=====================
= End-of-Day report =
=====================
Timeframe: Thursday 02-10-2025 18:00 - Friday 03-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Oracle links Clop extortion attacks to July 2025 vulnerabilities ∗∗∗
---------------------------------------------
Oracle has linked an ongoing extortion campaign claimed by the Clop ransomware gang to E-Business Suite (EBS) vulnerabilities that were patched in July 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/oracle-links-clop-extortion-…
∗∗∗ CommetJacking attack tricks Comet browser into stealing emails ∗∗∗
---------------------------------------------
A new attack called CometJacking exploits URL parameters to pass hidden instructions to Perplexity's Comet AI browser that allow access to sensitive data from connected services, like email and calendar.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/commetjacking-attack-tricks-…
∗∗∗ Security vulnerability in dental practice management system ∗∗∗
---------------------------------------------
A practice management system used by some dental practices had serious vulnerabilities that would have allowed patient data to be read and modified.
---------------------------------------------
https://www.golem.de/news/security-sicherheitsluecke-in-zahnarztpraxen-syst…
∗∗∗ Coordinated Grafana Exploitation Attempts on 28 September ∗∗∗
---------------------------------------------
GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified as malicious.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-grafana-exploitation-attempts
∗∗∗ It's Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604) ∗∗∗
---------------------------------------------
Welcome back, and what a week! We’re glad that happened for you and/or sorry that happened to you. It will get better and/or worse, and you will likely survive. Today, we’re walking down the garden path and digging into the archives, publishing our analysis of a vulnerability we discovered and disclosed to Dell in March 2025 within their UnityVSA solution.
---------------------------------------------
https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ DrayTek warns of remote code execution bug in Vigor routers ∗∗∗
---------------------------------------------
Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute arbitrary code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (idm:DL1), Debian (gegl and haproxy), Fedora (ffmpeg, firefox, freeipa, python-pip, rust-astral-tokio-tar, sqlite, uv, webkitgtk, and xen), Oracle (idm:DL1, ipa, kernel, perl-JSON-XS, and python3), Red Hat (git), SUSE (curl, frr, jupyter-jupyterlab, and libsuricata8_0_1), and Ubuntu (linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-6.8, linux-fips, linux-gcp-fips, linux-intel-iot-realtime, and linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1040729/
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on October 2, 2025: ICSA-25-275-01 Raise3D Pro2 Series 3D Printers and ICSA-25-275-02 Hitachi Energy MSM Product.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-releases-two-indust…
∗∗∗ Critical Splunk Vulnerabilities Expose Platforms to Remote JavaScript Injection and More ∗∗∗
---------------------------------------------
Splunk has disclosed six critical security vulnerabilities impacting multiple versions of both Splunk Enterprise and Splunk Cloud Platform. These Splunk vulnerabilities, collectively highlighting serious weaknesses in Splunk’s web components, could allow attackers to execute unauthorized JavaScript code remotely, access sensitive information, and perform server-side request forgery (SSRF) attacks.
---------------------------------------------
https://thecyberexpress.com/critical-splunk-vulnerabilities/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 01-10-2025 18:00 - Thursday 02-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ That annoying SMS phish you just got may have come from a box like this ∗∗∗
---------------------------------------------
Smishers looking for new infrastructure are getting creative.
---------------------------------------------
https://arstechnica.com/security/2025/10/that-annoying-sms-phish-you-just-g…
∗∗∗ Adobe Analytics bug leaked customer tracking data to other tenants ∗∗∗
---------------------------------------------
Adobe is warning its Analytics customers that an ingestion bug caused data from some organizations to appear in the analytics instances of others for approximately one day.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-analytics-bug-leaked-c…
∗∗∗ Clop extortion emails claim theft of Oracle E-Business Suite data ∗∗∗
---------------------------------------------
Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/clop-extortion-emails-claim-…
∗∗∗ Android spyware campaigns impersonate Signal and ToTok messengers ∗∗∗
---------------------------------------------
Two new spyware campaigns that researchers call ProSpy and ToSpy lured Android users with fake upgrades or plugins for the Signal and ToTok messaging apps to steal sensitive data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-spyware-campaigns-im…
∗∗∗ Shutdown Threatens US Intel Sharing, Cyber Defense ∗∗∗
---------------------------------------------
Lapse of critical information sharing and mass furloughs at CISA are just some of the concerns.
---------------------------------------------
https://www.darkreading.com/cyber-risk/shutdown-us-intel-sharing-cyber-defe…
∗∗∗ Data leak: Schufa subsidiary Bonify confirms security incident ∗∗∗
---------------------------------------------
Unknown actors have captured identification data of Bonify users, including ID document data and photos.
