=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-11-2025 18:00 − Friday 28-11-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Malicious LLMs empower inexperienced hackers with advanced tools ∗∗∗
---------------------------------------------
Unrestricted large language models (LLMs) like WormGPT 4 and KawaiiGPT are improving their capabilities to generate malicious code, delivering functional scripts for ransomware encryptors and lateral movement.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-llms-empower-inexp…
∗∗∗ GreyNoise launches free scanner to check if you're part of a botnet ∗∗∗
---------------------------------------------
GreyNoise Labs has launched a free tool called GreyNoise IP Check that lets users check if their IP address has been observed in malicious scanning operations, like botnet and residential proxy networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scan…
∗∗∗ On GitHub for weeks: virus scanners fail to detect public Android trojan ∗∗∗
---------------------------------------------
A new Android trojan named Radzarat has been circulating on GitHub for weeks. Only very few virus scanners have so far recognised it as a threat.
---------------------------------------------
https://www.golem.de/news/auf-github-verfuegbar-virenscanner-erkennen-oeffe…
∗∗∗ Tomiris wreaks Havoc: New tools and techniques of the APT group ∗∗∗
---------------------------------------------
Kaspersky discloses new tools and techniques discovered in 2025 Tomiris activities: multi-language reverse shells, Havoc and AdaptixC2 open-source frameworks, communications via Discord and Telegram.
---------------------------------------------
https://securelist.com/tomiris-new-tools/118143/
∗∗∗ Prompt Injection Through Poetry ∗∗∗
---------------------------------------------
In a new paper, “Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models,” researchers found that turning LLM prompts into poetry resulted in jailbreaking the models.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/11/prompt-injection-through-poe…
∗∗∗ MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams.
---------------------------------------------
https://thehackernews.com/2025/11/ms-teams-guest-access-can-remove.html
∗∗∗ The Anatomy of a Bulletproof Hoster: A Data-Driven Reconstruction of Media Land ∗∗∗
---------------------------------------------
This post uses the leaked internal database of Media Land, a sanctioned bulletproof hosting provider, to reconstruct how its platform organised customers, subscriptions, virtual machines, and IP address space across billing, compute, and network layers.
---------------------------------------------
https://disclosing.observer/2025/11/24/bulletproof-hoster-anatomy-data-driv…
∗∗∗ How CVSS v4.0 works: characterizing and scoring vulnerabilities ∗∗∗
---------------------------------------------
This blog explains why vulnerability scoring matters, how CVSS works, and what’s new in version 4.0.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/11/how-cvss-v4-0-works-characte…
∗∗∗ Watch out, it's a trap! Fake BMF refund e-mails in circulation ∗∗∗
---------------------------------------------
Anyone who currently has an e-mail in their inbox in which the Federal Ministry of Finance (BMF) promises a tax refund should be careful. Criminals are currently sending such e-mails to get you to disclose data and transfer money.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-falle-gefaelschte-bmf-ruecke…
∗∗∗ 3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs ∗∗∗
---------------------------------------------
How OAuth tokens, JWT fields and Entra sign-in logs reveal attacker behavior, and how to turn those signals into reliable detections.
---------------------------------------------
https://www.wiz.io/blog/recent-oauth-attacks-detection-strategies
=====================
= Vulnerabilities =
=====================
∗∗∗ Installer of INZONE Hub may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
The installer of INZONE Hub provided by Sony Corporation may insecurely load Dynamic Link Libraries.
---------------------------------------------
https://jvn.jp/en/jp/JVN28247549/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (krita and tryton-server), Oracle (bind9.18, ipa, kernel, libssh, redis, redis:7, sqlite, sssd, and vim), Slackware (cups), SUSE (containerd, cups, curl, dovecot24, git-bug, gitea-tea, glib2, grub2, himmelblau, java-25-openjdk, kernel, libmicrohttpd, libvirt, pnpm, powerpc-utils, python311, python313, redis, rnp, runc, sssd, tomcat11, unbound, and xwayland), and Ubuntu (cups, libxml2, openvpn, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1048596/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-11-2025 18:00 − Thursday 27-11-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ A brief look at the NISG 2026 ∗∗∗
---------------------------------------------
Not much has really changed between the rejected draft from 2024 and the text introduced on 20 November. I only want to briefly address two points here. Recital 44: [..] As already noted in the summer, it is not clear to us what the EU legislator is trying to tell us with this. [..] A short survey in the CSIRTs Network has shown that the other teams are also chewing on this question.
