passwords. No protections. Just out there. We first raised the alarm in 2023, and based on this latest study, the situation hasn’t gotten any better. --------------------------------------------- https://www.bitsight.com/blog/bitsight-identifies-thousands-of-compromised-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (golang, nodejs22, thunderbird, and varnish), Debian (gimp, modsecurity-apache, python-tornado, and roundcube), Fedora (chromium, coreutils, fcgi, ghostscript, krb5, libvpx, mingw-gstreamer1-plugins-bad-free, mingw-libsoup, mod_security, and samba), Mageia (php-adodb, systemd, and tomcat), Red Hat (buildah, firefox, glibc, grafana, kernel, libsoup, libxslt, mod_security, perl-FCGI, podman, python-tornado, and skopeo), Slackware (libvpx), and SUSE .. --------------------------------------------- https://lwn.net/Articles/1024625/ ∗∗∗ Security Vulnerabilities fixed in Firefox 139.0.4 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-47/ ∗∗∗ June Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/june-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.06.2025
by Daily end-of-shift report 06 Jun '25

06 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-06-2025 18:00 − Freitag 06-06-2025 18:00 Handler: Guenes Holler Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Hacker selling critical Roundcube webmail exploit as tech info disclosed ∗∗∗ --------------------------------------------- Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-selling-critical-roun… ∗∗∗ FBI: BADBOX 2.0 Android malware infects millions of consumer devices ∗∗∗ --------------------------------------------- The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-badbox-20-android-malwar… ∗∗∗ Critical Fortinet flaws now exploited in Qilin ransomware attacks ∗∗∗ --------------------------------------------- The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-fortinet-flaws-now-… ∗∗∗ Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721 ∗∗∗ --------------------------------------------- Kaspersky GReAT experts describe the new features of a Mirai variant: the latest botnet infections target TBK DVR devices with CVE-2024-3721. --------------------------------------------- https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-20… ∗∗∗ Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hard-Coded Credentials ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks."Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantecs Security Technology and .. --------------------------------------------- https://thehackernews.com/2025/06/popular-chrome-extensions-leak-api-keys.h… ∗∗∗ AT&T not sure if new customer data dump is déjà vu ∗∗∗ --------------------------------------------- Re-selling info from an earlier breach? Probably. But which one? AT&T is investigating claims that millions of its customers data are listed for sale on a cybercrime forum in what appears to be a re-release from an earlier hack. --------------------------------------------- https://www.theregister.com/2025/06/05/att_investigates_data_dump/ ∗∗∗ Turning Off the (Information) Flow: Working With the EPA to Secure Hundreds of Exposed Water HMIs ∗∗∗ --------------------------------------------- In October 2024, Censys researchers discovered nearly 400 web-based HMIs for U.S. water facilities exposed online. These were identified via TLS certificate analysis and confirmed through screenshot .. --------------------------------------------- https://censys.com/blog/turning-off-the-information-flow-working-with-the-e… ∗∗∗ Blitz Malware: A Tale of Game Cheats and Code Repositories ∗∗∗ --------------------------------------------- Blitz malware, active since 2024 and updated in 2025, was spread via game cheats. We discuss its infection vector and abuse of Hugging Face for C2. --------------------------------------------- https://unit42.paloaltonetworks.com/blitz-malware-2025/ ∗∗∗ DDoS-Angriffe auf österreichische Unternehmen und Organisationen ∗∗∗ --------------------------------------------- Uns erreichen aktuell vermehrt Berichte von österreichischen Unternehmen und Organisationen über DDoS-Angriffe gegen ihre Systeme und Netzwerke. Betroffen sind Ziele in den verschiedensten Bereichen und Sektoren, ein besonderer Schwerpunkt der Kriminellen lässt sich bisher nicht festmachen. Bei manchen Angriffen liegen deutliche Hinweise .. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/6/ddos-angriffe-auf-osterreichische-u… ∗∗∗ Nigeria jails 9 Chinese nationals for being part of international cyberfraud syndicate ∗∗∗ --------------------------------------------- The group was arrested in December as part of a raid that included 599 Nigerians and 193 other foreign nationals, many of them Chinese, on suspicion of being involved in a range of online crimes. --------------------------------------------- https://therecord.media/nigeria-jails-9-chinese-nationals-cyber-fraud ∗∗∗ Unsecured Database Exposes Data of 3.6 Million Passion.io Creators ∗∗∗ --------------------------------------------- A massive data leak has put the personal information of over 3.6 million app creators, influencers, and .. --------------------------------------------- https://hackread.com/unsecured-database-exposes-passion-io-creators-data/ ∗∗∗ NICKNAME: Zero-Click iMessage Exploit Targeted Key Figures in US, EU ∗∗∗ --------------------------------------------- iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU .. --------------------------------------------- https://hackread.com/nickname-zero-click-imessage-exploit-figures-us-eu/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (go-toolset:rhel8, golang, nodejs:20, nodejs:22, openssh, and python36:3.6), Debian (edk2, libfile-find-rule-perl, and webkit2gtk), Fedora (emacs, libvpx, perl-FCGI, and seamonkey), Mageia (cifs-utils), Red Hat (containernetworking-plugins, go-toolset:rhel8, golang, gvisor-tap-vsock, krb5, mod_auth_openidc:2.3, protobuf, and thunderbird), Slackware (seamonkey), SUSE (gimp, gnutls, haproxy, opensaml, openssh, openvpn, python-cryptography, .. --------------------------------------------- https://lwn.net/Articles/1024317/ ∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released seven Industrial Control Systems (ICS) advisories on June 5, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.ICSA-25-155-01 CyberData 011209 SIP Emergency IntercomICSA-25-155-02 Hitachi Energy Relion 670, 650 series and SAM600-IO Product ICSA-21-049-02 Mitsubishi Electric FA .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/06/05/cisa-releases-seven-indu… ∗∗∗ ZDI-25-325: Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-325/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.06.2025
by Daily end-of-shift report 05 Jun '25

05 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-06-2025 18:00 − Donnerstag 05-06-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ BidenCash carding market domains seized in international operation ∗∗∗ --------------------------------------------- Earlier today, law enforcement seized multiple domains of BidenCash, the infamous dark web market for stolen credit cards, personal information, and SSH access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bidencash-carding-market-dom… ∗∗∗ Cisco warns of ISE and CCP flaws with public exploit code ∗∗∗ --------------------------------------------- Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-warns-of-ise-and-ccp-f… ∗∗∗ Researchers Bypass Deepfake Detection With Replay Attacks ∗∗∗ --------------------------------------------- An international group of researchers found that simply rerecording deepfake audio with natural acoustics in the background allows it to bypass detection models at a higher-than-expected rate. --------------------------------------------- https://www.darkreading.com/cybersecurity-analytics/researchers-bypass-deep… ∗∗∗ Für Datenklau: Hacker kapern reihenweise Salesforce-Zugänge ∗∗∗ --------------------------------------------- Sicherheitsforscher der Google Threat Intelligence Group (GTIG) warnen vor laufenden Vishing-Angriffen (Voice Phishing), die darauf abzielen, Zugang zu Salesforce-Instanzen zu erlangen und daraus massenhaft vertrauliche Unternehmensdaten abzugreifen. --------------------------------------------- https://www.golem.de/news/fuer-datenklau-hacker-kapern-reihenweise-salesfor… ∗∗∗ Be Careful With Fake Zoom Client Downloads ∗∗∗ --------------------------------------------- Collaborative tools are really popular these days. Since the COVID-19 pandemic, many people switched to remote work positions and we need to collaborate with our colleagues or customers every day. Tools like Microsoft Teams, Zoom, WebEx, (name your best solution), became popular and must be regularly updated. Yesterday, I received an interesting email with a fake Zoom meeting invitation. --------------------------------------------- https://isc.sans.edu/diary/rss/32014 ∗∗∗ AI kept 15-year-old zombie vuln alive, but its time is drawing near ∗∗∗ --------------------------------------------- Despite multiple developer warnings about the 2010 GitHub Gist containing the path traversal vulnerability in 2012, 2014, and 2018, the flaw appeared in MDN Web Docs documentation and a Stack Overflow snippet. From there, it took up residence in large language models (LLMs) trained on the flawed examples. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/06/05/llm_kept_per… ∗∗∗ Musikhaus Thomann: Kriminelle locken in Fake-Shops ∗∗∗ --------------------------------------------- Der Erfolg des Musik-Versandhändlers ruft zunehmend Betrüger:innen auf den Plan. Diese bauen den Original-Onlineshop detailgetreu nach und bieten Produkte zu unrealistischen Schleuderpreisen. Wer dort bestellt, bekommt allerdings nichts, sondern verliert Geld. Wir verraten, wie Sie die Fakes am einfachsten erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/musikhaus-thomann-fake-shops/ ∗∗∗ Newly identified wiper malware "PathWiper" targets critical infrastructure in Ukraine ∗∗∗ --------------------------------------------- Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling "PathWiper". --------------------------------------------- https://blog.talosintelligence.com/pathwiper-targets-ukraine/ ∗∗∗ Updated Guidance on Play Ransomware ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued an updated advisory on Play ransomware, also known as Playcrypt. This advisory highlights new tactics, techniques, and procedures used by the Play ransomware group and provides updated indicators of compromise (IOCs) to enhance threat detection. Since June 2022, Playcrypt has targeted diverse businesses and critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/06/04/updated-guidance-play-ra… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Integrated Management Controller Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers could allow an authenticated, remote attacker to access internal services with elevated privileges. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus Dashboard Fabric Controller SSH Host Key Validation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the SSH implementation of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to impersonate Cisco NDFC-managed devices. This vulnerability is due to insufficient SSH host key validation. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Sicherheitsupdates: Dell repariert PowerScale OneFS und Bluetooth-Treiber ∗∗∗ --------------------------------------------- Angreifer können an einer Schwachstelle in Dells NAS-Betriebssystem PowerScale OneFS ansetzen und Dateien löschen. Außerdem macht eine Lücke im Bluetooth-Treiber unzählige Dell-PCs angreifbar. Sicherheitsupdates stehen zum Download. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Dell-repariert-PowerScale-OneF… ∗∗∗ VMware NSX: Hochriskante Sicherheitslücke gestopft ∗∗∗ --------------------------------------------- Broadcom warnt vor teils hochriskanten Sicherheitslücken in der Netzwerkvirtualisierungs- und Sicherheitsplattform VMware NSX. Angreifer können unter anderem Schadcode einschleusen und ausführen. IT-Verantwortliche sollten zügig auf die fehlerbereinigten Versionen aktualisieren. --------------------------------------------- https://www.heise.de/news/VMware-NSX-Hochriskante-Sicherheitsluecke-gestopf… ∗∗∗ Acronis Cyber Protect: Mehrere teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- In der umfangreichen Virenschutz- und Backup-Software Acronis Cyber Protect hat der Hersteller mehrere, teils höchst kritische Sicherheitslücken entdeckt. Diese stopfen die Entwickler mit aktualisierter Software. --------------------------------------------- https://www.heise.de/news/Acronis-Cyber-Protect-Mehrere-teils-kritische-Sic… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and mariadb-10.5), Oracle (firefox, ghostscript, git, go-toolset:ol8, golang, kernel, krb5, mingw-freetype and spice-client-win, nodejs:20, nodejs:22, perl-CPAN, python36:3.6, rsync, varnish, and varnish:6), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (curl and python3), SUSE (apache-commons-beanutils, apache2-mod_security2, avahi, buildkit, ca-certificates-mozilla, cloud-regionsrv-client, cloud-regionsrv-client, python-toml, containerd, containerized-data-importer, cups, curl, dnsmasq, docker, elemental-operator, elemental-toolkit, expat, firefox, freetype2, gdk-pixbuf, git, glib2, glibc, gnuplot, gnutls, gpg2, gstreamer, gstreamer-plugins-base, gtk3, haproxy, helm, java-17-openjdk, java-1_8_0-openjdk, keepalived, kernel, kernel-firmware, krb5, kubevirt, less, libarchive, libcryptopp, libdb-4_8, libndp, libpcap, libsoup, libtasn1, libvirt, libX11, libxml2, libxslt, Mesa, mozilla-nss, nghttp2, nvidia-open-driver-G06-signed, opensc, openssh, openssl-3, openssl-3, libpulp, ulp-macros, orc, pam, pam_pkcs11, pam_u2f, patch, pcp, pcr-oracle, shim, perl-Crypt-OpenSSL-RSA, podman, postgresql16, procps, protobuf, python-dnspython, python-Jinja2, python-requests, python-setuptools, python-tornado6, python-urllib3, python311, python311, python-rpm-macros, qemu, rsync, runc, rust-keylime, selinux-policy, sevctl, skopeo, sssd, SUSE Manager Client Tools, systemd, thunderbird, tiff, tpm2.0-tools, tpm2-0-tss, u-boot, ucode-intel, unbound, util-linux, vim, wget, and wpa_supplicant), and Ubuntu (linux-nvidia, python-django, twitter-bootstrap3, twitter-bootstrap4, and wireshark). --------------------------------------------- https://lwn.net/Articles/1024158/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.06.2025
by Daily end-of-shift report 04 Jun '25

04 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-06-2025 18:00 − Mittwoch 04-06-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Coinbase breach tied to bribed TaskUs support agents in India ∗∗∗ --------------------------------------------- A recently disclosed data breach at Coinbase has been linked to India-based customer support representatives from outsourcing firm TaskUs, who threat actors bribed to steal data from the crypto exchange. --------------------------------------------- https://www.bleepingcomputer.com/news/security/coinbase-breach-tied-to-brib… ∗∗∗ Umgehung des Sandboxings: Meta und Yandex de-anonymisieren Android-Nutzer ∗∗∗ --------------------------------------------- Sicherheitsforscher decken eine Methode auf, mit der Meta und Yandex flüchtige Web-Identifikatoren in dauerhafte Nutzeridentitäten umgewandelt haben. --------------------------------------------- https://www.golem.de/news/umgehung-des-sandboxings-meta-und-yandex-de-anony… ∗∗∗ The strange tale of ischhfd83: When cybercriminals eat their own ∗∗∗ --------------------------------------------- This investigation is a good example of how threats can be much more complex than they first appear. From an initial customer query about a new RAT, we uncovered a significant amount of backdoored GitHub repositories, containing multiple kinds of backdoors. --------------------------------------------- https://news.sophos.com/en-us/2025/06/04/the-strange-tale-of-ischhfd83-when… ∗∗∗ Acreed infostealer poised to replace Lumma after global crackdown ∗∗∗ --------------------------------------------- The Acreed malware, which emerged earlier this year, is gaining ground with cybercriminals who otherwise might have used the Lumma infostealer, researchers said. --------------------------------------------- https://therecord.media/acreed-infostealer-arises-after-lumma-takedown ∗∗∗ Angriffe laufen: Connectwise, Craft CMS und Asus-Router im Visier ∗∗∗ --------------------------------------------- Die CISA warnt vor Angriffen auf Sicherheitslecks in Connectwise ScreenConnect, Craft CMS und Asus-Router. Updates stehen bereit. --------------------------------------------- https://heise.de/-10424978 ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday Android: Angreifer können sich höhere Rechte verschaffen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Lücken in Android 13, 14 und 15. Angreifer attackieren Geräte mit Qualcomm-Prozessor. --------------------------------------------- https://www.heise.de/news/Patchday-Android-Angreifer-koennen-sich-hoehere-R… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git, krb5, perl-CPAN, and rsync), Debian (tcpdf), Fedora (libmodsecurity, lua-http, microcode_ctl, and nextcloud), Red Hat (osbuild-composer), SUSE (389-ds, avahi, ca-certificates-mozilla, docker, expat, freetype2, glib2, gnuplot, gnutls, golang-github-teddysun-v2ray-plugin, golang-github-v2fly-v2ray-core, govulncheck-vulndb, helm, iperf, kernel, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, krb5, libarchive, libsoup, libsoup2, libtasn1, libX11, libxml2, libxslt, orc, podman, python-Jinja2, python-requests, python3-setuptools, python310, python311, python39, rubygem-rack, sslh, SUSE Manager Client Tools, SUSE Manager Client Tools and Salt Bundle, ucode-intel, util-linux, and wget), and Ubuntu (libvpx, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-nvidia-tegra, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-aws-fips, linux-gcp-fips, linux-azure-fde, linux-fips, and linux-intel-iot-realtime, linux-realtime). --------------------------------------------- https://lwn.net/Articles/1023793/ ∗∗∗ ZDI-25-324: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-324/ ∗∗∗ ZDI-25-323: Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-323/ ∗∗∗ ZDI-25-321: GIMP ICO File Parsing Integer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-321/ ∗∗∗ Critical Vulnerability in multiple Mitsubishi Electric MELSEC iQ-F Series Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-03 ∗∗∗ Critical Vulnerability in Schneider Electric Wiser Home Automation ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.06.2025
by Daily end-of-shift report 03 Jun '25

03 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Montag 02-06-2025 18:00 − Dienstag 03-06-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Malicious RubyGems pose as Fastlane to steal Telegram API data ∗∗∗ --------------------------------------------- Two malicious RubyGems packages posing as popular Fastlane CI/CD plugins redirect Telegram API requests to attacker-controlled servers to intercept and steal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-rubygems-pose-as-f… ∗∗∗ Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets ∗∗∗ --------------------------------------------- A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victims contacts list. --------------------------------------------- https://thehackernews.com/2025/06/android-trojan-crocodilus-now-active-in.h… ∗∗∗ How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms ∗∗∗ --------------------------------------------- We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems. [..] A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/comparing-llm-guardrails-across-genai-p… ∗∗∗ Cyberattacks Hit Top Retailers: Cartier, North Face Among Latest Victims ∗∗∗ --------------------------------------------- North Face, Cartier, and Next Step Healthcare are the latest victims in a string of cyberattacks compromising customer data. Explore the methods used by attackers and the wider impact on retail security. --------------------------------------------- https://hackread.com/cyberattacks-retailers-cartier-north-face-victims/ ∗∗∗ Inside RansomHub: Tactics, Targets, and What It Means for You ∗∗∗ --------------------------------------------- What is RansomHub ransomware? We dive into the groups TTPs, latest attacks and news, & mitigation strategies you should know in 2025. --------------------------------------------- https://www.bitsight.com/blog/guide-to-ransomhub-ransomware-2025 ===================== = Vulnerabilities = ===================== ∗∗∗ Google stopft attackierte Lücke in Chrome ∗∗∗ --------------------------------------------- In der Javascript-Engine V8 von Google Chrome ermöglicht eine Schwachstelle Angreifern, außerhalb vorgesehener Speichergrenzen zu lesen und zu schreiben. Für diese Schwachstelle ist ein Exploit in freier Wildbahn aufgetaucht, sie wird daher offenbar bereits attackiert. --------------------------------------------- https://www.heise.de/news/Google-stopft-attackierte-Luecke-in-Chrome-104232… ∗∗∗ Sicherheitsupdate: Vielfältige Attacken auf HPE StoreOnce möglich ∗∗∗ --------------------------------------------- Acht Softwareschwachstellen in der Backuplösung StoreOnce von HPE machen Systeme attackierbar. Darunter findet sich eine "kritische" Lücke. Über weitere Angriffe kann Schadcode auf PCs gelangen. Eine gegen mögliche Attacken geschützte Version steht ab sofort zum Download bereit. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdate-Vielfaeltige-Attacken-auf-HPE-S… ∗∗∗ Angreifer können Roundcube Webmail mit Schadcode attackieren ∗∗∗ --------------------------------------------- Webadmins sollten ihre Roundcube-Webmail-Instanzen zeitnah auf den aktuellen Stand bringen. In aktuellen Ausgaben haben die Entwickler eine Sicherheitslücke geschlossen, über die Schadcode auf Systeme gelangen kann. --------------------------------------------- https://www.heise.de/news/Kritische-Schadcode-Luecke-bedroht-Roundcube-Webm… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (varnish), Debian (asterisk and roundcube), Fedora (systemd), Mageia (golang), Red Hat (ghostscript, perl-CPAN, python36:3.6, and rsync), SUSE (govulncheck-vulndb, libsoup-2_4-1, and postgresql, postgresql16, postgresql17), and Ubuntu (mariadb, open-vm-tools, php-twig, and python-tornado). --------------------------------------------- https://lwn.net/Articles/1023625/ ∗∗∗ SVD-2025-0604: Third-Party Package Updates in Splunk Universal Forwarder - June 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0604 ∗∗∗ SVD-2025-0603: Third-Party Package Updates in Splunk Enterprise - June 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0603 ∗∗∗ SVD-2025-0602: Incorrect permission assignment on Universal Forwarder for Windows during new installation or upgrade ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0602 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.06.2025
by Daily end-of-shift report 02 Jun '25

02 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-05-2025 18:00 − Montag 02-06-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Exploit details for max severity Cisco IOS XE flaw now public ∗∗∗ --------------------------------------------- Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-details-for-max-seve… ∗∗∗ Deutscher Rüstungskonzern: Cybergang leakt interne Daten von Rheinmetall ∗∗∗ --------------------------------------------- Der deutsche Rüstungskonzern Rheinmetall ist offenbar Ziel einer Cyberattacke geworden, bei der vertrauliche Daten in die Hände der Angreifer gelangt sind. Die Hackergruppe Babuk2 hatte Rheinmetall schon am 4. April auf ihre Datenleckseite aufgenommen. Jetzt berichtete Tagesschau.de, dass auch die Datenschutzbehörde NRW sowie das Bundesamt für Sicherheit in der Informationstechnik über den Vorfall informiert worden seien. --------------------------------------------- https://www.golem.de/news/deutscher-ruestungskonzern-cybergang-leakt-intern… ∗∗∗ Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Across 6 Global Regions ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. --------------------------------------------- https://thehackernews.com/2025/06/fake-recruiter-emails-target-cfos-using.h… ∗∗∗ Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump ∗∗∗ --------------------------------------------- A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names. The leaks include thousands of chat logs, personal videos, and ransom negotiations tied to some of the most notorious cyber-extortion gangs — believed to have raked in billions from companies, hospitals, and individuals worldwide. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/31/gangexposed_… ∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗ --------------------------------------------- We found four vulnerabilities by downloading and extracting Revolution Pi’s latest firmware version (01/2025). We didn’t even need to buy the device, although one would look great on our ICS demo rig! All were found with static code analysis but demonstrated by installing the firmware to a standard Raspberry Pi. --------------------------------------------- https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g… ∗∗∗ The remote desktop puzzle. DFIR techniques for dealing with RDP Bitmap Cache ∗∗∗ --------------------------------------------- A lot of people are aware of RDP and what its functions are. It’s known for providing remote access and making life easier for administrators and users. With that comes insight for forensic investigators, regarding the ‘bitmap cache’. This is often overlooked, but when analysed correctly can provide some great understanding about what’s happened on a system. --------------------------------------------- https://www.pentestpartners.com/security-blog/the-remote-desktop-puzzle-dfi… ∗∗∗ LOLCLOUD - Azure Arc - C2aaS ∗∗∗ --------------------------------------------- Exploring Azure Arc’s overlooked C2aaS potential. Attacking and Defending against its usage and exploring usecases. --------------------------------------------- https://blog.zsec.uk/azure-arc-c2aas/ ===================== = Vulnerabilities = ===================== ∗∗∗ New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora ∗∗∗ --------------------------------------------- Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. --------------------------------------------- https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html ∗∗∗ 2025-06-02: Cyber Security Advisory - ELSB/Home Solutions Outdated SW Components in ABB Welcome IP-Gateway ∗∗∗ --------------------------------------------- An attacker who successfully exploits these vulnerabilities could potentially gain unauthorized access and potentially compromise the system's - and log-file - confidentiality, integrity and availability. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A8948&Lan… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (espeak-ng, kitty, kmail-account-wizard, krb5, libreoffice, libvpx, net-tools, python-flask-cors, symfony, tcpdf, thunderbird, and twitter-bootstrap3), Fedora (chromium, dropbear, firefox, gstreamer1-plugins-bad-free, python-tornado, systemd, and thunderbird), Mageia (coreutils, deluge, glib2.0, and redis), Oracle (firefox, kernel, and systemd), Red Hat (firefox, kernel, kernel-rt, varnish, varnish:6, and zlib), SUSE (bind, curl, dnsdist, docker, ffmpeg-7, firefox, glibc, golang-github-prometheus-alertmanager, govulncheck-vulndb, icinga2, iputils, java-11-openjdk, java-1_8_0-ibm, kea, kernel, libopenssl-3-devel, libsoup, libxml2, nodejs-electron, open-vm-tools, openbao, perl-Net-Dropbox-API, pluto, poppler, postgresql14, postgresql15, postgresql16, postgresql17, python312-setuptools, runc, s390-tools, skopeo, sqlite3, thunderbird, and unbound), and Ubuntu (apport and libphp-adodb). --------------------------------------------- https://lwn.net/Articles/1023501/ ∗∗∗ Multiple vulnerabilities in wivia 5 ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN51394666/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.05.2025
by Daily end-of-shift report 30 May '25

30 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-05-2025 18:00 − Freitag 30-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Interlock ransomware gang deploys new NodeSnake RAT on universities ∗∗∗ --------------------------------------------- The Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutes for persistent access to corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-de… ∗∗∗ APT41 malware abuses Google Calendar for stealthy C2 communication ∗∗∗ --------------------------------------------- The Chinese APT41 hacking group uses a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-… ∗∗∗ Threat actors abuse Google Apps Script in evasive phishing attacks ∗∗∗ --------------------------------------------- Threat actors are abusing the ‘Google Apps Script’ development platform to host phishing pages that appear legitimate and steal login credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a… ∗∗∗ ConnectWise breached in cyberattack linked to nation-state hackers ∗∗∗ --------------------------------------------- IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cybe… ∗∗∗ Everest Group Extorts Global Orgs via SAPs HR Tool ∗∗∗ --------------------------------------------- Extortionist-cum-information broker "Everest Group" has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/everest-group-extort… ∗∗∗ Sicherheitslücke: Warum ChatGPT oft den gesamten Onedrive-Ordner lesen kann ∗∗∗ --------------------------------------------- Forscher warnen vor einer Sicherheitslücke in Microsofts File Picker für Onedrive. Apps wie ChatGPT können weitaus mehr lesen, als Anwender erwarten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-warum-chatgpt-oft-den-gesamten-… ∗∗∗ Exploits and vulnerabilities in Q1 2025 ∗∗∗ --------------------------------------------- This report contains statistics on vulnerabilities and published exploits, along with an analysis of the most noteworthy vulnerabilities we observed in the first quarter of 2025. --------------------------------------------- https://securelist.com/vulnerabilities-and-exploits-in-q1-2025/116624/ ∗∗∗ New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers ∗∗∗ --------------------------------------------- Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet. --------------------------------------------- https://thehackernews.com/2025/05/new-windows-rat-evades-detection-for.html ∗∗∗ Attack on LexisNexis Risk Solutions exposes data on 300k + ∗∗∗ --------------------------------------------- LexisNexis Risk Solutions (LNRS) is the latest big-name organization to disclose a serious cyberattack leading to data theft, with the number of affected individuals pegged at 364,333. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/28/attack_on_le… ∗∗∗ Billions of cookies up for grabs as experts warn over session security ∗∗∗ --------------------------------------------- A VPN vendor says billions of stolen cookies currently on sale either on dark web or Telegram-based marketplaces remain active and exploitable. More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/29/billions_of_… ∗∗∗ U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams ∗∗∗ --------------------------------------------- The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers. --------------------------------------------- https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as… ∗∗∗ Fake Bitdefender website used to spread infostealer malware ∗∗∗ --------------------------------------------- The attackers created a website that closely mimics Bitdefender’s legitimate Windows download page. Victims are infected after clicking a seemingly authentic “Download for Windows” button, which delivers a malicious archive. The archive contains executable files configured to deploy VenomRAT, which is used for remote access, keylogging and data exfiltration. --------------------------------------------- https://therecord.media/fake-bitdefender-website-venomrat-infostealer ∗∗∗ Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say ∗∗∗ --------------------------------------------- Cybersecurity researchers at BeyondTrust are warning about a little-known but dangerous issue within Microsoft’s Entra identity platform. The issue isn’t some hidden bug or overlooked vulnerability; it’s a feature, built into the system by design, that attackers can exploit. --------------------------------------------- https://hackread.com/microsoft-entra-design-guest-users-gain-azure-control/ ∗∗∗ Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale ∗∗∗ --------------------------------------------- A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.” --------------------------------------------- https://hackread.com/threat-actor-tiktok-breach-428-million-records-sale/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (firefox-esr, libvpx, net-tools, php-twig, python-tornado, setuptools, varnish, webpy, yelp, and yelp-xsl), Fedora (xen), Mageia (cimg and ghostscript), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, thunderbird, and unbound), Red Hat (firefox, mingw-freetype and spice-client-win, pcs, and varnish:6), Slackware (curl and mozilla), SUSE (apparmor, containerd, dnsdist, go1.23-openssl, go1.24, gstreamer-plugins-bad, ImageMagick, jetty-minimal, python-tornado, python313-setuptools, s390-tools, thunderbird, tomcat10, ucode-intel, and wxWidgets-3_2), and Ubuntu (ffmpeg, krb5, libsoup3, libsoup2.4, linux-aws-5.4, linux-aws-fips, linux-fips, linux-oracle-6.8, net-tools, and python-setuptools, setuptools). --------------------------------------------- https://lwn.net/Articles/1023072/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, firefox, ghostscript, gstreamer1-plugins-bad-free, libsoup3, mingw-freetype, perl, ruby, sqlite, thunderbird, unbound, valkey, and xz), Debian (chromium, firefox-esr, libavif, linux-6.1, modsecurity-apache, mydumper, systemd, and thunderbird), Fedora (coreutils, dnsdist, docker-buildx, maturin, mingw-python-flask, mingw-python-flit-core, ruff, rust-hashlink, rust-rusqlite, and thunderbird), Red Hat (pcs), SUSE (augeas, brltty, brotli, ca-certificates-mozilla, dnsdist, glibc, grub2, kernel, libsoup, libsoup2, libxml2, open-vm-tools, perl, postgresql13, postgresql15, postgresql16, postgresql17, python-cryptography, python-httpcore, python-h11, python311, runc, s390-tools, slurm, slurm_20_11, slurm_22_05, slurm_23_02, slurm_24_11, tomcat, and webkit2gtk3), and Ubuntu (linux-aws). --------------------------------------------- https://lwn.net/Articles/1023259/ ∗∗∗ On Demand JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.05.2025
by Daily end-of-shift report 28 May '25

28 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-05-2025 18:00 − Mittwoch 28-05-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers ∗∗∗ --------------------------------------------- GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know. --------------------------------------------- https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-rou… ∗∗∗ DragonForce Ransomware Strikes MSP in Supply Chain Attack ∗∗∗ --------------------------------------------- DragonForce, a ransomware "cartel" that has gained significant popularity since its debut in 2023, attacked an MSP as part of a recent supply chain attack, via known SimpleHelp bugs. --------------------------------------------- https://www.darkreading.com/application-security/dragonforce-ransomware-msp… ∗∗∗ Zanubis in motion: Tracing the active evolution of the Android banking malware ∗∗∗ --------------------------------------------- A comprehensive historical breakdown of Zanubis changes, including RC4 and AES encryption, credentials stealing and new targets in Peru, provided by Kaspersky GReAT experts. --------------------------------------------- https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/1165… ∗∗∗ Fake Java Update Popup Found in Malicious WordPress Plugin ∗∗∗ --------------------------------------------- We recently assisted a customer who reported a persistent and concerning "Java Update" pop-up appearing on their WordPress website. This type of deceptive notification is a common tactic used by attackers to compromise website visitors. Our investigation revealed a malicious plugin operating stealthily within their WordPress environment. --------------------------------------------- https://blog.sucuri.net/2025/05/fake-java-update-popup-found-in-malicious-w… ∗∗∗ OneDrive File Picker Flaw Provides ChatGPT and Other Web Apps Full Read Access to Users’ Entire OneDrive ∗∗∗ --------------------------------------------- Oasis Securitys research team uncovered a flaw in Microsofts OneDrive File Picker that allows websites to access a user’s entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp – meaning millions of users may have already granted these apps access to their OneDrive. --------------------------------------------- https://www.oasis.security/resources/blog/onedrive-file-picker-security-fla… ∗∗∗ Chinese spies blamed for attempted hack on Czech government network ∗∗∗ --------------------------------------------- Czech authorities said they assessed with “a high degree of certainty” that a Chinese cyber-espionage group known as APT31, Judgment Panda, Bronze Vinewood or RedBravo tried to hack into a government network. --------------------------------------------- https://therecord.media/czechia-accuses-china-cyber-espionage-apt31 ∗∗∗ New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know ∗∗∗ --------------------------------------------- ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods. --------------------------------------------- https://hackread.com/new-phishing-campaign-dbatloader-drop-remcos-rat/ ∗∗∗ Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users ∗∗∗ --------------------------------------------- ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users. --------------------------------------------- https://hackread.com/malware-ai-models-pypi-targets-alibaba-ai-labs-users/ ∗∗∗ Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day ∗∗∗ --------------------------------------------- On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. The infrastructure and execution suggest centralized planning. --------------------------------------------- https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-ta… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken: IBM Guardium Data Protection als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Aufgrund von mehreren Schwachstellen kann es zu Datenlecks im Kontext von IBM Guardium Data Protection kommen. Updates schaffen Abhilfe. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-IBM-Guardium-Data-Protection-a… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools). --------------------------------------------- https://lwn.net/Articles/1022853/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 139 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/ ∗∗∗ F5: K000151516, Python urllib vulnerability CVE-2019-9947 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151516 ∗∗∗ F5: K000151520, Python vulnerabilities CVE-2018-20852, CVE-2014-4616, and CVE-2013-7040 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151520 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2025
by Daily end-of-shift report 27 May '25

27 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 26-05-2025 18:00 − Dienstag 27-05-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MATLAB dev confirms ransomware attack behind service outage ∗∗∗ --------------------------------------------- MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mathworks-blames-ransomware-… ∗∗∗ Not Every CVE Deserves a Fire Drill: Focus on What’s Exploitable ∗∗∗ --------------------------------------------- Not every "critical" vulnerability is a critical risk. Picus Exposure Validation cuts through the noise by testing whats actually exploitable in your environment — so you can patch what matters. --------------------------------------------- https://www.bleepingcomputer.com/news/security/not-every-cve-deserves-a-fir… ∗∗∗ Chinese-Owned VPNs ∗∗∗ --------------------------------------------- One one my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain. A new study found that many commercials VPNS are (often surreptitiously) owned by Chinese companies. It would be hard for U.S. users to avoid the Chinese VPNs. The ownership of many appeared deliberately opaque, with several concealing their structure behind layers of offshore shell companies. --------------------------------------------- https://www.schneier.com/blog/archives/2025/05/chinese-owned-vpns.html ∗∗∗ Cyber Security Operations Center: ESA will mehr IT-Sicherheit ∗∗∗ --------------------------------------------- Die Raumfahrtagentur ESA verstärkt ihre IT-Sicherheitsbemühungen. Dazu eröffnete sie nun das Cyber Security Operations Center. --------------------------------------------- https://www.heise.de/news/Cyber-Security-Operations-Center-ESA-will-mehr-IT… ∗∗∗ Dutch intelligence unmasks previously unknown Russian hacking group Laundry Bear ∗∗∗ --------------------------------------------- Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard. --------------------------------------------- https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlan… ∗∗∗ Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites ∗∗∗ --------------------------------------------- Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-wea… ===================== = Vulnerabilities = ===================== ∗∗∗ GitHub MCP Exploited: Accessing private repositories via MCP ∗∗∗ --------------------------------------------- We showcase a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data. The vulnerability is among the first discovered by Invariants security analyzer for detecting toxic agent flows. --------------------------------------------- https://invariantlabs.ai/blog/mcp-github-vulnerability ∗∗∗ Update für ManageEngine ADAudit Plus stopft hochriskante Sicherheitslücken ∗∗∗ --------------------------------------------- In ManageEngine ADAudit Plus hat Hersteller Zoho zwei als hohes Risiko eingestufte Schwachstellen ausgebessert. --------------------------------------------- https://www.heise.de/news/Update-fuer-ManageEngine-ADAudit-Plus-stopft-hoch… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free, libsoup, and python-tornado), Debian (libavif and pgbouncer), Red Hat (gstreamer1-plugins-bad-free, mingw-freetype and spice-client-win, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, and python310-setuptools), and Ubuntu (flask, intel-microcode, openjdk-17-crac, tika, and Tomcat). --------------------------------------------- https://lwn.net/Articles/1022703/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.24 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/ ∗∗∗ Security Vulnerabilities fixed in Firefox 139 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.05.2025
by Daily end-of-shift report 26 May '25