---------------------------------------------
https://www.golem.de/news/datenleck-schufa-tochter-bonify-bestaetigt-sicher…
∗∗∗ 570 GB of GitHub data: Red Hat reports security incident ∗∗∗
---------------------------------------------
The extortion group Crimson Collective allegedly possesses confidential Red Hat customer data and is demanding a ransom.
---------------------------------------------
https://www.golem.de/news/570-gbyte-github-daten-red-hat-meldet-sicherheits…
∗∗∗ New WireTap Attack Extracts Intel SGX ECDSA Key via DDR4 Memory-Bus Interposer ∗∗∗
---------------------------------------------
In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel's Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data.
---------------------------------------------
https://thehackernews.com/2025/10/new-wiretap-attack-extracts-intel-sgx.html
∗∗∗ Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing a stealthy backdoor-like functionality to drop additional payloads on Windows systems. The deceptive package, named soopsocks, attracted a total of 2,653 downloads before it was taken down.
---------------------------------------------
https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.ht…
∗∗∗ EU funds are flowing into spyware companies, and politicians are demanding answers ∗∗∗
---------------------------------------------
Experts say Commission is ‘fanning the flames’ of the continent’s own Watergate. An arsenal of angry European Parliament members (MEPs) is demanding answers from senior commissioners about why EU subsidies are ending up in the pockets of spyware companies.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/10/02/eu_spyware_f…
∗∗∗ ENISA Threat Landscape 2025 ∗∗∗
---------------------------------------------
Through a more threat-centric approach and further contextual analysis, this latest edition of the ENISA Threat Landscape analyses 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025.
---------------------------------------------
https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
∗∗∗ Meet SpamGPT and MatrixPDF, AI Toolkits Driving Malware Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers at Varonis have discovered two new plug-and-play cybercrime toolkits, MatrixPDF and SpamGPT. Learn how these AI-powered tools make mass phishing and PDF malware accessible to anyone, redefining online security risks.
---------------------------------------------
https://hackread.com/spamgpt-matrixpdf-ai-toolkits-malware-attacks/
∗∗∗ Malicious ZIP Files Use Windows Shortcuts to Drop Malware ∗∗∗
---------------------------------------------
Cybersecurity firm Blackpoint Cyber reveals a new spear phishing campaign targeting executives. Learn how attackers use fraudulent document ZIPs containing malicious shortcut files, leveraging living off the land tactics, and a unique Anti-Virus check to deliver a custom payload.
---------------------------------------------
https://hackread.com/malicious-zip-files-windows-shortcuts-malware/
∗∗∗ $20 YoLink IoT Gateway Vulnerabilities Put Home Security at Risk ∗∗∗
---------------------------------------------
Four critical zero-day flaws found in the $20 YoLink Smart Hub allow remote physical access, threatening your home security. See the urgent steps you must take now.
---------------------------------------------
https://hackread.com/20-yolink-iot-gateway-vulnerabilities-home-security/
∗∗∗ Confucius Espionage: From Stealer to Backdoor ∗∗∗
---------------------------------------------
The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region.
---------------------------------------------
https://feeds.fortinet.com/~/925674278/0/fortinet/blogs~Confucius-Espionage…
=====================
= Vulnerabilities =
=====================
∗∗∗ Chrome 141: Google closes serious security vulnerabilities ∗∗∗
---------------------------------------------
Google has updated its Chrome browser to version 141. According to the release notes, the update includes patches for 21 security vulnerabilities. At least two of them are rated as high risk. Under certain circumstances they allow remote injection and execution of malicious code within the browser's sandbox.
---------------------------------------------
https://www.golem.de/news/chrome-141-google-schliesst-schwerwiegende-sicher…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (perl-JSON-XS), Debian (chromium and openssl), Fedora (bird, dnsdist, firefox, mapserver, ntpd-rs, python-nh3, rust-ammonia, skopeo, sqlite, thunderbird, and xen), Oracle (perl-JSON-XS), Red Hat (kernel, kernel-rt, and libvpx), SUSE (afterburn, cairo, docker-stable, firefox, nginx, python-Django, snpguest, and warewulf4), and Ubuntu (libmspack, libxslt, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-hwe-6.14, linux-realtime, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux, linux-kvm, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-hwe-6.8, linux-kvm, linux-oracle-5.15, linux-oracle-6.14, linux-raspi, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, linux-realtime-6.14, and python-django).
---------------------------------------------
https://lwn.net/Articles/1040591/
∗∗∗ Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0 ∗∗∗
---------------------------------------------
Tenable has released Security Center Patch SC-202509.2.1 to address these issues.