---------------------------------------------
https://www.cert.at/de/blog/2025/11/ein-kurzer-blick-auf-das-nisg-2026
∗∗∗ Shai-Hulud v2 Spreads From npm to Maven, as Campaign Exposes Thousands of Secrets ∗∗∗
---------------------------------------------
The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js".
---------------------------------------------
https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.h…
∗∗∗ New ShadowV2 botnet malware used AWS outage as a test opportunity ∗∗∗
---------------------------------------------
A new Mirai-based botnet malware named ShadowV2 has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-…
∗∗∗ Zendesk users targeted as Scattered Lapsus$ Hunters spin up fake support sites ∗∗∗
---------------------------------------------
ReliaQuest finds fresh crop of phishing domains and toxic tickets.
Scattered Lapsus$ Hunters may be circling Zendesk users for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/11/27/scattered_la…
∗∗∗ Win a Rituals advent calendar? Beware of the phishing trap! ∗∗∗
---------------------------------------------
The latest viral variant: a supposedly free advent calendar from Rituals. Behind it, however, lies a combination of different scams: a subscription trap and theft of credit card data, garnished with a chain letter.
---------------------------------------------
https://www.watchlist-internet.at/news/rituals-adventkalender-phishing/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kdeconnect, libssh, and samba), Fedora (7zip, docker-buildkit, and docker-buildx), Oracle (bind, buildah, cups, delve and golang, expat, firefox, gimp, go-rpm-macros, haproxy, kernel, lasso, libsoup, libtiff, mingw-expat, openssl, podman, python-kdcproxy, qt5-qt3d, runc, squid, thunderbird, tigervnc, valkey, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (buildah, cloudflared, containerd, expat, firefox, gnutls, helm, kernel, libxslt, mysql-connector-java, ongres-scram, openbao, openexr, openssh, podman, python311, python312, ruby2.5, rubygem-rack, runc, samba, sssd, tiff, unbound, and yelp), and Ubuntu (edk2, ffmpeg, h2o, python3.13, rust-openssl, and valkey).
---------------------------------------------
https://lwn.net/Articles/1048448/
∗∗∗ GitLab Patch Release: 18.6.1, 18.5.3, 18.4.5 ∗∗∗
---------------------------------------------
GitLab releases fixes for vulnerabilities in patch releases. [..] We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
---------------------------------------------
https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-re…
∗∗∗ Security updates: attackers can bypass login on Asus routers ∗∗∗
---------------------------------------------
Among other things, a critical security vulnerability endangers Asus routers. Malicious code can get onto devices. [..] Which models are specifically affected is not clear from the security section of the Asus website. There, only "Asus router firmware" is named as vulnerable. [..] A "critical" vulnerability (CVE-2025-59366) in the AiCloud component is considered the most dangerous. [..] Three further vulnerabilities (CVE-2025-59370, CVE-2025-59371, CVE-2025-12003) are rated with the threat level "high".
---------------------------------------------
https://heise.de/-11093767
∗∗∗ ABB Ability Camera Connect Vulnerabilities in outdated 3rd party component (VLC) ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=4HZM000603&Language…
∗∗∗ Splunk: SVD-2025-1104: Third-Party Package Updates in Splunk SOAR - November 2025 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-1104
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-11-2025 18:30 − Wednesday 26-11-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025 ∗∗∗
---------------------------------------------
This article covers NTLM relay, credential forwarding, and other NTLM-related vulnerabilities and cyberattacks discovered in 2025.
---------------------------------------------
https://securelist.com/ntlm-abuse-in-2025/118132/
∗∗∗ Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that's capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet.
---------------------------------------------
https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html
∗∗∗ Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim Korean Leaks Data Heist ∗∗∗
---------------------------------------------
South Korea's financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware.
---------------------------------------------
https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.h…
∗∗∗ HashJack attack shows AI browsers can be fooled with a simple ‘#’ ∗∗∗
---------------------------------------------
Hashtag-do-whatever-I-tell-you.