26 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-05-2025 18:00 − Montag 26-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying ∗∗∗ --------------------------------------------- An example of how a single malware operation can enable both criminal and state-sponsored hacking. --------------------------------------------- https://arstechnica.com/security/2025/05/feds-charge-16-russians-allegedly-… ∗∗∗ Gitlab Duo: Versteckter Kommentar lässt KI-Tool privaten Code leaken ∗∗∗ --------------------------------------------- Gitlab Duo hatte zuletzt ernste Sicherheitsprobleme. Angreifer konnten privaten Quellcode abgreifen oder Schadcode in fremde Softwareprojekte einschleusen. --------------------------------------------- https://www.golem.de/news/gitlab-duo-versteckter-kommentar-laesst-ki-tool-p… ∗∗∗ Fake Google Meet Page Tricks Users into Running PowerShell Malware ∗∗∗ --------------------------------------------- Last month, a customer reached out to us after noticing suspicious URLs on their WordPress site. Visitors reported being prompted to perform unusual actions.We began our investigation, scanning the site for common .. --------------------------------------------- https://blog.sucuri.net/2025/05/fake-google-meet-page-tricks-users-into-run… ∗∗∗ Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique ∗∗∗ --------------------------------------------- The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector."The ClickFix technique is particularly risky because it allows the malware to execute in memory .. --------------------------------------------- https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.h… ∗∗∗ Operation Endgame 2: 15 Millionen E-Mail-Adressen und 43 Millionen Passwörter ∗∗∗ --------------------------------------------- Bei "Operation Endgame 2.0" kamen viele Millionen Adressen und Passwörter von Opfern ans Licht. Have I Been Pwned hat sie aufgenommen. --------------------------------------------- https://www.heise.de/news/Operation-Endgame-2-15-Millionen-E-Mail-Adressen-… ∗∗∗ Neuer Lieferkettenangriff mit bösartigen Skripten in npm-Paketen ∗∗∗ --------------------------------------------- Ein neuer Angriff auf die Lieferkette bedroht Workstations und CI-Umgebungen. Das bösartige Skript spioniert interne Daten für weitere Attacken aus. --------------------------------------------- https://www.heise.de/news/Neuer-Lieferkettenangriff-mit-boesartigen-Skripte… ∗∗∗ Kriminelle Gruppe "Careto" angeblich von spanischer Regierung gelenkt ∗∗∗ --------------------------------------------- Nicht nur China und Russland steuern Cybergangs. Ehemalige Kaspersky-Mitarbeiter behaupten, die Bande "Careto" werde von Spanien gelenkt. --------------------------------------------- https://www.heise.de/news/Kriminelle-Gruppe-Careto-angeblich-von-spanischer… ∗∗∗ Hacker bietet 1,2 Milliarden Facebook-Nutzerdaten im Darknet – ist es ein Fake? ∗∗∗ --------------------------------------------- Gab es ein neues Datenleck bei Meta-Tochter Facebook? Ein Hacker behauptet 1,2 Milliarden Facebook-Nutzerdaten über eine API abgezogen zu haben und bietet diese im Darknet zum Kauf an. Es gibt aber Zweifel, ob diese Daten neu sind. --------------------------------------------- https://www.borncity.com/blog/2025/05/23/hacker-bietet-12-milliarden-facebo… ∗∗∗ Offensive Threat Intelligence ∗∗∗ --------------------------------------------- CTI isn’t just for blue teams. Used properly, it sharpens red team tradecraft, aligns ops to real-world threats, and exposes blind spots defenders often miss. It’s not about knowing threats, it’s about becoming them long enough to help others beat them. --------------------------------------------- https://blog.zsec.uk/offensive-cti/ ∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗ --------------------------------------------- AhnLab and the National Cyber Security Center (NCSC) have released a report that details the activities of the TA-ShadowCricket group from 2023 to the present. --------------------------------------------- https://asec.ahnlab.com/en/88137/ ∗∗∗ ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks ∗∗∗ --------------------------------------------- Cofense Intelligences May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat. --------------------------------------------- https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/ ∗∗∗ BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover ∗∗∗ --------------------------------------------- Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any… --------------------------------------------- https://hackread.com/badsuccessor-exploits-windows-server-2025-takeover/ ∗∗∗ How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation ∗∗∗ --------------------------------------------- In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API – no scaffolding, no agentic frameworks, no tool use. --------------------------------------------- https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-re… ∗∗∗ Bypassing MTE with CVE-2025-0072 ∗∗∗ --------------------------------------------- In this post, I’ll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled. --------------------------------------------- https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-… ∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗ --------------------------------------------- In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally .. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5924-1 intel-microcode - security update ∗∗∗ --------------------------------------------- This update ships updated CPU microcode for some types of Intel CPUs. Inparticular it provides mitigations for the Indirect Target Selection(ITS) vulnerability (CVE-2024-28956) and the Branch Privilege Injectionvulnerability (CVE-2024-45332).For CPUs affected to ITS (Indirect Target Selection), to fully mitigatethe vulnerability it is also necessary to .. --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00087.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2025
by Daily end-of-shift report 23 May '25

23 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-05-2025 18:00 − Freitag 23-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TikTok videos now push infostealer malware in ClickFix attacks ∗∗∗ --------------------------------------------- As Trend Micro recently discovered, the threat actors behind this TikTok social engineering campaign are using videos likely generated using AI that ask viewers to run commands claiming to activate Windows and Microsoft Office, as well as premium features in various legitimate software like CapCut and Spotify. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infos… ∗∗∗ FBI warns of Luna Moth extortion attacks targeting law firms ∗∗∗ --------------------------------------------- The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks. Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022 and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-luna-moth-extor… ∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗ --------------------------------------------- In this blog post, we get to the heart of the matter, the actual security of the Windows Registry. I'd like to talk about what made a feature that was initially meant to be just a quick test of my fuzzing infrastructure draw me into manual research for the next 1.5 ~ 2 years, and result in Microsoft fixing (so far) 53 CVEs. I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate, and some considerations on effective fuzzing and where more bugs might still be lurking. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu… ∗∗∗ GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. --------------------------------------------- https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html ∗∗∗ ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network. --------------------------------------------- https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html ∗∗∗ Oops: DanaBot Malware Devs Infected Their Own PCs ∗∗∗ --------------------------------------------- The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware. --------------------------------------------- https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-thei… ∗∗∗ Fake-Geburtstagsgeschenk: Abofalle im Namen von Rituals im Umlauf ∗∗∗ --------------------------------------------- Derzeit sind betrügerische E-Mails im Umlauf, die angeblich von Rituals stammen. Sie versprechen eine luxuriöse Geburtstags-Geschenkbox zum Sonderpreis von nur zwei Euro. Doch Vorsicht: Hinter dem scheinbar großzügigen Angebot verbirgt sich keine echte Überraschung, sondern eine teure Abofalle! --------------------------------------------- https://www.watchlist-internet.at/news/fake-geburtstagsgeschenk-abofalle-im… ∗∗∗ Sicherheitsrisiko AD-Verwaltung und Gruppe Authenticated Users ∗∗∗ --------------------------------------------- Ein Blog-Leser hat mich die Tage auf ein möglicherweise bei einigen Active Directory-Systemen bestehende Sicherheitsrisiko hingewiesen. Sind in der Active-Directory-Gruppe Authenticated Users externe Konten enthalten, könnten Freigaben interner Dienste (Drucker etc.) ungewollt externen Nutzern offen stehen. --------------------------------------------- https://www.borncity.com/blog/2025/05/22/sicherheitsrisiko-ad-verwaltung-un… ∗∗∗ Information Leakage Caused by DB Client Tool ∗∗∗ --------------------------------------------- In recent breach incidents, threat actors have been observed not only accessing systems, but also directly querying internal databases and stealing sensitive information. Particularly, more threat actors are installing DB client tools directly on targeted systems to exfiltrate data, and legitimate tools such as DBeaver, Navicat, and sqlcmd are being used in this process. --------------------------------------------- https://asec.ahnlab.com/en/88134/ ∗∗∗ Scarcity signals: Are rare activities red flags? ∗∗∗ --------------------------------------------- Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones. --------------------------------------------- https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red… ∗∗∗ Operation Endgame 2.0: 20 Haftbefehle, Hunderte Server außer Gefecht gesetzt ∗∗∗ --------------------------------------------- Internationale Strafverfolger gehen weiter gegen Malware-Autoren vor. Im Rahmen der "Operation Endgame 2.0" haben die Sicherheitsbehörden aus Deutschland – das BKA und die Generalstaatsanwaltschaft Frankfurt am Main – die Cyberkriminellen nun empfindlich getroffen. Allein in Deutschland nahmen die Behörden 50 Server vom Netz, 650 Domains sind nicht mehr unter der Kontrolle der Cybergangster. --------------------------------------------- https://heise.de/-10394215 ∗∗∗ Fault Injection-Angriffe auf die Mikrocontroller nRF54L15 und STM32L051 (SYSS-2025-022/-033) ∗∗∗ --------------------------------------------- Der Begriff "Fault Injection" bezeichnet eine Klasse von Schwachstellen, bei denen Angreifende gezielt versuchen, Fehlerzustände in Systemen zu erzeugen. Diese Fehlerzustände führen dabei zu abnormalem Verhalten der Systeme und können ausgenutzt werden, um Sicherheitsbeschränkungen zu umgehen. So ist es beispielsweise möglich, kryptografische Schlüssel zu extrahieren oder Lesebeschränkungen von internen Datenspeichern zu umgehen. --------------------------------------------- https://www.syss.de/pentest-blog/fault-injection-angriffe-auf-die-mikrocont… ===================== = Vulnerabilities = ===================== ∗∗∗ 2025-05-22: Cyber Security Advisory - ASPECT advisory several CVEs ∗∗∗ --------------------------------------------- Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&Lan… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dotnet9.0, dropbear, ghostscript, nbdkit, openssh, python-watchfiles, rpm-ostree, yelp, yelp-xsl, and zsync), Oracle (firefox and kernel), Red Hat (osbuild-composer), Slackware (aaa_glibc and mozilla), SUSE (chromedriver, open-vm-tools, postgresql14, python-cryptography, and thunderbird), and Ubuntu (linux-aws, linux-hwe-5.4, python, and sqlite3). --------------------------------------------- https://lwn.net/Articles/1022352/ ∗∗∗ Infoblox NetMRI is vulnerable to CVE-2024-54188 ∗∗∗ --------------------------------------------- https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE… ∗∗∗ [R1] Tenable Network Monitor Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-10 ∗∗∗ Lantronix Device Installer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01 ∗∗∗ Rockwell Automation FactoryTalk Historian ThingWorx ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.05.2025
by Daily end-of-shift report 22 May '25

22 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-05-2025 18:00 − Donnerstag 22-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Strafverfolger beschlagnahmen Lumma Stealer-Infrastruktur (Mai 2025) ∗∗∗ --------------------------------------------- In einer koordinierten Aktion haben US-Strafverfolger die Infrastruktur (C & C-Server) des Lumma-Infostealers beschlagnahmt und die Funktion lahm gelegt. Die Malware ist für zahlreiche Cyberangriffe auf Nutzer mit Abgreifen von Informationen verantwortlich und es waren fast 400.000 PC infiziert. [..] Microsoft bezeichnet den Akteur, der Lumma als Malware-as-a-service (MaaS) anbietet, als Storm-2477. [..] Das Ganze erfolgte in Zusammenarbeit mit Strafverfolgungsbehörden (FBI, Europol, JC3) und Industriepartnern (ESET, Bitsight, Lumen, Cloudflare, CleanDNS und GMO Registry). --------------------------------------------- https://www.borncity.com/blog/2025/05/22/strafverfolger-beschlagen-lumma-st… ∗∗∗ 3AM ransomware uses spoofed IT calls, email bombing to breach networks ∗∗∗ --------------------------------------------- A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-spoofed-… ∗∗∗ Signal now blocks Microsoft Recall screenshots on Windows 11 ∗∗∗ --------------------------------------------- Signal has updated its Windows app to protect users privacy by blocking Microsofts AI-powered Recall feature from taking screenshots of their conversations. [..] This new privacy feature, dubbed "screen security," is now enabled by default on all Windows 11 devices, where Recall continuously takes screenshots of all active windows every few seconds and analyzes them to build a database that can be searched using natural language. When enabled, screen security will set a Digital Rights Management (DRM) flag on Signal's app windows, blocking their content from being captured by Recall or other Windows apps and features. --------------------------------------------- https://www.bleepingcomputer.com/news/security/signal-now-blocks-microsoft-… ∗∗∗ Storm-0558 and the Dangers of Cross-Tenant Token Forgery ∗∗∗ --------------------------------------------- Modern cloud ecosystems often place a single identity provider in charge of handling logins and tokens for a wide range of customers. This approach certainly streamlines single sign-on (SSO) for end users, but it also places enormous trust in a single set of signing keys. If those private keys are compromised, attackers can create tokens that appear valid to any service that relies on them. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/storm-0558-… ∗∗∗ Another Fake Cloudflare Verification Targets WordPress Sites ∗∗∗ --------------------------------------------- A new Cloudflare infection has once again been targeting WordPress sites. This new iteration of malware mimics a legitimate-looking Cloudflare verification page, which then tricks victims into following various commands and downloading malware. This style of malware is not new – our researcher Ben Martin wrote about a similar campaign targeting WordPress sites back in March. The difference between this new infection and previous ones is the location of where the malware is located – spread out among multiple themes and fake plugins. Additionally, this variant is delivered in three stages, which helps the attacker avoid detection and maintain control over what is delivered at each step. --------------------------------------------- https://blog.sucuri.net/2025/05/another-fake-cloudflare-verification-target… ∗∗∗ Datenleck bei Coinbase: Massive Phishing-Welle rollt ∗∗∗ --------------------------------------------- Nachdem Hacker zahlreiche Kund:innendaten der Krypto-Plattform gestohlen und weiterverkauft haben, werden aktuell vermehrt Phishing-Versuche im Namen von Coinbase gemeldet. Die Kriminellen kontaktieren Ihre Opfer entweder per E-Mail oder via Telefon mit dem Ziel, an sensible Informationen zu kommen oder Überweisungen zu veranlassen. --------------------------------------------- https://www.watchlist-internet.at/news/datenleck-bei-coinbase-phishing/ ∗∗∗ BadSuccessor: dMSA zur Privilegien-Erhöhung in Active Directory missbrauchen ∗∗∗ --------------------------------------------- In Windows Server 2025 wurden delegated Managed Service Accounts (dMSAs) neu eingeführt. Das sind Service-Konten für das Active Directory (AD), die neue Funktionen ermöglichen sollen. Sicherheitsforscher sind nun darauf gestoßen, dass durch den Missbrauch von dMSAs Angreifer jeden Principal in der Domäne übernehmen können. [..] Derzeit will Microsoft das Problem aus obigen Gründen nicht fixen – sondern das Problem irgendwann in Zukunft beheben (es gibt also keinen Patch). --------------------------------------------- https://www.borncity.com/blog/2025/05/22/badsuccessor-dmsa-zur-privilegien-… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances. It's worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues following the end of the 90-day deadline. --------------------------------------------- https://thehackernews.com/2025/05/unpatched-versa-concerto-flaws-let.html ∗∗∗ Cisco Security Advisories 2025-05-21 ∗∗∗ --------------------------------------------- Cisco hat 10 neue Security Advisories veröffentlicht. Zwei der neuen Advisories sind als “High” eingestuft und 8 als “Medium”. Die als "High" eingestuften Advisories betreffen Schwachstellen in Cisco Identity Services Engine RADIUS und Cisco Unified Intelligence Center. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Mozilla Security Advisories 2025-05-20 ∗∗∗ --------------------------------------------- Thunderbird (critical) and Firefox (low) --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (mozilla-ublock-origin and sudo-rs), Oracle (.NET 8.0, compat-openssl10, grafana, osbuild-composer, redis:6, ruby:2.5, and webkit2gtk3), SUSE (dante, firefox-esr, gnuplot, govulncheck-vulndb, grype, postgresql13, postgresql14, postgresql15, postgresql16, postgresql17, python-tornado6, python314, thunderbird, ucode-intel, and xen), and Ubuntu (bind9, libfcgi-perl, linux-ibm-5.4, linux-oracle-5.4, postgresql-17, and Tomcat). --------------------------------------------- https://lwn.net/Articles/1022189/ ∗∗∗ Authentifizierung: Kritische Lücke in Samlify macht Angreifer zu Admins ∗∗∗ --------------------------------------------- Admins, die Single-Sign-On-Anmeldungen (SSO) über die weitverbreitete Node.js-Bibliothek Samlify realisieren, sollten den verfügbaren Sicherheitspatch zeitnah installieren. Geschieht das nicht, können Angreifer die Authentifizierung umgehen und mit weitreichenden Rechten auf Systeme zugreifen. [..] Auf die "kritische" Sicherheitslücke (CVE-2025-47949) sind Sicherheitsforscher von Endor Labs gestoßen. --------------------------------------------- https://heise.de/-10392315 ∗∗∗ Angreifer können mit VMware erstellte virtuelle Maschinen crashen ∗∗∗ --------------------------------------------- Aus der Warnmeldung geht hervor, dass die am gefährlichsten eingestufte Schwachstelle (CVE-2025-41225 "hoch") vCenter Server betrifft. An dieser Stelle kann ein authentifizierter Angreifer eigene Befehle ausführen. Verfügt ein Angreifer über Gast-VM-Rechte, kann er für eine Gast-VM einen DoS-Zustand erzeugen (CVE-2025-41226 "mittel"). So etwas führt in der Regel zu Abstürzen. Weiterhin sind noch weitere DoS-Attacken (CVE-2025-41227 "mittel") und XSS-Angriffe (CVE-2025-41228 "mittel") möglich. --------------------------------------------- https://heise.de/-10392911 ∗∗∗ Drupal Security Advisories 2025-05-21 ∗∗∗ --------------------------------------------- https://www.drupal.org/security ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 12, 2025 to May 18, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2025
by Daily end-of-shift report 21 May '25

21 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-05-2025 18:00 − Mittwoch 21-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 11’s most important new feature is post-quantum cryptography. Here’s why. ∗∗∗ --------------------------------------------- For the first time, new quantum-safe algorithms can be invoked using standard Windows APIs. --------------------------------------------- https://arstechnica.com/security/2025/05/heres-how-windows-11-aims-to-make-… ∗∗∗ VanHelsing ransomware builder leaked on hacking forum ∗∗∗ --------------------------------------------- The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vanhelsing-ransomware-builde… ∗∗∗ Dero miner zombies biting through Docker APIs to build a cryptojacking horde ∗∗∗ --------------------------------------------- Kaspersky experts break down an updated cryptojacking campaign targeting containerized environments: a Dero crypto miner abuses the Docker API. [..] The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. --------------------------------------------- https://securelist.com/dero-miner-infects-containers-through-docker-api/116… ∗∗∗ Chrome kann unsichere Passwörter künftig komplett selbst ändern ∗∗∗ --------------------------------------------- Googles Chrome-Browser soll bald automatisch Passwörter ändern können, wenn bei der Anmeldung damit erkannt wird, dass es kompromittiert wurde. [..] Im Idealfall bekommen Nutzer und Nutzerinnen in Chrome dann künftig einen Hinweis, wenn ein gespeichertes Passwort in einem Datenleck gefunden wurde und können den Browser dazu bringen, das Passwort durch ein sicheres zu ersetzen. Das wird dann im Passwortmanager von Chrome abgespeichert, das unsichere wird ersetzt. Die automatische Passwortänderung benötigt dafür insgesamt nur einen Klick. --------------------------------------------- https://heise.de/-10391298 ∗∗∗ Sicherheitsbehörden warnen vor russischer Spionage mit IP-Kameras ∗∗∗ --------------------------------------------- Mutmaßliche Mitarbeiter des russischen Militärgeheimdienstes GRU haben sich Zugriff auf Netzwerke und IP-Kameras von Betreibern kritischer Infrastrukturen (KRITIS) verschafft. Das melden unter anderem NSA, FBI, der Bundesnachrichtendienst (BND) und die Bundesämter für Verfassungsschutz (BfV) sowie Sicherheit in der Informationstechnik (BSI).[..] Betroffen sind laut einer Mitteilung der Behörden vor allem Unternehmen aus der Logistikbranche. --------------------------------------------- https://heise.de/-10391927 ∗∗∗ CISA, NIST Researchers Develop Metric to Determine Likelihood of Vulnerability Exploitation ∗∗∗ --------------------------------------------- Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have developed a new security metric to determine the likelihood that a vulnerability has been exploited. In a paper published this week, Peter Mell, formerly of NIST, and CISA’s Jonathan Spring outlined their vulnerability exploit metric that augments the work of the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog. --------------------------------------------- https://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/ ===================== = Vulnerabilities = ===================== ∗∗∗ Lücke in OpenPGP.js gefährdet verschlüsselten E-Mail-Verkehr ∗∗∗ --------------------------------------------- In OpenPGP.js, einer weitverbreiteten Javascript-Implementierung von OpenPGP, klafft eine gefährliche Sicherheitslücke, durch die sich das Ergebnis der Signaturprüfung fälschen lässt. Laut einer Sicherheitsmeldung auf Github kann ein Angreifer speziell manipulierte Daten an die Funktionen openpgp.verify oder openpgp.decrypt übergeben, um verschlüsselte und/oder signierte Nachrichten zu spoofen. CVE-2025-47934 --------------------------------------------- https://www.golem.de/news/manipulationsgefahr-luecke-in-openpgp-js-gefaehrd… ∗∗∗ Mehrere Schwachstellen bei eCharge Hardy Barth cPH2 und cPP2 Ladestationen ∗∗∗ --------------------------------------------- Hardy Barth EV charging station products are affected by critical vulnerabilities that can be exploited through both physical access and unauthenticated network access. These vulnerabilities pose significant risks, including system compromise, data breaches, and operational disruptions within EV charging infrastructures. [..] The vendor has not provided a fix for any of the reported vulnerabilities. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… ∗∗∗ Mehrere Sicherheitslücken bedrohen VMware Cloud Foundation ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, sind die Lücken (CVE-2025-41229, CVE-2025-41230, CVE-2025-41231) mit dem Bedrohungsgrad "hoch" eingestuft. Nutzen Angreifer die Schwachstellen erfolgreich aus, können sie etwa im Netzwerk über den Port 443 auf sensitive Informationen oder interne Services zugreifen. --------------------------------------------- https://heise.de/-10390932 ∗∗∗ Millions of Node.js Apps at Risk Due to Critical Multer Vulnerabilities ∗∗∗ --------------------------------------------- Two high-severity security flaws have been identified in Multer, a popular middleware used in Node.js applications for handling file uploads. The Multer vulnerabilities, tracked as CVE-2025-47944 and CVE-2025-47935, affect all versions from 1.4.4-lts.1 up to but not including 2.0.0. According to the GitHub post, the two vulnerabilities “allow an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. --------------------------------------------- https://thecyberexpress.com/multer-vulnerabilities-expose-node-js/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, avahi, buildah, compat-openssl10, compat-openssl11, expat, firefox, gimp, git, grafana, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:22, osbuild-composer, php, redis, redis:7, skopeo, thunderbird, vim, webkit2gtk3, xterm, and yelp), Arch Linux (dropbear, freetype2, go, nodejs, nodejs-lts-iron, nodejs-lts-jod, python-django, webkit2gtk, webkit2gtk-4.1, webkitgtk-6.0, and wpewebkit), Debian (mongo-c-driver), Fedora (openssh, perl-Mojolicious, thunderbird, yelp, and yelp-xsl), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-ibm-semeru-certified-jdk, java-21-openjdk, kernel, libxslt, ruby, ruby:3.1, ruby:3.3, unbound, and webkit2gtk3), SUSE (glib2, grub2, kernel, libwebp, openssh, and s390-tools), and Ubuntu (linux, linux-azure, linux-azure-6.11, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oem-6.11, linux-raspi, linux-realtime, linux-azure, linux-azure-5.15, linux-nvidia-tegra, linux-azure, linux-azure-6.8, linux-oem-6.8, linux-azure, linux-kvm, linux-azure-fips, linux-azure-nvidia, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, mariadb-10.6, and postgresql-12, postgresql-14, postgresql-16). --------------------------------------------- https://lwn.net/Articles/1022030/ ∗∗∗ Assured Telematics Inc (ATI) Fleet Management System with Geotab Integration ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-11 ∗∗∗ Vertiv Liebert RDU101 and UNITY ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-10 ∗∗∗ AutomationDirect MB-Gateway ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-09 ∗∗∗ Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-04 ∗∗∗ f5: K000151431: Intel Ethernet Controller and Adapter vulnerability CVE-2024-24983 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151431 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2025
by Daily end-of-shift report 20 May '25

20 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 19-05-2025 18:00 − Dienstag 20-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains ∗∗∗ --------------------------------------------- A threat actor named Hazy Hawk has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS). --------------------------------------------- https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-… ∗∗∗ 100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads ∗∗∗ --------------------------------------------- An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. --------------------------------------------- https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html ∗∗∗ Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more… ∗∗∗ --------------------------------------------- Overall, we’ve proven that although a fair amount of effort has been put into enforcing the restrictions of Restricted View there are plenty of ways to circumvent them. Therefore, it is important for administrators and users to understand that it can not be relied on to secure data against motivated attackers. --------------------------------------------- https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-… ∗∗∗ Duping Cloud Functions: An emerging serverless attack vector ∗∗∗ --------------------------------------------- Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure. --------------------------------------------- https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serve… ∗∗∗ Compromised RVTools Installer Spreading Bumblebee Malware ∗∗∗ --------------------------------------------- RVTools installer on its official site was found delivering malware. Research shows it spread Bumblebee loader. Users urged to verify downloads. --------------------------------------------- https://hackread.com/compromised-rvtools-installer-drop-bumblebee-malware/ ∗∗∗ Gehärtete Images von Docker verbessern die Sicherheit und entlasten Entwickler ∗∗∗ --------------------------------------------- Mit den Hardened Images (DHI) bietet Docker sichere, schlanke und Compliance-konforme Images. Mit dabei sind unter anderem Microsoft, Neo4J oder GitLab. --------------------------------------------- https://heise.de/-10388766 ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3 Security Advisories Tue. 20th May, 2025 ∗∗∗ --------------------------------------------- TYPO3 has released 11 new security advisories. --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, python311-cramjam, python311-httptools, python311-jwcrypto, python311-loguru, python311-mechanize, python311-nltk, python311-oauthlib, python311-py7zr, python311-pycapnp, python311-pyspnego, python311-pywayland, python311-suds, python311-treq, python311-ujson, python311-waitress, ruby3.4-rubygem-actionmailer, ruby3.4-rubygem-actiontext, ruby3.4-rubygem-activerecord, ruby3.4-rubygem-activestorage, ruby3.4-rubygem-fluentd, ruby3.4-rubygem-globalid, ruby3.4-rubygem-jquery-rails, ruby3.4-rubygem-kramdown, ruby3.4-rubygem-loofah, ruby3.4-rubygem-multi_xml, ruby3.4-rubygem-puma, ruby3.4-rubygem-rails, ruby3.4-rubygem-rails-html-sanitizer, ruby3.4-rubygem-sprockets, ruby3.4-rubygem-web-console, ruby3.4-rubygem-websocket-extensions, ucode-intel-20250512, and valkey), and Ubuntu (dotnet8, dotnet9, linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-oracle, linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/1021740/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips). --------------------------------------------- https://lwn.net/Articles/1021812/ ∗∗∗ 22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/22000-wordpress-sites-affected-by-pr… ∗∗∗ Danfoss AK-SM 8xxA Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-03 ∗∗∗ National Instruments Circuit Design Suite ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-02 ∗∗∗ ABUP IoT Cloud Platform ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2025
by Daily end-of-shift report 19 May '25

19 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-05-2025 18:00 − Montag 19-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Curl-Entwickler warnt: Unicode-Trick gefährdet Softwareprojekte auf Github ∗∗∗ --------------------------------------------- Die wenigsten Entwickler dürften die Unterschiede zwischen bestimmten Unicode-Zeichen zuverlässig erkennen. Gerade auf Github ist das ein Problem. --------------------------------------------- https://www.golem.de/news/curl-entwickler-warnt-unicode-trick-gefaehrdet-so… ∗∗∗ Warnung vor brancheneintrag24.com ∗∗∗ --------------------------------------------- Derzeit kursieren betrügerische E-Mails, die von der Adresse info(a)brancheneintrag24.com stammen. Im Anhang befindet sich ein Formular, das Unternehmen angeblich zur Aktualisierung ihres Brancheneintrags auffordert. [..] Mit dem Ausfüllen und Zurücksenden des Formulars wird ein kostenpflichtiger Vertrag abgeschlossen. --------------------------------------------- https://www.zettasecure.com/post/warnung-vor-brancheneintrag24-com ∗∗∗ Fake-Shops: Laufsportbegeisterte im Visier von Kriminellen ∗∗∗ --------------------------------------------- Laufschuhe von Top-Marken zu absoluten Niedrigstpreisen?! Vorsicht! Aktuell tauchen vermehrt Fake-Shops für Sportschuhe und anderes Equipment auf. Wer in einem derartigen Store bestellt, schaut in der Regel durch die Finger. Kommt doch eine Lieferung an, enthält diese nur minderwertige Kopien. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-fuer-laufschuhe/ ∗∗∗ Windows: Bitlocker-Verschlüsselung über Bitpixie (CVE-2023-21563) ausgehebelt ∗∗∗ --------------------------------------------- Die von Microsoft für Windows verwendete Bitlocker-Verschlüsselung für Datenträger lässt sich über die Bitpixie-Schwachstelle (CVE-2023-21563) per Software aushebeln, wenn gewisse Randbedingungen gelten. [..] Der jetzt bekannt gewordene Angriff ist nicht neues, sondern ein Proof of Concept, den Administratoren ggf. in eigenen Systemen testen können. [..] Die Bitpixie-Schwachstelle – und ganz allgemein sowohl hardware- als auch softwarebasierte Angriffe – kann durch Erzwingen einer Pre-Boot-Authentifizierung entschärft werden. --------------------------------------------- https://www.borncity.com/blog/2025/05/18/windows-bitlocker-verschluesselung… ∗∗∗ Windows 10/11: Defender mit simplen Tool Defendnot deaktivierbar ∗∗∗ --------------------------------------------- Microsoft hat in Windows 10 und Windows 11 eine Schnittstelle (API) eingebaut, über die Hersteller von Antivirus-Software bei deren Installation den Microsoft Defender deaktivieren können. Einige Leute (darunter ein Blog-Leser) haben nun gezeigt, wie man mit einer einfachen Software (no-defender oder Defendnot) den Windows Defender deaktivieren kann. --------------------------------------------- https://www.borncity.com/blog/2025/05/19/windows-10-11-defender-mit-simplen… ∗∗∗ Ivanti EPMM Zero-Days: Reconnaissance to Exploitation ∗∗∗ --------------------------------------------- Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile systems. --------------------------------------------- https://www.greynoise.io/blog/ivanti-epmm-zero-days-reconnaissance-exploita… ∗∗∗ VM escape in Oracle VirtualBox via VGA device ∗∗∗ --------------------------------------------- We provide a proof-of-concept that demonstrates how to exploit this vulnerability to fully escape a virtual machine. --------------------------------------------- https://github.com/google/security-research/security/advisories/GHSA-qx2m-r… ∗∗∗ Passwords are okay, impulsive Internet isnt ∗∗∗ --------------------------------------------- Every few weeks, I come across an article telling us how passwords are bad and how we need to go "passwordless". These pieces are written by mostly well-intended nerds who think technology can solve basic problems in human behavior. --------------------------------------------- https://www.dedoimedo.com/life/passwords-passkeys.html ∗∗∗ New Community Resource: Attribution to IP ∗∗∗ --------------------------------------------- The Curated Intelligence community has shared a new collection for CTI analysts and others who perform cybersecurity research duties. A new GitHub repository has been created that contains a collection of methods to learn who the owner of an IP address is. --------------------------------------------- https://www.curatedintel.org/2025/05/new-community-resource-attribution-to-… ===================== = Vulnerabilities = ===================== ∗∗∗ Mozilla Security Advisories May 17, 2025 ∗∗∗ --------------------------------------------- Firefox ESR 115.23.1, ESR 128.10.1 and 138.0.4. Critical --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Angreifer können Verbindungen von Sonicwall SMA1000 manipulieren ∗∗∗ --------------------------------------------- In einer Warnmeldung führt der Anbieter von Netzwerktechnik aus, dass Angreifer im Zuge einer Server-side-request-forgery-Attacke (SSRF) Anfragen an etwa von ihnen kontrollierte Server umleiten können (CVE-2025-40595 "hoch"). --------------------------------------------- https://heise.de/-10387581 ∗∗∗ Thousands of WordPress Sites at Risk Due to Critical Crawlomatic Plugin Vulnerability ∗∗∗ --------------------------------------------- A severe security vulnerability has been discovered in the popular WordPress plugin, Crawlomatic Multisite Scraper Post Generator, potentially placing thousands of websites at risk. Tracked as CVE-2025-4389, the flaw allows unauthenticated attackers to upload malicious files, which could ultimately lead to remote code execution on affected websites. --------------------------------------------- https://thecyberexpress.com/crawlomatic-plugin-hit-by-cve-2025-4389/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2025
by Daily end-of-shift report 16 May '25

16 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-05-2025 18:01 − Freitag 16-05-2025 18:01 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FBI: US officials targeted in voice deepfake attacks since April ∗∗∗ --------------------------------------------- The FBI warned that cybercriminals using AI-generated audio deepfakes to target U.S. officials in voice phishing attacks that started in April. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in… ∗∗∗ Ransomware gangs increasingly use Skitnet post-exploitation malware ∗∗∗ --------------------------------------------- Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingl… ∗∗∗ Understanding CSRF: Cross-site Request Forgery Explained ∗∗∗ --------------------------------------------- Cross-Site Request Forgery, often called CSRF (or its other nicknames, Session Riding and XSRF), is a tricky type of attack. In short, it lets attackers make users do things on websites without their consent or knowledge. This attack works by misusing the trust a web application puts in a user’s browser once they’re logged in. By duping the browser into sending fake requests (usually through shady emails or misleading links), CSRF allows unauthorized commands to hit a website. And since these requests seem to come from a legitimate, logged-in user, the website has a hard time spotting the fakes, which can open the door to significant security problems. --------------------------------------------- https://blog.sucuri.net/2025/05/understanding-csrf-cross-site-request-forge… ∗∗∗ Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. --------------------------------------------- https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html ∗∗∗ VNC. RDP for all to see ∗∗∗ --------------------------------------------- VNC (Virtual Network Computing) is a widely deployed service in perhaps forgotten corners of legacy enterprise networks. This is mainly because it’s a tried and trusted protocol that simply works, however this is disregarding its security flaws and disadvantages in the modern age. --------------------------------------------- https://www.pentestpartners.com/security-blog/vnc-rdp-for-all-to-see/ ∗∗∗ Operation RoundPress ∗∗∗ --------------------------------------------- This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/operation-roundpress/ ∗∗∗ Commit Stomping ∗∗∗ --------------------------------------------- Commit Stomping is a technique inspired by timestomping, a well-known method used in offensive operations where file metadata is manipulated to hide the true timing of actions. In Git, Commit Stomping involves altering commit timestamps to mislead observers about when changes were introduced. --------------------------------------------- https://blog.zsec.uk/commit-stomping/ ===================== = Vulnerabilities = ===================== ∗∗∗ Printer company provided infected software downloads for half a year ∗∗∗ --------------------------------------------- When Cameron Coward, the Youtuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the Antivirus software alerted him of a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems. --------------------------------------------- https://feeds.feedblitz.com/~/918394763/0/gdatasecurityblog-en~Printer-comp… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, kernel, kernel-rt, redis:6, and yelp and yelp-xsl), Debian (chromium), Red Hat (compat-openssl11, kernel, and thunderbird), and SUSE (nbdkit, open-vm-tools, and rustup). --------------------------------------------- https://lwn.net/Articles/1021482/ ∗∗∗ Malicious ‘Checker’ Packages on PyPI Probe TikTok and Instagram for Valid Accounts ∗∗∗ --------------------------------------------- We often hear about the importance of secure data. Have I Been Pwned and similar websites exist to see if passwords or emails are listed online. However, many people do not understand the ramifications of their own leaked data. --------------------------------------------- https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.05.2025
by Daily end-of-shift report 15 May '25

15 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-05-2025 18:01 − Donnerstag 15-05-2025 18:01 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Spies hack high-value mail servers using an exploit from yesteryear ∗∗∗ --------------------------------------------- XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software that, when exploited, allow attackers to execute malicious code in the browsers of people visiting an affected website. XSS first got attention in 2005, with the creation of the Samy Worm, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. XSS exploits abounded for the next decade and have gradually fizzled more recently, although this class of attacks continues now. --------------------------------------------- https://arstechnica.com/security/2025/05/spies-hack-high-value-mail-servers… ∗∗∗ Critical Infrastructure Under Siege: OT Security Still Lags ∗∗∗ --------------------------------------------- With critical infrastructure facing constant cyber threats from the Typhoons and other corners, federal agencies and others are warning security for the OT network, a core technology in many critical sectors, is not powered up enough. --------------------------------------------- https://www.darkreading.com/ics-ot-security/critical-infrastructure-ot-secu… ∗∗∗ Beyond the kill chain: What cybercriminals do with their money (Part 1) ∗∗∗ --------------------------------------------- Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled. --------------------------------------------- https://news.sophos.com/en-us/2025/05/15/beyond-the-kill-chain-what-cybercr… ∗∗∗ Technical Analysis of TransferLoader ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-transfer… ∗∗∗ USA: Bösartige Kommunikationsgeräte in chinesischen Solar-Wechselrichtern ∗∗∗ --------------------------------------------- Bei der Untersuchung von Wechselrichtern aus China durch Experten in den USA wurden in einigen Geräten nicht dokumentierte Kommunikationsgeräte gefunden. US-Energiebehörden wollen das Risiko dieser chinesischen Inverter Medienberichten zufolge neu beurteilen. --------------------------------------------- https://www.heise.de/news/Boesartige-Kommunikationsgeraete-in-Solar-Wechsel… ∗∗∗ Angeblicher Steam-Hack: Datenleck enthält SMS-Sendeprotokolle ∗∗∗ --------------------------------------------- Ein angebliches Datenleck bei der Spieleplattform Steam soll 89 Millionen Datensätze enthalten – ein Unbekannter versucht seit vergangenem Samstag, sie im Darknet für 5.000 US-Dollar zu verkaufen. Doch die Resonanz ist mau und die Brisanz der Daten fraglich. --------------------------------------------- https://heise.de/-10383892 ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal Security Advisories 2025-05-14 ∗∗∗ --------------------------------------------- Drupal has released 7 new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Palo Alto Networks Security Advisories 2025-05-14 ∗∗∗ --------------------------------------------- Palo Alto has released 11 new security advisories. --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Mozilla Foundation Security Advisories 2025-05-13 ∗∗∗ --------------------------------------------- For Thunderbird 138.0.1 and Thunderbird 128.10.1. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack). --------------------------------------------- https://lwn.net/Articles/1021379/ ∗∗∗ Patchday: Lücken in Intel-Software und -Treibern gestopft ∗∗∗ --------------------------------------------- Angreifer können Computer mit Hard- und Software von Intel attackieren. Sind Attacken erfolgreich, können sie unter anderem Denial-of-Service-Zustände (DoS) erzeugen, die in der Regel zu Abstürzen führen. --------------------------------------------- https://heise.de/-10384160 ∗∗∗ Google warnt: Gefährliche Chrome-Lücke wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Im weit verbreiteten Webbrowser Chrome klaffen mehrere gefährliche Sicherheitslücken, von denen eine bereits aktiv von Angreifern ausgenutzt wird. Davor warnt Google in den Release Notes zu einem am Mittwoch bereitgestellten Update. Betroffen ist nicht nur die Windows-Variante von Google Chrome, sondern auch jene für Mac und Linux. Anwender sollten den Browser zeitnah aktualisieren, um sich vor möglichen Angriffen zu schützen. --------------------------------------------- https://www.golem.de/news/google-warnt-gefaehrliche-chrome-luecke-wird-akti… ∗∗∗ Fortinet dichtet mehrere Lücken ab, Angriffe auf FortiVoice beobachtet ∗∗∗ --------------------------------------------- CVE-2025-32756 is a critical stack-based buffer overflow vulnerability affecting multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows unauthenticated remote attackers to execute arbitrary code or commands via crafted HTTP requests, posing a severe security risk. --------------------------------------------- https://www.heise.de/news/Fortinet-dichtet-mehrere-Luecken-ab-Angriffe-auf-… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0004.html ∗∗∗ Reflected cross-site scripting vulnerability in Ricoh laser printers and MFPs which implement Web Image Monitor ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN20474768/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 5, 2025 to May 11, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2025
by Daily end-of-shift report 14 May '25