---------------------------------------------
https://www.tenable.com/security/tns-2025-20
∗∗∗ Security patches: OpenSSL vulnerable to malicious code attacks ∗∗∗
---------------------------------------------
The developers have closed three security vulnerabilities in current OpenSSL versions. So far there are no reports of attacks.
---------------------------------------------
https://www.heise.de/news/OpenSSL-Angreifer-koennen-auf-ARM-Systemen-privat…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-09-2025 18:00 - Wednesday 01-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ China Imposes One-Hour Reporting Rule for Major Cyber Incidents ∗∗∗
---------------------------------------------
The sweeping new regulations show that China's serious about hardening its own networks after launching widespread attacks on global networks.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/china-one-hour-reporti…
∗∗∗ MatrixPDF: New hacker tool turns PDF files into phishing lures ∗∗∗
---------------------------------------------
Malicious PDF files can be crafted with it so that they bypass Gmail's phishing filter.
---------------------------------------------
https://www.golem.de/news/matrixpdf-neues-hacker-tool-macht-pdf-dateien-zu-…
∗∗∗ New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones ∗∗∗
---------------------------------------------
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy. Italian fraud prevention firm Cleafy, which discovered the sophisticated malware ..
---------------------------------------------
https://thehackernews.com/2025/10/new-android-banking-trojan-klopatra.html
∗∗∗ Hackers Exploit Milesight Routers to Send Phishing SMS to European Users ∗∗∗
---------------------------------------------
Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022. French cybersecurity company SEKOIA said the attackers are exploiting ..
---------------------------------------------
https://thehackernews.com/2025/10/hackers-exploit-milesight-routers-to.html
∗∗∗ Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure to Full Takeover ∗∗∗
---------------------------------------------
A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions. OpenShift AI is a platform for managing the lifecycle ..
---------------------------------------------
https://thehackernews.com/2025/10/critical-red-hat-openshift-ai-flaw.html
∗∗∗ OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps ∗∗∗
---------------------------------------------
A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain ..
---------------------------------------------
https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.h…
∗∗∗ New phishing waves in the name of the WKO ∗∗∗
---------------------------------------------
Criminals are currently trying to cause harm through two scams in the name of the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich). They concern the updating of company data and of payment information for the membership fee. Particularly dangerous: For ..
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-wellen-wko/
∗∗∗ TOTOLINK X6000R: Three New Vulnerabilities Uncovered ∗∗∗
---------------------------------------------
Researchers identified vulnerabilities in TOTOLINK X6000R routers: CVE-2025-52905, CVE-2025-52906 and CVE-2025-52907. We discuss root cause and impact.
---------------------------------------------
https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/
∗∗∗ North Korea IT worker scheme expanding to more industries, countries outside of US tech sector ∗∗∗
---------------------------------------------
Okta said their new research into the scheme revealed that North Korea has honed its skills on U.S.-based companies and has expanded into dozens of different countries and industries.
---------------------------------------------
https://therecord.media/north-korea-it-worker-scheme-expands-outisde-us-tech
∗∗∗ Detour Dog’s DNS Hijacking Infects 30,000 Websites with Strela Stealer ∗∗∗
---------------------------------------------
Infoblox reveals how the Detour Dog group used server-side DNS to compromise 30,000+ sites across 89 countries, installing the stealthy Strela Stealer malware.
---------------------------------------------
https://hackread.com/detour-dog-dns-hijacking-websites-strela-stealer/
∗∗∗ Security update: malicious code vulnerability threatens Western Digital NAS models ∗∗∗
---------------------------------------------
Attackers can attack certain Western Digital network storage devices running My Cloud OS.
---------------------------------------------
https://heise.de/-10696726
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, mysql:8.0, and openssh), Debian (libcommons-lang-java, libcommons-lang3-java, libcpanel-json-xs-perl, libjson-xs-perl, libxml2, open-vm-tools, and u-boot), Fedora (bird, dnsdist, mapserver, ntpd-rs, python-nh3, and rust-ammonia), Oracle (kernel and mysql:8.0), Red Hat (cups, postgresql:12, and postgresql:13), SUSE (cJSON-devel, gimp, kernel-devel, kubecolor, open-vm-tools, openssl-1_1, openssl-3, and ruby3.4-rubygem-rack), ..
---------------------------------------------
https://lwn.net/Articles/1040375/
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released ten Industrial Control Systems (ICS) advisories on September 30, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-273-01 MegaSys Enterprises Telenium Online Web Application, ICSA-25-273-02 Festo SBRD-Q/SBOC-Q/SBOI-Q, ICSA-25-273-03 Festo CPX-CEC-C1 and ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/30/cisa-releases-ten-indust…