Cato Networks says it has discovered a new attack, dubbed "HashJack," that hides malicious prompts after the "#" in legitimate URLs, tricking AI browser assistants into executing them while dodging traditional network and server-side defenses.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/11/25/hashjack_att…
∗∗∗ Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack ∗∗∗
---------------------------------------------
This blog is intended to share an in-depth analysis of a recent multi-stage attack attributed to the Water Gamayun advanced persistent threat group (APT). Drawing on telemetry, forensic reconstruction, and known threat intelligence, the Zscaler Threat Hunting team reconstructed how a seemingly innocuous web search led to a sophisticated exploitation of a Windows MMC vulnerability, ultimately delivering hidden PowerShell payloads and final malware loaders.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack
∗∗∗ Study: [EXTERN] tags do not protect against phishing ∗∗∗
---------------------------------------------
A large-scale simulation at a German university hospital shows: common protective measures such as [EXTERN] tags fail, while technical filters work.
---------------------------------------------
https://www.heise.de/news/Studie-EXTERN-Tags-schuetzen-nicht-vor-Phishing-1…
∗∗∗ How to recognise fake pharmacies like grazapotheke.com ∗∗∗
---------------------------------------------
With the start of the cold season, demand for online pharmacies rises. But alongside reputable providers, dangerous fakes are also lurking on the web. One example is grazapotheke.com, which appears to sell prescription-only medicines freely.
---------------------------------------------
https://www.watchlist-internet.at/news/so-erkennen-sie-fake-apotheken-wie-g…
∗∗∗ The Golden Scale: Tis the Season for Unwanted Gifts ∗∗∗
---------------------------------------------
Unit 42 shares further updates on the cybercrime group Scattered LAPSUS$ Hunters. Secure your organization this holiday season.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/
∗∗∗ MySQL 8.0 falls out of support on 30 April 2026 ∗∗∗
---------------------------------------------
Is another software problem building up in the IT landscape? The open-source database system MySQL is very popular and widely used. But MySQL 8.0 falls out of support on 30 April 2026.
---------------------------------------------
https://www.borncity.com/blog/2025/11/26/mysql-8-0-faellt-am-30-april-2026-…
∗∗∗ Sharjah Police Experiment Exposes How Easily People Fall for Fake QR Codes ∗∗∗
---------------------------------------------
A cybersecurity experiment conducted by Sharjah Police has revealed how easily QR codes can mislead individuals, particularly when these codes promise conveniences such as free WiFi. The police placed an unbranded QR code in a public area with a simple message, “Free WiFi”, to measure how many people would scan it without verifying its source. The results revealed that 89 members of the public scanned the code without asking who placed it or whether it was legitimate.
---------------------------------------------
https://thecyberexpress.com/free-wifi-qr-code-risk-experiment/
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#521113: Forge JavaScript library impacted by a vulnerability in signature verification. ∗∗∗
---------------------------------------------
The Forge JavaScript library provides TLS-related cryptographic utilities. A vulnerability that allows signature verification to be bypassed through crafted manipulation of ASN.1 structures, particularly in fields such as Message Authentication Code (MAC) data, was identified.
---------------------------------------------
https://kb.cert.org/vuls/id/521113
∗∗∗ ZDI-25-1019: Arista NG Firewall replace_marker Exposed Dangerous Function Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to bypass authentication on affected installations of Arista NG Firewall. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-6979.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1019/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bind, binutils, delve and golang, expat, firefox, haproxy, kernel, libsoup3, libssh, libtiff, openssh, openssl, pam, podman, python-kdcproxy, shadow-utils, squid, thunderbird, vim, xorg-x11-server-Xwayland, and zziplib), Debian (cups-filters, libsdl2, linux-6.1, net-snmp, pdfminer, rails, and tryton-sao), Fedora (chromium, docker-buildkit, docker-buildx, and sudo-rs), Gentoo (librnp), Mageia (webkit2), SUSE (amazon-ssm-agent, buildah, curl, dpdk, fontforge-20251009, kernel, libIex-3_4-33, librnp0, python311, rclone, and sssd), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-aws-6.14, linux-oracle-6.14, linux-aws-fips, linux-fips, linux-gcp-fips, linux-realtime, linux-realtime-6.8, mupdf, openjdk-17, openjdk-8, and openjdk-lts).