14 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-05-2025 18:00 − Mittwoch 14-05-2025 18:01 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt ∗∗∗ --------------------------------------------- A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads. --------------------------------------------- https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit… ∗∗∗ Intel: Ein weiterer Angriff umgeht alle bisherigen CPU-Schutzmaßnahmen ∗∗∗ --------------------------------------------- Intel hat einen Lauf: Eine weitere Sicherheitslücke öffnet viele Prozessoren erneut für Seitenkanalangriffe trotz bisheriger Schutzmaßnahmen. [..] Wie schon der Angriffstyp Training Solo erfordert BPI physischen Zugriff auf ein System. Daher sind die zugehörigen CVE-Nummern CVE-2024-43420, CVE-2025-20623 und CVE-2024-45332 nur mit dem Schweregrad Medium bewertet. --------------------------------------------- https://heise.de/-10383474 ∗∗∗ A Privacy Mechanism That Backfired ∗∗∗ --------------------------------------------- Some bugs are more interesting than others. Last time I mentioned how CVE-2025-24091 was one of my favorite iOS vulnerabilities so far. That was because I wasn’t yet allowed to disclose my actual favorite! This post is about CVE-2025-31212, the most ironic vulnerability I’ve ever found, and here's why... --------------------------------------------- https://rambo.codes/posts/2025-05-12-a-privacy-mechanism-that-backfired ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti EPMM: Remote Code Execution Schwachstellen (CVE-2025-4427, CVE-2025-4428) - Updates verfügbar ∗∗∗ --------------------------------------------- Ivanti veröffentlichte am 13. Mai Updates & Sicherheitsadvisories zu zwei Schwachstellen in Ivanti Endpoint Manager Mobile (EPMM). Die verkettete Ausnutzung der beiden Lücken kann zur unauthentifizierten Ausführung von Schadcode genutzt werden. Ivanti gibt an die Ausnutzung dieser Lücken auf einer limitierten Anzahl an Systemen, bereits vor der Veröffentlichtung des Advisories, beobachtet zu haben. CVE-Nummern: CVE-2025-4427, CVE-2025-4428 --------------------------------------------- https://www.cert.at/de/warnungen/2025/5/ivanti-epmm-rce ∗∗∗ Microsoft primes 71 fixes for May Patch Tuesday ∗∗∗ --------------------------------------------- Five issues actively exploited in the wild, but the real excitement may have been handled in advance. --------------------------------------------- https://news.sophos.com/en-us/2025/05/14/microsoft-primes-71-fixes-for-may-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools). --------------------------------------------- https://lwn.net/Articles/1021199/ ∗∗∗ Patchday Adobe: Schadcode-Attacken auf InDesign und Photoshop möglich ∗∗∗ --------------------------------------------- Adobe schließt Sicherheitslücken in mehreren Anwendungen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://heise.de/-10382767 ∗∗∗ VIdeokonferenzen: Hochriskante Rechteausweitungslücken in Zoom Workplace Apps ∗∗∗ --------------------------------------------- Zoom meldet mehrere Sicherheitslücken in den Workplace Apps der Videokonferenzsoftware. Eine verpasst den Status "kritisch" nur knapp. --------------------------------------------- https://heise.de/-10383108 ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ MISP 2.4.209 / 2.5.11 Release Notes Latest ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2025
by Daily end-of-shift report 13 May '25

13 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 12-05-2025 18:00 − Dienstag 13-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer ∗∗∗ --------------------------------------------- Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script, they were tricked into executing via a Google Drive document. --------------------------------------------- https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-St… ∗∗∗ Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq ∗∗∗ --------------------------------------------- Turkish spies exploited a zero-day bug in a messaging app to collect info on the Kurdish army in Iraq, according to Microsoft, which says the attacks began more than a year ago. Specifically, the snoops abused CVE-2025-27920, a directory traversal vulnerability in version 2.0.62 of messaging app Output Messenger, and the intrusions began in April 2024. The app's developer Srimax issued a software update in December to patch the hole, however not all users applied the fixes. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/turkish_spie… ∗∗∗ As US vuln-tracking falters, EU enters with its own security bug database ∗∗∗ --------------------------------------------- The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/eu_security_… ∗∗∗ SAP-Patchday: Kritische Netweaver-Lücke und viele mehr gestopft ∗∗∗ --------------------------------------------- SAP veröffentlicht im Mai 2025 insgesamt 16 neue Sicherheitsmeldungen. Sie behandeln teils kritische Sicherheitslücken in diversen Produkten aus dem Business-Softwarekatalog des Unternehmens. --------------------------------------------- https://heise.de/-10381863 ∗∗∗ Auditing Moodles core hunting for logical bugs ∗∗∗ --------------------------------------------- The following article explains how, during an audit, we examined Moodle (v4.4.3) and found ways of bypassing all the restrictions preventing SSRF vulnerabilities from being exploited. --------------------------------------------- http://blog.quarkslab.com/auditing-moodles-core-hunting-for-logical-bugs.ht… ∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗ --------------------------------------------- A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025. --------------------------------------------- http://blog.quarkslab.com/technical-dive-into-modern-phishing.html ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Updates Everything: May 2025 Edition, (Mon, May 12th) ∗∗∗ --------------------------------------------- Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem. --------------------------------------------- https://isc.sans.edu/diary/rss/31942 ∗∗∗ Perfekt implementierte Sicherungen ausgehebelt: Spectre-Angriffe sind zurück ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen schützen nicht immer gegen Spectre-artige Seitenkanalangriffe auf Prozessoren, selbst wenn sie perfekt implementiert sind und verschiedene Domains voneinander abschotten. Zu dem Ergebnis kommen Forscher der Systems and Network Security Group an der Vrije Universiteit Amsterdam (VUSec). --------------------------------------------- https://www.heise.de/news/Perfekt-implementierte-Sicherungen-ausgehebelt-Sp… ∗∗∗ 82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme ∗∗∗ --------------------------------------------- On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. --------------------------------------------- https://www.wordfence.com/blog/2025/05/82000-wordpress-sites-affected-by-ar… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/1020948/ ∗∗∗ Stack-based buffer overflow vulnerability in API ∗∗∗ --------------------------------------------- A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-25-254 ∗∗∗ EPMM Security Update ∗∗∗ --------------------------------------------- To this end, we are issuing an important security update addressing vulnerabilities associated with open-source libraries used in Ivanti Endpoint Manager Mobile (EPMM). At the time of disclosure, we are aware of a very limited number of customers whose solution has been exploited. The issue only affects the on-prem EPMM product. --------------------------------------------- https://www.ivanti.com/blog/epmm-security-update ∗∗∗ Xen Security Advisory CVE-2024-28956 / XSA-469 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-469.html ∗∗∗ Möglichkeit für Replay-Attacken im Tiiwee X1 Alarm System (SYSS-2025-006) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/moeglichkeit-fuer-replay-attacken-im-tiiwe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2025
by Daily end-of-shift report 12 May '25

12 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-05-2025 18:00 − Montag 12-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iClicker site hack targeted students with malware via fake CAPTCHA ∗∗∗ --------------------------------------------- The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-stude… ∗∗∗ Von AMD-Lücke inspiriert: Forscher warnt vor Ransomware im CPU-Microcode ∗∗∗ --------------------------------------------- Eine Ransomware-Infektion kann für Unternehmen weitreichende Folgen haben, die nicht selten auch in einer Insolvenz münden. Durch geeignete Maßnahmen lassen sich die Risiken für solche Sicherheitsvorfälle eindämmen. Der Sicherheitsforscher Christiaan Beek von Rapid7 warnt jedoch vor einer Bedrohung, der gängige Cybersicherheitslösungen wohl bisher wenig entgegenzusetzen haben: Ransomware im Microcode der CPU. --------------------------------------------- https://www.golem.de/news/von-amd-luecke-inspiriert-forscher-warnt-vor-rans… ∗∗∗ It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities, (Mon, May 12th) ∗∗∗ --------------------------------------------- Unipi Technologies is a company developing programmable logic controllers for a number of different applications like home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are based on the "Marvis" platform, a customized Linux distribution maintained by Unipi. --------------------------------------------- https://isc.sans.edu/diary/rss/31940 ∗∗∗ A Subtle Form of Siege: DDoS Smokescreens as a Cover for Quiet Data Breaches ∗∗∗ --------------------------------------------- DDoS attacks have long been dismissed as blunt instruments, favored by script kiddies and hacktivists for their ability to overwhelm and disrupt. But in todays fragmented, hybrid-cloud environments, theyve evolved into something far more cunning: a smokescreen. What looks like digital vandalism may actually be a coordinated diversion, engineered to distract defenders from deeper breaches in progress. --------------------------------------------- https://www.tripwire.com/state-of-security/subtle-form-siege-ddos-smokescre… ∗∗∗ Threat Brief: CVE-2025-31324 ∗∗∗ --------------------------------------------- On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-313… ∗∗∗ SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths ∗∗∗ --------------------------------------------- sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with elevated privileges. However, misconfigurations and certain vulnerabilities can be exploited to escalate privileges, potentially compromising system security. --------------------------------------------- https://www.darknet.org.uk/2025/05/sudo_killer-auditing-sudo-configurations… ∗∗∗ One-click RCE in ASUS’s preinstalled driver software ∗∗∗ --------------------------------------------- By trawling through the Javascript on the website, and about 700k lines of decompiled code that the exe produced, I managed to create a list of callable endpoints including some unused ones sitting in the exe. --------------------------------------------- https://mrbruh.com/asusdriverhub/ ∗∗∗ CVE-2024-26809: Critical nftables Vulnerability in Linux Kernel Could Lead to Root Access ∗∗∗ --------------------------------------------- A critical security flaw has been discovered in the Linux kernel’s nftables subsystem, which is responsible for packet filtering in modern Linux distributions. This flaw, a double-free vulnerability, allows local attackers to escalate their privileges and execute arbitrary code. --------------------------------------------- https://thecyberexpress.com/cve-2024-26809-nftables-vulnerability/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libbson-xs-perl, postgresql-13, redis, and simplesamlphp), Fedora (chromium, deluge, epiphany, golang-github-nats-io-nkeys, libxmp, nodejs22, perl-Compress-Raw-Lzma, php-adodb, python-h11, and xz), Gentoo (firefox, NVIDIA Drivers, Orc, PAM, and thunderbird), Mageia (libreoffice, python-django, and transfig), Red Hat (emacs, firefox, python39:3.9, and thunderbird), SUSE (bird3, freetype2, ldap-proxy, libmosquitto1, and ruby3.4-rubygem-rack), and Ubuntu (linux, linux-aws, linux-kvm, linux-aws, and linux-fips). --------------------------------------------- https://lwn.net/Articles/1020884 ∗∗∗ TuneUp und Dienste in Avast, AVG, Avira und Norton reißen Sicherheitslücken auf ∗∗∗ --------------------------------------------- Die Virenschutzsoftware der Marken Avast, AVG, Avira und Norton von Gen Digital bringt unter anderem System-Optimierungsdienste und weitere Komponenten mit, die Schwachstellen enthalten. Nutzerinnen und Nutzer der betroffenen Software sollten prüfen, ob sie neuere Versionen installiert haben als die bekannt verwundbaren. --------------------------------------------- https://heise.de/-10379900 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.05.2025
by Daily end-of-shift report 09 May '25

09 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-05-2025 18:00 − Freitag 09-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Nationale Policy für die koordinierte Offenlegung von Schwachstellen (CVD) ∗∗∗ --------------------------------------------- Der Umgang mit Schwachstellen in IT Produkten und Dienstleistungen ist eine der spannenden Themen in der IT-Sicherheit. Seitens der Hersteller stellt sich die Frage, wie man am besten selbst Probleme identifiziert, wie man mit Meldungen von Dritten am umgeht, wie der Prozess zur Entwicklung von korrigierten Versionen aussieht und wie man diese neue Version schnell und effizient an die Kunden verteilt. Seitens der Finder (Researcher) stellen sich Fragen nach den rechtlichen Rahmenbedingungen für die Schwachstellensuche: was darf ich, was sicher nicht, und wie kommuniziere ich das Ergebnis am sinnvollsten? --------------------------------------------- https://www.cert.at/de/spezielles/2025/5/nationale-cvd-policy ∗∗∗ Malicious PyPi package hides RAT malware, targets Discord devs since 2022 ∗∗∗ --------------------------------------------- A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.[..] Named "discordpydebug," the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides… ∗∗∗ FBI: End-of-life routers hacked for cybercrime proxy networks ∗∗∗ --------------------------------------------- The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hack… ∗∗∗ Operation PowerOFF Takes Down 9 DDoS-for-Hire Domains ∗∗∗ --------------------------------------------- Four different countries, including the United States and Germany, were included in the latest international operation alongside Europols support. --------------------------------------------- https://www.darkreading.com/threat-intelligence/operation-poweroff-takes-do… ∗∗∗ Lumma Stealer, coming and going ∗∗∗ --------------------------------------------- The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive. --------------------------------------------- https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/ ∗∗∗ Warnung: Gefälschtes Anwaltsschreiben könnte Schadsoftware enthalten! ∗∗∗ --------------------------------------------- Derzeit kursieren E-Mails einer angeblichen Anwaltskanzlei, in denen Unternehmen beschuldigt werden, Urheberrechte an Inhalten von Avident Entertainment verletzt zu haben. Über einen Download-Link kann eine Sammlung von Beweisen heruntergeladen werden. Aber Vorsicht: Der Link ist betrügerisch und enthält vermutlich Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/warnung-gefaelschtes-anwaltsschreibe… ∗∗∗ Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources ∗∗∗ --------------------------------------------- Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-… ∗∗∗ Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation ∗∗∗ --------------------------------------------- Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload generation and obfuscation. --------------------------------------------- https://www.darknet.org.uk/2025/05/bantam-advanced-php-backdoor-management-… ∗∗∗ Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser ∗∗∗ --------------------------------------------- Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials. --------------------------------------------- https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/ ∗∗∗ Remote-Access-Trojaner in npm-Paket mit 40.000 wöchentlichen Downloads gefunden ∗∗∗ --------------------------------------------- Angreifer hatten das Paket rand-user-agent, das unter anderem für automatische Tests und zum Web-Scraping dient, mit Schadcode versehen. --------------------------------------------- https://heise.de/-10377590 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django). --------------------------------------------- https://lwn.net/Articles/1020545/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11). --------------------------------------------- https://lwn.net/Articles/1020653/ ∗∗∗ Sicherheitslücken: F5 BIG-IP-Appliances sind an mehreren Stellen verwundbar ∗∗∗ --------------------------------------------- https://heise.de/-10377584 ∗∗∗ Joomla: [20250402] - Core - MFA Authentication Bypass ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/964-20250402-core-mfa-authenti… ∗∗∗ Pixmeo OsiriX MD ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01 ∗∗∗ Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01 ∗∗∗ Mitsubishi Electric CC-Link IE TSN ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2025
by Daily end-of-shift report 08 May '25

08 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-05-2025 18:00 − Donnerstag 08-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ WhatsApp provides no cryptographic management for group messages ∗∗∗ --------------------------------------------- The weakness creates the possibility of an insider or hacker adding rogue members. [..] “This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.” --------------------------------------------- https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic… ∗∗∗ Password crisis deepens in 2025: lazy, reused, and stolen ∗∗∗ --------------------------------------------- A new study of over 19 billion newly exposed passwords manifests a widespread weak password reuse crisis. Lazy keyboard patterns, such as 123456, still reign supreme, and 94% of passwords are reused or duplicated, data leaks from 2024-2025 reveal. Names like Ana rank as the second most popular component. --------------------------------------------- https://cybernews.com/security/password-leak-study-unveils-2025-trends-reus… ∗∗∗ Ransomware: Unbekannte Angreifer leaken LockBit-Datenbank – dank PHP-Exploit? ∗∗∗ --------------------------------------------- Tausende Bitcoin-Adressen, Chatnachrichten und weitere brisante Details des Ransomware-Anbieters kursieren nun im Web. Der LockBit-Support relativiert. --------------------------------------------- https://www.heise.de/news/Ransomware-Unbekannte-Angreifer-leaken-LockBit-Da… ∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗ --------------------------------------------- Four new vulnerabilities in the Revolution Pi industrial PLCs. Two give unauthenticated attackers RCE—potentially a direct impact on safety and operations. [..] Since the vulnerabilities affect ICS equipment, we coordinated disclosure with CISA and KUNBUS’ PSIRT team (security.txt). --------------------------------------------- https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g… ∗∗∗ 2,99 € Einfuhrzoll für die Post? Achtung, Phishing! ∗∗∗ --------------------------------------------- Ein Paket hängt im Zoll fest? Die Auslieferung ist nur gegen die Zahlung einer Gebühr möglich? Ein Szenario, das Kriminelle aktuell verstärkt als Betrugsmasche einsetzen. Sie versenden Phishing-Mails im Namen der Post AG und hoffen auf leichtgläubige Opfer. --------------------------------------------- https://www.watchlist-internet.at/news/einfuhrzoll-fuer-die-post/ ∗∗∗ Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads ∗∗∗ --------------------------------------------- Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a multi-stage attack to steal credentials. --------------------------------------------- https://hackread.com/fake-ai-tools-noodlophile-stealer-facebook-ads/ ∗∗∗ RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale ∗∗∗ --------------------------------------------- Learn how RedisRaider is targeting publicly accecesibly Redis servers to mine crypocurrency. --------------------------------------------- https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconf… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges admins to patch VPN flaw exploited in attacks ∗∗∗ --------------------------------------------- Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances. The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher. [..] SonicWall advised admins to check their SMA devices' logs for any signs of unauthorized logins and enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as a safety measure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-pa… ∗∗∗ CISCO Security Advisories 07. - 08.05.2025 ∗∗∗ --------------------------------------------- Cisco has released 29 new security Advisories. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. [..] Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default. CVE-2025-20188 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Catalyst Center Unauthenticated API Access Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings. CVE-2025-20210 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Drupal Security Advisories 07.05.2025 ∗∗∗ --------------------------------------------- Drupal has released 10 new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Ubiquiti UniFi Protect: Kritisches Leck ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In einer Sicherheitsmitteilung erörtert Ubiquiti die Schwachstellen. Bösartige Akteure mit Zugriff auf das Verwaltungsnetzwerk können einen Heap-basierten Pufferüberlauf in den Unifi-Protect-Kameras mit Firmware 4.75.43 und vorherigen provozieren und dadurch beliebigen Code einschleusen und ausführen (CVE-2025-23123, CVSS 10.0, Risiko "kritisch"). --------------------------------------------- https://www.heise.de/news/Ubiquity-UniFi-Protect-Einschleusen-von-Schadcode… ∗∗∗ Mitel SIP-Phones lassen sich beliebige Befehle unterjubeln ∗∗∗ --------------------------------------------- Laut der Sicherheitsmitteilung von Mitel gibt es eine Befehlsschmuggel-Lücke in den SIP-Phones der Baureihen 6800, 6900, 6900w sowie dem 6970-Konferenz-Modell. Angreifer aus dem Netz können dadurch ohne vorherige Authentifizierung Befehle einschleusen, da nicht näher genannte Parameter nicht ausreichend gefiltert werden. Damit können sie System- und Nutzer-Daten und Konfigurationen einsehen oder ändern (CVE-2025-47188, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-10376625 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2025
by Daily end-of-shift report 07 May '25

07 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-05-2025 18:00 − Mittwoch 07-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Samsung MagicINFO 9 Server RCE flaw now exploited in attacks ∗∗∗ --------------------------------------------- Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-magicinfo-9-server-r… ∗∗∗ Apache Parquet exploit tool detect servers vulnerable to critical flaw ∗∗∗ --------------------------------------------- A proof-of-concept exploit tool has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apache-parquet-exploit-tool-… ∗∗∗ Millionenstrafe für Firma nach WhatsApp-Hack ∗∗∗ --------------------------------------------- Die NSO Group aus Israel hatte einen Bug in WhatsApp genutzt, um Spyware zu installieren. Meta klagte und gewann. --------------------------------------------- https://futurezone.at/digital-life/meta-whatsapp-nso-group-spionagesoftware… ∗∗∗ Zero Day: Windows-Lücke von mindestens zwei Hackergruppen ausgenutzt ∗∗∗ --------------------------------------------- Mindestens zwei Cyberbanden haben sich einer Schwachstelle im CLFS-Treiber von Windows bedient, bevor Microsoft einen Patch ausliefern konnte. --------------------------------------------- https://www.golem.de/news/zero-day-windows-luecke-von-mindestens-zwei-hacke… ∗∗∗ State of ransomware in 2025 ∗∗∗ --------------------------------------------- Kaspersky researchers review ransomware trends for 2024, analyze the most active groups and forecast how this threat will evolve in 2025. --------------------------------------------- https://securelist.com/state-of-ransomware-in-2025/116475/ ∗∗∗ Lights Out and Stalled Factories: Using M.A.T.R.I.X to Learn About Modbus Vulnerabilities ∗∗∗ --------------------------------------------- Let’s explore the critical role of Modbus in energy and manufacturing systems, then demonstrate real-world exploitation techniques using Docker-based simulations and the custom-built Python tool M.A.T.R.I.X. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lights-out-… ∗∗∗ Backupsoftware Commvault: Weitere Lücke angegriffen, Patch offenbar unwirksam ∗∗∗ --------------------------------------------- Zum Wochenende wurden Angriffe auf eine weitere Commvault-Sicherheitslücke bekannt. Das Update zum Abdichten wirkt wohl nicht. --------------------------------------------- https://www.heise.de/news/Backupsoftware-Commvault-Weitere-Luecke-angegriff… ∗∗∗ Wegen Sicherheitslücken: LibreOffice rät von OpenOffice ab ∗∗∗ --------------------------------------------- Die Entwickler von LibreOffice raten vom Konkurrenten OpenOffice ab. Die Apache-Software enthalte Sicherheitslücken und werde nicht weiterentwickelt. --------------------------------------------- https://www.heise.de/news/Wegen-Sicherheitsluecken-LibreOffice-raet-von-Ope… ∗∗∗ NIS2 nicht umgesetzt: EU-Strafe für Deutschland rückt einen Schritt näher ∗∗∗ --------------------------------------------- Die EU-Kommission hat die zweite Stufe des Vertragsverletzungsverfahren gegen Deutschland eingeleitet, weil es die NIS2-Richtlinie noch nicht umgesetzt hat. --------------------------------------------- https://www.heise.de/news/NIS2-nicht-umgesetzt-EU-Strafe-fuer-Deutschland-r… ∗∗∗ Exploiting Copilot AI for SharePoint ∗∗∗ --------------------------------------------- TL;DR AI Assistants are becoming far more common Copilot for SharePoint is Microsoft’s answer to generative AI assistance on SharePoint Attackers will look to exploit anything they can get their .. --------------------------------------------- https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sha… ∗∗∗ Meta lässt sich sechs Wochen Zeit, bis Betrug entfernt wird ∗∗∗ --------------------------------------------- Postings über Kryptoscams oder betrügerische Influencer-Aktionen bleiben auf Facebook und Instagram am längsten von allen online --------------------------------------------- https://www.derstandard.at/story/3000000268532/meta-laesst-sich-sechs-woche… ∗∗∗ Ransomware Attackers Leveraged Privilege Escalation Zero-day ∗∗∗ --------------------------------------------- Exploit used by Play-linked attackers targets the CVE-2025-29824 zero-day vulnerability patched on April 8. --------------------------------------------- https://www.security.com/threat-intelligence/play-ransomware-zero-day ∗∗∗ Unsophisticated Cyber Actor(s) Targeting Operational Technology ∗∗∗ --------------------------------------------- CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-ac… ∗∗∗ Poland arrests four in global DDoS-for-hire takedown ∗∗∗ --------------------------------------------- The suspects allegedly operated six platforms that offered distributed denial-of-service attacks for as little as 10 euros. --------------------------------------------- https://therecord.media/poland-arrests-four-ddos-hire ∗∗∗ Achtung bei iVentoy, es werden obskure Zertifikate und Treiber installiert ∗∗∗ --------------------------------------------- Kurze Warnung an Leute aus der Blog-Leserschaft, die das Tool iVentoy zur Verteilung von Betriebssystem-Images über ein Netzwerk und einen PXE-Server einsetzen. Es gibt aktuell eine Diskussion, dass das Tool .. --------------------------------------------- https://www.borncity.com/blog/2025/05/07/achtung-bei-iventoy-es-werden-obsk… ∗∗∗ ClickFix Scam: How to Protect Your Business Against This Evolving Threat ∗∗∗ --------------------------------------------- Cybercriminals aren’t always loud and obvious. Sometimes, they play it quiet and smart. One of the tricks of .. --------------------------------------------- https://hackread.com/clickfix-scam-how-to-protect-business-againt-threat/ ∗∗∗ COLDRIVER Using New Malware To Steal Documents >From Western Targets and NGOs ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-do… ===================== = Vulnerabilities = ===================== ∗∗∗ Honeywell MB Secure Authenticated Command Injection ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-command… ∗∗∗ Langflow Missing Authentication Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6085 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2025
by Daily end-of-shift report 06 May '25

06 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 05-05-2025 18:00 − Dienstag 06-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Man pleads guilty to using malicious AI software to hack Disney employee ∗∗∗ --------------------------------------------- Fake image-generating app allowed man to download 1.1TB of Disney-owned data. --------------------------------------------- https://arstechnica.com/ai/2025/05/man-pleads-guilty-to-using-malicious-ai-… ∗∗∗ Luna Moth extortion hackers pose as IT help desks to breach US firms ∗∗∗ --------------------------------------------- The data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States. --------------------------------------------- https://www.bleepingcomputer.com/news/security/luna-moth-extortion-hackers-… ∗∗∗ "Mirai" Now Exploits Samsung MagicINFO CMS (CVE-2024-7399), (Mon, May 5th) ∗∗∗ --------------------------------------------- Last August, Samsung patched an arbitrary file upload vulnerability that could lead to remote code execution [1]. The announcement was very sparse and did not even include affected .. --------------------------------------------- https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE2024… ∗∗∗ CISA slammed for role in censorship industrial complex as budget faces possible $500M cut ∗∗∗ --------------------------------------------- Because who needs cybersecurity when there’s culture wars to win President Trumps dream 2026 budget would gut the US govts Cybersecurity and Infrastructure Security Agency, aka CISA, by $491 million - about 17 percent – and accuses the organization of abandoning its core mission in favor of policing online speech. --------------------------------------------- https://www.theregister.com/2025/05/06/cisa_budget_cuts/ ∗∗∗ Signal-Affäre: Modifizierter Messenger stellt nach zweitem Einbruch Betrieb ein ∗∗∗ --------------------------------------------- In der US-Regierung wird eine modifizierte App benutzt, um per Signal zu kommunizieren. Die heißt TeleMessage, wurde zweimal geknackt und vorerst dicht gemacht. --------------------------------------------- https://www.heise.de/news/Signal-Affaere-Modifizierter-Messenger-stellt-nac… ∗∗∗ Peru denies it was hit by ransomware attack following Rhysida claims ∗∗∗ --------------------------------------------- The prolific ransomware gang claimed to have taken over the Peruvian governments domain. --------------------------------------------- https://therecord.media/peru-rhysida-ransomware-claims-denied ∗∗∗ NSA to cut up to 2,000 civilian roles as part of intel community downsizing ∗∗∗ --------------------------------------------- The agency is expected to make the cuts by the end of year, however that deadline could change as it is tied to the Defense Department’s broader push to reduce its budget by 8 percent in each of the next five years. --------------------------------------------- https://therecord.media/nsa-to-cut-up-to-2000-roles-downsizing ∗∗∗ Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches ∗∗∗ --------------------------------------------- Edge vulnerabilities are a critical and growing threat. The 2025 DBIR reveals an eightfold surge in exploitation, yet many remain unpatched despite immediate risk. --------------------------------------------- https://www.greynoise.io/blog/verizon-dbir-2025-edge-kevs-increasingly-left… ∗∗∗ Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines ∗∗∗ --------------------------------------------- UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-… ∗∗∗ A Timely Reminder: Russia’s Enduring Cyber Threat to Critical Infrastructure ∗∗∗ --------------------------------------------- Russia’s cyber operations — ranging from power-grid disruptions to global ransomware — continue to be among the world’s most prolific and destructive, underscoring the continued .. --------------------------------------------- https://detect.fyi/a-timely-reminder-russias-enduring-cyber-threat-to-criti… ∗∗∗ How to Harden GitHub Actions: The Unofficial Guide ∗∗∗ --------------------------------------------- Build resilient GitHub Actions workflows with lessons from recent attacks. --------------------------------------------- https://www.wiz.io/blog/github-actions-security-guide ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/1020222/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2025
by Daily end-of-shift report 05 May '25

05 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-05-2025 18:00 − Montag 05-05-2025 18:00 Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Magento supply chain attack compromises hundreds of e-stores ∗∗∗ --------------------------------------------- A supply chain attack involving 21 backdoored Magento extensions has compromised between 500 and 1,000 e-commerce stores, including one belonging to a $40 billion multinational. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-… ∗∗∗ StealC malware enhanced with stealth upgrades and data theft tools ∗∗∗ --------------------------------------------- The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with… ∗∗∗ Shuffling the Greatest Hits: How DragonForce Ransomware Samples LockBit and Conti Into a Ransomware Jukebox ∗∗∗ --------------------------------------------- DragonForce ransomware has been assessed as a sophisticated threat that tactically deploys payloads derived from leaked source code of both the notorious LockBit 3.0 and Conti ransomware families. While the samples share some similar core functionality, DragonForce distinguishes itself in several .. --------------------------------------------- https://hybrid-analysis.blogspot.com/2025/05/shuffling-greatest-hits-how-dr… ∗∗∗ Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware ∗∗∗ --------------------------------------------- An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.The activity, which lasted from at least May 2023 to February 2025, .. --------------------------------------------- https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.ht… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-expl… ∗∗∗ CVE-2025-31324: Critical SAP NetWeaver Vulnerability Actively Exploited ∗∗∗ --------------------------------------------- SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, has recently been patched with the release of SAP Security Note 3594142. --------------------------------------------- https://www.truesec.com/hub/blog/cve-2025-31324-critical-sap-netweaver-vuln… ∗∗∗ DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door ∗∗∗ --------------------------------------------- The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening. --------------------------------------------- https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-s… ∗∗∗ NPM targeted by malware campaign mimicking familiar library names ∗∗∗ --------------------------------------------- Developers looking for familiar packages from other programming languages are increasingly falling victim to malicious attacks. Summary #The Socket threat research team uncovered a coordinated malware operation across the NPM ecosystem. The actor behind the campaign published dozens of malicious NPM packages that mimic well-known Python, Java, C++, .NET, .. --------------------------------------------- https://socket.dev/blog/npm-targeted-by-malware-campaign-mimicking-familiar… ∗∗∗ Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks ∗∗∗ --------------------------------------------- A vulnerability has been identified in Apache Parquet Java, which could leave systems exposed to remote code execution (RCE) attacks. Apache Parquet contributor Gang Wu discovered, this flaw, tracked as CVE-2025-46762, .. --------------------------------------------- https://thecyberexpress.com/apache-parquet-java-flaw-cve-2025-46762/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, .. --------------------------------------------- https://lwn.net/Articles/1020130/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2025
by Daily end-of-shift report 02 May '25

02 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-04-2025 18:00 − Freitag 02-05-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Angreifer setzen erneut an älteren Sonicwall-Lücken an ∗∗∗ --------------------------------------------- Aufgrund von laufenden Attacken sollten Admins ihre Fernwartungslösungen der SMA-Serie von Sonicwall umgehend auf den aktuellen Stand bringen. [..] Beide Schwachstellen betreffen die SMA-Reihen SMA 200, 210, 400, 410 und 500v. Die Entwickler versichern, die Lücken ab der Firmware 10.2.1.14-75sv geschlossen zu haben. [..] Sind Attacken erfolgreich, können Angreifer Schadcode ausführen. Die "kritische" Lücke (CVE-2024-38475) betrifft die SMA-Komponente Apache HTTP Server. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-setzen-erneut-an-aelteren… ∗∗∗ SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475) ∗∗∗ --------------------------------------------- Another day, another edge device being targeted - it’s a typical Thursday! In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. [..] Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a seperate CVE will not be assigned for SonicWall's [..] As always, we’ve produced a Detection Artefact Generator to demonstrate and achieve pre-auth RCE. --------------------------------------------- https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-so… ∗∗∗ Why MFA is getting easer to bypass and what to do about it ∗∗∗ --------------------------------------------- As detailed on Thursday by Cisco Talos, an entire ecosystem has cropped up to help criminals defeat these forms of MFA. --------------------------------------------- https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-a… ∗∗∗ Windows: Anmeldung mit alten Passwörtern durch RDP möglich ∗∗∗ --------------------------------------------- Laut Microsoft handelt es sich um eine "Design-Entscheidung, die sicherstellt, dass mindestens ein Nutzerkonto dazu in der Lage ist, sich anzumelden, ganz gleich, wie lange das System offline war". Daher treffe dieses Verhalten die Definition einer Schwachstelle nicht. Microsoft habe keine Pläne, etwas daran zu ändern. --------------------------------------------- https://www.heise.de/news/Windows-Log-in-ueber-RDP-mit-widerrufenen-Passwoe… ∗∗∗ Prolific RansomHub Operation Goes Dark ∗∗∗ --------------------------------------------- The chat infrastructure and data-leak site of the notorious ransomware-as-a-service group has been inactive since March 31, according to security vendors. --------------------------------------------- https://www.darkreading.com/cyber-risk/prolific-ransomhub-operation-goes-da… ∗∗∗ Softwareupdates manipuliert: Hacker missbrauchen IPv6-Feature für Cyberattacken ∗∗∗ --------------------------------------------- Spellbinder nutzt den Angaben nach einen Angriffsvektor, der schon mindestens seit 2008 bekannt ist und schon 2011 in einem Blogbeitrag unter der Bezeichnung "SLAAC-Attack" ausführlich beschrieben wurde. [..] Mit Spellbinder lassen sich demnach IPv6-Konfigurationen spoofen, die normalerweise automatisch über eine Methode namens SLAAC (Stateless Address Autoconfiguration) zugewiesen werden. --------------------------------------------- https://www.golem.de/news/softwareupdates-manipuliert-hacker-missbrauchen-i… ∗∗∗ MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks ∗∗∗ --------------------------------------------- The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Futures Insikt Group said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/05/mintsloader-drops-ghostweaver-via.html ∗∗∗ I StealC You: Tracking the Rapid Changes To StealC ∗∗∗ --------------------------------------------- StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. --------------------------------------------- https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid… ∗∗∗ Using Trusted Protocols Against You: Gmail as a C2 Mechanism ∗∗∗ --------------------------------------------- Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. --------------------------------------------- https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-m… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, fig2dev, firefox-esr, golang-github-gorilla-csrf, jinja2, libxml2, nagvis, qemu, request-tracker4, request-tracker5, u-boot, and vips), Fedora (firefox, giflib, and thunderbird), Mageia (imagemagick), Red Hat (thunderbird), SUSE (amber-cli, libjxl, and redis), and Ubuntu (h2o, poppler, and postgresql-10). --------------------------------------------- https://lwn.net/Articles/1019645/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython). --------------------------------------------- https://lwn.net/Articles/1019869/ ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-121-01 KUNBUS GmbH Revolution Pi, ICSMA-25-121-01 MicroDicom DICOM Viewer --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-releases-two-indust… ∗∗∗ ZDI-25-267: GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-267/ ∗∗∗ IBM Cognos Analytics: Angreifer können Schadcode hochladen ∗∗∗ --------------------------------------------- https://www.heise.de/news/IBM-Cognos-Analytics-Angreifer-koennen-Schadcode-… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… ∗∗∗ Tenable: [R1] Sensor Proxy Version 1.2.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-08 ∗∗∗ f5: K000151130: GnuTLS vulnerability CVE-2024-12243 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151130 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2025
by Daily end-of-shift report 30 Apr '25

30 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-04-2025 18:00 − Mittwoch 30-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ AirBorne: Wormable Zero-Click RCE in Apple AirPlay ∗∗∗ --------------------------------------------- Oligo Security Research has discovered a new set of vulnerabilities in Apple’s AirPlay Protocol and the AirPlay Software Development Kit (SDK), which is used by third-party vendors to integrate AirPlay into third-party devices. --------------------------------------------- https://www.oligo.security/blog/airborne ∗∗∗ Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th) ∗∗∗ --------------------------------------------- The activity occured on the 23 April 2025 between 18:00 - 19:00 UTC but since then based on activity reported to DShield (see graphs below) has been happening almost daily. --------------------------------------------- https://isc.sans.edu/diary/rss/31906 ∗∗∗ Yet Another NodeJS Backdoor (YaNB): A Modern Challenge ∗∗∗ --------------------------------------------- During an Advanced Continual Threat Hunt (ACTH) investigation conducted in early March 2025, Trustwave SpiderLabs identified a notable resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications. These campaigns trick users into executing NodeJS-based backdoors, subsequently deploying sophisticated NodeJS Remote Access Trojans (RATs) similar to traditional PE structured legacy RATs. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another… ∗∗∗ Understanding the Deep Web, Dark Web, and Darknet (2025 Guide) ∗∗∗ --------------------------------------------- Understand the difference between Deep Web, Dark Web, and Darknet. Learn how they work, how to access them safely, and why they matter in 2025. --------------------------------------------- https://www.darknet.org.uk/2025/04/understanding-the-deep-web-dark-web-and-… ∗∗∗ The MCP Authorization Spec Is... a Mess for Enterprise ∗∗∗ --------------------------------------------- The Model Context Protocol has created quite the buzz in the AI ecosystem at the moment, but as enterprise organizations look to adopt it, they are confronted with a hard truth: it lacks important security functionality. Up until now, as people experiment with Agentic AI and tool support, they’ve mostly adopted the MCP stdio transport, which means you end up with a 1:1 deployment of MCP server and MCP client. What organizations need is a way to deploy MCP servers remotely and leverage authorization to give resource owner’s access to their data safely. --------------------------------------------- https://blog.christianposta.com/the-updated-mcp-oauth-spec-is-a-mess/ ∗∗∗ Practical Cyber Deception — Introduction to “Chaotic Good” ∗∗∗ --------------------------------------------- Cyber deception isn’t about building expensive honeynets or deploying complex traps — it’s about instilling doubt and confusion in the attacker. By layering practical, tactical deception into your environment, you shift the balance of power: slowing them down, forcing mistakes, and gaining early warning long before real damage is done. From fake servers and canary tokens to ransomware drive traps, deception turns defense from a reactive grind into a strategic, active game. --------------------------------------------- https://detect.fyi/practical-cyber-deception-introduction-to-chaotic-good-2… ∗∗∗ Phishers Take Advantage of Iberian Blackout Before Its Even Over ∗∗∗ --------------------------------------------- Opportunistic threat actors targeted Portuguese and Spanish speakers by spoofing Portugals national airline in a campaign offering compensation for delayed or disrupted flights. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/phishers-take-advant… ===================== = Vulnerabilities = ===================== ∗∗∗ Dell schützt PowerProtect Data Manager und Laptops vor möglichen Attacken ∗∗∗ --------------------------------------------- In einer Warnmeldung führen die Entwickler aus, dass PowerProtect Data Manager über mehrere Lücken in Komponenten von Drittanbietern wie Golang und Spring Framework, aber auch über Lücken in der Anwendung selbst angreifbar ist. Sind Attacken erfolgreich, können sich Angreifer etwa mit lokalem Zugriff und niedrigen Rechten höhere Nutzerrechte verschaffen (CVE-2025-23375 "hoch"). Die Entwickler versichern, die Lücken in PowerProtect Data Manager 19.19.0-15 geschlossen zu haben. --------------------------------------------- https://www.heise.de/news/Dell-schuetzt-PowerProtect-Data-Manager-und-Lapto… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc and libraw), Fedora (digikam, icecat, mingw-LibRaw, perl, perl-Devel-Cover, and perl-PAR-Packer), Red Hat (ghostscript, kernel, and kernel-rt), Slackware (mozilla), SUSE (augeas, firefox, and java-11-openjdk), and Ubuntu (binutils, libxml2, and nodejs). --------------------------------------------- https://lwn.net/Articles/1019457/ ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-119-01 Rockwell Automation ThinManager, ICSA-25-119-02 Delta Electronics ISPSoft, ICSA-25-105-05 Lantronix XPort (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-releases-three-indu… ∗∗∗ Mehrere Schwachstellen in Sematell ReplyOne (SYSS-2024-081/-082/-083) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sematell-replyon… ∗∗∗ f5: K000151082: PostgreSQL vulnerability CVE-2021-32027 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151082 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2025
by Daily end-of-shift report 29 Apr '25