---------------------------------------------
https://lwn.net/Articles/1048195/
∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released seven Industrial Control Systems (ICS) Advisories: ICSA-25-329-01 Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share. ICSA-25-329-02 Rockwell Automation Arena Simulation. ICSA-25-329-03 Zenitel TCIV-3+. ICSA-25-329-04 Opto 22 groov View. ICSA-25-329-05 Festo Compact Vision System, Control Block, Controller, and Operator Unit products. ICSA-25-329-06 SiRcom SMART.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/11/25/cisa-releases-seven-indu…
∗∗∗ Nvidia DGX Spark, NeMo: critical vulnerabilities endanger AI hardware and software ∗∗∗
---------------------------------------------
Nvidia's AI hardware and software DGX Spark and the NeMo Framework are vulnerable. Security updates close several vulnerabilities. In the worst case, attackers can completely compromise systems after executing malicious code. So far there are no reports of ongoing attacks.
---------------------------------------------
https://heise.de/-11092387
=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-11-2025 19:30 − Tuesday 25-11-2025 18:30
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Malicious Blender model files deliver StealC infostealing malware ∗∗∗
---------------------------------------------
A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-blender-model-file…
∗∗∗ Tor switches to new Counter Galois Onion relay encryption algorithm ∗∗∗
---------------------------------------------
Tor has announced improved encryption and security for the circuit traffic by replacing the old tor1 relay encryption algorithm with a new design called Counter Galois Onion (CGO).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tor-switches-to-new-counter-…
∗∗∗ JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new campaign that's leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a "critical" Windows security update.
---------------------------------------------
https://thehackernews.com/2025/11/jackfix-uses-fake-windows-update-pop.html
∗∗∗ Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys ∗∗∗
---------------------------------------------
New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code.
---------------------------------------------
https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.h…
∗∗∗ Ex-CISA officials, CISOs dispel hacklore, spread cybersecurity truths ∗∗∗
---------------------------------------------
Don't believe everything you read.
Afraid of connecting to public Wi-Fi? Terrified to turn your Bluetooth on? You may be falling for "hacklore," tall tales about cybersecurity that distract you from real dangers. Dozens of chief security officers and ex-CISA officials have launched an effort and website to dispel these myths and show you how not to get hacked for real.
---------------------------------------------
www.theregister.com/2025/11/24/hacklore_launch/
∗∗∗ Is Your Android TV Streaming Box Part of a Botnet? ∗∗∗
---------------------------------------------
On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers.
---------------------------------------------
https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-o…
∗∗∗ New ClickFix wave infects users with hidden malware in images and fake Windows updates ∗∗∗
---------------------------------------------
ClickFix just got more convincing, hiding malware in PNG images and faking Windows updates to make users run dangerous commands.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/11/new-clickfix-wave-infects-us…
∗∗∗ UEFI SecureBoot DB update: installing Microsoft's 2023 CAs ∗∗∗
---------------------------------------------
Microsoft's SecureBoot certificates (KEK and DB) date from 2011 and expire in 2026.
---------------------------------------------
https://hitco.at/blog/uefi-secureboot-db-update-installieren/
∗∗∗ Reports are piling up: copied classified ads fill fake shops ∗∗∗
---------------------------------------------
Criminals are increasingly stuffing their fake shops with images and product information from classified-ad portals. Complete ads end up, slightly modified and with a hefty discount, in the fraudulent stores.
---------------------------------------------
https://www.watchlist-internet.at/news/kopierte-kleinanzeigen-fuellen-fake-…
∗∗∗ Russia arrests young cybersecurity entrepreneur on treason charges ∗∗∗
---------------------------------------------
Details of the case are classified, but Russian media say Timur Kilin may have drawn official ire after publicly criticizing the state-owned messaging app Max and the government’s anti-cybercrime legislation.
---------------------------------------------
https://therecord.media/russia-arrests-tech-entrepreneur-treason
∗∗∗ Update Firefox to Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users ∗∗∗
---------------------------------------------
AI security firm AISLE revealed CVE-2025-13016, a critical Firefox Wasm bug that risked 180M users for six months. Learn how the memory flaw allowed code execution.
---------------------------------------------
https://hackread.com/update-firefox-patch-cve-2025-13016-vulnerability/
∗∗∗ Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications ∗∗∗
---------------------------------------------
CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps). These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-thr…
∗∗∗ The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk ∗∗∗
---------------------------------------------
Bitsight TRACE discovered more than 390 abandoned domains related to iCalendar synchronization (sync) requests for subscribed calendars, potentially putting ~4 million devices at risk.
---------------------------------------------
https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-milli…
∗∗∗ Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem) ∗∗∗
---------------------------------------------
Welcome to watchTowr vs the Internet, part 68. That feeling you're experiencing? Dread. You should be used to it by now. As is fast becoming an unofficial and, apparently, frowned upon tradition - we identified incredible amounts of publicly exposed passwords, secrets, keys and more for very sensitive environments - and then spent a number of months working out if we could travel back in time to a period in which we just hadn't.
---------------------------------------------
https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, firefox, go-rpm-macros, kernel, kernel-rt, podman, and thunderbird), Debian (erlang, python-gevent, and r-cran-gh), Fedora (buildah, chromium, k9s, kubernetes1.33, kubernetes1.34, podman, python-mkdocs-include-markdown-plugin, and webkitgtk), Gentoo (Chromium, Google Chrome, Microsoft Edge, Opera, qtsvg, redict, redis, UDisks, and WebKitGTK+), Mageia (cups-filters and ruby-rack), Oracle (kernel and libssh), Red Hat (.NET 8.0, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (act, bind, cups-filters, govulncheck-vulndb, grub2, libebml, python39, and tcpreplay), and Ubuntu (linux-raspi, linux-raspi-realtime, openjdk-21, openjdk-25, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, runc-app, and runc-stable).
---------------------------------------------
https://lwn.net/Articles/1047950/
∗∗∗ Synology-SA-25:15 ActiveProtect Agent ∗∗∗
---------------------------------------------
Synology has released a security update for the ActiveProtect Agent on Windows to address a vulnerability: CVE-2025-13593 allows local users to write arbitrary files with restricted content. Please refer to the Affected Products table for the corresponding updates.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_15
∗∗∗ Azure Bastion with severe vulnerability CVE-2025-49752 ∗∗∗
---------------------------------------------
The Microsoft Azure Bastion service for secure and seamless RDP and SSH access to Azure virtual machines (VMs) has a severe vulnerability, CVE-2025-49752 (CVSS score 10.0), in all deployments created before 20 November 2025.
---------------------------------------------
https://www.borncity.com/blog/2025/11/25/azure-bastion-mit-schwerer-schwach…
∗∗∗ Asus patches high-risk privilege escalation vulnerability in MyAsus ∗∗∗
---------------------------------------------
Asus warns of a security vulnerability in the MyAsus software that is classified as high-risk. An update is available.
---------------------------------------------
https://heise.de/-11090371
∗∗∗ Security Advisory for SiRcom SMART Alert (SiSA) ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-06
∗∗∗ Security Advisory for Festo Compact Vision System, Control Block, Controller, and Operator Unit products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-05
∗∗∗ Security Advisory for Zenitel TCIV-3+ ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03
∗∗∗ Security Advisory for Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-11-2025 18:00 − Monday 24-11-2025 19:30
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Shai-Hulud 2.0: Ongoing Supply Chain Attack ∗∗∗
---------------------------------------------
Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign. Over 25,000 affected repositories across ~350 unique users.
---------------------------------------------
https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
∗∗∗ How to know if your Asus router is one of thousands hacked by China-state hackers ∗∗∗
---------------------------------------------
So far, the hackers are laying low, likely for later use.
---------------------------------------------
https://arstechnica.com/security/2025/11/thousands-of-hacked-asus-routers-a…
∗∗∗ CrowdStrike catches insider feeding information to hackers ∗∗∗
---------------------------------------------
American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/crowdstrike-catches-insider-…
∗∗∗ Locked out of his own body: magician forgets password for hand chip ∗∗∗
---------------------------------------------
A magician has permanently locked himself out of the RFID chip in his own hand because of a forgotten password.
---------------------------------------------
https://www.golem.de/news/ausgesperrt-aus-dem-eigenen-koerper-zauberkuenstl…
∗∗∗ ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access ∗∗∗
---------------------------------------------
A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad.
---------------------------------------------
https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html
∗∗∗ ShinyHunters does not like Salesforce at all, claims the crew accessed Gainsight 3 months ago ∗∗∗
---------------------------------------------
Shiny talks to The Reg. EXCLUSIVE: ShinyHunters has claimed responsibility for the Gainsight breach that allowed the data thieves to snarf data from hundreds more Salesforce customers.
---------------------------------------------
www.theregister.com/2025/11/21/shinyhunters_salesforce_gainsight_breach/
∗∗∗ Amazon Is Using Specialized AI Agents for Deep Bug Hunting ∗∗∗
---------------------------------------------
Born out of an internal hackathon, Amazon’s Autonomous Threat Analysis system uses a variety of specialized AI agents to detect weaknesses and propose fixes to the company’s platforms.