29 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 28-04-2025 18:00 − Dienstag 29-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Hitachi Vantara takes servers offline after Akira ransomware attack ∗∗∗ --------------------------------------------- Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hitachi-vantara-takes-server… ∗∗∗ The one interview question that will protect you from North Korean fake workers ∗∗∗ --------------------------------------------- "My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly, because it's not worth it to say something negative about that," he told a panel session at the RSA Conference in San Francisco Monday. [..] "One of the things that we've noted is that you'll have a person in Poland applying with a very complicated name," he recounted, "and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it." --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/04/29/north_korea_… ∗∗∗ Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’, and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code. [..] In today’s blog post, we highlighted an interesting piece of malware that masquerades as a legitimate plugin. --------------------------------------------- https://www.wordfence.com/blog/2025/04/interesting-wordpress-malware-disgui… ∗∗∗ So schützen Sie sich vor den häufigsten Betrugsmaschen auf booking.com ∗∗∗ --------------------------------------------- Der Sommer naht und damit beginnt die Hochsaison für Reisebuchungen. Ob Städtetrip, Strandurlaub oder Bergtour: Viele buchen ihre Unterkunft über die Buchungsplattform booking.com. Doch Vorsicht! Kriminelle nutzen die erhöhte Reiselust aus und versuchen Urlaubsfreudige zu täuschen. Wir zeigen Ihnen die häufigsten Maschen und wie Sie sich davor schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-den-haeufi… ∗∗∗ Gremlin Stealer: New Stealer on Sale in Underground Forum ∗∗∗ --------------------------------------------- Advertised on Telegram, Gremlin Stealer is new malware active since March 2025 written in C#. Data stolen is uploaded to a server for publication. [..] We have monitored Gremlin Stealer since we initially discovered it in March 2025. The functions of this stealer from Figure 1 are listed below. --------------------------------------------- https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on… ∗∗∗ Unlocking New Jailbreaks with AI Explainability ∗∗∗ --------------------------------------------- In this post, we introduce our “Adversarial AI Explainability” research, a term we use to describe the intersection of AI explainability and adversarial attacks on Large Language Models (LLMs). Much like using an MRI to understand how a human brain might be fooled, we aim to decipher how LLMs can be manipulated. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/unlocking-new-jailb… ∗∗∗ Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). [..] We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-tren… ∗∗∗ Cybercrime-Marktplatz: Strafverfolger enterten BreachForums über Zero-Day-Lücke ∗∗∗ --------------------------------------------- Derzeit ist der Cybercrime-Marktplatz BreachForums offline. Als Grund nennen die Hintermänner, dass Strafverfolger das Forum über eine Zero-Day-Sicherheitslücke gehackt und sich so Zugriff dazu verschafft haben. --------------------------------------------- https://heise.de/-10365208 ∗∗∗ Spike in Git Config Crawling Highlights Risk of Codebase Exposure ∗∗∗ --------------------------------------------- GreyNoise observed a significant increase in crawling activity targeting Git configuration files. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials. --------------------------------------------- https://www.greynoise.io/blog/spike-git-configuration-crawling-risk-codebas… ===================== = Vulnerabilities = ===================== ∗∗∗ Mozilla Foundation Security Advisories April 29, 2025 ∗∗∗ --------------------------------------------- Thunderbird and Firefox --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Seiko-Epson-Druckertreiber ermöglicht Rechteausweitung auf System ∗∗∗ --------------------------------------------- Die Windows-Druckertreiber von Seiko-Epson reißen eine Sicherheitslücke auf, durch die Angreifer ihre Rechte auf SYSTEM-Ebene ausweiten können. Aktualisierte Software steht bereit, die die zugrundeliegende Schwachstelle ausbessert. --------------------------------------------- https://www.heise.de/news/Seiko-Epson-Druckertreiber-ermoeglicht-Rechteausw… ∗∗∗ Multiple Vulnerabilities in HP Wolf Security Controller / HP Sure Access Enterprise / HP Sure Click Enterprise ∗∗∗ --------------------------------------------- The HP Wolf Security Controller, the HP Sure Access Enterprise Client and the HP Sure Click Enterprise Client might be vulnerable to attacks if not configured according to HP's Best Practices. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (glibc, php:8.1, and thunderbird), Debian (libreoffice), Fedora (caddy), Mageia (chromium-browser-stable), Red Hat (php:8.1), SUSE (glow), and Ubuntu (kicad, linux-aws-5.15, linux-azure-nvidia, linux-gcp-5.15, mistral, python-mistral-lib, tomcat8, and trafficserver). --------------------------------------------- https://lwn.net/Articles/1019272/ ∗∗∗ Docker: Rechteausweitungslücke in Desktop für Windows ∗∗∗ --------------------------------------------- In den Release-Notes schreiben die Docker-Entwickler, dass die Version 4.41.0 eine Sicherheitslücke schließt, die Angreifern mit Zugriff auf die Maschine die Ausweitung der Zugriffsrechte ermöglicht, wenn Docker Desktop Updates installiert (CVE-2025-3224, CVSS 7.3, Risiko "hoch"). --------------------------------------------- https://heise.de/-10366320 ∗∗∗ Daikin Security Gateway v214 Remote Password Reset ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php ∗∗∗ ABB: 2025-04-29: Cyber Security Advisory - Ekip Com IEC61850 Vulnerability in third-party library ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2CRT000007&Language… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.04.2025
by Daily end-of-shift report 28 Apr '25

28 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-04-2025 18:00 − Montag 28-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SAP patcht attackierte, kritische Schwachstelle außer der Reihe ∗∗∗ --------------------------------------------- Update 25.04.2025, 22:11 Uhr: Kriminelle missbauchen die Schwachstelle bereits im Internet. Details zu den Angriffen finden sich etwa bei Onapsis in einem Blog-Beitrag. Admins sollten schnellstmöglich aktualisieren, zumal offenbar viele SAP-Neatweaver-Installationen die verwundbare Komponente einsetzen, so die Einschätzung der IT-Sicherheitsforscher in der Analyse im Blog. --------------------------------------------- https://heise.de/-10361908 ∗∗∗ DragonForce expands ransomware model with white-label branding scheme ∗∗∗ --------------------------------------------- The ransomware scene is re-organizing [..] DragonForce is now incentivizing ransomware actors with a distributed affiliate branding model, providing other ransomware-as-a-service (RaaS) operations a means to carry out their business without dealing with infrastructure maintenance cost and effort. A group's representative told BleepingComputer that they’re purely financially motivated but also follow a moral compass and are against attacking certain healthcare organizations. [..] In exchange for using their malware and infrastructure, the developer charges affiliates a fee from received ransoms that is normally up to 30%. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dragonforce-expands-ransomwa… ∗∗∗ Cloudflare mitigates record number of DDoS attacks in 2025 ∗∗∗ --------------------------------------------- Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-… ∗∗∗ VU#667211: Various GPT services are vulnerable to "Inception" jailbreak, allows for bypass of safety guardrails ∗∗∗ --------------------------------------------- Two systemic jailbreaks, affecting a number of generative AI services, were discovered. These jailbreaks can result in the bypass of safety protocols and allow an attacker to instruct the corresponding LLM to provide illicit or dangerous content. [..] These jailbreaks, while of low severity on their own, bypass the security and safety guidelines of all affected AI services, allowing an attacker to abuse them for instructions to create content on various illicit topics, such as controlled substances, weapons, phishing emails, and malware code generation. --------------------------------------------- https://kb.cert.org/vuls/id/667211 ∗∗∗ Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers ∗∗∗ --------------------------------------------- Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year. --------------------------------------------- https://thehackernews.com/2025/04/storm-1977-hits-education-clouds-with.html ∗∗∗ Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised ∗∗∗ --------------------------------------------- Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. [..] As of April 18, 2025, an estimated 13,000 vulnerable Craft CMS instances have been identified, out of which nearly 300 have been allegedly compromised. --------------------------------------------- https://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html ∗∗∗ WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors ∗∗∗ --------------------------------------------- Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead. --------------------------------------------- https://thehackernews.com/2025/04/woocommerce-users-targeted-by-fake.html ∗∗∗ Samsung: Android-Zwischenablage speichert Passwörter zwischen ∗∗∗ --------------------------------------------- Samsungs Android-Smartphones speichern in der Zwischenablage kopierte Inhalte. Im Zwischenablageverlauf finden sich gelegentlich auch alte, kopierte Passwörter. Samsung evaluiert das Problem derzeit. --------------------------------------------- https://heise.de/-10363941 ∗∗∗ Navigating Through The Fog ∗∗∗ --------------------------------------------- An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. [..] Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pachine/noPac for exploiting Active Directory vulnerabilities like CVE-2020-1472. --------------------------------------------- https://thedfirreport.com/2025/04/28/navigating-through-the-fog/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Unbefugte Zugriffe auf VMware Spring Boot möglich ∗∗∗ --------------------------------------------- Softwareentwickler nutzen Spring Boot zum effizienteren Erstellen von Java-Applikationen. Damit Angreifer an der Lücke (CVE-2025-22235 „hoch“) ansetzen zu können, müssen aber mehrere Voraussetzungen erfüllt sein. Unter anderem muss Spring Security eingesetzt werden und mit EndpointRequest.to () konfiguriert sein. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdate-Unbefugte-Zugriffe-auf-VMware-T… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (thunderbird), Debian (distro-info-data, imagemagick, kernel, libsoup2.4, and poppler), Fedora (chromium, java-1.8.0-openjdk, java-1.8.0-openjdk-portable, java-17-openjdk, java-17-openjdk-portable, java-latest-openjdk, pgadmin4, thunderbird, and xz), Mageia (haproxy and libxml2), Oracle (bluez, firefox, gnutls, libtasn1, libxslt, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), Red Hat (delve and golang, glibc, mod_auth_openidc, mod_auth_openidc:2.3, and thunderbird), SUSE (augeas, chromedriver, cifs-utils, govulncheck-vulndb, java-11-openjdk, java-21-openjdk, kyverno, libraw, opentofu, runc, subfinder, and valkey), and Ubuntu (jupyter-notebook and libxml2). --------------------------------------------- https://lwn.net/Articles/1019212/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2025
by Daily end-of-shift report 25 Apr '25

25 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-04-2025 18:00 − Freitag 25-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Triada strikes back ∗∗∗ --------------------------------------------- Kaspersky expert has discovered a new version of the Triada Trojan, with custom modules for Telegram, WhatsApp, TikTok, and other apps. --------------------------------------------- https://securelist.com/triada-trojan-modules-analysis/116380 ∗∗∗ Example of a Payload Delivered Through Steganography, (Fri, Apr 25th) ∗∗∗ --------------------------------------------- In this diary, Ill show you a practical example of how steganography is used to hide payloads (or other suspicious data) from security tools and Security Analysts eyes. Steganography can be defined like this: It is the art and science of concealing a secret message, file, or image within an ordinary-looking carrier - such as a digital photograph, audio clip, or text - so that the very existence of the hidden data is undetectable to casual observers. --------------------------------------------- https://isc.sans.edu/diary/rss/31892 ∗∗∗ Zoom attack tricks victims into allowing remote access to install malware and steal money ∗∗∗ --------------------------------------------- Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/04/zoom-attack-tricks-victims-i… ∗∗∗ GitHub potential leaking of private emails and Hacker One ∗∗∗ --------------------------------------------- A bit over a month ago, I was crawling GitHub’s API while working on code input (—it is still in beta). I was compiling a list of repositories and pull requests to identify those with merge conflicts. At some point, while randomly checking some user profiles, I noticed email addresses appearing in the API that weren’t visible on the public profiles. --------------------------------------------- https://omarabid.com/hacker-one ∗∗∗ How I Got Hacked: A Warning about Malicious PoCs ∗∗∗ --------------------------------------------- This is a reminder that even experienced security researchers and exploit developers can fall victim to well-disguised malware. Always verify PoCs manually, isolate them in a controlled environment, and never underestimate how creative attackers can be when hiding malicious payloads. --------------------------------------------- https://chocapikk.com/posts/2025/s1nk/ ∗∗∗ Step-by-Step Guide: SOC Automation — SMB Threat Hunting & Incident Response Lab ∗∗∗ --------------------------------------------- In this project, I will simulate a similar attack scenario in which an insider compromises a Windows server by delivering malware through the SMB protocol. By leveraging automation and the incident response lifecycle, the goal is to detect and contain the threat before it spreads, demonstrating best practices in threat detection and response. --------------------------------------------- https://detect.fyi/step-by-step-guide-soc-automation-smb-threat-hunting-inc… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Nvidia-Grafikkartentreiber unter Linux und Windows löchrig ∗∗∗ --------------------------------------------- Besitzer einer Nvidia-Grafikkarte sollten zeitnah den GPU-Treiber aus Sicherheitsgründen auf den aktuellen Stand bringen. Geschieht das nicht, können Angreifer unter Linux an mehreren Schwachstellen ansetzen und Computer attackieren. Außerdem gibt es noch abgesicherte Versionen von Cloud Gaming und vGPU-Software unter Windows. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Nvidia-Grafikkartentreiber-unt… ∗∗∗ Connectwise Screenconnect: Hochriskante Codeschmuggel-Lücke ∗∗∗ --------------------------------------------- Die Remote-Desktop-Software Screenconnect von Connectwise enthält eine Sicherheitslücke, die Angreifern das Einschleusen und Ausführen von Schadcode ermöglicht. Der Hersteller bietet Software-Updates zum Schließen des Sicherheitslecks an. --------------------------------------------- https://www.heise.de/news/Connectwise-Screenconnect-Hochriskante-Codeschmug… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (thunderbird), Debian (libbpf), Fedora (golang-github-openprinting-ipp-usb, ImageMagick, mingw-libsoup, mingw-poppler, and pgbouncer), SUSE (glib2, govulncheck-vulndb, libsoup-2_4-1, libxml2-2, mozjs60, ruby2.5, and thunderbird), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-iot, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-hwe-6.8, linux-ibm-5.4, linux-oracle-5.15, openssh, and php-twig). --------------------------------------------- https://lwn.net/Articles/1018912/ ∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released seven Industrial Control Systems (ICS) advisories on April 24, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS, including Schneider Electric Modicon Controllers, ALBEDO Telecom Net.Time - PTP/NTP Clock, Vestel AC Charger, Nice Linear eMerge E3, Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool, Planet Technology Network Products, and Fuji Electric Monitouch V-SFT (Update A). CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/24/cisa-releases-seven-indu… ∗∗∗ Hacking My Coworker (In Minecraft) ∗∗∗ --------------------------------------------- Integrated Scripting is included in several of the largest modpacks on CurseForge. It has 3.5 million downloads, which also doesn’t include non CurseForge hosted downloads such as for Feed the Beast modpacks. Through the presented vulnerability, any public or semi public multiplayer server that includes Integrated Scripting is vulnerable to remote code execution by a player who is able to craft a few relatively simple items. --------------------------------------------- https://redvice.org/assets/pdfs/minecraft2025.pdf ∗∗∗ Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild ∗∗∗ --------------------------------------------- SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, was patched just hours ago with the release of SAP Security Note 3594142. --------------------------------------------- https://redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324… ∗∗∗ ZDI-25-252: (0Day) Cato Networks Cato Client for macOS Helper Service Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-252/ ∗∗∗ Three new vulnerabilities found related to IXON VPN client resulting in Local Privilege Escalation (LPE) ∗∗∗ --------------------------------------------- https://www.shelltrail.com/research/three-new-cves-related-to-ixon-vpn-clie… ∗∗∗ Bosch: Multiple ctrlX OS vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-640452.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2025
by Daily end-of-shift report 24 Apr '25

24 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-04-2025 18:00 − Donnerstag 24-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Linux io_uring security blindspot allows stealthy rootkit attacks ∗∗∗ --------------------------------------------- A significant security gap in Linux runtime security caused by the io_uring interface allows rootkits to operate undetected on systems while bypassing advanced Enterprise security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-io-uring-security-blin… ∗∗∗ Darcula Adds GenAI to Phishing Toolkit, Lowering the Barrier for Cybercriminals ∗∗∗ --------------------------------------------- The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities. "This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a new report shared with The Hacker News." --------------------------------------------- https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.ht… ∗∗∗ Erlang/OTP SSH: Namhafte Hersteller von kritischer Lücke betroffen ∗∗∗ --------------------------------------------- Erlang/OTP SSH wird von vielen namhaften Herstellern mitgeliefert. Daher betrifft eine kritische Lücke auch Cisco und Ericsson. Zu den weiteren verwundbaren Anbietern gehört nach jetzigem Stand EMQ Technologies. Nicht standardmäßig installiert, aber optional verfügbar ist Erlang/OTP SSH bei National Instruments, Broadcom (insbesondere RabbitMQ), Very Technology, Apache (CouchDB) und Riak Technologies. Hier müssen Admins prüfen, ob sie Erlang/OTP SSH installiert haben und gegebenenfalls die verfügbaren Aktualisierungen installieren. --------------------------------------------- https://www.heise.de/news/Erlang-OTP-SSH-Namhafte-Hersteller-von-kritischer… ∗∗∗ 9X Surge in Ivanti Connect Secure Scanning Activity ∗∗∗ --------------------------------------------- GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure or Ivanti Pulse Secure VPN systems. More than 230 unique IPs probed ICS/IPS endpoints. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation. --------------------------------------------- https://www.greynoise.io/blog/surge-ivanti-connect-secure-scanning-activity ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Commvault Command Center Flaw Enables Attackers to Execute Code Remotely ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations. The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0. --------------------------------------------- https://thehackernews.com/2025/04/critical-commvault-command-center-flaw.ht… ∗∗∗ Drupal: Security advisories ∗∗∗ --------------------------------------------- Drupal has released new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy and openrazer), Fedora (c-ares and mingw-poppler), Red Hat (thunderbird), SUSE (epiphany, ffmpeg-6, gopass, and libsoup-3_0-0), and Ubuntu (erlang, haproxy, libapache2-mod-auth-openidc, libarchive, linux, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-azure-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws-6.8, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gke, linux-gkeop, linux-gcp-6.8, linux-ibm-5.15, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-realtime, perl, and yelp, yelp-xsl). --------------------------------------------- https://lwn.net/Articles/1018717/ ∗∗∗ ZDI-25-250: (0Day) Cloudera Hue Ace Editor Directory Traversal Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-250/ ∗∗∗ ZDI-25-249: (0Day) eCharge Hardy Barth cPH2 index.php Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-249/ ∗∗∗ ZDI-25-248: (0Day) eCharge Hardy Barth cPH2 nwcheckexec.php dest Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-248/ ∗∗∗ ZDI-25-247: (0Day) eCharge Hardy Barth cPH2 check_req.php ntp Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-247/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 14, 2025 to April 20, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ ALBEDO Telecom Net.Time - PTP/NTP Clock ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-02 ∗∗∗ Sonicwall warnt vor DoS-Lücke in SSLVPN ∗∗∗ --------------------------------------------- https://heise.de/-10360960 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2025
by Daily end-of-shift report 23 Apr '25

23 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-04-2025 18:00 − Mittwoch 23-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Alternativen aus Europa: Wie man von US-Software unabhängig wird ∗∗∗ --------------------------------------------- Ein Wiener Softwareentwickler sammelt "European Alternatives" zu US-Digitalprodukten. Seit Trumps 2. Amtsantritt ist das Interesse stark gestiegen. --------------------------------------------- https://futurezone.at/netzpolitik/tech-alternativen-apps-europa-datenschutz… ∗∗∗ Kurz nach Offenlegung: ChatGPT und Claude liefern Exploit für kritische SSH-Lücke ∗∗∗ --------------------------------------------- In einem verbreiteten SSH-Tool klafft eine gefährliche Lücke. Nur Stunden nach Bekanntwerden erstellt ein Forscher mittels KI einen funktionierenden Exploit. --------------------------------------------- https://www.golem.de/news/kurz-nach-offenlegung-chatgpt-und-claude-liefern-… ∗∗∗ Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis. --------------------------------------------- https://thehackernews.com/2025/04/android-spyware-disguised-as-alpine.html ∗∗∗ CVE-2025-3248: RCE vulnerability in Langflow ∗∗∗ --------------------------------------------- CVE-2025-3248, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, has been discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows. [..] All Langflow versions prior to 1.3.0 are susceptible to code injection. [..] Exploiting CVE-2025-3248 involves the following steps: --------------------------------------------- https://www.zscaler.com/blogs/security-research/cve-2025-3248-rce-vulnerabi… ∗∗∗ Die Urlaubsplanung steht an? Vorsicht vor Betrug mit Fake-Buchungsportalen! ∗∗∗ --------------------------------------------- Wo soll es im Sommerurlaub hingehen? Wie wäre es mit einer Miet-Finca auf den Kanaren? Dann ist bei der Buchung Vorsicht angebracht! Kriminelle erstellen Fake-Portale und bieten dort vermeintlich reale Luxus-Mietobjekte an. Wer sich auf den Deal einlässt und den gewünschten Betrag überweist, ist in die Falle getappt. Die Unterkunft existiert nicht, das Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/villen-fincas-fake-buchungsportal/ ∗∗∗ Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows ∗∗∗ --------------------------------------------- Since early March 2025, Volexity has observed multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows. The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account. --------------------------------------------- https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-… ∗∗∗ Distribution of PebbleDash Malware in March 2025 ∗∗∗ --------------------------------------------- PebbleDash is a backdoor malware that was previously identified by the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. as a backdoor malware of Lazarus (Hidden Corba) in 2020. --------------------------------------------- https://asec.ahnlab.com/en/87621/ ∗∗∗ Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs ∗∗∗ --------------------------------------------- Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme. --------------------------------------------- https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-b… ===================== = Vulnerabilities = ===================== ∗∗∗ ASUS releases fix for AMI bug that lets hackers brick servers ∗∗∗ --------------------------------------------- ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers. [..] The flaw impacts American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software, used by over a dozen server hardware vendors, including HPE, ASUS, and ASRock. The CVE-2024-54085 flaw is remotely exploitable, potentially leading to malware infections, firmware modifications, and irreversible physical damage through over-volting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/asus-releases-fix-for-ami-bu… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bluez, expat, and postgresql:12), Fedora (chromium, golang, LibRaw, moodle, openiked, ruby, and trafficserver), Red Hat (bluez, expat, gnutls, libtasn1, libxslt, mod_auth_openidc, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), and Ubuntu (linux, linux-aws, linux-gcp, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oem-6.11, linux-oracle, linux-raspi, linux-realtime, linux-azure, linux-azure-6.11, linux-gcp-6.8, and matrix-synapse). --------------------------------------------- https://lwn.net/Articles/1018589/ ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-112-01 Siemens TeleControl Server Basic SQL, ICSA-25-112-02 Siemens TeleControl Server Basic, ICSA-25-112-03 Schneider Electric Wiser Home Controller WHC-5918A, ICSA-25-112-04 ABB MV Drives, ICSA-25-035-04 Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/22/cisa-releases-five-indus… ∗∗∗ Cisco: Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2025
by Daily end-of-shift report 22 Apr '25

22 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-04-2025 18:00 − Dienstag 22-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ DOGE, CISA, Mitre und CVE ∗∗∗ --------------------------------------------- In der Cybersecurity Community herrschte letzte Woche helle Aufregung, weil die Einsparungstruppe von Trumps Gnaden die grandiose Idee hatte, das Funding für den Betrieb des CVE-Systems durch Mitre einzustellen. Wahrscheinlich aufgrund des starken Gegenwindes von der Seite der US-Industrie wurde eine Lösung gefunden und der Betrieb ist (angeblich) für die nächsten 11 Monate gesichert. Ich will das zum Anlass nehmen, das System hinter den bekannten CVE-Nummern zu erklären und mögliche Entwicklungen aufzuzeigen. --------------------------------------------- https://www.cert.at/de/blog/2025/4/doge-cisa-mitre-und-cve ∗∗∗ Phishers abuse Google OAuth to spoof Google in DKIM replay attack ∗∗∗ --------------------------------------------- In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Googles systems, passing all verifications but pointing to a fraudulent page that collected logins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-… ∗∗∗ Phishing attacks leveraging HTML code inside SVG files ∗∗∗ --------------------------------------------- The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers. Despite not being widespread at the time of this study, SVG attachment attacks are showing a clear upward trend. --------------------------------------------- https://securelist.com/svg-phishing/116256/ ∗∗∗ Videokameras: Schwere Sicherheitslücke bei Überwachungsgeräten der Polizei ∗∗∗ --------------------------------------------- Polizeibehörden in zahlreichen Ländern nutzen mobile Sender der Firma Infodraw. Doch die hochgeladenen Daten sind nicht ausreichend gesichert. [..] Über das Bundesamt für Sicherheit in der Informationstechnik (BSI) wurden laut Schäfers inzwischen in Deutschland alle übrigen Betreiber gewarnt. [..] Ihm zufolge reicht es nicht aus, die aktuelle Softwareversion 7.1.0.0 installiert zu haben. Wobei aktuell relativ ist, denn die Version stammt aus dem Jahr 2000. Schäfers empfiehlt den nutzenden Organisationen, die Anwendung unmittelbar offline zu nehmen. --------------------------------------------- https://www.golem.de/news/videokameras-schwere-sicherheitsluecke-bei-ueberw… ∗∗∗ Agent In the Middle – Abusing Agent Cards in the Agent-2-Agent (A2A) Protocol To ‘Win’ All the Tasks ∗∗∗ --------------------------------------------- I’ll write a blog post on prompt injection defenses and how I am able to circumvent them another time… the blog post today is about one of those advancements: the Agent-2-Agent (A2A) Protocol. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-th… ∗∗∗ Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach ∗∗∗ --------------------------------------------- Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it's also in the process of migrating the Entra ID signing service as well. The disclosure comes about seven months after the tech giant said it completed updates to Microsoft Entra ID and MS for both public and United States government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service. --------------------------------------------- https://thehackernews.com/2025/04/microsoft-secures-msa-signing-with.html ∗∗∗ Anspruch auf Kostenerstattung? Vorsicht vor neuer ÖGK-Betrugsmasche ∗∗∗ --------------------------------------------- Neue Website, alte Masche. Kriminelle haben eine weitere Betrugswelle im Namen der Österreichischen Gesundheitskasse gestartet. Sie locken mit einer hohen Rückzahlung und setzen auf eine beinahe 1:1-Kopie der originalen ÖGK-Website. So können Sie den Fake dennoch erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-neue-oegk-betrugsmasche/ ∗∗∗ Ivanti Endpoint Manager_Local Privilege Escalation via DLL Search Order Hijacking ∗∗∗ --------------------------------------------- The Ivanti Endpoint Manager Security Scan (Vulscan) Self Update was vulnerable to DLL Hijacking. 2025-04-08 Vendor publishes security advisory. 2025-04-22 Coordinated disclosure of security advisory. CVE Number CVE-2025-22458 --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… ∗∗∗ Microsoft’s patch for CVE-2025–21204 symlink vulnerability introduces another symlink vulnerability ∗∗∗ --------------------------------------------- Microsoft recently patched CVE-2025–21204, a vuln which allows users to abuse symlinks to elevate privileges using the Windows servicing stack and the c:\inetpub folder. [..] However, I’ve discovered this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates. [..] I reported this to MSRC about two weeks ago, but haven’t had a response. --------------------------------------------- https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulner… ∗∗∗ Zugangs- und Schließsysteme mit Internetanbindung als Risiko – Teil 1 ∗∗∗ --------------------------------------------- Heute noch ein kleiner, zweiteiliger Sammelbeitrag, in dem ich auf die Risiken eingehe, welche Schließsysteme bzw. Systeme zur Zugangskontrolle sowie zur Zeiterfassung unter Umständen bieten. --------------------------------------------- https://www.borncity.com/blog/2025/04/20/risiko-zeiterfassungs-zugangs-und-… ∗∗∗ Systeme zur Zeiterfassung mit Internetanbindung als Risiko – Teil 2 ∗∗∗ --------------------------------------------- In Teil 1 des zweiteiligen Sammelbeitrags hatte ich auf die Risiken hingewiesen, die von elektronischen Schließsystemen bzw. Systemen zur Zugangskontrolle ausgehen können, wenn diese am Internet hängen. Aber auch Systeme zur Zeiterfassung, die per Internet erreichbar sind, fallen in diese Kategorie, sofern Dienstleister diese allzu sorglos eingerichtet haben. --------------------------------------------- https://www.borncity.com/blog/2025/04/21/systeme-zur-zeiterfassung-mit-inte… ===================== = Vulnerabilities = ===================== ∗∗∗ Asus-Router: Sicherheitslücke ermöglicht unbefugtes Ausführen von Funktionen ∗∗∗ --------------------------------------------- Im CVE-Eintrag zur Schwachstelle erörtert Asus, dass in der AiCloud eine unzureichende Authentifizierungskontrolle stattfinde. Diese lasse sich durch manipulierte Anfragen missbrauchen, um ohne Autorisierung Funktionen auszuführen (CVE-2025-2492, CVSS 9.2, Risiko "kritisch"). [..] In der Sicherheitsmitteilung schreibt Asus lediglich, dass die Entwickler aktualisierte Firmware für die Serien 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388 und 3.0.0.6_102 veröffentlicht hat. Die soll die Schwachstelle ausbessern. --------------------------------------------- https://www.heise.de/news/Asus-Router-Sicherheitsluecke-ermoeglicht-unbefug… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (erlang, fig2dev, shadow, wget, and zabbix), Fedora (chromium, jupyterlab, llama-cpp, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, uv, and webkitgtk), Slackware (libxml2 and zsh), SUSE (argocd-cli, chromium, coredns, ffmpeg-6, and firefox), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/1018292/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, kernel, libxslt, mod_auth_openidc:2.3, and webkit2gtk3), Fedora (c-ares, giflib, jupyterlab, perl, perl-Devel-Cover, perl-PAR-Packer, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, ruby, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, thunderbird, and uv), SUSE (erlang, erlang26, and govulncheck-vulndb), and Ubuntu (mosquitto). --------------------------------------------- https://lwn.net/Articles/1018444/ ∗∗∗ Zyxel security advisory for incorrect permission assignment and improper privilege management vulnerabilities in USG FLEX H series firewalls ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Wordpress: Angreifer können über Greenshift-Plug-in Schadcode hochladen ∗∗∗ --------------------------------------------- https://heise.de/-10357624 ∗∗∗ SicommNet BASEC product warning ∗∗∗ --------------------------------------------- https://csirt.divd.nl/2025/04/14/SicommNet-Basec-product-warning/ ∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center version 6.5.1: SC-202504.3 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2025
by Daily end-of-shift report 18 Apr '25

18 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-04-2025 18:00 − Freitag 18-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Chrome extensions with 6 million installs have hidden tracking code ∗∗∗ --------------------------------------------- A set of 57 Chrome extensions with 6,000,000 users have been discovered with very risky capabilities, such as monitoring browsing behavior, accessing cookies for domains, and potentially executing remote scripts. [..] Earlier today, the researcher added 22 more extensions believed to belong to the same operation, taking the total to 57 extensions used by 6 million people. Some of the newly added extensions are public, too. Tuckner says that many of the extensions have been removed from the Chrome Web Store following his report from last week, but others still remain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-mil… ∗∗∗ Windows NTLM hash leak flaw exploited in phishing attacks on governments ∗∗∗ --------------------------------------------- A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies. The flaw tracked as CVE-2025-24054 was fixed in Microsoft's March 2025 Patch Tuesday. Initially, it was not marked as actively exploited and was assessed as 'less likely' to be. [..] In a later campaign, Check Point discovered phishing emails that contained .library-ms attachments, without an archive. Simply downloading the .library-ms file was enough to trigger NTLM authentication to the remote server, demonstrating that archives were not required to exploit the flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-ntlm-hash-leak-flaw-… ∗∗∗ Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader ∗∗∗ --------------------------------------------- A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. --------------------------------------------- https://thehackernews.com/2025/04/multi-stage-malware-attack-uses-jse-and.h… ∗∗∗ Nebula – Autonomous AI Pentesting Tool ∗∗∗ --------------------------------------------- Another cutting-edge tool from 2024 is Nebula, an open-source AI-powered penetration testing assistant. If PentestGPT is like an AI advisor, Nebula attempts to automate parts of the pentest process itself. --------------------------------------------- https://www.darknet.org.uk/2025/04/nebula-autonomous-ai-pentesting-tool/ ∗∗∗ Cross-Site WebSocket Hijacking Exploitation in 2025 ∗∗∗ --------------------------------------------- The post includes a few brief case studies based on situations encountered during real world testing, in addition to a simple test site that can be hosted by readers to explore each of the vulnerability conditions. --------------------------------------------- https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exp… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick and libapache2-mod-auth-openidc), Fedora (giflib, mod_auth_openidc, mysql8.0, perl, perl-Devel-Cover, perl-PAR-Packer, perl-String-Compare-ConstantTime, rust-openssl, rust-openssl-sys, trunk, and workrave), Mageia (chromium-browser-stable and rust), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreoffice, and webkit2gtk3), Red Hat (gvisor-tap-vsock), SUSE (containerd, docker, docker-stable, forgejo, GraphicsMagick, libmozjs-115-0, perl-32bit, poppler, subfinder, and thunderbird), and Ubuntu (erlang and ruby2.3, ruby2.5). --------------------------------------------- https://lwn.net/Articles/1018020/ ∗∗∗ [R1] Nessus Version 10.8.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-05 ∗∗∗ Yokogawa Recorder Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2025
by Daily end-of-shift report 17 Apr '25

17 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-04-2025 18:00 − Donnerstag 17-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ MITRE CVE Program - the past, the present .. and the (European) future. ∗∗∗ --------------------------------------------- The Common Vulnerabilities and Exposures (CVE) program is a globally adopted system for identifying and naming cybersecurity vulnerabilities with unique IDs. Established in 1999 by researchers at the MITRE Corporation (a U.S. non-profit R&D organization), CVE was created to ensure that different security tools and stakeholders can refer to the same vulnerability in a consistent way. --------------------------------------------- https://bytesandborscht.com/mitre-cve-program-the-past-the-present-and-the-… ∗∗∗ RedTail, Remnux and Malware Management [Guest Diary], (Wed, Apr 16th) ∗∗∗ --------------------------------------------- When I first saw malware being uploaded to my honeypot, I was lacking the requisite experience to reverse engineer it, and to understand what was happening with the code. Even though I could use any text editor to examine the associated scripts that were being uploaded with RedTail malware, I couldn’t see what was happening with the redtail malware itself. So, I decided to create a how-to on setting up a malware analysis program. --------------------------------------------- https://isc.sans.edu/diary/rss/31868 ∗∗∗ Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns ∗∗∗ --------------------------------------------- Earlier this year SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from Proton66 ASN targeting organizations worldwide that we are discussing in a two-part series. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-pa… ∗∗∗ Experts Uncover Four New Privilege Escalation Flaws in Windows Task Scheduler ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that could be exploited by local attackers to achieve privilege escalation and erase logs to cover up evidence of malicious activities. --------------------------------------------- https://thehackernews.com/2025/04/experts-uncover-four-new-privilege.html ∗∗∗ CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection that could result in code execution. --------------------------------------------- https://thehackernews.com/2025/04/cisa-flags-actively-exploited.html ∗∗∗ Support-Ende von Ubuntu 20.04 dräut ∗∗∗ --------------------------------------------- Der Support für Ubuntu 20.04 endet in wenigen Wochen. Ubuntu empfiehlt ein Upgrade oder erweiterten Support mit Ubuntu Pro. --------------------------------------------- https://www.heise.de/news/Support-Ende-von-Ubuntu-20-04-draeut-10355860.html ∗∗∗ Unmasking the new XorDDoS controller and infrastructure ∗∗∗ --------------------------------------------- Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. --------------------------------------------- https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks ∗∗∗ --------------------------------------------- Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild. --------------------------------------------- https://thehackernews.com/2025/04/apple-patches-two-actively-exploited.html ∗∗∗ Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation that could permit an attacker to execute arbitrary code sans any authentication under certain conditions. The vulnerability, tracked as CVE-2025-32433, has been given the maximum CVSS score of 10.0. --------------------------------------------- https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html ∗∗∗ Drupal releases Security Advisories for multiple Critical and High Vulnerabilities ∗∗∗ --------------------------------------------- Including 5 critical and 2 high severity. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Atlassian stopft hochriskante Lecks in Confluence, Jira & Co. ∗∗∗ --------------------------------------------- Atlassian hat für Bamboo, Confluence und Jira Aktualisierungen herausgegeben, die als hohes Risiko eingestufte Sicherheitslücken in den Produkten abdichten sollen. IT-Verantwortliche sollten die Updates zeitnah herunterladen und anwenden. --------------------------------------------- https://www.heise.de/news/Atlassian-stopft-hochriskante-Lecks-in-Confluence… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 7, 2025 to April 13, 2025) ∗∗∗ --------------------------------------------- Last week, there were 340 vulnerabilities disclosed in 303 WordPress Plugins and 8 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 67 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Oracle (expat, freetype, glibc, grub2, gvisor-tap-vsock, and kernel), Red Hat (grub2 and webkit2gtk3), and SUSE (apache2-mod_auth_openidc, cosign, gitoxide, govulncheck-vulndb, GraphicsMagick, haproxy, hauler, mozjs52, oci-cli, pam, perl-Data-Entropy, poppler, python-lxml-doc, python311-aiohttp, rekor, rubygem-rexml, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/1017919/ ∗∗∗ Cisco Nexus Dashboard LDAP Username Enumeration Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Webex App Client-Side Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0, 6.4.5 and 6.5.1: SC-202504.2 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-04 ∗∗∗ F5 K000150879: OpenSSH vulnerability CVE-2025-26466 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150879 ∗∗∗ F5 K000150901: Linux kernel vulnerability CVE-2024-46713 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150901 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2025
by Daily end-of-shift report 16 Apr '25

16 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-04-2025 18:00 − Mittwoch 16-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Mehrere FortiGate-Modelle von Backdoor betroffen ∗∗∗ --------------------------------------------- Am Freitag, den 10. April, veröffentlichte Fortinet Informationen über eine weltweite Kompromittierung von FortiGate-Geräten, die Angreifer:innen dauerhaften lesenden Zugriff ermöglichten. Die Angreifer:innen nutzten offenbar drei bekannte Schwachstellen in der SSL-VPN-Funktion, um sich Zugang zu den Geräten zu verschaffen, und eine Hintertür im Dateisystem zu platzieren um den illegalen Zugriff nachhaltig zu ermöglichen. [..] Alle FortiGate-Geräte, physisch oder virtuell, die die SSL-VPN-Funktion aktiviert haben oder hatten und jemals für eine der genannten Schwachstellen anfällig waren (siehe betroffene FortiOS-Versionen in den Advisories - 1, 2, 3), sind potenziell gefährdet. --------------------------------------------- https://www.cert.at/de/blog/2025/4/mehrere-fortigate-modelle-von-backdoor-b… ∗∗∗ CISA extends funding to ensure no lapse in critical CVE services ∗∗∗ --------------------------------------------- CISA says the U.S. government has extended MITREs funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensu… ∗∗∗ Quellcode und Daten geleakt: 4chan nach mutmaßlichem Hackerangriff offline ∗∗∗ --------------------------------------------- 4chan hat offenbar den Unmut einer Konkurrenzplattform auf sich gezogen. Dort kursieren Screenshots von internen Tools, Datenbanken, E-Mail-Listen und mehr. --------------------------------------------- https://www.golem.de/news/quellcode-und-daten-geleakt-4chan-nach-mutmasslic… ∗∗∗ Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2 ∗∗∗ --------------------------------------------- This is Part 2 of our two-part technical analysis on Mustang Panda’s new tools. --------------------------------------------- https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsena… ∗∗∗ CrazyHunter Campaign Targets Taiwanese Critical Sectors ∗∗∗ --------------------------------------------- This blog entry details research on emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwans essential services. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - April 2025 ∗∗∗ --------------------------------------------- A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. --------------------------------------------- https://www.oracle.com/security-alerts/cpuapr2025.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gvisor-tap-vsock, kernel, and kernel-rt), Fedora (chromium, dnf, dotnet9.0, golang, lemonldap-ng, mariadb10.11, perl-Crypt-URandom-Token, perl-DBIx-Class-EncodedColumn, php-tcpdf, podman-tui, and trunk), Red Hat (java-17-openjdk and kernel), Slackware (mozilla), SUSE (apache2-mod_auth_openidc, cosign, etcd, expat, flannel, kernel, libsqlite3-0, libvarnishapi3, mozjs52, Multi-Linux Manager 4.3: Server, Multi-Linux Manager 5.0: Server, Proxy and Retail Server, pgadmin4, rekor, rsync, rubygem-bundler, and webkit2gtk3), and Ubuntu (7zip, Docker, and quickjs). --------------------------------------------- https://lwn.net/Articles/1017670/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-105-01 Siemens Mendix Runtime, ICSA-25-105-02 Siemens Industrial Edge Device Kit, ICSA-25-105-03 Siemens SIMOCODE, SIMATIC, SIPLUS, SIDOOR, SIWAREX, ICSA-25-105-04 Growatt Cloud Applications, ICSA-25-105-05 Lantronix Xport, ICSA-25-105-06 National Instruments LabVIEW, ICSA-25-105-07 Delta Electronics COMMGR, ICSA-25-105-08 ABB M2M Gateway, ICSA-25-105-09 Mitsubishi Electric Europe B.V. smartRTU --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/15/cisa-releases-nine-indus… ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird ESR 128.9.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 137.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/ ∗∗∗ Webbrowser: Kritische Sicherheitslücke in Chrome abgedichtet ∗∗∗ --------------------------------------------- https://heise.de/-10354575 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2025
by Daily end-of-shift report 15 Apr '25

15 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 14-04-2025 18:00 − Dienstag 15-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New ResolverRAT malware targets pharma and healthcare orgs worldwide ∗∗∗ --------------------------------------------- A new remote access trojan (RAT) called ResolverRAT is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-resolverrat-malware-targ… ∗∗∗ Sicherheitspatches: Google beendet Unterstützung von Android 12 ∗∗∗ --------------------------------------------- Android 12 ist im Jahr 2025 noch die dritthäufigste Android-Version auf dem Markt - Google stellt nun die Versorgung mit Patches ein. --------------------------------------------- https://www.golem.de/news/sicherheitspatches-google-beendet-unterstuetzung-… ∗∗∗ Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability ∗∗∗ --------------------------------------------- A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date. Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that could expose internet-accessible servers to remote code execution attacks. It has been addressed in CentreStack version 16.4.10315.56368 released on April 3, 2025. --------------------------------------------- https://thehackernews.com/2025/04/gladinets-triofox-and-centrestack-under.h… ∗∗∗ Verkehrskunde und Krankheiten: Wenn Betrüger:innen Kinder als Lockmittel einsetzen ∗∗∗ --------------------------------------------- Ein Herz für Kinder – genau auf dieses haben es Kriminelle immer wieder abgesehen. Sie versenden E-Mails und bitten darin um Spenden für die Produktion von Büchern. Diese sollen Kindergärten, Kinderkliniken und anderen entsprechenden Einrichtungen kostenlos zur Verfügung gestellt werden. Ein an sich nobles Vorhaben. In Wahrheit aber nichts andere als eine besonders dreiste und unappetitliche Betrugsmasche. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerinnen-kinder-als-lockmittel/ ∗∗∗ Renewed APT29 Phishing Campaign Against European Diplomats ∗∗∗ --------------------------------------------- Starting in January 2025, Check Point Research (CPR) has been tracking a wave of targeted phishing attacks aimed at European governments and diplomats. The Techniques, Tactics and Procedures (TTPs) observed in this campaign align with the WINELOADER campaigns, which were attributed to APT29, a Russia linked threat group. --------------------------------------------- https://research.checkpoint.com/2025/apt29-phishing-campaign/ ∗∗∗ Android-Smartphones starten sich nach 3 Tagen Inaktivität von selbst neu ∗∗∗ --------------------------------------------- Wie iPhones unter iOS 18 starten sich Android-Smartphones künftig nach 72 Stunden der Inaktivität von selbst neu. Damit soll die allgemeine Sicherheit erhöht und nicht die Polizei geärgert werden. --------------------------------------------- https://heise.de/-10352891 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change. The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4. --------------------------------------------- https://thehackernews.com/2025/04/critical-apache-roller-vulnerability.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (glibc), Red Hat (kernel and kernel-rt), Slackware (perl), SUSE (haproxy, kernel, and webkit2gtk3), and Ubuntu (cimg, perl, protobuf, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1017514/ ∗∗∗ Vulnerability in FileSender versions 2.15 through 2.50 ∗∗∗ --------------------------------------------- https://filesender.org/vulnerability-in-filesender-versions-2-15-through-2-… ∗∗∗ Mozilla: Security vulnerability fixed in Firefox 137.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-25/ ∗∗∗ f5: K000150814: BIND vulnerability CVE-2024-11187 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150814 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2025
by Daily end-of-shift report 14 Apr '25

14 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-04-2025 18:00 − Montag 14-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ BentoML Vulnerability Allows Remote Code Execution on AI Servers ∗∗∗ --------------------------------------------- This vulnerability, tracked as CVE-2025-27520 with a high severity score of 9.8 and discovered by GitHub user c2an1, could allow attackers who aren’t even logged in to take complete control of the servers running these AI services. [..] Interestingly, according to Checkmarx’s report, this vulnerability is essentially a repeat of CVE-2024-2912, which was fixed in BentoML version 1.2.5., but the fix was later removed in BentoML version 1.3.8, causing the same dangerous weakness to reappear. --------------------------------------------- https://hackread.com/bentoml-vulnerability-remote-code-execution-ai-servers/ ∗∗∗ Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248), (Sat, Apr 12th) ∗∗∗ --------------------------------------------- Two weeks ago, version 1.3.0 of Langflow was released. The release notes list many fixes but do not mention that one of the "Bug Fixes" addresses a major vulnerability. Instead, the release notes state, "auth current user on code validation." [..] The vulnerability went somewhat unnoticed, at least by me, until Horizon3 created a detailed writeup showing how easy it is to exploit the vulnerability and provide proof of concept exploit. --------------------------------------------- https://isc.sans.edu/diary/rss/31850 ∗∗∗ Proton66 Part 1: Mass Scanning and Exploit Campaigns ∗∗∗ --------------------------------------------- Trustwave SpiderLabs continuously tracks a range of malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns leading to malware infections. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-pa… ∗∗∗ Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online accounts. The technique has been codenamed precision-validating phishing by Cofense, which it said employs real-time email validation so that only a select set of high-value targets are served the fake login screens. --------------------------------------------- https://thehackernews.com/2025/04/phishing-campaigns-use-real-time-checks.h… ∗∗∗ CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide ∗∗∗ --------------------------------------------- CyberAv3ngers has been vocal about their operations that targeted Israel and Israeli technology products. But they've also quietly expanded their target list to include a variety of other devices and networks, including a US oil and gas firm and a wide array of industrial control systems across the world. --------------------------------------------- https://www.wired.com/story/cyberav3ngers-iran-hacking-water-and-gas-indust… ∗∗∗ A short(-ish) guide on information security writing ∗∗∗ --------------------------------------------- Whether you’re compiling incident notes at 3 AM, drafting a post-mortem report for the board or helping the marketing department to craft a blog post that will generate near endless riches for your employer - we may like it or not, the ability to produce qualitative writing is as much a vital skill when working in information security as your technical prowess. --------------------------------------------- https://bytesandborscht.com/a-short-ish-guide-on-information-security-writi… ∗∗∗ Vorsicht vor Dreiecksbetrug bei Kleinanzeigenplattformen ∗∗∗ --------------------------------------------- eBay, Willhaben, Shpock und Co. sind beliebte Plattformen, um günstig gebrauchte Waren zu kaufen oder nicht mehr benötigte Gegenstände zu verkaufen. Doch Vorsicht: Hinter manchen Profilen verbergen sich Kriminelle. Besonders tückisch ist der Dreiecksbetrug, bei dem sowohl Käufer:innen als auch Verkäufer:innen betrogen werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dreiecksbetrug-bei-klei… ∗∗∗ BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets ∗∗∗ --------------------------------------------- A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf KI-Analyseplattform Spotfire möglich ∗∗∗ --------------------------------------------- Wie aus zwei Warnmeldungen zu den Sicherheitslücken (CVE-2025-3114 "kritisch", CVE-2025-3115 "kritisch") hervorgeht, sind konkret Spotfire Analyst, AWS Marketplace, Deployment Kit Spotfire Server, Desktop, Enterprise Runtime, Service for Python, Service for R und Statistics Services bedroht. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Schadcode-Attacken-auf-KI-Anal… ∗∗∗ Netzwerkgeräte mit Arista EOS können Verschlüsselung vergessen ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, funktioniert die Verschlüsselung von Datenverkehr nicht verlässlich. Das ist aber den Entwicklern zufolge aber nur gegeben, wenn Secure Vxlan konfiguriert ist. [..] Die Sicherheitslücke (CVE-2024-12378) ist mit dem Bedrohungsgrad "kritisch" eingestuft. --------------------------------------------- https://www.heise.de/news/Netzwerkgeraete-mit-Arista-EOS-koennen-Verschlues… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0, jinja2, kernel, mediawiki, perl, subversion, twitter-bootstrap3, twitter-bootstrap4, and wpa), Fedora (c-ares, chromium, condor, corosync, cri-tools1.29, exim, firefox, matrix-synapse, nextcloud, openvpn, perl-Data-Entropy, suricata, upx, varnish, webkitgtk, yarnpkg, and zabbix), Mageia (giflib, gnupg2, graphicsmagick, and poppler), Oracle (delve and golang, go-toolset:ol8, grub2, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (chromium, fontforge-20230101, govulncheck-vulndb, kernel, liblzma5-32bit, pgadmin4, python311-Django, and python311-PyJWT), and Ubuntu (graphicsmagick). --------------------------------------------- https://lwn.net/Articles/1017396/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2025
by Daily end-of-shift report 11 Apr '25

11 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-04-2025 18:00 − Freitag 11-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fortinet FortiOS: Angreifende installierten persistenten Lesezugriff auf Firewalls ∗∗∗ --------------------------------------------- Am 10. April 2025 veröffentlichte der Hersteller Fortinet einen PSIRT-Blogbeitrag über beobachtete Kompromittierungen durch mehrere bekannte Schwachstellen im Betriebssystem FortiOS der Firewall- Serie FortiGate [FORT25]. [..] Fortinet konnte beobachten, wie Angreifende die genannten Schwachstellen nutzten, um sich persistenten Lesezugriff auf verwundbaren FortiGates zu verschaffen. [..] IT-Sicherheitsverantwortliche sollten prüfen, ob sie selbst betroffen waren oder sind und weitere Schutzmaßnahmen ergreifen. --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2025/2025-2… ∗∗∗ Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs ∗∗∗ --------------------------------------------- Google is hosting dozens of extensions in its Chrome Web Store that perform suspicious actions on the more than 4 million devices that have installed them and that their developers have taken pains to carefully conceal. --------------------------------------------- https://arstechnica.com/security/2025/04/researcher-uncovers-dozens-of-sket… ∗∗∗ Tycoon2FA New Evasion Technique for 2025 ∗∗∗ --------------------------------------------- The Tycoon 2FA phishing kit has adopted several new evasion techniques aimed at slipping past endpoints and detection systems. These include using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection. This blog takes a closer look at these methods to better understand how this kit is evolving and what defenders should be aware of. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tycoon2fa-n… ∗∗∗ Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks ∗∗∗ --------------------------------------------- Ever thought an image file could be part of a cyber threat? The Trustwave SpiderLabs Email Security team has identified a major spike in SVG image-based attacks, where harmless-looking graphics are being used to hide dangerous links. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfe… ∗∗∗ Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways ∗∗∗ --------------------------------------------- Palo Alto Networks has revealed that its observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat actors warned of a surge in suspicious login scanning activity targeting its appliances. --------------------------------------------- https://thehackernews.com/2025/04/palo-alto-networks-warns-of-brute-force.h… ∗∗∗ Vorsicht vor gefälschten card complete Anrufen! ∗∗∗ --------------------------------------------- Derzeit kommt es zu betrügerischen Anrufen im Namen der Kreditkartenfirma card complete. Kriminelle setzen dabei Spoofing ein, um vorzutäuschen, dass es sich um seriöse Anrufe handelt. Ihr Ziel ist es, an sensible Daten wie Passwörter und Codes zu gelangen. Sollten Sie so einen Anruf erhalten, legen Sie sofort auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-card-compl… ∗∗∗ Malicious NPM Packages Targeting PayPal Users ∗∗∗ --------------------------------------------- FortiGuard Labs has recently discovered a series of malicious NPM packages designed to steal sensitive information from compromised systems. These packages are believed to have been created between March 5 and March 14 by a threat actor known as tommyboy_h1 and tommyboy_h2 to target PayPal users. [..] These attacks function by using a "preinstall hook" in malicious NPM packages, automatically running a script when the package is installed. --------------------------------------------- https://feeds.fortinet.com/~/916527947/0/fortinet/blogs~Malicious-NPM-Packa… ∗∗∗ Security audit of PHP-SRC ∗∗∗ --------------------------------------------- The Open Source Technology Improvement Fund, Inc, thanks to funding provided by Sovereign Tech Fund, engaged with Quarkslab to perform a security audit of PHP-SRC, the interpreter of the PHP language. The audit aimed to assist PHPs core developers and the community in strengthening the projects security ahead of the upcoming PHP 8.4 release. --------------------------------------------- http://blog.quarkslab.com/security-audit-of-php-src.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (delve and golang and go-toolset:rhel8), Debian (webkit2gtk), Fedora (openvpn, thunderbird, uboot-tools, and zabbix), SUSE (expat, fontforge, govulncheck-vulndb, and kernel), and Ubuntu (haproxy and libsoup2.4, libsoup3). --------------------------------------------- https://lwn.net/Articles/1017197/ ∗∗∗ Sonicwall Netextender: Sicherheitslecks gefährden Windows-Client ∗∗∗ --------------------------------------------- In der Sicherheitsmitteilung schreiben die Sonicwall-Entwickler, dass insbesondere der Windows-Client der SSL-VPN-Software Netextender betroffen ist. Das größte Risiko geht von einer unzureichenden Rechteverwaltung in Sonicwall Netextender Windows, sowohl in der 32- als auch der 64-Bit-Version, aus. Angreifer mit niedrigen Rechten können dadurch Konfigurationen verändern (CVE-2025-23008, CVSS 7.2, Risiko "hoch"). --------------------------------------------- https://heise.de/-10349117 ∗∗∗ Subnet Solutions PowerSYSTEM Center ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08 ∗∗∗ Rockwell Automation Arena ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-07 ∗∗∗ INFINITT Healthcare INFINITT PACS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01 ∗∗∗ F5: K000150813: Linux kernel vulnerability CVE-2024-50252 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150813 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2025
by Daily end-of-shift report 10 Apr '25

10 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-04-2025 18:00 − Donnerstag 10-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials ∗∗∗ --------------------------------------------- A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-target-ssrf-bugs-in-… ∗∗∗ Oracle-Einbruch: Schweigen und Kleingerede ∗∗∗ --------------------------------------------- Über zwei Wochen nach Bekanntwerden eines Datenlecks in einer seiner Cloud-Umgebungen wandte sich Oracle nun mit einer E-Mail an Kunden. In der Stellungnahme bemühte sich der Konzern, den Angriff und dessen Auswirkungen kleinzuschreiben. [..] Tatsächlich liegen heise security Demo-Datensätze vor, die direkt vom Angreifer stammen. In diesen sind weit mehr als lediglich Usernamen zu finden – neben E-Mail-Adressen, verschiedenen Passworthashes und den Oracle-internen Tenant-Kennungen finden sich auch die Namen der betroffenen Systeme sowie eine Vielzahl von Zeitstempeln. Diese erstrecken sich bis in den März 2025. --------------------------------------------- https://www.heise.de/news/Oracle-Einbruch-Unternehmen-gibt-Datenklau-zu-und… ∗∗∗ Günstige PV-Komponenten aus Insolvenzmasse abzugeben? Vorsicht, Betrug! ∗∗∗ --------------------------------------------- Eine Anwaltskanzlei hat sich bei Ihnen gemeldet und bietet günstige Photovoltaik-Komponenten aus einem Insolvenzverkauf? Sie sollen rasch antworten, weil die Nachfrage hoch ist? Dann versuchen grade Betrüger:innen, an Ihr Geld zu kommen! Besonders gefährlich: Das insolvente Unternehmen und die Anwaltskanzlei existieren tatsächlich, die Kriminellen nutzen sie als Tarnung für ihre Masche. --------------------------------------------- https://www.watchlist-internet.at/news/pv-komponenten-aus-konkursmasse/ ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories Archive ∗∗∗ --------------------------------------------- Splunk has released security updates for multiple products patching 2 critical and multiple more high vulnerabilities. --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Palo Alto Networks Security Advisories ∗∗∗ --------------------------------------------- Palo Alto Networks has released multiple security advisories for its products, including a high-severity vulnerability affecting the Prisma Access Browser. --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ HPE Aruba: Sicherheitspatches für Access Points und weitere Hardware ∗∗∗ --------------------------------------------- HPE hat Sicherheitswarnungen zu Schwachstellen in diversen Netzwerkgeräten der Aruba-Tochtermarke veröffentlicht. Angreifer können durch die Sicherheitslecks teils sogar Schadcode auf verwundbare Geräte schleusen. --------------------------------------------- https://www.heise.de/news/HPE-Aruba-Sicherheitspatches-fuer-Access-Points-u… ∗∗∗ Sicherheitsupdates: Mit Drupal erstellte Website sind verwundbar ∗∗∗ --------------------------------------------- Drupal-Admins sollten sicherstellen, dass die von ihnen genutzten Module des Content Management Systems (CMS) auf dem aktuellen Stand sind. Geschieht das nicht, können Angreifer Websites im schlimmsten Fall kompromittieren. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Mit-Drupal-erstellte-Website-s… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 31, 2025 to April 6, 2025) ∗∗∗ --------------------------------------------- Last week, there were 527 vulnerabilities disclosed in 464 WordPress Plugins and 19 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 85 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (tomcat and webkit2gtk3), Debian (chromium), Fedora (ghostscript), Mageia (atop, docker-containerd, and xz), Red Hat (go-toolset:rhel8), SUSE (apache2-mod_auth_openidc, apparmor, etcd, expat, firefox, kernel, libmozjs-128-0, and libpoppler-cpp2), and Ubuntu (dino-im, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, opensc, and poppler). --------------------------------------------- https://lwn.net/Articles/1017043/ ∗∗∗ Wordpress: 100.000 Instanzen durch Lücke in SureTriggers-Plug-in gefährdet ∗∗∗ --------------------------------------------- In einem Blog-Beitrag erörtern die IT-Forscher von Wordfence, dass es Angreifer aus dem Netz ohne vorherige Authentifizierung administrative Nutzerkonten erstellen können. Sofern kein API-Key in dem SureTriggers-Plug-in eingerichtet ist, können Angreifer dadurch Administrator-Nutzer hinzufügen und damit Wordpress-Instanzen vollständig kompromittieren (CVE-2025-3102, CVSS 8.1. Risiko "hoch"). --------------------------------------------- https://heise.de/-10346837 ∗∗∗ Dell PowerScale OneFS: Standard-Passwort ermöglicht Account-Übernahme ∗∗∗ --------------------------------------------- Angreifer können an insgesamt sechs Schwachstellen ansetzen, um Netzwerkspeicher (NAS) mit Dells Betriebssystem PowerScale OneFS zu attackieren. Im schlimmsten Fall können Angreifer die volle Kontrolle über Geräte erlangen. --------------------------------------------- https://heise.de/-10347097 ∗∗∗ Juniper 2025-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 24.1R2 release ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos… ∗∗∗ F5 K000150784: OpenSSL vulnerability CVE-2024-13176 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150784 ∗∗∗ Multiple vulnerabilities in MedDream PACS Server ∗∗∗ --------------------------------------------- https://www.cybersecurity-help.cz/vdb/SB2025041027 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2025
by Daily end-of-shift report 09 Apr '25

09 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-04-2025 18:00 − Mittwoch 09-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Regierung will Messenger-Überwachung vor dem Sommer beschließen ∗∗∗ --------------------------------------------- Das Innenministerium hat im Rahmen der Regierungsklausur im Kanzleramt den Begutachtungsentwurf zur Messenger-Überwachung vorgelegt. Beschlossen werden soll die Messenger-Überwachung noch vor dem Sommer. Wirksam werden soll sie aber erst mit 2027. --------------------------------------------- https://futurezone.at/netzpolitik/messenger-ueberwachung-whatsapp-oesterrei… ∗∗∗ Obfuscated Malicious Python Scripts with PyArmor, (Wed, Apr 9th) ∗∗∗ --------------------------------------------- Obfuscation is very important for many developers. They may protect their code for multiple reasons like copyright, anti-cheat (games), or to protect their code from being reused. If an obfuscated program does not mean automatically that it is malicious, its often a good sign. For malware developers, obfuscation helps bypass many static security controls and slows down the reverse analysis process. Yesterday, I spotted some malicious Python scripts that were protected using the same technique: PyArmor. --------------------------------------------- https://isc.sans.edu/diary/rss/31840 ∗∗∗ Vorsicht, Abo-Falle: SPAR verlost kein Besteckset von WMF! ∗∗∗ --------------------------------------------- In vielen E-Mail-Postfächern taucht aktuell eine angeblich von SPAR stammende Nachricht auf. Das Handelsunternehmen soll ein Besteckset für zwölf Personen von WMF verlosen. Tatsächlich versteckt sich hinter dieser Masche nichts anderes als eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-spar-besteckset/ ∗∗∗ The Renaissance of NTLM Relay Attacks: Everything You Need to Know ∗∗∗ --------------------------------------------- While there are many great resources on this old attack, I wanted to consolidate everything you need to know about NTLM into a single post, allowing it to be as long as needed, and I hope everyone will be able to learn something new. --------------------------------------------- https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everythin… ∗∗∗ OpenSSL 3.5.0 enthält nun Post-Quanten-Verfahren ∗∗∗ --------------------------------------------- OpenSSL fügt mit der neuen LTS-Version 3.5.0 seiner Bibliothek die Post-Quanten-Verfahren ML-KEM, ML-DSA und SLH-DSA hinzu. --------------------------------------------- https://heise.de/-10345122 ∗∗∗ OpenSSH 10 setzt auf Standards für quantensicheren Schlüsselaustausch ∗∗∗ --------------------------------------------- Der seit Jahren abgekündigte DSA-Algorithmus verschwindet nun vollständig aus der sicheren Remote-Shell, seine Nachfolge tritt MLKEM768 an. --------------------------------------------- https://heise.de/-10345975 ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft-Patchday behebt aktiv ausgenutzte Sicherheitslücke ∗∗∗ --------------------------------------------- Microsoft hat zum April-Patchday (8. April) Aktualisierungen für mehrere kritische Schwachstellen in ihren Produkten veröffentlicht. Eine dieser Lücken wird laut dem Unternehmen bereits aktiv ausgenutzt. Konkret handelt es sich dabei um die Sicherheitslücke CVE-2025-29824, welche mit einem CVSS-Wert von 7.8 bewertet ist. Durch das Ausnutzen eines sogenannten Use-after-free-Bugs können Angreifer:innen mit einfachen Benutzer:innenrechten vollständige Systemrechte erlangen. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/4/microsoft-patchday-behebt-aktiv-aus… ∗∗∗ Microsoft Security Update Summary (8. April 2025) ∗∗∗ --------------------------------------------- Microsoft hat am 8. April 2025 Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 121 Schwachstellen (CVEs), eine davon wurde als 0-day klassifiziert. --------------------------------------------- https://www.borncity.com/blog/2025/04/09/microsoft-security-update-summary-… ∗∗∗ Whatsapp-Lücke gefährdet Windows-Nutzer ∗∗∗ --------------------------------------------- Konkret geht es um die Sicherheitslücke CVE-2025-30401, die mit einem CVSS-Wert von 6,7 als mittelschwer eingestuft ist. Gründe für die vergleichsweise milde Einstufung sind unter anderem eine hohe Angriffskomplexität sowie eine erforderliche Nutzerinteraktion. Dennoch sind die Ausnutzbarkeit sowie die möglichen Auswirkungen der Schwachstelle nicht zu unterschätzen. --------------------------------------------- https://www.golem.de/news/malware-im-anmarsch-whatsapp-luecke-gefaehrdet-wi… ∗∗∗ CISA Warns of CentreStacks Hard-Coded MachineKey Vulnerability Enabling RCE Attacks ∗∗∗ --------------------------------------------- The vulnerability, tracked as CVE-2025-30406 (CVSS score: 9.0), concerns a case of a hard-coded cryptographic key that could be abused to achieve remote code execution. It has been addressed in version 16.4.10315.56368 released on April 3, 2025. --------------------------------------------- https://thehackernews.com/2025/04/cisa-warns-of-centrestacks-hard-coded.html ∗∗∗ 2025-04-09 Juniper Security Advisories ∗∗∗ --------------------------------------------- Juniper has released 25 new security advisories. --------------------------------------------- https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lemonldap-ng, libbssolv-perl, and phpmyadmin), Fedora (augeas, mariadb10.11, and thunderbird), Oracle (gimp, libxslt, python3.11, python3.12, tomcat, and xorg-x11-server), Red Hat (expat, grafana, opentelemetry-collector, and webkit2gtk3), SUSE (azure-cli-core, doomsday, kernel, and poppler), and Ubuntu (dotnet8, dotnet9, erlang, and poppler). --------------------------------------------- https://lwn.net/Articles/1016923/ ∗∗∗ New Adobe Security Update Fixes Critical Exploits — Don’t Delay Your Update ∗∗∗ --------------------------------------------- https://thecyberexpress.com/adobe-security-update-fixes-vulnerabilities/ ∗∗∗ Joomla [20250401] - Framework - SQL injection vulnerability in quoteNameStr method of Database package ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/963-20250401-framework-sql-inj… ∗∗∗ Joomla [20250402] - Core - MFA Authentication Bypass ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/964-20250402-core-mfa-authenti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2025
by Daily end-of-shift report 08 Apr '25

08 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 07-04-2025 18:00 − Dienstag 08-04-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Malicious VSCode extensions infect Windows with cryptominers ∗∗∗ --------------------------------------------- Nine VSCode extensions on Microsofts Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-… ∗∗∗ Dangerous, Windows-Hijacking Neptune RAT Scurries Into Telegram, YouTube ∗∗∗ --------------------------------------------- The malwares creators insist a new open source version of Neptune is for educational use by pen testers, but a raft of sophisticated backdoor and evasion capabilities says otherwise. --------------------------------------------- https://www.darkreading.com/cloud-security/windows-hijacking-neptune-rat-te… ∗∗∗ 100 Days of YARA: Writing Signatures for .NET Malware ∗∗∗ --------------------------------------------- If YARA signatures for .NET assemblies only rely on strings, they are very limited. We explore more detection opportunities, including IL code, method signature definitions and specific custom attributes. Knowledge about the underlying .NET metadata structures, tokens and streams helps to craft more precise and efficient signatures, even in cases where relevant malware samples might be unavailable. --------------------------------------------- https://feeds.feedblitz.com/~/916366745/0/gdatasecurityblog-en~Days-of-YARA… ∗∗∗ Attackers distributing a miner and the ClipBanker Trojan via SourceForge ∗∗∗ --------------------------------------------- Malicious actors are using SourceForge to distribute a miner and the ClipBanker Trojan while utilizing unconventional persistence techniques. --------------------------------------------- https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/ ∗∗∗ Inside Black Basta: Uncovering the Secrets of a Ransomware Powerhouse ∗∗∗ --------------------------------------------- In February 2025, the cybersecurity community witnessed an unprecedented leak that exposed the internal operations of Black Basta, a prolific ransomware group. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/inside-blac… ∗∗∗ Vorsicht beim Autoverkauf: Betrug mit gefälschten Fahrzeugberichten ∗∗∗ --------------------------------------------- Sie wollen Ihr Auto online verkaufen? Dann kann es vorkommen, dass potenzielle Käufer:innen einen Fahrzeugbericht verlangen, angeblich um den Zustand Ihres Gebrauchtwagens besser einschätzen zu können. Doch Vorsicht: Hinter dieser Aufforderung steckt oft der Versuch, Sie auf unseriöse Websites zu locken. Diese liefern gefälschte Berichte und führen Sie in teure Kostenfallen. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-gefaelschten-fahrzeugberi… ∗∗∗ 2025 Ransomware: Business as Usual, Business is Booming ∗∗∗ --------------------------------------------- Rapid7 Labs took a look at internal and publicly-available ransomware data for Q1 2025 and added our own insights to provide a picture of the year thus far—and what you can do now to reduce your attack surface against ransomware. --------------------------------------------- https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usu… ∗∗∗ PyTorch Lightning Exposes Users to Remote Code Execution via Deserialization Vulnerabilities ∗∗∗ --------------------------------------------- PyTorch Lightning, a widely adopted deep learning framework developed by Lightning AI, has been impacted by multiple critical deserialization vulnerabilities, disclosed under VU#252619. These issues affect all versions up to and including 2.4.0 and may lead to arbitrary code execution when loading untrusted model files.The vulnerabilities were reported by Kasimir Schulz of HiddenLayer and coordinated by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. --------------------------------------------- https://socket.dev/blog/pytorch-lightning-deserialization-vulnerabilities?u… ===================== = Vulnerabilities = ===================== ∗∗∗ Spionage möglich: Google patcht teils aktiv ausgenutzte Android-Lücken ∗∗∗ --------------------------------------------- Mit den Android-Updates für April schließt Google mehr als 60 Sicherheitslücken. Vier davon sind kritisch, zwei werden bereits aktiv ausgenutzt. --------------------------------------------- https://www.golem.de/news/spionage-moeglich-google-patcht-teils-aktiv-ausge… ∗∗∗ Ivanti: Security Advisory April 2025 for Ivanti EPM 2024 and EPM 2022 SU6 ∗∗∗ --------------------------------------------- Ivanti has released updates for Ivanti Endpoint Manager which addresses medium and high vulnerabilities. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure. --------------------------------------------- https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EP… ∗∗∗ HCL: Sicherheitslücken in BigFix, DevOps und mehr Produkten ∗∗∗ --------------------------------------------- Zum Stopfen von Sicherheitslücken in HCL BigFix, DevOps, Traveler und Connections stellt HCL Software nun Updates bereit. Die Lücken gelten teils als kritisch. IT-Verantwortliche sollten die Updates zügig anwenden. Am schwersten hat es HCL BigFix WebUI, also die Management-Oberfläche für BigFix, getroffen. Mehrere Schwachstellen sind in den darin verwendeten Open-Source-Komponenten, davon ist eine in canvg 4.0.2 als kritisch eingestuft (CVE-2025-25977, CVSS 9.8) sowie zwei in xml-crypto (CVE-2025-29774, CVE-2025-29775, beide CVSS 9.3). --------------------------------------------- https://www.heise.de/news/HCL-Sicherheitsluecken-in-BigFix-DevOps-und-mehr-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gimp, libxslt, python3.11, python3.12, and tomcat), Debian (ghostscript and libnet-easytcp-perl), Fedora (openvpn, perl-Data-Entropy, and webkitgtk), Red Hat (python-jinja2), SUSE (giflib, pam, and xen), and Ubuntu (apache2, binutils, expat, fis-gtm, linux-azure, linux-azure-6.8, linux-nvidia-lowlatency, linux-azure, linux-azure-fde, linux-azure-5.15, linux-azure-fde-5.15, linux-azure-fips, linux-gcp-fips, linux-hwe-5.4, linux-nvidia, linux-nvidia-tegra-igx, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and vim). --------------------------------------------- https://lwn.net/Articles/1016774/ ∗∗∗ ZDI-25-206: Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-206/ ∗∗∗ ZDI-25-205: Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-205/ ∗∗∗ Fortinet: No certificate name verification for fgfm connection ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-046 ∗∗∗ Fortinet: Unverified password change via set_password endpoint ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-435 ∗∗∗ f5 K000150744: PostgreSQL vulnerability CVE-2025-1094 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150744 ∗∗∗ f5 K000150749: Python vulnerability CVE-2024-4032 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150749 ∗∗∗ SAP Security Patch Day – April 2025 ∗∗∗ --------------------------------------------- https://redrays.io/blog/sap-security-patch-day-april-2025/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2025
by Daily end-of-shift report 07 Apr '25