---------------------------------------------
https://www.wired.com/story/amazon-autonomous-threat-analysis/
∗∗∗ DHL phishing in peak online-shopping season ∗∗∗
---------------------------------------------
With "Cyber Week", online retail starts its year-end sprint. Online fraudsters want to lure victims with alleged outstanding payments.
---------------------------------------------
https://www.heise.de/news/DHL-Phishing-zur-Online-Handel-Bluetezeit-1108844…
∗∗∗ Bicycle maker Woom: IT break-in by the INC Ransom cyber gang ∗∗∗
---------------------------------------------
Two weeks ago there was an IT break-in at children's bicycle maker Woom. The INC Ransom cyber gang is threatening to publish data.
---------------------------------------------
https://www.heise.de/news/Fahrradhersteller-Woom-IT-Einbruch-durch-Cybergan…
∗∗∗ IT security: BSI wants to hold webmail providers more accountable ∗∗∗
---------------------------------------------
Email security rests largely on the shoulders of users, the BSI complains. It sees the operators as responsible, for example at login.
---------------------------------------------
https://www.heise.de/news/IT-Sicherheit-BSI-will-Webmail-Anbieter-staerker-…
∗∗∗ Matrix Push C2 abuses browser notifications to deliver phishing and malware ∗∗∗
---------------------------------------------
Attackers can send highly realistic push notifications through your browser, including fake alerts that can lead to malware or phishing pages.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/11/matrix-push-c2-abuses-browse…
∗∗∗ Beware of fake refunds from the ÖGK! ∗∗∗
---------------------------------------------
A phishing wave affecting many Austrians is currently spreading again. Fraudulent emails claim that the recipient is entitled to a refund from the Österreichische Gesundheitskasse (ÖGK). Anyone who follows the instructions, however, ends up making a transfer to criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-rueckersta…
∗∗∗ Customer data of US banks possibly compromised after cyberattack ∗∗∗
---------------------------------------------
A cyberattack on the service provider SitusAMC may have compromised customer data of large US banks such as JPMorgan Chase, Citi and Morgan Stanley.
---------------------------------------------
https://www.derstandard.at/story/3000000297610/kundendaten-von-us-banken-na…
∗∗∗ SmbCrawler – SMB Share Discovery and Secret-Hunting ∗∗∗
---------------------------------------------
SmbCrawler is a credentialed SMB share crawler for red teams that discovers misconfigured shares and hunts secrets across Windows networks.
---------------------------------------------
https://www.darknet.org.uk/2025/11/smbcrawler-smb-share-discovery-and-secre…
∗∗∗ GhostAd: Hidden Google Play Adware Drains Devices and Disrupts Millions of Users ∗∗∗
---------------------------------------------
Check Point researchers uncover a large-scale Android adware campaign that silently drains resources and disrupts normal phone use through persistent background activity. During an internal threat-hunting investigation, Check Point Harmony Mobile Detection Team identified a network of Android applications on Google Play masquerading as harmless utility and emoji-editing tools.
---------------------------------------------
https://blog.checkpoint.com/research/ghostad-hidden-google-play-adware-drai…
∗∗∗ SesameOp: novel backdoor abuses the OpenAI API for C&C ∗∗∗
---------------------------------------------
Security researchers at Microsoft have come across a novel backdoor that abuses the OpenAI Assistants API, which they have named SesameOp. This backdoor, used by an attacker, uses the OpenAI Assistants API to implement command-and-control functionality for cyberattacks.
---------------------------------------------
https://www.borncity.com/blog/2025/11/22/sesameop-neuartige-backdoor-in-ope…
∗∗∗ Smart meters: data arouses desires (of the police in Sacramento) ∗∗∗
---------------------------------------------
Smart meters record household electricity consumption, and there are major concerns that this new technology could be misused. In the US, the city of Sacramento has a corresponding scandal: the operator of the smart electricity meters passed data to the local police without a court order. A judge has now stopped the practice.
---------------------------------------------
https://www.borncity.com/blog/2025/11/23/smartmeter-daten-wecken-begehrlich…
∗∗∗ WTF: Keys lost – cryptologists cannot access their election results ∗∗∗
---------------------------------------------
A renowned group of cryptology researchers uses a sophisticated protection system, and ends up falling victim to it themselves.