07 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-04-2025 18:00 − Montag 07-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Vidar Stealer: Revealing A New Deception Strategy ∗∗∗ --------------------------------------------- Vidar Stealer, an infamous information-stealing malware, first appeared in 2018 and has since been used by cybercriminals to harvest sensitive data via browser cookies, stored credentials, financial information, and the like. [..] One recent example is PirateFi, a free-to-play game released on Steam on February 6, 2025. Marketed as a beta version, it concealed Vidar Stealer within its files, infecting unsuspecting players upon installation. This incident highlights how threat actors are increasingly targeting gaming platforms to spread malware. --------------------------------------------- https://feeds.feedblitz.com/~/916316261/0/gdatasecurityblog-en~Vidar-Steale… ∗∗∗ How ToddyCat tried to hide behind AV software ∗∗∗ --------------------------------------------- While analyzing a malicious DLL library used in attacks by APT group ToddyCat, Kaspersky expert discovered the CVE 2024-11859 vulnerability in a component of ESET’s EPP solution. --------------------------------------------- https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software… ∗∗∗ PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks ∗∗∗ --------------------------------------------- A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims digital wallets. [..] The attacks involve the threat actors setting up lookalike phishing pages for prominent CRM and bulk email companies, aiming to trick high-value targets into providing their credentials. --------------------------------------------- https://thehackernews.com/2025/04/poisonseed-exploits-crm-accounts-to.html ∗∗∗ Microsoft AI findet Schwachstellen in Open-Source-Boot-Loader ∗∗∗ --------------------------------------------- Microsoft hat seine AI-Lösung Microsoft Security CoPilot verwendet, um mehrere Boot-Loader, darunter den von Linux verwendeten Open-Source-Boot-Loader Grub, sowie U-boot und Barebox, auf Schwachstellen abzuklopfen. Dabei wurden gleich mehrere Schwachstellen entdeckt – wobei die Verwendung von AI das Auffinden von Schwachstellen beschleunigt. --------------------------------------------- https://www.borncity.com/blog/2025/04/06/microsoft-ai-findet-schwachstellen… ∗∗∗ Windows Remote Desktop Protocol: Remote to Rogue ∗∗∗ --------------------------------------------- In October 2024, Google Threat Intelligence Group (GTIG) observed a novel phishing campaign targeting European government and military organizations that was attributed to a suspected Russia-nexus espionage actor we track as UNC5837. The campaign employed signed .rdp file attachments to establish Remote Desktop Protocol (RDP) connections from victims' machines. [..] This section focuses on collecting forensic information, hardening systems, and developing detections for RDP techniques used in the campaign. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remo… ===================== = Vulnerabilities = ===================== ∗∗∗ Packprogramm: Sicherheitslücke in Winrar begünstigt Ausführung von Malware ∗∗∗ --------------------------------------------- Mit der neuesten Winrar-Version hat der Entwickler eine Sicherheitslücke gepatcht. [..] Die besagte Schwachstelle ist als CVE-2025-31334 registriert. Allzu viele Details lassen sich der Schwachstellenbeschreibung nicht entnehmen. Darin wird lediglich in Verbindung mit Winrar-Versionen vor 7.11 auf die Möglichkeit der Umgehung des Mark of the Web mittels symbolischer Links hingewiesen. [..] Wer Winrar auf seinem System installiert hat und sich vor CVE-2025-31334 schützen will, sollte die Software daher auf die neueste Version aktualisieren. Dies ist derzeit die Version 7.11, die am 24. März veröffentlicht wurde. --------------------------------------------- https://www.golem.de/news/packprogramm-winrar-luecke-erleichtert-ausfuehrun… ∗∗∗ Bitdefender GravityZone: Kritische Sicherheitslücke gefährdet Nutzer ∗∗∗ --------------------------------------------- Der Business-Malwareschutz GravityZone von Bitdefender weist eine kritische Sicherheitslücke auf. [..] Das Update auf Bitdefender GravityZone Console 6.41.2-1 soll die sicherheitsrelevanten Fehler ausbessern. Für den GravityZone Update Server steht als fehlerkorrigierte Fassung der Stand 3.5.2.689 oder neuer bereit. Bitdefender gibt an, dass es in der Regel automatisch erfolgt. Dennoch sollten Admins überprüfen, ob sie bereits auf diesem oder einem neueren Stand sind. --------------------------------------------- https://heise.de/-10342193 ∗∗∗ XZ-Utils: Schwachstelle ermöglicht vermutlich Codeschmuggel ∗∗∗ --------------------------------------------- Die Schwachstelle behandelt eine Sicherheitsmitteilung auf Github. "Ungültige Eingabedaten können zumindest in einen Absturz münden", erklären die Autoren. "Die Effekte umfassen eine Nutzung des Heaps nach einer free-Operation sowie das Schreiben an eine Adresse basierend auf dem Null-Pointer zuzüglich eines Offsets", schreiben sie weiter. Apps und Bibliotheken, die die Funktion lzma_stream_decoder_mt nutzen, sind betroffen (CVE-2025-31115, CVSS 8.7, Risiko "hoch"). --------------------------------------------- https://heise.de/-10343043 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (abseil, atop, jetty9, ruby-saml, tomcat10, trafficserver, xz-utils, and zfs-linux), Fedora (chromium, condor, containernetworking-plugins, cri-tools1.29, crosswords-puzzle-sets-xword-dl, exim, ghostscript, matrix-synapse, upx, varnish, and yarnpkg), Gentoo (XZ Utils), Mageia (augeas, corosync, nss & firefox, and thunderbird), Oracle (container-tools:ol8, firefox, freetype, and kernel), Red Hat (firefox), SUSE (chromium, gn, firefox-esr, go1.23-1.23.8, go1.24, go1.24-1.24.2, google-guest-agent, govulncheck-vulndb, gsl, python311-ecdsa, thunderbird, and webkit2gtk3), and Ubuntu (kamailio, libdbd-mysql-perl, linux-nvidia, linux-nvidia-6.8, and tomcat9). --------------------------------------------- https://lwn.net/Articles/1016663/ ∗∗∗ B&R: 2024-05-14 (**Updated 2025-04-03**)- Cyber Security Advisory - Insecure Loading of Code in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P005_Insecure_Loading_of_Code-c… ∗∗∗ ABB: 2025-04-07: Cyber Security Advisory - ABB Arctic communication solution ARM600 Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA002579&Language… ∗∗∗ ABB: 2025-04-07: Cyber Security Advisory - ABB Arctic ARG600, ARC600, ARR600, ARP600 Arctic Wireless Gateway Modem Module and OpenSSH vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA002427&Language… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0003 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0003.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2025
by Daily end-of-shift report 04 Apr '25

04 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-04-2025 18:00 − Freitag 04-04-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Europcar GitLab breach exposes data of up to 200,000 customers ∗∗∗ --------------------------------------------- A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code for Android and iOS applications, as well as some personal information belonging to up to 200,000 users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/europcar-gitlab-breach-expos… ∗∗∗ Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457) ∗∗∗ --------------------------------------------- Exploitation is always a tricky subject. Vendors want to minimize disruption to their userbase and avoid unnecessary patching, but they also need to balance that with the userbase's safety. [..] It appears that this is what happened here - Ivanti made a judgment call, believing that exploiting the vulnerability, given the requirement that the payload must comprise only of 0123456789., was impossible. Unfortunately, an advanced attacker seems to have proved them wrong. --------------------------------------------- https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwa… ∗∗∗ NVD Quietly Sweeps 100K+ CVEs Into a “Deferred” Black Hole ∗∗∗ --------------------------------------------- Without much fanfare, the NVD has begun mass-labeling older CVEs as "Deferred," effectively giving up on enriching them with detailed metadata like CVSS scores, CWEs, and CPEs. In an April 2 update, the NVD announced that all CVEs published before 2018 will be marked as Deferred—a move thats already resulted in 20,000 Deferred CVEs overnight, with potentially 100,000 more to come: All CVEs with a published date prior to 01/01/2018 will be marked as Deferred within the NVD. --------------------------------------------- https://socket.dev/blog/nvd-quietly-sweeps-100k-cves-into-a-deferred-black-… ∗∗∗ Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads ∗∗∗ --------------------------------------------- North Korean threat actors behind the Contagious Interview operation have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the previously identified BeaverTail malware and introducing new packages with remote access trojan (RAT) loader functionality. These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors’ obfuscation techniques. --------------------------------------------- https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packa… ===================== = Vulnerabilities = ===================== ∗∗∗ DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗ --------------------------------------------- Autodesk Navisworks is affected by multiple DWFX vulnerabilities listed below. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0002 ∗∗∗ Kritische Lücke mit Höchstwertung in Apache Parquet geschlossenen ∗∗∗ --------------------------------------------- Wie aus einem Eintrag in der Openwall-Mailingliste hervorgeht, haben die Entwickler die Schwachstelle in der Version 1.15.1 geschlossen. Alle vorigen Ausgaben sind verwundbar. Die Lücke (CVE-2025-30065) gilt als "kritisch" und ist mit dem höchstmöglichen CVSS Score 10 von 10 eingestuft. Sie betrifft konkret das parquet-avro-Modul der Java-Bibliothek von Apache Parquet. --------------------------------------------- https://www.heise.de/news/Kritische-Luecke-mit-Hoechstwertung-in-Apache-Par… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox), Debian (atop and thunderbird), Fedora (webkitgtk), Mageia (microcode), Oracle (expat), SUSE (apparmor, assimp-devel, aws-efs-utils, expat, firefox, ghostscript, go1.23, gotosocial, govulncheck-vulndb, GraphicsMagick, headscale, libmozjs-128-0, libsaml-devel, openvpn, perl-Data-Entropy, and xz), and Ubuntu (gnupg2, kernel, linux-azure-fips, linux-iot, openvpn, ruby-saml, and xz-utils). --------------------------------------------- https://lwn.net/Articles/1016484/ ∗∗∗ Cisco: Hochriskante Lücken in Meraki und Enterprise Chat ∗∗∗ --------------------------------------------- In der Anyconnect-VPN-Software von Ciscos Meraki MX- und Z-Reihen sowie in Enterprise Chat and Email haben die Entwickler Sicherheitslücken mit hohem Risiko entdeckt. Aktualisierte Firm- und Software steht bereit, um sie zu schließen. Admins sollten sie zügig installieren. --------------------------------------------- https://heise.de/-10340333 ∗∗∗ Hitachi Energy TRMTracker ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-02 ∗∗∗ B&R APROL ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-05 ∗∗∗ Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2025
by Daily end-of-shift report 03 Apr '25

03 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-04-2025 18:00 − Donnerstag 03-04-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GitHub expands security tools after 39 million secrets leaked in 2024 ∗∗∗ --------------------------------------------- Over 39 million secrets like API keys and account credentials were leaked on GitHub throughout 2024, exposing organizations and users to significant security risks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-expands-security-tool… ∗∗∗ Hersteller warnt: Gefährliche Cisco-Backdoor wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Durch die Backdoor erhalten Angreifer dank statischer Zugangsdaten Admin-Zugriff auf ein Lizenzierungstool für Cisco-Produkte. --------------------------------------------- https://www.golem.de/news/hersteller-warnt-hacker-nutzen-eine-von-ciscos-ba… ∗∗∗ Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say ∗∗∗ --------------------------------------------- A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years. --------------------------------------------- https://www.wired.com/story/xiaofeng-wang-indiana-university-research-probe… ∗∗∗ Belohnung für gefundene Sicherheitslücken in Fediverse-Software ausgelobt ∗∗∗ --------------------------------------------- Für Mastodon, Pixelfed & Co. sind einzelne und kleine Teams verantwortlich. Um deren Dienste sicherer zu machen, wird jetzt etwas Geld zur Verfügung gestellt. --------------------------------------------- https://www.heise.de/news/Belohnung-fuer-gefundene-Sicherheitsluecken-in-Fe… ∗∗∗ Vorsicht Phishing: Fake-SMS zu angeblichen Mahnungen des Finanzministeriums ∗∗∗ --------------------------------------------- Haben Sie eine SMS im Namen des Bundesministeriums für Finanzen (BMF) erhalten, in der Ihnen offene Schulden vorgeworfen werden? Droht die Nachricht mit einer bevorstehenden Pfändung, weil Sie angeblich schon mehrfach gemahnt wurden? Achtung: Zahlen Sie die Forderung nicht! Die Nachricht kommt nicht vom Finanzministerium und Ihr Geld landet bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-sms-zu-mahnungen-des-finanzmini… ∗∗∗ NSA, CISA, FBI, and International Partners Release Cybersecurity Advisory on “Fast Flux,” a National Security Threat ∗∗∗ --------------------------------------------- Today, CISA—in partnership with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/03/nsa-cisa-fbi-and-interna… ∗∗∗ New guidance on securing HTTP-based APIs ∗∗∗ --------------------------------------------- Why it’s essential to secure your APIs to build trust with your customers and partners. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/new-guidance-on-securing-http-based-apis ∗∗∗ DPRK IT Workers Expanding in Scope and Scale ∗∗∗ --------------------------------------------- Since our September 2024 report outlining the Democratic Peoples Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations has continued to expand. These individuals .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-ex… ∗∗∗ Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) ∗∗∗ --------------------------------------------- On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploi… ∗∗∗ RolandSkimmer: Silent Credit Card Thief Uncovered ∗∗∗ --------------------------------------------- Web-based credit card skimming remains a widespread and persistent threat, known for its ability to adapt and evolve over time. FortiGuard Labs recently observed a sophisticated campaign dubbed “RolandSkimmer,” named .. --------------------------------------------- https://www.fortinet.com/blog/threat-research/rolandskimmer-silent-credit-c… ∗∗∗ Malicious PyPI Package Targets WooCommerce Stores with Automated Carding Attacks ∗∗∗ --------------------------------------------- The Socket research team recently discovered a malicious Python package on PyPI named disgrasya, which contains a fully automated carding script targeting WooCommerce stores. Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate. It was openly malicious, abusing PyPI as a distribution .. --------------------------------------------- https://socket.dev/blog/malicious-pypi-package-targets-woocommerce-stores-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-029 ∗∗∗ Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-028 ∗∗∗ SVD-2025-0402: Third-Party Package Updates in Splunk/UniversalForwarder Docker - April 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0402 ∗∗∗ SVD-2025-0401: Third-Party Package Updates in Splunk/Splunk Docker - April 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0401 ∗∗∗ Security Update: Pulse Connect Secure, Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/security-update-pulse-connect-secure-ivanti-con… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2025
by Daily end-of-shift report 02 Apr '25

02 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-04-2025 18:00 − Mittwoch 02-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Unitree Go1: Gefährliche Backdoor in populärem Roboterhund entdeckt ∗∗∗ --------------------------------------------- Konkret geht es um das Modell Go1, das in der Vergangenheit bereits von den US-Marines für Testzwecke mit einem Waffensystem ausgestattet wurde. [..] Anhand der Backdoor konnte der Hersteller sowie auch jeder andere Akteur, der im Besitz des erforderlichen API-Schlüssels war, aus der Ferne die vollständige Kontrolle über den Unitree Go1 übernehmen. Der Zugriff erfolgte dabei über einen Cloudsail genannten Fernwartungsdienst. --------------------------------------------- https://www.golem.de/news/unitree-go1-gefaehrliche-backdoor-in-populaerem-r… ∗∗∗ Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform ∗∗∗ --------------------------------------------- On the 21st birthday of Gmail, Google has announced a major update that allows enterprise users to send end-to-end encrypted (E2EE) to any user in any email inbox in a few clicks. The feature is rolling out starting today in beta, allowing users to send E2EE emails to Gmail users within an organization, with plans to send E2EE emails to any Gmail inbox in the coming weeks and to any email inbox later this year. --------------------------------------------- https://thehackernews.com/2025/04/enterprise-gmail-users-can-now-send-end.h… ∗∗∗ Administrative Windows Shares (C$, ADMIN$) mit Revoke-SmbShareAccess absichern ∗∗∗ --------------------------------------------- Windows erstellt standardmäßig spezielle, versteckte Freigaben (z. B. C$, ADMIN$, IPC$) für den Remote-Zugriff von Administratoren. Diese sind im Explorer grundsätzlich nicht sichtbar (ausgeblendet), können aber z.B. mittels folgendem PowerShell-CmdLet angezeigt werden: Was vielen nicht bewusst ist: Auch interaktiv angemeldet Benutzer (ohne Administrator-Rechte) können auf diese administrativen Freigaben lokal zugreifen ... --------------------------------------------- https://hitco.at/blog/administrative-windows-shares-c-admin-mit-revoke-smbs… ∗∗∗ Konzert der Lieblingsband ausverkauft? Vorsicht vor Fake-Angeboten auf Facebook! ∗∗∗ --------------------------------------------- Egal ob Superstars in riesigen Arenen oder interessante Newcomer in kleinen Clubs – Musik zieht Menschen an. Ist das Konzert der Lieblingsband allerdings ausverkauft, ist guter Rat teuer – und Vorsicht geboten! Betrüger:innen nutzen besonders die Anonymität sozialer Medien und locken dort Musikfans auf der Suche nach Tickets in die Falle. Woran die Fake-Angebote zu erkennen sind und wann unbedingt eine Anzeige bei der Polizei nötig ist. --------------------------------------------- https://www.watchlist-internet.at/news/lieblingsband-ausverkauft-faketicket… ∗∗∗ European Commission takes aim at end-to-end encryption and proposes Europol become an EU FBI ∗∗∗ --------------------------------------------- The Commission said it would create roadmaps regarding both the “lawful and effective access to data for law enforcement” and on encryption. --------------------------------------------- https://therecord.media/european-commission-takes-aim-encryption-europol-fb… ∗∗∗ Deutsche Industrie warnt vor Ende des EU-US-Datentransfer-Abkommens ∗∗∗ --------------------------------------------- Der Datentransfer in die US-Cloud oder zu US-Unternehmen von Daten europäischer Nutzer ist durch ein Abkommen zwischen der EU und den USA geregelt. Nun droht dieses Abkommen durch die USA gekippt zu werden – und deutsche Unternehmen geraten dadurch in arge Probleme, wenn sie auf US-Tech-Produkte und die Cloud gesetzt haben. Verbände "warnen vor dem Ende des Abkommens" – die europäischen Cloud-Anbieter (CISPE) sehen aber eine Chance, in Europa digital souverän zu werden. --------------------------------------------- https://www.borncity.com/blog/2025/04/02/deutsche-industrie-zittert-vor-end… ∗∗∗ Jailbreaking Every LLM With One Simple Click ∗∗∗ --------------------------------------------- In the past two years, large language models (LLMs), especially chatbots, have exploded onto the scene. Everyone and their grandmother are using them these days. Generative AI is pervasive in movies, academic papers, legal briefs and much more. There is intense competition among major players, ranging from closed-model vendors such as OpenAI, Anthropic, Google and xAI to open-source providers like Meta, Mistral, Alibaba and DeepSeek. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/jailbreaking-every-… ∗∗∗ Heightened In-The-Wild Activity On Key Technologies Observed On March 28 ∗∗∗ --------------------------------------------- On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools. --------------------------------------------- https://www.greynoise.io/blog/heightened-in-the-wild-activity-key-technolog… ∗∗∗ Tomcat in the Crosshairs: New Research Reveals Ongoing Attacks ∗∗∗ --------------------------------------------- News headlines reported that it took just 30 hours for attackers to exploit a newly discovered vulnerability in Apache Tomcat servers. But what does this mean for workloads relying on Tomcat? Aqua Nautilus researchers discovered a new attack campaign targeting Apache Tomcat. In this blog, we shed light on newly discovered malware that targets Tomcat servers to hijack resources. --------------------------------------------- https://blog.aquasec.com/new-campaign-against-apache-tomcat ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jetty9, openjpeg2, and tomcat9), Fedora (dokuwiki, firefox, php-kissifrot-php-ixr, php-phpseclib3, and rust-zincati), Red Hat (kernel and pki-core), Slackware (mozilla), SUSE (apparmor, atop, docker, docker-stable, firefox, govulncheck-vulndb, libmodsecurity3, openvpn, upx, and warewulf4), and Ubuntu (inspircd, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws, linux-aws-5.4, linux-aws-fips, linux-azure-6.8, linux-hwe-6.8, linux-raspi, linux-realtime, nginx, phpseclib, and vim). --------------------------------------------- https://lwn.net/Articles/1016205/ ∗∗∗ Sicherheitsupdates: Netzwerkmonitoringtool Zabbix bietet Angriffsfläche ∗∗∗ --------------------------------------------- Fünf Sicherheitslücken gefährden Computer, auf denen Zabbix installiert ist. [..] Am gefährlichsten gilt eine Schwachstelle (CVE-2024-36465 "hoch") in Zabbix API. Hier könnte ein Angreifer mit einem regulären Nutzerkonto ansetzen, um eigene SQL-Befehle auszuführen. Außerdem sind Reflected-XSS-Attacken (CVE-2024-45699 "hoch") möglich. Über diesen Weg können Angreifer Schadcode in Form einer JavaScript-Payload ausführen. --------------------------------------------- https://heise.de/-10337461 ∗∗∗ VMware Aria Operations: Sicherheitslücke erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- In einer Sicherheitsmitteilung erörtern die VMware-Entwickler die Schwachstelle. Demnach wurde in einer "Responsible Disclosure" eine lokale Rechteausweitungslücke an VMware gemeldet. "Bösartige Akteure können ihre Rechte zu 'root' auf der Appliance ausweiten, auf der VMware Aria Operations läuft", erklärt das Unternehmen (CVE-2025-22231, CVSS 7.8, Risiko "hoch"). --------------------------------------------- https://heise.de/-10336721 ∗∗∗ VPN-Lücken in HPE Aruba Networking Virtual Intranet Access Client geschlossen ∗∗∗ --------------------------------------------- In einer Warnmeldung führen die Entwickler aus, dass der VIA-Client bis inklusive Version 4.7.0 verwundbar ist. Sie geben an, in der Ausgabe 4.7.2 zwei Sicherheitslücken (CVE-2024-3661 "hoch", CVE-2025-25041 "hoch") geschlossen zu haben. --------------------------------------------- https://heise.de/-10336851 ∗∗∗ Rockwell Automation Lifecycle Services with Veeam Backup and Replication ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-091-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2025
by Daily end-of-shift report 01 Apr '25

01 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 31-03-2025 18:00 − Dienstag 01-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing ∗∗∗ --------------------------------------------- A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android. Lucids unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms. --------------------------------------------- https://thehackernews.com/2025/04/lucid-phaas-hits-169-targets-in-88.html ∗∗∗ Rechnung ohne Auftrag: Betreiber gefälschter Firmenverzeichnisse versenden Mahnungen ∗∗∗ --------------------------------------------- Fake-Portale nehmen Unternehmen ohne deren Wissen in ihr Firmenverzeichnis auf und stellen anschließend per E-Mail eine Rechnung zu. Diese Schreiben sorgen für Verunsicherung, sind grundsätzlich aber substanzlos. Wer keine Registrierung beantragt hat, muss auch nichts bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/rechnungen-fake-firmenverzeichnisse/ ∗∗∗ Hacker Claims Breach of Check Point Cybersecurity Firm, Sells Access ∗∗∗ --------------------------------------------- Hacker claims breach of Israeli cybersecurity firm Check Point, offering network access and sensitive data for sale; company denies any recent incident. --------------------------------------------- https://hackread.com/hacker-breach-check-point-cybersecurity-firm-access/ ∗∗∗ Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats ∗∗∗ --------------------------------------------- Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation. --------------------------------------------- https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity ∗∗∗ CPU_HU: Fileless cryptominer targeting exposed PostgreSQL with over 1.5K victims ∗∗∗ --------------------------------------------- Wiz Threat Research identified a new variant of an ongoing malicious campaign targeting misconfigured and publicly exposed PostgreSQL servers. [..] Based on our analysis, the threat actor is assigning a unique mining worker to each victim. --------------------------------------------- https://www.wiz.io/blog/postgresql-cryptomining ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices ∗∗∗ --------------------------------------------- Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems. The vulnerabilities in question are listed below -CVE-2025-24085 (CVSS score: 7.3) --------------------------------------------- https://thehackernews.com/2025/04/apple-backports-critical-fixes-for-3.html ∗∗∗ Apple security releases ∗∗∗ --------------------------------------------- Safari 18.4, Xcode 16.3, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, iOS 16.7.11 and iPadOS 16.7.11, iOS 15.8.4 and iPadOS 15.8.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4 --------------------------------------------- https://support.apple.com/en-us/100100 ∗∗∗ CVE-2025-22398: Dell Unity Hit by 9.8 CVSS Root-Level Command Injection Flaw ∗∗∗ --------------------------------------------- Dell has released a security update for Unity OS version 5.4 and earlier, addressing a set of critical vulnerabilities that expose the popular enterprise storage systems—Unity, UnityVSA, and Unity XT—to unauthenticated remote command execution, file deletion, open redirects, and privilege escalation. --------------------------------------------- https://securityonline.info/cve-2025-22398-dell-unity-hit-by-9-8-cvss-root-… ∗∗∗ Websites kompromittierbar: Lücken in WordPress-Plug-in WP Ultimate CSV Importer ∗∗∗ --------------------------------------------- In einem Bericht warnen Sicherheitsforscher von Wordfence vor zwei Schwachstellen (CVE-2025-2007 "hoch", CVE-2025-2008 "hoch"). In beiden Fällen können entfernte Angreifer aufgrund unzureichender Überprüfungen Schadcode auf Websites laden und ausführen. Dafür müssen sie aber bereits authentifiziert sein (Subscriber-Level). [..] Ein Sicherheitspatch steht zum Download. --------------------------------------------- https://www.heise.de/news/Websites-kompromittierbar-Luecken-in-WordPress-Pl… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (freetype, grub2, kernel, kernel-rt, and python-jinja2), Debian (freetype, linux-6.1, suricata, tzdata, and varnish), Fedora (mingw-libxslt and qgis), Mageia (elfutils, mercurial, and zvbi), Oracle (grafana, kernel, libxslt, nginx:1.22, and postgresql:12), Red Hat (opentelemetry-collector), SUSE (corosync, opera, and restic), and Ubuntu (aom, libtar, mariadb, ovn, php7.4, php8.1, php8.3, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1016076/ ∗∗∗ Reparierter Sicherheitspatch schließt Schadcode-Lücke in IBM App Connect ∗∗∗ --------------------------------------------- Die Schwachstelle (CVE-2025-1302 "kritisch") betrifft das jsonpath-plus-Modul zum Verarbeiten von JSON-Konfigurationen. [..] Das wurde schon mal gepatcht, das Sicherheitsupdate war aber unvollständig. Nun haben die Entwickler einen reparierten Patch veröffentlicht. --------------------------------------------- https://heise.de/-10335184 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird ESR 128.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-24/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 137 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-23/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 128.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-22/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.22 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-21/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 137 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-20/ ∗∗∗ Canon CVE-2025-1268 Vulnerability: A Buffer Overflow Threatening Printer Security ∗∗∗ --------------------------------------------- https://thecyberexpress.com/canon-printer-vulnerability-cve-2025-1268/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2025
by Daily end-of-shift report 31 Mar '25

31 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-03-2025 18:00 − Montag 31-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Crocodilus malware steals Android users’ crypto wallet keys ∗∗∗ --------------------------------------------- A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steal… ∗∗∗ Smoked out - Emmenhtal spreads SmokeLoader malware ∗∗∗ --------------------------------------------- We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal [..] also referred to by Google as Peaklight. --------------------------------------------- https://feeds.feedblitz.com/~/915916022/0/gdatasecurityblog-en~Smoked-out-E… ∗∗∗ Hidden Malware Strikes Again: Mu-Plugins Under Attack ∗∗∗ --------------------------------------------- Recently, we’ve uncovered multiple cases where threat actors are leveraging the mu-plugins directory to hide malicious code. This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks. --------------------------------------------- https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-und… ∗∗∗ BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability ∗∗∗ --------------------------------------------- In whats an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. --------------------------------------------- https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html ∗∗∗ BSI-Studie: Zahlreiche Schwachstellen in Krankenhausinformationssystemen ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben im BSI-Auftrag IT-Systemen für Kliniken auf den Zahn gefühlt und Lücken gefunden, etwa bei Verschlüsselung und Zertifikaten. --------------------------------------------- https://www.heise.de/news/BSI-Studie-Zahlreiche-Schwachstellen-in-Krankenha… ∗∗∗ Backdoor in the Backplane. Doing IPMI security better ∗∗∗ --------------------------------------------- IPMI remains a powerful but dangerously overlooked protocols in many enterprise environments. Whilst its ability to manage out of band systems is invaluable, there are significant security trade-offs – especially when outdated firmware, default credentials, and exposed interfaces are in play. As demonstrated, IPMI can lead, or aid, in a malicious actor compromising the full domain with little more than network access. --------------------------------------------- https://www.pentestpartners.com/security-blog/backdoor-in-the-backplane-doi… ∗∗∗ Preparing for the EU Radio Equipment Directive security requirements ∗∗∗ --------------------------------------------- UK & EU IoT manufacturers have more security regulation coming. [..] From 1st August 2025, mandatory cybersecurity requirements come into effect under the EU’s Radio Equipment Directive (2014/53/EU), or RED. --------------------------------------------- https://www.pentestpartners.com/security-blog/preparing-for-the-eu-radio-eq… ∗∗∗ Oracle Health gehackt, US-Patientendaten abgeflossen ∗∗∗ --------------------------------------------- Cyberkriminelle sind laut Berichten nach dem 22. Januar 2025 in die Server des US-Tech-Unternehmens Cerner Oracle Health eingedrungen. Es besteht der Verdacht, dass Patientendaten von US-Bürgern abgezogen wurden. Das FBI untersucht den Vorfall, der Fragen nach der Sicherheit bei Oracle aufkommen lässt. Denn es ist der zweite Sicherheitsvorfall binnen weniger Tage, der bekannt wird. --------------------------------------------- https://www.borncity.com/blog/2025/03/30/oracle-health-gehackt-us-patienten… ∗∗∗ SVG Phishing Malware Being Distributed with Analysis Obstruction Feature ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently identified a phishing malware being distributed in Scalable Vector Graphics (SVG) format. --------------------------------------------- https://asec.ahnlab.com/en/87078/ ∗∗∗ Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service ∗∗∗ --------------------------------------------- Being a provider of cloud SaaS (Software-as-a-service) solutions requires certain cybersecurity responsibilities — including being transparent and open. The moment where this is tested at Oracle has arrived, as they have a serious cybersecurity incident playing out in a service they manage for customers. --------------------------------------------- https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incid… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, flatpak, intel-microcode, libdata-entropy-perl, librabbitmq, and vim), Fedora (augeas, containerd, crosswords-puzzle-sets-xword-dl, libssh2, libxml2, nodejs-nodemon, and webkitgtk), Red Hat (libreoffice and python-jinja2), SUSE (389-ds, apparmor, corosync, docker, docker-stable, erlang26, exim, ffmpeg-4, govulncheck-vulndb, istioctl, matrix-synapse, mercurial, openvpn, python3, rke2, and skopeo), and Ubuntu (ansible, linux, linux-hwe-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-azure-fips, linux-gcp-fips, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-realtime, linux-intel-iot-realtime, linux-xilinx-zynqmp, opensc, and ruby-doorkeeper). --------------------------------------------- https://lwn.net/Articles/1015968/ ∗∗∗ IBM InfoSphere Information Server: Unbefugte Zugriffe möglich ∗∗∗ --------------------------------------------- Die Datenintegrationsplattform IBM InfoSphere Information Server ist verwundbar. Die Entwickler haben mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/IBM-InfoSphere-Information-Server-Unbefugte-Zugri… ∗∗∗ ZendTo NDay Vulnerability Hunting - Unauthenticated RCE in v5.24-3 <= v6.10-4 ∗∗∗ --------------------------------------------- Discovering NDay flaws in ZendTo filesharing software highlighted an interesting fact: without the issuance of CVEs, vulnerabilities can easily go unpatched. --------------------------------------------- https://projectblack.io/blog/zendto-nday-vulnerabilities/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2025
by Daily end-of-shift report 28 Mar '25

28 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-03-2025 18:00 − Freitag 28-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Phishing-as-a-service operation uses DNS-over-HTTPS for evasion ∗∗∗ --------------------------------------------- A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. -------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operat… ∗∗∗ Notfallupdate: Kritische Sandbox-Lücke in Firefox und Tor-Browser entdeckt ∗∗∗ --------------------------------------------- Nicht nur Chrome-Nutzer sollten dieser Tage ihren Browser updaten. Eine aktiv ausgenutzte Sicherheitslücke betrifft auch die Windows-Version von Firefox. --------------------------------------------- https://www.golem.de/news/notfallupdate-kritische-sandbox-luecke-in-firefox… ∗∗∗ Stealing user credentials with evilginx ∗∗∗ --------------------------------------------- A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there's hope. --------------------------------------------- https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evi… ∗∗∗ Quick Guide to Magento Security Patches ∗∗∗ --------------------------------------------- Magento remains a popular ecommerce platform in 2025 and its security patches play a vital role in addressing vulnerabilities that could otherwise be exploited by attackers. These patches help prevent issues like data breaches, website defacement, or unauthorized access, ensuring the safety of customer data and store operations. Given the platform’s .. --------------------------------------------- https://blog.sucuri.net/2025/03/quick-guide-to-magento-security-patches.html ∗∗∗ China’s FamousSparrow flies back into action, breaches US org after years off the radar ∗∗∗ --------------------------------------------- Crew also cooked up two fresh SparrowDoor backdoor variants, says ESET The China-aligned FamousSparrow crew has resurfaced after a long period of presumed inactivity, compromising a US financial-sector trade group and a Mexican research institute. The gang also likely targeted a governmental institution in Honduras, along with other yet-to-be-identified victims. --------------------------------------------- https://www.theregister.com/2025/03/27/china_famoussparrow_back/ ∗∗∗ Storage-Appliances: Dell schließt unzählige Sicherheitslücken in Unity-Serien ∗∗∗ --------------------------------------------- Die Dell-Entwickler haben unter anderem eine 19 Jahre alte Schwachstelle in diversen Unity-Modellen geschlossen. --------------------------------------------- https://www.heise.de/news/Storage-Appliances-Dell-schliesst-unzaehlige-Sich… ∗∗∗ New security requirements adopted by HTTPS certificate industry ∗∗∗ --------------------------------------------- The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying .. --------------------------------------------- http://security.googleblog.com/2025/03/new-security-requirements-adopted-by… ∗∗∗ Money Laundering 101, and why Joe is worried ∗∗∗ --------------------------------------------- In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime. --------------------------------------------- https://blog.talosintelligence.com/money-laundering-101-and-why-joe-is-worr… ∗∗∗ Gamaredon campaign abuses LNK files to distribute Remcos backdoor ∗∗∗ --------------------------------------------- Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024. --------------------------------------------- https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/ ∗∗∗ Obfuscation 101: Unmasking the Tricks Behind Malicious Code ∗∗∗ --------------------------------------------- “The malicious package was right in front of our eyes, but we didnt see it until it was too late.”Attackers frequently rely on obfuscation—the technique of deliberately making source code confusing and unreadable—to sneak malicious payloads past security defenses and code reviewers alike. Understanding these obfuscation techniques across .. --------------------------------------------- https://socket.dev/blog/obfuscation-101-the-tricks-behind-malicious-code ∗∗∗ NVD Concedes Inability to Keep Pace with Surging CVE Disclosures in 2025 ∗∗∗ --------------------------------------------- The National Vulnerability Database (NVD) issued a new status update on March 19, attempting to clarify the current state of its vulnerability processing pipeline. The agency says it has resumed processing new CVEs at the same rate it maintained before last year’s slowdown, but with vulnerability volumes surging, that’s no longer enough.We are currently .. --------------------------------------------- https://socket.dev/blog/nvd-backlog-crisis-deepens-amid-surging-cve-disclos… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mercurial and opensaml), Fedora (augeas, mingw-libxslt, and nodejs-nodemon), Mageia (chromium-browser-stable), Red Hat (grafana, kernel, kernel-rt, opentelemetry-collector, and podman), SUSE (apache-commons-vfs2, python3, and python36), and Ubuntu (ghostscript, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, .. --------------------------------------------- https://lwn.net/Articles/1015718/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2025
by Daily end-of-shift report 27 Mar '25

27 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-03-2025 18:00 − Donnerstag 27-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Dozens of solar inverter flaws could be exploited to attack power grids ∗∗∗ --------------------------------------------- Dozens of vulnerabilities in products from three leading makers of solar inverters, Sungrow, Growatt, and SMA, could be exploited to control devices or execute code remotely on the vendors cloud platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-fla… ∗∗∗ Cybercrime-Tool Atlantis AIO soll automatisierte Passwort-Attacken optimieren ∗∗∗ --------------------------------------------- Dahinter stecken organisierte Profi-Verbrecher, die ihre Werkzeuge im Darknet mit Werbeanzeigen und Support anpreisen. So auch im Fall des jüngst von Sicherheitsforschern entdeckten Tools Atlantis AIO. --------------------------------------------- https://www.heise.de/news/Cybercrime-Tool-Atlantis-AIO-soll-automatisierte-… ∗∗∗ Abonnement gekündigt? Achtung: Phishing-Versuch mit Disney+! ∗∗∗ --------------------------------------------- Mit einer angeblich von Disney+ stammenden E-Mail versuchen Kriminelle ihre Opfer auf eine Fake-Loginseite zu locken. Dort fragen sie die Anmeldeinformationen des Abos und Kreditkartendaten ab. Woran Sie den Phishing-Versuch ganz einfach erkennen können, zeigen wir Ihnen hier. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-versuch-disney/ ===================== = Vulnerabilities = ===================== ∗∗∗ Backuplösung SnapCenter: Angreifer können als Admin Systeme übernehmen ∗∗∗ --------------------------------------------- Die Backupsoftware SnapCenter ist verwundbar und Angreifer können sich durch das erfolgreiche Ausnutzen einer „kritischen“ Sicherheitslücke Admin-Rechte verschaffen. In einem Beitrag zur Schwachstelle (CVE-2025-26512) führen die Entwickler aus, die Versionen 6.0.1P1 und 6.1P1 repariert zu haben. Alle vorigen Ausgaben sind attackierbar. --------------------------------------------- https://www.heise.de/news/Backuploesung-SnapCenter-Angreifer-koennen-als-Ad… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode). --------------------------------------------- https://lwn.net/Articles/1015589/ ∗∗∗ Security Vulnerability fixed in Firefox 136.0.4, Firefox ESR 128.8.1, Firefox ESR 115.21.1 ∗∗∗ --------------------------------------------- Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape. The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/ ∗∗∗ Splunk: Teils hochriskante Sicherheitslecks in mehreren Produkten ∗∗∗ --------------------------------------------- Splunk hat eine Reihe an Sicherheitslücken in mehreren Produkten gemeldet. Aktualisierte Software-Pakete stehen zum Herunterladen bereit, mit denen Admins diese Sicherheitslecks stopfen können. --------------------------------------------- https://heise.de/-10330630 ∗∗∗ DSA-5888-1 ghostscript - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00050.html ∗∗∗ ABB: Cyber Security Advisory - ABB Low Voltage DC Drives and Power Controllers CODESYS RTS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9494&Lan… ∗∗∗ ABB: Cyber Security Advisory - ABB ACS880 +N8010 Drives CODESYS RTS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9491&Lan… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 17, 2025 to March 23, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/03/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2025
by Daily end-of-shift report 26 Mar '25

26 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-03-2025 18:00 − Mittwoch 26-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ New npm attack poisons local packages with backdoors ∗∗∗ --------------------------------------------- Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This way, even if the victim removes the malicious packages, the backdoor remains on their system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local… ∗∗∗ NCSC taps influencers to make 2FA go viral ∗∗∗ --------------------------------------------- The world's biggest brands have benefited from influencer marketing for years – now the UK's National Cyber Security Centre (NCSC) has hopped on the bandwagon to preach two-factor authentication (2FA) to the masses. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/03/26/ncsc_influen… ∗∗∗ CoffeeLoader: A Brew of Stealthy Techniques ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new sophisticated malware family that we named CoffeeLoader, which originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers. --------------------------------------------- https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-… ∗∗∗ Have I Been Pwned: Projektbetreiber Troy Hunt gepwned ∗∗∗ --------------------------------------------- Troy Hunt, Betreiber des Dienstes Have-I-Been-Pwned (HIBP), wurde Opfer einer Phishing-Attacke und damit selbst "Pwned". Es sind 16.627 E-Mail-Adressen der Mailingliste für den Newsletter zu Troys persönlichen Blog dadurch in unbefugte Hände abgeflossen. In einem Blog-Beitrag erklärt Hunt, wie es zu dem Vorfall kommen konnte. --------------------------------------------- https://heise.de/-10328970 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücken in Kubernetes Ingress NGINX Controller - Updates verfügbar ∗∗∗ --------------------------------------------- Im Kubernetes Ingress NGINX Controller, einer Kernkomponente von Kubernetes, wurden mehrere kritische Sicherheitslücken entdeckt. Diese ermöglichen unter anderem unauthentifizierte Remote Code Execution (RCE) und unberechtigten Zugriff auf Secrets. --------------------------------------------- https://www.cert.at/de/warnungen/2025/3/kubernetes-ingress-nginx-controller… ∗∗∗ Dringend patchen: Gefährliche Zero-Day-Lücke in Chrome für Spionage ausgenutzt ∗∗∗ --------------------------------------------- Nachdem Google in seinem Webbrowser Chrome erst in der vergangenen Woche eine kritische Sicherheitslücke geschlossen hatte, legt der Konzern jetzt nochmal nach. Mit einem am Dienstag veröffentlichten Update beseitigt Google eine Schwachstelle, die bereits im Rahmen gezielter Spionageangriffe aktiv ausgenutzt wird. [..] Die Ausnutzung der als CVE-2025-2783 registrierten Chrome-Lücke wurde Mitte März von Sicherheitsforschern von Kaspersky entdeckt. [..] Den Angaben zufolge lässt sich die Sicherheitslücke durch speziell präparierte Webseiten ausnutzen, die die jeweilige Zielperson lediglich aufrufen muss. [..] Einen Bericht mit weiteren technischen Details wollen die Sicherheitsforscher zu einem späteren Zeitpunkt veröffentlichen. --------------------------------------------- https://www.golem.de/news/dringend-patchen-gefaehrliche-zero-day-luecke-in-… ∗∗∗ VMware Tools ermöglichen Rechteausweitung in VMs ∗∗∗ --------------------------------------------- In der Sicherheitsmitteilung von Broadcom erörtern die Autoren, dass aufgrund unzureichender Zugriffskontrollen die Umgehung der Authentifizierung möglich ist (CVE-2025-22230, CVSS 7.8, Risiko "hoch"). Bösartige Akteure mit nicht-administrativen Rechten in einem Windows-Gastsystem können dadurch Operationen, die höhere Zugriffsrechte benötigen, ausführen. --------------------------------------------- https://www.heise.de/-10328819 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nginx and ruby-rack), Fedora (expat and libxslt), Mageia (bluez, dcmtk, ffmpeg, and radare2), Red Hat (container-tools:rhel8, gvisor-tap-vsock, kernel, kernel-rt, libreoffice, and podman), SUSE (buildah, forgejo, gitleaks, google-guest-agent, google-osconfig-agent, govulncheck-vulndb, grafana, helm, libxslt, php8, python-gunicorn, and python-Jinja2), and Ubuntu (freerdp2 and varnish). --------------------------------------------- https://lwn.net/Articles/1015464/ ∗∗∗ MISP v2.4.206 and v2.5.8 Released - new workflow modules, improved graph object relationship management and many other improvements ∗∗∗ --------------------------------------------- [security] Fixed stored XSS in event reports (mermaid rendering function). --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.8 ∗∗∗ ZDI-25-181: (0Day) Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Minimal user interaction is required to exploit this vulnerability. CVE-2025-2767 --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-181/ ∗∗∗ Huawei: Security Advisory - Authentication Bypass Vulnerability in Huawei PC Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-20250325-… ∗∗∗ ZDI-25-180: (0Day) 70mai A510 Use of Default Password Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-180/ ∗∗∗ ZDI-25-178: (0Day) CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-178/ ∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2025
by Daily end-of-shift report 25 Mar '25

25 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 24-03-2025 18:00 − Dienstag 25-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Browser-in-the-Browser attacks target CS2 players Steam accounts ∗∗∗ --------------------------------------------- A new phishing campaign targets Counter-Strike 2 players utilizing Browser-in-the-Browser (BitB) attacks that display a realistic window that mimics Steams login page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attac… ∗∗∗ Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH ∗∗∗ --------------------------------------------- OPKSSH (OpenPubkey SSH) is now open-sourced as part of the OpenPubkey project. --------------------------------------------- https://blog.cloudflare.com/open-sourcing-openpubkey-ssh-opkssh-integrating… ∗∗∗ Zero Day: Russische Firma zahlt für Telegram-Lücken Millionen ∗∗∗ --------------------------------------------- Die stetig wachsende Nutzerbasis macht die Plattform auch für Cyberangriffe immer interessanter. Aus diesem Grund bietet der russische Schwachstellenhändler Operation Zero mittlerweile bis zu vier Millionen US-Dollar für ungepatchte Sicherheitslücken in Telegram. --------------------------------------------- https://www.golem.de/news/zero-day-russische-firma-zahlt-millionen-fuer-tel… ∗∗∗ Achtung: Phishing-Mails im Namen des Wiener Tourismusverbands! ∗∗∗ --------------------------------------------- Aktuell kursieren E-Mails im Namen der Buchhaltung, die dazu auffordern, Rechnungen aufgrund technischer Probleme direkt per E-Mail zu senden. Vorsicht: Diese E-Mails stammen nicht von Mitarbeitenden des Wiener Tourismusverband sondern von Kriminellen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-mails-im-namen-des-… ∗∗∗ Oracle angeblich gehackt: Nutzerdaten im Darknet zum Verkauf ∗∗∗ --------------------------------------------- Sicherheitsforscher von CloudSEK berichten, dass im Darknet sensible Daten von rund 140.000 Oracle-Kunden zum Verkauf stehen. Diese Informationen sollen aus einer Cyberattacke stammen. Dem Hard- und Softwarehersteller zufolge hat es keinen IT-Sicherheitsvorfall gegeben. --------------------------------------------- https://heise.de/-10327980 ∗∗∗ US-Behörde stoppt Gelder für Lets Encrypt und Tor ‒ Open Tech Fund wehrt sich ∗∗∗ --------------------------------------------- Nach einem Dekret von US-Präsident Trump erhält der Open Technology Fund keine Fördermittel mehr. Deswegen zieht die Organisation jetzt vor Gericht. --------------------------------------------- https://heise.de/-10328226 ∗∗∗ Fake Hiring Challenge for Developers Steals Sensitive Data ∗∗∗ --------------------------------------------- Cyble threat intelligence researchers have uncovered a GitHub repository masquerading as a hiring coding challenge that tricks developers into downloading a backdoor to steal sensitive data. [..] There is evidence that the campaign may be expanding beyond a fake hiring challenge for developers, as Cyble Research and Intelligence Labs (CRIL) researchers also found invoice-themed lures. --------------------------------------------- https://thecyberexpress.com/fake-hiring-challenge-targets-developers/ ===================== = Vulnerabilities = ===================== ∗∗∗ Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP ∗∗∗ --------------------------------------------- On Friday, March 21, 2025, file transfer software maker CrushFTP disclosed a new vulnerability to customers via email. While the email [...] indicates only CrushFTP v11 is affected by the still-CVE-less (as of March 25) unauthenticated port access vulnerability, the extremely sparse vendor advisory indicates that both CrushFTP v10 and v11 are affected. According to the vendor, the issue is not exploitable if customers have the DMZ function of CrushFTP in place. --------------------------------------------- https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-… ∗∗∗ RCE Vulnerabilities in k8s Ingress NGINX (9.8 CVE for ingress-nginx) ∗∗∗ --------------------------------------------- Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover. --------------------------------------------- https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities ∗∗∗ Kubernetes: CVE-2025-1974 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131009 ∗∗∗ Kubernetes: CVE-2025-1098 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131008 ∗∗∗ Kubernetes: CVE-2025-1097 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131007 ∗∗∗ Kubernetes: CVE-2025-24514 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131006 ∗∗∗ Kubernetes: CVE-2025-24513 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131005 ∗∗∗ Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it ∗∗∗ --------------------------------------------- https://blog.0patch.com/2025/03/scf-file-ntlm-hash-disclosure.html ∗∗∗ Rockwell Automation 440G TLS-Z ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-03 ∗∗∗ Rockwell Automation Verve Asset Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-02 ∗∗∗ ABB RMC-100 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-01 ∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER Mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2025
by Daily end-of-shift report 24 Mar '25

24 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-03-2025 18:00 − Montag 24-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ FBI warnings are true—fake file converters do push malware ∗∗∗ --------------------------------------------- The FBI is warning that fake online document converters are being used to steal peoples information and, in worst-case scenarios, lead to ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-f… ∗∗∗ Cloudflare now blocks all unencrypted traffic to its API endpoints ∗∗∗ --------------------------------------------- Cloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-un… ∗∗∗ Trusted Signing: Hacker signieren Windows-Malware über Microsoft-Plattform ∗∗∗ --------------------------------------------- Forscher haben Malware entdeckt, die über Microsofts neue Trusted-Signing-Plattform signiert wurde. Windows-Systeme lassen sich damit leichter infizieren. --------------------------------------------- https://www.golem.de/news/trusted-signing-microsoft-dienst-zum-signieren-vo… ∗∗∗ Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories CI/CD Secrets Exposed ∗∗∗ --------------------------------------------- The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbases open-source projects, before evolving into something more widespread in scope."The payload was focused on .. --------------------------------------------- https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html ∗∗∗ Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 .. --------------------------------------------- https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html ∗∗∗ Oracle Cloud says its not true someone broke into its login servers and stole data ∗∗∗ --------------------------------------------- Despite evidence to the contrary as alleged pilfered info goes on sale Oracle has straight up denied claims by a miscreant that its public cloud offering has been compromised and information stolen. --------------------------------------------- https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credenti… ∗∗∗ Verfassungsschutz: Deutsche NGOs Ziel von russischen Cyberangriffen ∗∗∗ --------------------------------------------- Das Bundesamt für Verfassungsschutz hat einige zivilgesellschaftliche Organisationen alarmiert, dass sie verstärkt im Fokus russischer Cyberattacken stünden. --------------------------------------------- https://www.heise.de/news/Verfassungsschutz-warnt-NGOs-vor-zunehmenden-russ… ∗∗∗ Google Maps: Falsche Schlüsseldienste und Co. spähen Nutzer aus ∗∗∗ --------------------------------------------- Der Navigationsdienst Google Maps klagt gegen unechte Geschäfte auf seiner Plattform, die Nutzerdaten abschöpften und verkauften. --------------------------------------------- https://heise.de/-10325360 ∗∗∗ How to find Next.js on your network ∗∗∗ --------------------------------------------- On March 22nd, 2025, Next.js disclosed an authentication bypass vulnerability in the middleware layer. Exploitation is trivial and can be achieved by sending an extra HTTP header. For specifics, please see .. --------------------------------------------- https://www.runzero.com/blog/next-js/ ∗∗∗ Next.js Patches Critical Middleware Vulnerability (CVE-2025-29927) ∗∗∗ --------------------------------------------- This weekend, the Next.js team released emergency patches addressing a critical vulnerability (CVE-2025-29927) that allowed attackers to bypass middleware-based security checks, including authentication and .. --------------------------------------------- https://socket.dev/blog/next-js-patches-critical-middleware-vulnerability -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2025
by Daily end-of-shift report 21 Mar '25

21 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-03-2025 18:00 − Freitag 21-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Angreifer machen sich an Hintertür in Cisco Smart Licensing Utility zu schaffen ∗∗∗ --------------------------------------------- Wie Sicherheitsforscher berichten, fangen Angreifer derzeit an, zwei Schwachstellen in Cisco Smart Licensing Utility auszunutzen. Darüber verschaffen sie sich Zugang mit Adminrechten. Sicherheitspatches sind schon länger verfügbar. [..] Die „kritischen“ Lücken (CVE-2024-20439, CVE-2024-20440) sind seit Anfang September 2024 bekannt. --------------------------------------------- https://heise.de/-10323893 ∗∗∗ VSCode extensions found downloading early-stage ransomware ∗∗∗ --------------------------------------------- Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsofts review process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vscode-extensions-found-down… ∗∗∗ Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates ∗∗∗ --------------------------------------------- The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools. --------------------------------------------- https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.h… ∗∗∗ How to Avoid US-Based Digital Services—and Why You Might Want To ∗∗∗ --------------------------------------------- Amid growing concerns over Big Tech firms aligning with Trump administration policies, people are starting to move their digital lives to services based overseas. Heres what you need to know. --------------------------------------------- https://www.wired.com/story/trump-era-digital-expat/ ∗∗∗ Fake-Shops wie eu.stanlaystore.com locken mit günstigen Stanley Cups ∗∗∗ --------------------------------------------- Stanley Cups gehören aktuell zu den beliebtesten Thermoskannen auf dem Markt. Leider machen sich auch Kriminelle die hohe Nachfrage zunutze und bieten die trendigen Becher in Fake-Shops an. Wie zum Beispiel die Website eu.stanlaystore.com, die mit unschlagbar günstigen Preisen lockt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-wie-eustanlaystorecom-loc… ∗∗∗ Achtung Phishing: So funktioniert der neue Debitkarten-Betrug ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit vermehrt gefälschte E-Mails im Namen der Erste Bank. Darin wird behauptet, dass Ihre Debitkarte veraltet sei und Sie eine neue Karte beantragen müssen. Mit dieser Betrugsmasche versuchen Kriminelle, an Ihre Debitkarte samt PIN zu gelangen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-so-funktioniert-der… ∗∗∗ GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 3/21) ∗∗∗ --------------------------------------------- Updated March 20: The recent compromise of the GitHub action tj-actions/changed-files and additional actions within the reviewdog organization has captured the attention of the GitHub community, marking another major software supply chain attack. Our team conducted an in-depth investigation into this incident and uncovered many more details about how the attack occurred and its timeline. [..] Our team also discovered that the initial attack targeted Coinbase. The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises. However, the attacker was not able to use Coinbase secrets or publish packages. --------------------------------------------- https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/ ∗∗∗ Major web services go dark in Russia amid reported Cloudflare block ∗∗∗ --------------------------------------------- Website outages were observed across Russia this week, with regulators attributing them to issues with foreign servers. Observers said the problems might be tied to Russian government moves to block Cloudflare services. --------------------------------------------- https://therecord.media/russia-websites-dark-reported-cloudflare-block ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in NAKIVO Backup ＆ Replication ∗∗∗ --------------------------------------------- A vulnerability has been discovered in NAKIVO Backup ＆ Replication 10.11.3.86570 and earlier. [..] We have already removed the affected versions from App Center and requested NAKIVO to provide a fixed version as soon as possible. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-08 ∗∗∗ Siemens: SSA-656895 V1.2 (Last Update: 2025-03-20): Open Redirect Vulnerability in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-656895.html ∗∗∗ [R1] Nessus Agent Version 10.8.3 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-02 ∗∗∗ F5: K000150484: Apache Tomcat vulnerability CVE-2025-24813 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150484 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2025
by Daily end-of-shift report 20 Mar '25

20 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-03-2025 18:00 − Donnerstag 20-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ HellCat hackers go on a worldwide Jira hacking spree ∗∗∗ --------------------------------------------- Swiss global solutions provider Ascom has confirmed a cyberattack on its IT infrastructure as a hacker group known as Hellcat targets Jira servers worldwide using compromised credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worl… ∗∗∗ Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data ∗∗∗ --------------------------------------------- The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. [..] In these attacks, targets were added to a WhatsApp group, and then sent a PDF document, which is subsequently parsed automatically to trigger the now-patched zero-day vulnerability and load the Graphite spyware. --------------------------------------------- https://thehackernews.com/2025/03/six-governments-likely-use-israeli.html ∗∗∗ Phishing-Versuche im Namen der Oberbank – „Bitte aktualisieren Sie Ihre persönlichen Informationen“ ∗∗∗ --------------------------------------------- Mit Fake-SMS-Nachrichten versuchen Kriminelle gerade verstärkt, Opfer auf gefälschte Kundenportale der Oberbank zu leiten. Ziel der Phishing-Attacke sind sensible Bankdaten. Hier erfahren Sie, wie der Betrugsversuch abläuft und wie Sie den Fake erkennen. Außerdem erklären wir, was Sie tun können, falls Sie Ihre persönlichen Informationen bereits an die Betrüger:innen übermittelt haben. --------------------------------------------- https://www.watchlist-internet.at/news/persoenlichen-informationen-phishing… ∗∗∗ Presseaussendung: Fake-Shops, Produktpiraterie und Co. als Bedrohung für den österreichischen Onlinehandel ∗∗∗ --------------------------------------------- Fake-Shops, Markenfälschungen, Produktpiraterie oder Verletzungen des geistigen Eigentums: Die Bedrohungen im E-Commerce sind vielfältig und können für österreichische Unternehmer:innen nicht nur zu finanziellen Verlusten durch betrügerische Konkurrenz führen, sondern auch das Vertrauen der Kund:innen in den Online-Handel als Ganzes untergraben. --------------------------------------------- https://www.watchlist-internet.at/news/presseaussendung-bedrohungen-fuer-de… ∗∗∗ UK sets timeline for country’s transition to quantum-resistant encryption ∗∗∗ --------------------------------------------- The U.K. National Cyber Security Centre issued new guidance to help organizations transition to cryptographic algorithms and protocols that can protect data threatened by quantum computing. --------------------------------------------- https://therecord.media/uk-ncsc-quantum-resistant-algorithms-transition ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress security plugin WP Ghost vulnerable to remote code execution bug ∗∗∗ --------------------------------------------- Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. [..] The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp… ∗∗∗ Google warnt: Kritische Sicherheitslücke in Chrome gefährdet Nutzer ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für seinen Webbrowser Chrome veröffentlicht. [..] Mit Details zu der als CVE-2025-2476 registrierten Schwachstelle hält sich Google in seiner Versionsankündigung aus Sicherheitsgründen noch zurück. --------------------------------------------- https://www.golem.de/news/google-warnt-kritische-sicherheitsluecke-in-chrom… ∗∗∗ Veeam Backup & Replication RCE-Schwachstelle CVE-2025-23120 ∗∗∗ --------------------------------------------- Nutzer von Veeam Backup & Replication müssen reagieren. Der Anbieter Veeam hat zum 19. März 2025 über eine Remote Code Execution (RCE) Schwachstelle CVE-2025-23120 in verschiedenen Versionen des genannten Produkts informiert. Es gibt Sicherheitsupdates, um diese Schwachstelle zu schließen. --------------------------------------------- https://www.borncity.com/blog/2025/03/19/veeam-backup-replication-rce-schwa… ∗∗∗ ZDI-25-175: (0Day) Luxion KeyShot USDC File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-175/ ∗∗∗ ZDI-25-174: (0Day) Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-174/ ∗∗∗ Schwerwiegende Sicherheitslücken bedrohen Serverbetriebssystem IBM AIX ∗∗∗ --------------------------------------------- https://www.heise.de/news/Schwerwiegende-Sicherheitsluecken-bedrohen-Server… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0002.html ∗∗∗ SMA Sunny Portal ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-04 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-079-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2025
by Daily end-of-shift report 19 Mar '25

19 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-03-2025 18:00 − Mittwoch 19-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Malicious Android Vapor apps on Google Play installed 60 million times ∗∗∗ --------------------------------------------- Over 300 malicious Android applications downloaded 60 million items from Google Play acted as adware or attempted to steal credentials and credit card information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-android-vapor-apps… ∗∗∗ Why its time for phishing prevention to move beyond email ∗∗∗ --------------------------------------------- While phishing has evolved, email security hasnt kept up. Attackers now bypass MFA & detection tools with advanced phishing kits, making credential theft harder to prevent. Learn how Push Securitys browser-based security stops attacks as they happen. --------------------------------------------- https://www.bleepingcomputer.com/news/security/why-its-time-for-phishing-pr… ∗∗∗ iOS-Nutzer gefährdet: Phishing-Lücke in Passwords-App erst nach Monaten gepatcht ∗∗∗ --------------------------------------------- Apples Passwords-App hat Weiterleitungen zur Passwortänderung über unsicheres HTTP abgewickelt. Angreifer hätten auf Phishingseiten umleiten können. --------------------------------------------- https://www.golem.de/news/unsicheres-http-ios-nutzer-durch-phishing-luecke-… ∗∗∗ Malware im Anmarsch: Ungepatchte Windows-Lücke wird seit 8 Jahren ausgenutzt ∗∗∗ --------------------------------------------- Hacker nutzen die Schwachstelle schon mindestens seit 2017 aus. Ein Patch ist bisher nicht in Sicht. Auch Ziele in Deutschland sind bereits attackiert worden. --------------------------------------------- https://www.golem.de/news/malware-im-anmarsch-ungepatchte-windows-luecke-wi… ∗∗∗ Arcane stealer: We want all your data ∗∗∗ --------------------------------------------- The new Arcane stealer spreads via YouTube and Discord, collecting data from many applications, including VPN and gaming clients, network utilities, messaging apps, and browsers. --------------------------------------------- https://securelist.com/arcane-stealer/115919/ ∗∗∗ Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source ∗∗∗ --------------------------------------------- Today, were thrilled to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta version. This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities .. --------------------------------------------- https://security.googleblog.com/2025/03/announcing-osv-scanner-v2-vulnerabi… ∗∗∗ Buying browser extensions for fun and profit ∗∗∗ --------------------------------------------- Your browser extensions could be secretly sold to malicious actors without your knowledge. What starts as helpful tools created by passionate developers can transform into dangerous spyware when sold to the highest bidder. As these extensions grow to hundreds of thousands of users, their creators—overwhelmed by maintenance and lacking .. --------------------------------------------- https://secureannex.com/blog/buying-browser-extensions/ ∗∗∗ Which passwords are attackers using against RDP ports right now? ∗∗∗ --------------------------------------------- The Specops research team has been analyzing 15 million passwords being used to attack RDP ports, in live attacks happening against networks right now. Our team have found the ten most common passwords attackers are using and analyzed their wordlists for the most common complexity rules and password lengths. We shared the results of a .. --------------------------------------------- https://specopssoft.com/blog/passwords-used-in-attacking-rdp-ports/ ∗∗∗ AMOS and Lumma stealers actively spread to Reddit users ∗∗∗ --------------------------------------------- Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software. --------------------------------------------- https://www.malwarebytes.com/blog/scams/2025/03/amos-and-lumma-stealers-act… ∗∗∗ Website-Kidnapping: So schützen Sie Ihre Website vor Hackingangriffen! ∗∗∗ --------------------------------------------- Immer öfter geraten österreichische Unternehmen ins Visier von Kriminellen, die ihre Website unbemerkt manipulieren, um Kund:innen auf Fake-Shops oder andere illegale Inhalte weiterzuleiten. Besonders gefährdet sind kleine und mittlere Unternehmen (KMU), da sie oft nicht über ausreichende IT-Sicherheitsmaßnahmen verfügen. --------------------------------------------- https://www.watchlist-internet.at/news/website-kidnapping-so-schuetzen-sie-… ∗∗∗ Russland vergiftet KI-Chatbots wie ChatGPT gezielt mit Propaganda ∗∗∗ --------------------------------------------- Rund 3,6 Millionen Artikel des russischen Pravda-Netzwerks sollen in das Trainingsmaterial westlicher KI-Systeme eingeflossen sein. So werden Fake News via KI verbreitet --------------------------------------------- https://www.derstandard.at/story/3000000261876/russland-vergiftet-ki-chatbo… ∗∗∗ The Citizen Lab’s director dissects spyware and the ‘proliferating’ market for it ∗∗∗ --------------------------------------------- In an interview with Recorded Future News, Deibert explained the technical aspects of the Citizen Lab’s methods and how spyware companies continue to evolve to evade detection. --------------------------------------------- https://therecord.media/ron-deibert-citizen-lab-spyware-interview ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-149: Adobe Acrobat Reader DC AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-271561. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-149/ ∗∗∗ ZDI-25-151: Progress Software Kemp LoadMaster mangle Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-1758. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-151/ ∗∗∗ ZDI-25-150: Microsoft Windows MSC File Insufficient UI Warning Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2025-26633. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-150/ ∗∗∗ ZDI-25-172: Apple macOS MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-24124. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-172/ ∗∗∗ Multiple Vulnerabilities in Autodesk AutoCAD and certain AutoCAD-based Products ∗∗∗ --------------------------------------------- Autodesk AutoCAD and certain AutoCAD-based products are affected by multiple vulnerabilities. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2025
by Daily end-of-shift report 18 Mar '25

18 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 17-03-2025 18:00 − Dienstag 18-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Critical AMI MegaRAC bug can let attackers hijack, brick servers ∗∗∗ --------------------------------------------- A new critical severity vulnerability found in American Megatrends Internationals MegaRAC Baseboard Management Controller (BMC) software can let attackers hijack and potentially brick vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bug-can… ∗∗∗ StilachiRAT analysis: From system reconnaissance to cryptocurrency theft ∗∗∗ --------------------------------------------- Microsoft Incident Response uncovered a novel remote access trojan (RAT) named StilachiRAT, which demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. This blog primarily focuses on analysis of the WWStartupCtrl64.dll module that contains the RAT capabilities and summarizes .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analys… ∗∗∗ New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious .. --------------------------------------------- https://thehackernews.com/2025/03/new-rules-file-backdoor-attack-lets.html ∗∗∗ Britische Hintertüren: Verdacht nach Apple auch bei Google ∗∗∗ --------------------------------------------- Britische Überwacher verlangen weltweiten Zugriff auf Apple-Backups. Apple darf das nicht bestätigen und ist damit offenbar kein Einzelfall. --------------------------------------------- https://www.heise.de/news/Auch-Google-kann-britischen-Ueberwachungsbefehl-n… ∗∗∗ FBI-Warnung: Betrügerische Online-Dateikonverter schleusen Trojaner in Dokumente ∗∗∗ --------------------------------------------- Wer kostenlose Onlinedienste zum Umwandeln von etwa Textdateien nutzt, kann sich Malware einfangen. Darauf weist das FBI hin. --------------------------------------------- https://www.heise.de/news/Malwareverteiler-FBI-warnt-vor-betruegerischen-On… ∗∗∗ Bogus ‘DeepSeek’ AI Installers Are Infecting Devices with Malware, Research Finds ∗∗∗ --------------------------------------------- In a digital landscape hungry for the next big thing in Artificial Intelligence, a new contender called DeepSeek recently burst .. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/bogus-deepseek-ai-inst… ∗∗∗ Betrügerisches Gewinnspiel: Abofalle statt günstigem Thermomix! ∗∗∗ --------------------------------------------- Frau S. wünscht sich schon lange einen Thermomix. Bisher schreckte sie jedoch der hohe Preis der Küchenmaschine ab. Umso größer ist ihre Freude, als sie im Internet sieht, dass sie nach der Teilnahme an einer Umfrage den Thermomix für nur zwei Euro erhalten kann. Doch Vorsicht: Statt eines günstigen Thermomix erwartet sie eine teure Abofalle! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-gewinnspiel-abofalle… ∗∗∗ Google-Mutter Alphabet bietet für Cybersecurity-Startup Wiz 30 Milliarden Dollar ∗∗∗ --------------------------------------------- Es wäre die größte Transaktion von Alphabet. Ein Angebot über 23 Milliarden Dollar war im Vorjahr abgelehnt worden --------------------------------------------- https://www.derstandard.at/story/3000000261775/wsj-alphabet-bietet-f252r-cy… ∗∗∗ Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds ∗∗∗ --------------------------------------------- OKX said it detected a coordinated effort by one of North Korea’s most prolific hacking outfits to misuse its decentralized finance (DeFi) services. --------------------------------------------- https://therecord.media/crypto-okx-shuts-down-exchange ∗∗∗ Password reuse is rampant: nearly half of observed user logins are compromised ∗∗∗ --------------------------------------------- Accessing private content online, whether it's checking email or streaming your favorite show, almost always starts with a “login” step. Beneath this everyday task lies a widespread human mistake we still have not resolved: password reuse. Many users recycle passwords across multiple services, creating a ripple effect of risk when their credentials are leaked. --------------------------------------------- https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-comprom… ∗∗∗ Offline PKI using 3 YubiKeys and an ARM single board computer ∗∗∗ --------------------------------------------- An offline PKI enhances security by physically isolating the certificate authority from network threats. A YubiKey is a low-cost solution to store a root certificate. You also need an air-gapped environment to operate the root CA. --------------------------------------------- https://vincent.bernat.ch/en/blog/2025-offline-pki-yubikeys ∗∗∗ Security Risks of Setting Access Control Allow Origin: * ∗∗∗ --------------------------------------------- Wildcard CORS: convenient or careless? What are the ACTUAL scenarios that could lead to a loose CORS policy being exploited? --------------------------------------------- https://projectblack.io/blog/security-risks-of-setting-access-control-allow… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-003 ∗∗∗ TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-002 ∗∗∗ Varnish Enterprise vulnerability in MSE4 when handling range requests ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VEV00001/ ∗∗∗ HTTP/1 client-side desync vulnerability ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00015/ ∗∗∗ Schneider Electric EcoStruxure Power Automation System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-077-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2025
by Daily end-of-shift report 17 Mar '25

17 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-03-2025 18:00 − Montag 17-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Coinbase phishing email tricks users with fake wallet migration ∗∗∗ --------------------------------------------- A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/coinbase-phishing-email-tric… ∗∗∗ Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts ∗∗∗ --------------------------------------------- Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 accounts credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-adobe-docusign-oau… ∗∗∗ Mirai Bot now incroporating (malformed?) DrayTek Vigor Router Exploits, (Sun, Mar 16th) ∗∗∗ --------------------------------------------- Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescount, about 700,000 devices were exposed to these vulnerabilities .. --------------------------------------------- https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vi… ∗∗∗ Credit Card Skimmer and Backdoor on WordPress E-commerce Site ∗∗∗ --------------------------------------------- The battle against e-commerce malware continues to intensify, with attackers deploying increasingly sophisticated tactics. In a recent case at Sucuri, a customer reported suspicious files and unexpected behavior on their WordPress site. Upon deeper analysis, we discovered a complicated infection involving multiple components: a credit card skimmer, a .. --------------------------------------------- https://blog.sucuri.net/2025/03/credit-card-skimmer-and-backdoor-on-wordpre… ∗∗∗ Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities, but harboring hidden functionality to steal sensitive data such as .. --------------------------------------------- https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html ∗∗∗ Microsoft wouldnt look at a bug report without a video. Researcher maliciously complied ∗∗∗ --------------------------------------------- Maddening techno loop, Zoolander reference, and 14 minutes of time wasted A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation. --------------------------------------------- https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/ ∗∗∗ Fake-Sicherheitswarnung: Betrüger versuchen Github-Konten zu kapern ∗∗∗ --------------------------------------------- Sicherheitsforscher berichten über Angriffsversuche auf rund 12.000 Github-Repositories. Dabei wollen Angreifer die volle Kontrolle über Konten erlangen. --------------------------------------------- https://www.heise.de/news/Fake-Sicherheitswarnung-Betrueger-versuchen-Githu… ∗∗∗ ClickFix: How to Infect Your PC in Three Easy Steps ∗∗∗ --------------------------------------------- A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish .. --------------------------------------------- https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three… ∗∗∗ RCS: Apple und Google einigen sich auf Ende-zu-Ende-verschlüsselte Kommunikation ∗∗∗ --------------------------------------------- Neue Version des SMS-Nachfolgers unterstützt sichere Verschlüsselung, die beiden Branchengrößen wollen das bei Android und iPhone übernehmen --------------------------------------------- https://www.derstandard.at/story/3000000261679/rcs-apple-und-google-einigen… ∗∗∗ Telegram CEO confirms leaving France amid criminal probe ∗∗∗ --------------------------------------------- The Russian-born founder and owner of the messaging app Telegram said he returned to Dubai after spending several months in France due to a criminal investigation related to activity on the app. --------------------------------------------- https://therecord.media/telegram-pavel-durov-leaves-france-amid-probe ∗∗∗ Mora_001 ransomware gang exploiting Fortinet bug spotlighted by CISA in January ∗∗∗ --------------------------------------------- Two vulnerabilities impacting Fortinet products are being exploited by a new ransomware operation with ties to the LockBit ransomware group. --------------------------------------------- https://therecord.media/mora001-ransomware-gang-exploiting-vulnerability-lo… ∗∗∗ Scammers Pose as Cl0p Ransomware to Send Fake Extortion Letters ∗∗∗ --------------------------------------------- Scammers are sending fake extortion and ransom demands while posing as ransomware gangs, including the notorious Cl0p ransomware. --------------------------------------------- https://hackread.com/scammers-pose-cl0p-ransomware-fake-extortion-letters/ ∗∗∗ BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique ∗∗∗ --------------------------------------------- The Rise of Browser in the Middle (BitM): BitM attacks offer a streamlined approach, allowing attackers to quickly compromise sessions across various web applications.MFA Remains Crucial, But Not Invulnerable: .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-b… ∗∗∗ Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised ∗∗∗ --------------------------------------------- On March 14th, 2025, security researchers discovered a critical software supply chain vulnerability in the widely-used GitHub Action tj-actions/changed-files (CVE-2025-30066). This vulnerability allows remote attackers .. --------------------------------------------- https://blog.aquasec.com/supply-chain-security-threat-github-action-tj-acti… ∗∗∗ Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS ∗∗∗ --------------------------------------------- I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, .. --------------------------------------------- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), .. --------------------------------------------- https://lwn.net/Articles/1014437/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2025
by Daily end-of-shift report 14 Mar '25

14 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-03-2025 18:00 − Freitag 14-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New SuperBlack ransomware exploits Fortinet auth bypass flaws ∗∗∗ --------------------------------------------- A new ransomware operator named Mora_001 is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-ex… ∗∗∗ Ransomware gang creates tool to automate VPN brute-force attacks ∗∗∗ --------------------------------------------- The Black Basta ransomware operation created an automated brute-forcing framework dubbed BRUTED to breach edge networking devices like firewalls and VPNs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creat… ∗∗∗ Jailbreaking is (mostly) simpler than you think ∗∗∗ --------------------------------------------- Today, we are sharing insights on a simple, optimization-free jailbreak method called Context Compliance Attack (CCA), that has proven effective against most leading AI systems. We are disseminating this research to promote awareness and encourage system designers to implement appropriate safeguards. --------------------------------------------- https://msrc.microsoft.com/blog/2025/03/jailbreaking-is-mostly-simpler-than… ∗∗∗ CISA: We didnt fire red teams, we just unhired a bunch of them ∗∗∗ --------------------------------------------- Agency tries to save face as it also pulls essential funding for election security initiatives Uncle Sams cybersecurity agency is trying to save face by seeking to clear up what its calling "inaccurate reporting" after a former senior pen-tester claimed the organization axed two red teams. --------------------------------------------- https://www.theregister.com/2025/03/13/cisa_red_team_layoffs/ ∗∗∗ A New Era of Attacks on Encryption Is Starting to Heat Up ∗∗∗ --------------------------------------------- The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say. --------------------------------------------- https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-… ∗∗∗ Fernzugriff: Ivanti Secure Access Client als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt unter Windows eine Lücke in Ivanti Secure Access Client. --------------------------------------------- https://www.heise.de/news/Fernzugriff-Ivanti-Secure-Access-Client-als-Einfa… ∗∗∗ Off the Beaten Path: Recent Unusual Malware ∗∗∗ --------------------------------------------- Three unusual malware samples analyzed here include an ISS backdoor developed in a rare language, a bootkit and a Windows implant of a post-exploit framework. --------------------------------------------- https://unit42.paloaltonetworks.com/unusual-malware/ ∗∗∗ Ransomware attack takes down health system network in Micronesia ∗∗∗ --------------------------------------------- One of the four states that make up the Pacific nation of Micronesia is battling against ransomware hackers who have forced all of the computers used by its government health agency offline. --------------------------------------------- https://therecord.media/ransomware-attack-micronesia-health-system ∗∗∗ Europes telecoms sector under increased threat from cyber spies, warns Denmark ∗∗∗ --------------------------------------------- State-sponsored cyber espionage is a bigger threat than ever to Europes telecommunications networks, according to a new assessment from Denmarks government. --------------------------------------------- https://therecord.media/europe-increased-cyber-espionage-telecoms-denmark-r… ∗∗∗ Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court ∗∗∗ --------------------------------------------- Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said. --------------------------------------------- https://therecord.media/lockbit-alleged-russian-developer-extradited-us-isr… ∗∗∗ SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware ∗∗∗ --------------------------------------------- Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techni… ∗∗∗ Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes ∗∗∗ --------------------------------------------- Expat 2.7.0 has been released earlier today. I will make this a more detailed post than usual because in many ways there is more to tell about this release than the average libexpat release: there is a story this time --------------------------------------------- https://blog.hartwork.org/posts/expat-2-7-0-released/ ∗∗∗ Memory Corruption in Delphi ∗∗∗ --------------------------------------------- Our team at Include Security is often asked to examine applications coded in languages that are usually considered “unsafe”, such as C and C++, due to their lack of memory safety functionality. Critical aspects of reviewing such code include identifying where bounds-checking, input validation, and pointer handling/dereferencing are .. --------------------------------------------- https://blog.includesecurity.com/2025/03/memory-corruption-in-delphi/ ∗∗∗ My Scammer Girlfriend: Baiting A Romance Fraudster ∗∗∗ --------------------------------------------- At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign. --------------------------------------------- https://www.bentasker.co.uk/posts/blog/security/seducing-a-romance-scammer.… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-135: Adobe Acrobat Reader DC AcroForm Use of Uninitialized Variable Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27162. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-135/ ∗∗∗ ZDI-25-134: Adobe Acrobat Reader DC Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-24431. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-134/ ∗∗∗ ZDI-25-133: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27174. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-133/ ∗∗∗ ZDI-25-132: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27159. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-132/ ∗∗∗ ZDI-25-131: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27160. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-131/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2025
by Daily end-of-shift report 13 Mar '25

13 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-03-2025 18:00 − Donnerstag 13-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ No Project Is an Island: Why You Need SBOMs and Dependency Management ∗∗∗ --------------------------------------------- The system you develop and maintain does not exist in isolation. Providing SBOMs for our work is our way to show we care. Software is a relatively recent phenomenon. For a long time, you could credibly say most of its existence, software was poorly understood by society and industry at large. There was .. --------------------------------------------- https://bsdly.blogspot.com/2025/03/no-project-is-island-why-you-need-sboms.… ∗∗∗ Facebook discloses FreeType 2 flaw exploited in attacks ∗∗∗ --------------------------------------------- Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-… ∗∗∗ Flugticketgroßhändler: Cyberangriff legt Buchungssystem von Aerticket lahm ∗∗∗ --------------------------------------------- Nach einem Hackerangriff ist das Buchungssystem von Aerticket vorerst unbrauchbar. Eine schnelle Wiederherstellung ist wohl nicht zu erwarten. --------------------------------------------- https://www.golem.de/news/flugticketgrosshaendler-cyberangriff-legt-buchung… ∗∗∗ Head Mare and Twelve join forces to attack Russian entities ∗∗∗ --------------------------------------------- We analyze the activities of the Head Mare hacktivist group, which has been attacking Russian companies jointly with Twelve. --------------------------------------------- https://securelist.com/head-mare-twelve-collaboration/115887/ ∗∗∗ Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware ∗∗∗ --------------------------------------------- Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-… ∗∗∗ Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand ∗∗∗ --------------------------------------------- Feds warn gang still rampant and now cracked 300+ victims around the world A crook who distributes the Medusa ransomware tried to make a victim cough up three payments instead of the usual two, according to a government advisory on how to defend against the malware and the gangs who wield it. --------------------------------------------- https://www.theregister.com/2025/03/13/medusa_ransomware_infects_300_critic… ∗∗∗ DeepSeek can be gently persuaded to spit out malware code ∗∗∗ --------------------------------------------- It might need polishing, but a useful find for any budding cybercrooks out there DeepSeeks flagship R1 model is capable of generating a working keylogger and basic ransomware code, just as long as a techie is on hand to tinker with it a little. --------------------------------------------- https://www.theregister.com/2025/03/13/deepseek_malware_code/ ∗∗∗ Sicherheitslücken: Gitlab-Entwickler raten zu zügigem Update ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für die Softwareentwicklungsplattform Gitlab erschienen. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-Gitlab-Entwickler-raten-zu-zue… ∗∗∗ Sicherheitsupdates: Root-Sicherheitslücke bedroht Cisco-ASR-Router ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat mehrere Schwachstellen geschlossen, über die Angreifer etwa ASR-Router attackieren können. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Root-Sicherheitsluecke-bedroht… ∗∗∗ Schadcode-Sicherheitslücken bedrohen FortiOS, FortiSandbox & Co. ∗∗∗ --------------------------------------------- Mehrere Produkte von Fortinet sind attackierbar. Sicherheitspatches schaffen Abhilfe. --------------------------------------------- https://www.heise.de/news/Schadcode-Sicherheitsluecken-bedrohen-FortiOS-For… ∗∗∗ Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims ∗∗∗ --------------------------------------------- We identified a campaign spreading thousands of sca crypto investment platforms through websites and mobile apps, possibly through a standardized toolkit. --------------------------------------------- https://unit42.paloaltonetworks.com/fraud-crypto-platforms-campaign/ ∗∗∗ #StopRansomware: Medusa Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a ∗∗∗ Signal no longer cooperating with Ukraine on Russian cyberthreats, official says ∗∗∗ --------------------------------------------- The encrypted messaging app Signal has stopped responding to requests from Ukrainian law enforcement regarding Russian cyberthreats, a Ukrainian official claimed, warning that the shift is aiding Moscow’s intelligence efforts. --------------------------------------------- https://therecord.media/signal-no-longer-cooperating-with-ukraine ∗∗∗ Abusing with style: Leveraging cascading style sheets for evasion and tracking ∗∗∗ --------------------------------------------- Cascading Style Sheets (CSS) are ever present in modern day web browsing, however its far from their own use. This blog will detail the ways adversaries use CSS in email campaigns for evasion and tracking. --------------------------------------------- https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/ ∗∗∗ Statement on CISAs Red Team ∗∗∗ --------------------------------------------- CISA’s Red Team is among the best in the world and remains laser focused on helping our federal and critical infrastructure partners identify and mitigate their most significant vulnerabilities and weaknesses. This has not changed. --------------------------------------------- https://www.cisa.gov/news-events/news/statement-cisas-red-team ∗∗∗ PCI DSS FAQ SAQ WTF BBQ... ∗∗∗ --------------------------------------------- I was trying to come up with a sensible title for this blog post, but I feel this one mirrors the thoughts and feelings of many of us about recent events in the PCI DSS compliance space! There have been some significant changes in .. --------------------------------------------- https://scotthelme.ghost.io/pci-dss-faq-saq-wtf-bbq/ ∗∗∗ Sign in as anyone: Bypassing SAML SSO authentication with parser differentials ∗∗∗ --------------------------------------------- Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. In this blog post, well shed light on how these vulnerabilities that rely on a parser differential were uncovered. --------------------------------------------- https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentic… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, .. --------------------------------------------- https://lwn.net/Articles/1014042/ ∗∗∗ ZDI-25-129: PDF-XChange Editor RTF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-2231. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-129/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2025
by Daily end-of-shift report 12 Mar '25

12 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-03-2025 18:00 − Mittwoch 12-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iPhone-Nutzer attackiert: Aktiv ausgenutzte Webkit-Lücke gefährdet Apple-Geräte ∗∗∗ --------------------------------------------- Angreifer können durch die Schwachstelle aus der Web-Content-Sandbox von Webkit ausbrechen. Apple verteilt Notfallupdates für iOS, MacOS und Safari. --------------------------------------------- https://www.golem.de/news/iphone-nutzer-attackiert-aktiv-ausgenutzte-webkit… ∗∗∗ Scans for VMWare Hybrid Cloud Extension (HCX) API (Log4j - not brute forcing), (Wed, Mar 12th) ∗∗∗ --------------------------------------------- Today, I noticed increased scans for the VMWare Hyprid Cloud Extension (HCX) "sessions" endpoint. These endpoints are sometimes associated with exploit attempts for various VMWare .. --------------------------------------------- https://isc.sans.edu/diary/Scans+for+VMWare+Hybrid+Cloud+Extension+HCX+API+… ∗∗∗ Uneinheitliche Cybersicherheitsstandards: Kommunen ohne klare Strategie ∗∗∗ --------------------------------------------- Aktuell gibt es bei der IT-Sicherheit von Kommunen noch viele Mängel. Eine Studie klärt über die Defizite und mögliche Maßnahmen auf. --------------------------------------------- https://www.heise.de/news/Uneinheitliche-Cybersicherheitsstandards-Kommunen… ∗∗∗ Microsoft-Patchday: 5 kritische Windows-Lücken, 6 andere bereits ausgenutzt ∗∗∗ --------------------------------------------- Zum Patchday im März 205 veröffentlicht Microsoft Korrekturen für insgesamt 57 CVE-Einträge. Sie betreffen Windows, Office, Visual Studio, Azure und mehr. --------------------------------------------- https://www.heise.de/news/Microsoft-Patchday-5-kritische-Windows-Luecken-6-… ∗∗∗ Take control of Cache-Control and local caching ∗∗∗ --------------------------------------------- TL;DR Caching speeds up website content delivery What caching directives are and how to use them The No-cache directive does not prevent caching The No-store directive prevents caching .. --------------------------------------------- https://www.pentestpartners.com/security-blog/take-control-of-cache-control… ∗∗∗ Phishing-Falle: Es droht keine dauerhafte Deaktivierung Ihres GMX-Kontos! ∗∗∗ --------------------------------------------- Von Ihrer E-Mail-Adresse werden angeblich „falsche E-Mails“ versendet? Wenn Sie nicht innerhalb von 24 Stunden reagieren, wird ihr GMX-Konto dauerhaft deaktiviert? Keine Sorge, nichts von dem ist wahr, nichts wird passieren. Vielmehr haben Sie ein Phishing-Mail erhalten, das Sie ignorieren können und unverzüglich löschen sollten. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-deaktivierung-gmx/ ∗∗∗ Etwas Dringendes für den Chef erledigen? Vorsicht, Phishing! ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische E-Mails, in denen sie sich als Vorgesetzte ausgeben. Sie werden aufgefordert, eine dringende Aufgabe zu erledigen und auf die E-Mail zu antworten. Wir raten zur Vorsicht: Eine Antwort kann großen Schaden anrichten! Ignorieren Sie die Nachricht und informieren Sie die IT-Abteilung. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-unternehmen/ ∗∗∗ Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers ∗∗∗ --------------------------------------------- In mid 2024, Mandiant discovered threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL-based backdoors operating on Juniper Networks’ Junos OS routers. The backdoors had varying .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espion… ===================== = Vulnerabilities = ===================== ∗∗∗ iOS 18.3.2 and iPadOS 18.3.2 ∗∗∗ --------------------------------------------- /en-us/122281 ∗∗∗ macOS Sequoia 15.3.2 ∗∗∗ --------------------------------------------- /en-us/122283 ∗∗∗ visionOS 2.3.2 ∗∗∗ --------------------------------------------- /en-us/122284 ∗∗∗ Safari 18.3.1 ∗∗∗ --------------------------------------------- /en-us/122285 ∗∗∗ 2025-03 Out-of-Cycle Security Bulletin: Junos OS: A local attacker with shell access can execute arbitrary code (CVE-2025-21590) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-B… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2025
by Daily end-of-shift report 11 Mar '25

11 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 10-03-2025 18:00 − Dienstag 11-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MassJacker malware uses 778,000 wallets to steal cryptocurrency ∗∗∗ --------------------------------------------- A newly discovered clipboard hijacking operation dubbed MassJacker uses at least 778,531 cryptocurrency wallet addresses to steal digital assets from compromised computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massjacker-malware-uses-778-… ∗∗∗ Google lässt Kunden im Stich: Abgelaufene SSL-Zertifikate machen Chromecast unbrauchbar ∗∗∗ --------------------------------------------- Seit zwei Tagen warten Besitzer älterer Chromecast-Modelle auf Hilfe durch Google. Wann der Fehler korrigiert wird, ist ungewiss. --------------------------------------------- https://www.golem.de/news/google-laesst-kunden-im-stich-abgelaufene-ssl-zer… ∗∗∗ DCRat backdoor returns ∗∗∗ --------------------------------------------- Kaspersky experts describe a new wave of attacks distributing the DCRat backdoor through YouTube under the guise of game cheats. --------------------------------------------- https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-… ∗∗∗ New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects, in the wild. Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. These enhanced features help this malware .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware… ∗∗∗ What Really Happened With the DDoS Attacks That Took Down X ∗∗∗ --------------------------------------------- Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say thats not how it works. --------------------------------------------- https://www.wired.com/story/x-ddos-attack-march-2025/ ∗∗∗ North Korean IT Workers Linked to 2,400 Astrill VPN IP Addresses ∗∗∗ --------------------------------------------- New data has emerged linking over 2,400 IP addresses associated with Astrill VPN to individuals believed to be North Korean IT worker --------------------------------------------- https://gbhackers.com/north-korean-workers-linked-astrill-vpn-ip-addresses/ ∗∗∗ Spionage: Russland und China mit Interesse an Österreichs IT-Branche ∗∗∗ --------------------------------------------- Die Direktion Staatsschutz und Nachrichtendienst sieht Russland als "relevanten Risikoakteur". Es wird eine hohe Dunkelziffer von Vorfällen vermutet --------------------------------------------- https://www.derstandard.at/story/3000000260788/spionage-russland-und-china-… ∗∗∗ Report URI: Launching Policy Watch and other improvements! ∗∗∗ --------------------------------------------- As we continue to expand and improve our offering, one particular area of focus over recent months has been on PCI DSS Compliance. Whilst compliance might not be the first thing that many get excited about, the recent requirements introduced by the PCI SSC required some pretty solid .. --------------------------------------------- https://scotthelme.ghost.io/report-uri-launching-policy-watch-and-other-imp… ∗∗∗ In-Depth Technical Analysis of the Bybit Hack ∗∗∗ --------------------------------------------- On 21st February 2025, Bybit suffered the largest cryptocurrency theft ever recorded, with more than $1.4 billion assets, including 401,347 ETH, drained from its cold wallet. The attack compromised the transaction approval process by altering what Bybit’s signers saw when approving a cold wallet transaction, causing them to unknowingly authorize an transaction that resulted in a loss of funds. --------------------------------------------- https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-th… ∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗ --------------------------------------------- In 2025, phishing is still the most prevalent kind of cyber attack on the planet. Indeed, 1.2% of the global email traffic is phishing. Thats 3.4 billion emails each day, but only a low number results in a compromise since "only" 3% of employees would click on a malicious link. However, when they do, it can be disastrous for their company. 91% of .. --------------------------------------------- http://blog.quarkslab.com/technical-dive-into-modern-phishing.html ∗∗∗ Reversing Samsungs H-Arx Hypervisor Framework - Part 1 ∗∗∗ --------------------------------------------- In many ways, mobile devices lead the security industry when it comes to defense-in-depth and mitigation. Over the years, it has been proven time and again that the kernel cannot be trusted to be secure. As such, there has been effort put into moving secrets (ie. encryption keys) and other sensitive data out of the kernel and gate it behind an API at higher levels in the chain of trust, whether it be the hypervisor or secure enclaves. In any case, the kernel must have a lot of control .. --------------------------------------------- https://dayzerosec.com/blog/2025/03/08/reversing-samsungs-h-arx-hypervisor-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cross Site Request Forgery in admin endpoint ∗∗∗ --------------------------------------------- A cross site request forgery vulnerability [CWE-352] in FortiNDR may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-353 ∗∗∗ Exposure of Sensitive Information to an Unauthorized Actor ∗∗∗ --------------------------------------------- An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiSIEM may allow a remote unauthenticated attacker who acquired knowledge of the agents authorization header by other means to read the database password via crafted api requests --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-117 ∗∗∗ OS command injection in CLI command ∗∗∗ --------------------------------------------- Multiple improper neutralization of special elements used in an OS command (OS Command Injection) vulnerabilities [CWE-78] in FortiManager CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-124 ∗∗∗ Use of hardcoded key used for remote backup server password encryption ∗∗∗ --------------------------------------------- A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-327 ∗∗∗ XSS flaw in Fortiview/SecurityLogs pages ∗∗∗ --------------------------------------------- An improper neutralization of input during web page generation (Cross-site Scripting) vulnerability [CWE-79] in FortiADC GUI may allow an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPs requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-216 ∗∗∗ [20250301] - Core - Malicious file uploads via Media Manager ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/961-20250301-core-maliciou… ∗∗∗ March Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/march-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2025
by Daily end-of-shift report 10 Mar '25

10 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-03-2025 18:00 − Montag 10-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ FTC will send $25.5 million to victims of tech support scams ∗∗∗ --------------------------------------------- Later this week, the Federal Trade Commission (FTC) will start distributing over $25.5 million in refunds to those misled by tech support companies Restoro and Reimages scare tactics. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ftc-will-send-255-million-to… ∗∗∗ Datenschutz: Polizist ruft Daten von Frauen ab und muss Strafe zahlen ∗∗∗ --------------------------------------------- Der Polizist hat eine persönliche Attraktivitätsskala geführt und ab bestimmten Werten persönliche Daten von Frauen abgefragt. --------------------------------------------- https://www.golem.de/news/datenschutz-polizist-ruft-daten-von-frauen-ab-und… ∗∗∗ SideWinder targets the maritime and nuclear sectors with an updated toolset ∗∗∗ --------------------------------------------- In this article, we discuss the tools and TTPs used in the SideWinder APTs attacks in H2 2024, as well as shifts in its targets, such as an increase in attacks against the maritime and logistics sectors. --------------------------------------------- https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nucle… ∗∗∗ The Russia-Ukraine Cyber War Part 4: Development in Group Attributions for Russian State Actors ∗∗∗ --------------------------------------------- This is the final installment of Trustwave SpiderLabs Russia-Ukraine digital battlefield series, which has spanned topics including the differences between Russia and Ukraine cyber actors, how government entities, defense organizations, and human targets were caught in the cyber crossfire, and how both countries targeted the telecommunications, critical .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/russian-sta… ∗∗∗ Rhysida pwns two US healthcare orgs, extracts over 300K patients data ∗∗∗ --------------------------------------------- Terabytes of sensitive info remain available for download Break-ins to systems hosting the data of two US healthcare organizations led to thieves making off with the personal and medical data of more than 300,000 patients. --------------------------------------------- https://www.theregister.com/2025/03/10/rhysida_healthcare/ ∗∗∗ Strings Attached: Talking about Russias agenda for laws in cyberspace ∗∗∗ --------------------------------------------- Russias longstanding proposals for "information security" agreements may sound cooperative, but they conceal a Trojan horse - a push to legitimize censorship, silence dissent, and bind others to rules it won’t follow. --------------------------------------------- https://bytesandborscht.com/strings-attached-talking-about-russias-agenda-f… ∗∗∗ Größter Diebstahl der Geschichte: Bybit nutzte Freeware und wurde dadurch Opfer ∗∗∗ --------------------------------------------- Eine unsichere Freeware ermöglichte den Angreifern den Milliarden-Diebstahl bei Bybit. Die Probleme waren schon lang bekannt. --------------------------------------------- https://www.heise.de/news/Groesster-Diebstahl-der-Geschichte-Bybit-nutzte-F… ∗∗∗ Feds Link $150M Cyberheist to 2022 LastPass Hacks ∗∗∗ --------------------------------------------- In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion. --------------------------------------------- https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastp… ∗∗∗ Vulnerability Reward Program: 2024 in Review ∗∗∗ --------------------------------------------- In 2024, our Vulnerability Reward Program confirmed the ongoing value of engaging with the security research community to make Google and its products safer. This was evident as we awarded just shy of $12 million to over 600 researchers based in countries around the globe across all of our programs.Vulnerability Reward .. --------------------------------------------- http://security.googleblog.com/2025/03/vulnerability-reward-program-2024-in… ∗∗∗ WordPress Security Research Series: WordPress Security Architecture ∗∗∗ --------------------------------------------- Learn how WordPress security works from the inside out. A guide for vulnerability researchers on identifying flaws in WordPress core, plugins, and themes. --------------------------------------------- https://www.wordfence.com/blog/2025/03/wordpress-security-research-series-w… ∗∗∗ Scam spoofs Binance website and uses TRUMP coin as lure for malware ∗∗∗ --------------------------------------------- Researchers at phishing defense company Cofense say hackers are spreading a malicious remote access tool through a fake Binance page that offers access to the TRUMP coin. --------------------------------------------- https://therecord.media/email-scam-spoofs-binance-offers-trump-coin-connect… ∗∗∗ Navigating AI 🤝 Fighting Skynet ∗∗∗ --------------------------------------------- Using AI can be a great tool for adversarial engineering. This was just a bit of fun to see if it was possible todo and to learn more about automation but also proving you cannot trust git commit history nor can you trust dates of commits! --------------------------------------------- https://blog.zsec.uk/navigating-ai-fighting-skynet/ ∗∗∗ No, there isn’t a world ending Apache Camel vulnerability ∗∗∗ --------------------------------------------- Posts have been circulating publicly on the internet for several days about a “critical”, end of the world “zero day” in Apache Camel, CVE-2025–27636. Many of the posts explained in specific detail about how to exploit the vulnerability .. --------------------------------------------- https://doublepulsar.com/no-there-isnt-a-world-ending-apache-camel-vulnerab… ∗∗∗ GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign ∗∗∗ --------------------------------------------- ‍GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025. --------------------------------------------- https://www.greynoise.io/blog/mass-exploitation-critical-php-cgi-vulnerabil… ∗∗∗ How to distrust a CA without any certificate errors ∗∗∗ --------------------------------------------- A “distrust” is when a certification authority (CA) that issues HTTPS certificates to websites is removed from a root store because it is no longer trusted to issue certificates. This means certificates issued by that CA will be treated as invalid, likely causing certificate error interstitials in any browser that distrusted the .. --------------------------------------------- https://dadrian.io/blog/posts/sct-not-after/ ∗∗∗ Exploiting Neverwinter Nights ∗∗∗ --------------------------------------------- Back in 2024, we looked for vulnerabilities in Neverwinter Nights : Enhanced Edition as a side research project. We found and reported multiple vulnerabilities to the publisher Beamdog. In this article we will detail how we can chain two vulnerabilities to obtain a remote code execution in multiplayer mode. --------------------------------------------- https://www.synacktiv.com/en/publications/exploiting-neverwinter-nights.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2025
by Daily end-of-shift report 07 Mar '25

07 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-03-2025 18:00 − Freitag 07-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cybercrime crew stole $635,000 in Taylor Swift concert tickets ∗∗∗ --------------------------------------------- New York prosecutors say that two people working at a third-party contractor for the StubHub online ticket marketplace made $635,000 after almost 1,000 concert tickets and reselling them online. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercrime-crew-stole-635-00… ∗∗∗ Microsoft says malvertising campaign impacted 1 million PCs ∗∗∗ --------------------------------------------- Microsoft has taken down an undisclosed number of GitHub repositories used in a massive malvertising campaign that impacted almost one million devices worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-says-malvertising-… ∗∗∗ Cyberangriff analysiert: Hacker verschlüsseln Unternehmensdaten über eine Webcam ∗∗∗ --------------------------------------------- Ein EDR-Tool hat Verschlüsselungsversuche der Ransomwaregruppe Akira erfolgreich vereitelt. Doch dann fanden die Angreifer ein Schlupfloch. --------------------------------------------- https://www.golem.de/news/cyberangriff-analysiert-hacker-verschluesseln-unt… ∗∗∗ A Deep Dive into Strela Stealer and how it Targets European Countries ∗∗∗ --------------------------------------------- Infostealers have dominated the malware landscape due to the ease of threat operations maintenance, and a wide group of potential victims. In this blog, we take a closer look at a unique infostealer designed to precisely target a narrow data set on systems located in chosen geographic locations. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-deep-dive… ∗∗∗ Russian State Actors: Development in Group Attributions ∗∗∗ --------------------------------------------- This is the final installment of Trustwave SpiderLabs Russia-Ukraine digital battlefield series, which has spanned topics including the differences between Russia and Ukraine cyber actors, how government entities, defense organizations, and human targets were caught in the cyber crossfire, and how both countries targeted the telecommunications, critical .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/russian-sta… ∗∗∗ A Brand New Botnet Is Delivering Record-Size DDoS Attacks ∗∗∗ --------------------------------------------- Eleven11bot infects webcams and video recorders, with a large concentration in the US. --------------------------------------------- https://www.wired.com/story/eleven11bot-botnet-record-size-ddos-attacks/ ∗∗∗ Akira-Ransomware schlüpft über Webcam an IT-Schutzlösung vorbei ∗∗∗ --------------------------------------------- Eigentlich ist das Firmennetz über eine Schutzsoftware geschützt, die auch anschlägt. Trotzdem konnte ein Trojaner über einen Umweg PCs infizieren. --------------------------------------------- https://www.heise.de/news/Akira-Ransomware-schluepft-ueber-Webcam-an-IT-Sch… ∗∗∗ Who is the DOGE and X Technician Branden Spikes? ∗∗∗ --------------------------------------------- At 49, Branden Spikes isnt just one of the oldest technologists who has been involved in Elon Musks Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musks most loyal employees. Heres a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elons cousin. --------------------------------------------- https://krebsonsecurity.com/2025/03/who-is-the-doge-and-x-technician-brande… ∗∗∗ Multiple Vulnerabilities Discovered in a SCADA System ∗∗∗ --------------------------------------------- We identified multiple vulnerabilities in ICONICS Suite, SCADA software used in numerous OT applications. This article offers a technical analysis of our findings. --------------------------------------------- https://unit42.paloaltonetworks.com/vulnerabilities-in-iconics-software-sui… ∗∗∗ Russian crypto exchange Garantex’s website taken down in apparent law enforcement operation ∗∗∗ --------------------------------------------- Russian cryptocurrency exchange Garantex was taken down in an apparent seizure by U.S. and European law enforcement Thursday, shortly after the company said $28 million had been frozen by another cryptocurrency firm. --------------------------------------------- https://therecord.media/garantex-crypto-exchange-taken-down-law-enforcement… ∗∗∗ CISA, FBI warn of BianLian mail scam targeting executives with $500k ransom note ∗∗∗ --------------------------------------------- In an alert on Thursday, the FBI said scammers are mailing letters to corporate executives claiming that they stole sensitive data and will publish it unless a demand is paid in Bitcoin. --------------------------------------------- https://therecord.media/cisa-fbi-warn-bianlian-mail-scam-extortion ∗∗∗ Canadian intelligence agency warns of threat AI poses to upcoming elections ∗∗∗ --------------------------------------------- Influence and espionage campaigns, boosted by AI, are likely to be aimed at Canadas upcoming elections, says a new report from the CSE, the countrys signals and cyber intelligence agency. --------------------------------------------- https://therecord.media/canada-cyber-agency-elections-warning-ai- ∗∗∗ NixSpam RBL ab 7.3.2025 abgeschaltet – gibt Ärger – aber nun gelöst ∗∗∗ --------------------------------------------- Kurze Information für Blog-Leser die bei der Mail-Filterung auf "NixSpam RBL" gesetzt haben. Der vom heise-Verlag betriebene Dienst ist seit dem heutigen 7. März 2025 abgeschaltet, was einigen Leuten Probleme bereiten .. --------------------------------------------- https://www.borncity.com/blog/2025/03/07/nixspam-rbl-ab-7-3-2025-abgeschalt… ∗∗∗ New edu platform and Sanitization and Validation and Escaping, Oh My! article ∗∗∗ --------------------------------------------- With the beta launch of my companys educational platform (hackArcana), I finally have a place to write more about the fundamentals of security and post more educational content. The first piece Ive written for our new platform touches on the confusion around the terms "validation," "sanitization," "encoding," "escaping," .. --------------------------------------------- https://gynvael.coldwind.pl/?id=800 ∗∗∗ Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, .. --------------------------------------------- https://hackread.com/microsoft-dismantle-malvertising-github-discord-dropbo… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2025
by Daily end-of-shift report 06 Mar '25

06 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-03-2025 18:00 − Donnerstag 06-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Massive botnet that appeared overnight is delivering record-size DDoSes ∗∗∗ --------------------------------------------- Eleven11bot infects video recorders, with the largest concentration of them in the US. --------------------------------------------- https://arstechnica.com/security/2025/03/massive-botnet-that-appeared-overn… ∗∗∗ Malicious Chrome extensions can spoof password managers in new attack ∗∗∗ --------------------------------------------- A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-… ∗∗∗ Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity ∗∗∗ --------------------------------------------- Kaspersky experts have discovered campaigns distributing stealers, malicious PowerShell scripts, and backdoors through web pages mimicking the DeepSeek and Grok websites. --------------------------------------------- https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115… ∗∗∗ PayPal-Passwort wurde geändert? Achtung: Phishing-Alarm! ∗∗∗ --------------------------------------------- Aktuell machen Phishing-Mails die Runde, welche angeblich von PayPal stammen. In ihnen wird behauptet, das Passwort des Opfers sei geändert worden. Um diese Änderung rückgängig zu machen, müsse man lediglich auf einen Link klicken und ein paar persönliche Daten angeben. Hinter dieser Aufforderung verstecken sich allerdings Kriminelle, die es auf persönliche Informationen und Bankdaten abgesehen haben. --------------------------------------------- https://www.watchlist-internet.at/news/paypal-passwort-phishing/ ∗∗∗ Decrypting the Forest From the Trees ∗∗∗ --------------------------------------------- SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API. --------------------------------------------- https://posts.specterops.io/decrypting-the-forest-from-the-trees-661694ed16… ∗∗∗ Medusa Ransomware Activity Continues to Increase ∗∗∗ --------------------------------------------- Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. --------------------------------------------- https://www.security.com/threat-intelligence/medusa-ransomware-attacks ∗∗∗ Unveiling EncryptHub: Analysis of a multi-stage malware campaign ∗∗∗ --------------------------------------------- EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24’s KrakenLabs). While other reports have begun to shed light on this actor’s operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns. --------------------------------------------- https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (firefox and vim), Red Hat (firefox), Slackware (mozilla), SUSE (firefox, firefox-esr, kernel, and podman), and Ubuntu (gpac, kernel, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-hwe-5.15, and redis). --------------------------------------------- https://lwn.net/Articles/1013209/ ∗∗∗ Sicherheitsupdate: Kritische Schadcode-Lücke bedroht Kibana ∗∗∗ --------------------------------------------- Wie die Entwickler in einer Warenmeldung ausführen, sind die Versionen >= 8.15.0 und < 8.17.1 nur attackierbar, wenn Angreifer über Viewer-Role-Rechte verfügen. [..] Die Lücke schrammt mit dem CVSS Score 3.1 9.9 von 10 knapp an der Höchstwertung vorbei. (CVE-2025-25012) --------------------------------------------- https://heise.de/-10306066 ∗∗∗ ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5926.php -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2025
by Daily end-of-shift report 05 Mar '25

05 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-03-2025 18:00 − Mittwoch 05-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Text-basiertes QR Code Phishing im Umlauf ∗∗∗ --------------------------------------------- Über den neuen Ansatz hatten wir 2024 in unseren Newslettern berichtet, nun erhalten wir auch direkt Meldungen über "bildlose" QR-Code Phishs. Kurz umrissen: der QR-Code wird nicht wie oft üblich als Bilddatei übermittelt, sondern aus einzelnen ASCII-/Unicode Block-Zeichen zusammengesetzt. Dadurch kann der im QR-Code enthaltene Inhalt Sicherheitslösungen verborgen bleiben, für optische QR-Code Scanner jedoch funktional bleiben. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/3/text-basiertes-qr-code-phishing-im-… ∗∗∗ Use one Virtual Machine to own them all — active exploitation of ESXicape ∗∗∗ --------------------------------------------- Yesterday, VMware quietly released patches for three ESXi zero day vulnerabilities: CVE-2025–22224, CVE-2025–22225, CVE-2025–22226. Although the advisory doesn’t explicitly say it, this is a hypervisor escape (aka a VM Escape). A threat actor with access to run code on a virtual machine can chain the three vulnerabilities to elevate access to the ESX hypervisor. --------------------------------------------- https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exp… ∗∗∗ BadBox malware disrupted on 500K infected Android devices ∗∗∗ --------------------------------------------- The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. [..] The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones. These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/badbox-malware-disrupted-on-… ∗∗∗ Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool ∗∗∗ --------------------------------------------- Attackers blackmail YouTubers with complaints and account blocking threats, forcing them to distribute a miner disguised as a bypass tool. --------------------------------------------- https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtu… ∗∗∗ The Russia-Ukraine Cyber War Part 3: Attacks on Telecom and Critical Infrastructure ∗∗∗ --------------------------------------------- This post is the third part of our blog series that tackles the Russia-Ukraine war in the digital realm. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-russia-… ∗∗∗ BAMF: Skurrile Testkonten ermöglichten unautorisierten Datenzugriff ∗∗∗ --------------------------------------------- Anhand von Screenshots der Web-Applikation sei ersichtlich gewesen, dass im Test- und Integrationssystem offenbar ein Account mit der Nutzerkennung "max.mustermann(a)testtraeger.de" existierte. Die Domain sei noch frei gewesen. --------------------------------------------- https://www.heise.de/news/BAMF-Skurrile-Testkonten-ermoeglichten-unautorisi… ∗∗∗ Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems ∗∗∗ --------------------------------------------- Adversaries widely abuse TDS infrastructure to build dynamic and resilient network infrastructure for malicious web services. These redirection networks enhance resilience against takedowns and enable scaling and cloaking of malicious content. --------------------------------------------- https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribu… ∗∗∗ CVE-2024-43639: Remote Code Execution in Microsoft Windows KDC Proxy ∗∗∗ --------------------------------------------- The following is a portion of their write-up covering CVE-2024-43639, with a few minimal modifications. [..] This vulnerability was patched by the vendor in November. To date, no attacks have been detected in the wild. --------------------------------------------- https://www.thezdi.com/blog/2025/3/3/cve-2024-43639 ∗∗∗ Scammers Mailing Ransom Letters While Posing as BianLian Ransomware ∗∗∗ --------------------------------------------- Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. --------------------------------------------- https://hackread.com/scammers-mailing-ransom-letters-bianlian-ransomware/ ∗∗∗ LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan ∗∗∗ --------------------------------------------- Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. [..] The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact individuals outside of their immediate network. The email effectively leverages LinkedIn’s branding, convincingly creating legitimacy. --------------------------------------------- https://hackread.com/scammers-fake-linkedin-inmail-deliver-connectwise-troj… ∗∗∗ GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities ∗∗∗ --------------------------------------------- On March 3, 2025, the Cybersecurity and Infrastructure Security Agency added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming their exploitation in the wild. [..] CVE-2022-43939 (Authorization Bypass) & CVE-2022-43769 (Special Element Injection) Hitachi Vantara Pentaho BA Server [..] CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability. --------------------------------------------- https://www.greynoise.io/blog/greynoise-observes-exploitation-three-newly-a… ∗∗∗ GoStringUngarbler: Deobfuscating Strings in Garbled Binaries ∗∗∗ --------------------------------------------- In this blog post, we'll detail garble’s string transformations and the process of automatically deobfuscating them. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-… ∗∗∗ Trigon: developing a deterministic kernel exploit for iOS ∗∗∗ --------------------------------------------- CVE-2023-32434 was an integer overflow in the VM subsystem of the XNU kernel. It was patched in iOS 16.5.1 after being found in-the-wild as part of the Operation Triangulation spyware chain, discovered after it was used to infect a group of security researchers at Kaspersky. These researchers then captured and reverse-engineered the entire chain, leading to the patching of a WebKit bug, a kernel bug, a userspace PAC bypass and a PPL (and, technically, a KTRR) bypass. [..] This writeup simply shows the steps involved in the final, working exploit. It does not, however, convey just how many failed ideas and attempts there were during the process. --------------------------------------------- https://alfiecg.uk/2025/03/01/Trigon.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice), Fedora (exim and fscrypt), Red Hat (kernel), Slackware (mozilla), SUSE (docker, firefox, and podman), and Ubuntu (linux, linux-lowlatency, linux-lowlatency-hwe-5.15, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-oem-6.11, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-aws, linux-gcp, linux-hwe-6.11, linux-oracle, linux-raspi, linux-realtime, linux-aws, linux-gkeop, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, and linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop). --------------------------------------------- https://lwn.net/Articles/1013063/ ∗∗∗ Cisco Secure Client for Windows with Secure Firewall Posture Engine DLL Hijacking Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security Vulnerabilities fixed in Thunderbird ESR 128.8 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 136 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-17/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2025
by Daily end-of-shift report 04 Mar '25

04 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 03-03-2025 18:00 − Dienstag 04-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Polish Space Agency offline as it recovers from cyberattack ∗∗∗ --------------------------------------------- The Polish Space Agency (POLSA) has been offline since it disconnected its systems from the Internet over the weekend to contain a breach of its IT infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/polish-space-agency-offline-… ∗∗∗ Booking a Threat: Inside LummaStealers Fake reCAPTCHA ∗∗∗ --------------------------------------------- Cybercriminals are taking advantage of the increased demand in travel by setting up fake booking sites, phishing scams and fraudulent listings to trick unsuspecting travelers. --------------------------------------------- https://www.gdatasoftware.com/blog/2025/03/38154-lummastealer-fake-recaptcha ∗∗∗ KI-Trainingsdaten: Tausende gültiger API-Keys in gecrawlten Webdaten entdeckt ∗∗∗ --------------------------------------------- Bei der Analyse eines frei verfügbaren Archivs mit rund 400 TBytes an Websitedaten haben Forscher fast 12.000 gültige API-Keys und Passwörter gefunden. --------------------------------------------- https://www.golem.de/news/ki-trainingsdaten-tausende-gueltiger-api-keys-in-… ∗∗∗ Kritische Lücke in VMware ESXi, Fusion und Workstation wird missbraucht ∗∗∗ --------------------------------------------- Broadcom warnt vor teils kritischen Sicherheitslecks in VMware ESXi, Fusion und Workstation. Angreifer missbrauchen sie bereits. --------------------------------------------- https://www.heise.de/news/Kritische-Luecke-in-VMware-ESXi-Fusion-und-Workst… ∗∗∗ DNSSEC NSEC. The accidental treasure map to your subdomains ∗∗∗ --------------------------------------------- TL;DR: DNSSEC secures DNS but may unintentionally expose domain structures via NSEC/NSEC3 records, enabling zone walking to enumerate subdomains. NSEC openly lists domain names, making enumeration easy. NSEC3 hashes .. --------------------------------------------- https://www.pentestpartners.com/security-blog/dnssec-nsec-the-accidental-tr… ∗∗∗ MeinELBA-Zugang läuft bald ab? Vorsicht, Phishing-Versuch! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell wieder vermehrt SMS-Nachrichten, in denen vor einem Ablaufen des MeinELBA-Zugangs gewarnt wird. Wer verlängern möchte, müsse einen Link anklicken und auf einer vermeintlichen Login-Seite seine Onlinebanking-Daten eingeben. Diese Seite ist natürlich eine Fälschung. Allerdings eine sehr gut gemachte! Wie Sie sie erkennen und was Sie tun können, wenn Sie dort vertrauliche Informationen eingegeben haben, verrät dieser Artikel. --------------------------------------------- https://www.watchlist-internet.at/news/meinelba-zugang-phishing/ ∗∗∗ A Revision of the EU Cybersecurity Blueprint ∗∗∗ --------------------------------------------- The original EU cybersecurity blueprint from 2017 (officially: “Commission Recommendation of 13.9.2017 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises”) is now close to seven years old and an update is overdue. The Commission recently published a draft for an updated version, and I’d like to take this opportunity to .. --------------------------------------------- https://www.cert.at/en/blog/2025/3/a-revision-of-the-eu-cybersecurity-bluep… ∗∗∗ Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? ∗∗∗ --------------------------------------------- Two blockbuster stories published on Friday that appear to confirm what many Americans suspected would occur under the Trump administration – that the new regime is going to be softer on Russia than previous administrations, particularly with regard to the threat that Russia poses in cyber space. Since publication, however, .. --------------------------------------------- https://www.zetter-zeroday.com/did-trump-admin-order-u-s-cyber-command-and-… ∗∗∗ The Dangers of Exposed Secrets – and How to Prevent Them ∗∗∗ --------------------------------------------- Modern enterprise software relies on authentication tokens, API keys, encryption keys, certificates, and other sensitive credentials to enable secure communication between applications, microservices, APIs, and DevOps pipelines. However, these secrets often end up hardcoded in source code during the development process, whether unintentionally or as a shortcut for quick .. --------------------------------------------- https://checkmarx.com/blog/exposed-secrets-and-how-to-prevent-them/ ∗∗∗ Do not run any Cargo commands on untrusted projects ∗∗∗ --------------------------------------------- TL;DR: Treat anything starting with cargo as if it is cargo run. --------------------------------------------- https://shnatsel.medium.com/do-not-run-any-cargo-commands-on-untrusted-proj… ∗∗∗ Hacking the Xbox 360 Hypervisor Part 2: The Bad Update Exploit ∗∗∗ --------------------------------------------- Welcome to part 2 of the Hacking the Xbox 360 Hypervisor blog series. In this part I’ll cover how I found and exploited bugs in the Xbox 360 hypervisor to get full code execution and create the “Bad Update” exploit. If you haven’t already, I highly recommend you read (or at least skim through) part 1 as this post will reference a lot of the material discussed there. --------------------------------------------- https://icode4.coffee/?p=1081 ===================== = Vulnerabilities = ===================== ∗∗∗ Docusnap Inventory Files Encrypted with Static Key ∗∗∗ --------------------------------------------- Inventory files created by Docusnap, containing information like installed programs, firewall rules and local administrators, are encrypted with a static key. The decryption key can be obtained easily from the .NET application, downloadable from the vendor’s website. When following Docusnap’s installation instructions for Windows Domains, every domain user has read access to these files. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-012/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.8 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.21 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-15/ ∗∗∗ Security Vulnerabilities fixed in Firefox 136 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-14/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0