---------------------------------------------
https://heise.de/-11088550
∗∗∗ A Reverse Engineer’s Anatomy of the macOS Boot Chain & Security Architecture ∗∗∗
---------------------------------------------
The security of the macOS platform on Apple Silicon is not defined by the kernel; it is defined by the physics of the die. Before the first instruction of kernelcache is fetched, a complex, cryptographic ballet has already concluded within the Application Processor (AP). This section dissects the immutable hardware logic that establishes the initial link in the Chain of Trust.
---------------------------------------------
http://stack.int.mov/a-reverse-engineers-anatomy-of-the-macos-boot-chain-se…
=====================
= Vulnerabilities =
=====================
∗∗∗ Grafana warns of max severity admin spoofing vulnerability ∗∗∗
---------------------------------------------
Grafana Labs is warning of a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to treat new users as administrators or for privilege escalation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/grafana-warns-of-max-severit…
∗∗∗ CISA warns Oracle Identity Manager RCE flaw is being actively exploited ∗∗∗
---------------------------------------------
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning government agencies to patch an Oracle Identity Manager flaw tracked as CVE-2025-61757 that has been exploited in attacks, potentially as a zero-day.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-oracle-identity-m…
∗∗∗ Malware incoming: critical Windows flaw enables attacks via JPEG data ∗∗∗
---------------------------------------------
Researchers warn of a critical security vulnerability in a Windows library. Attackers can inject malicious code via JPEG image data.
---------------------------------------------
https://www.golem.de/news/malware-im-anmarsch-kritische-windows-luecke-ermo…
∗∗∗ Patch now! Malicious-code attacks on Oracle Identity Manager observed ∗∗∗
---------------------------------------------
There are indications that attackers have been attacking Oracle Identity Manager since August of this year. A security update is available.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Schadcode-Attacken-auf-Oracle-Ident…
∗∗∗ HCL BigFix: security problems in SAML authentication ∗∗∗
---------------------------------------------
HCL's endpoint management platform BigFix is vulnerable. The developers have now closed a critical security hole.
---------------------------------------------
https://www.heise.de/news/HCL-BigFix-Sicherheitsprobleme-bei-SAML-Authentif…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (calibre, chromium, cri-o1.32, cri-o1.33, cri-o1.34, dotnet10.0, dovecot, gnutls, gopass, gopass-hibp, gopass-jsonapi, kubernetes1.31, kubernetes1.32, kubernetes1.33, kubernetes1.34, and linux-firmware), Mageia (ffmpeg, kernel, kmod-xtables-addons & kmod-virtualbox, kernel-linus, konsole, and redis), Red Hat (bind and bind-dyndb-ldap and kernel), SUSE (act, alloy, amazon-ssm-agent, ansible-12, ansible-core, blender, chromium, cups-filters, curl, elfutils, expat, firefox, glib2, grub2, helm, kernel, libipa_hbac-devel, libxslt, nvidia-container-toolkit, ongres-scram, openexr, podman, poppler, runc, samba, sssd, thunderbird, and tomcat), and Ubuntu (cups-filters, linux, linux-aws, linux-gcp, linux-hwe-6.14, linux-oracle, linux-realtime, linux-oem-6.14, and linux-realtime-6.14).
---------------------------------------------
https://lwn.net/Articles/1047682/
∗∗∗ Synology-SA-25:14 DSM (PWN2OWN 2025) ∗∗∗
---------------------------------------------
Synology has released a security update for DSM to address ZDI-CAN-28409: CVE-2025-13392 allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN). Please refer to the Affected Products table for the corresponding updates.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_14
∗∗∗ VU#761751: fluentbit contains stack buffer overflow, authentication bypass, and path traversal flaws ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/761751
∗∗∗ F5: K000157948, BIND vulnerability CVE-2025-40780 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000157948
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 20-11-2025 18:00 − Friday 21-11-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ ‘Matrix Push’ C2 Tool Hijacks Browser Notifications for Phishing ∗∗∗
---------------------------------------------
Have you ever given two seconds of thought to a browser notification? No? That's what hackers are counting on.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/matrix-push-c2-tool-hijacks…
∗∗∗ Protection against fraud: where is Austria's SMS firewall? ∗∗∗
---------------------------------------------
Apparently little has happened with the announced protection mechanism against phishing SMS.
---------------------------------------------
https://futurezone.at/netzpolitik/sms-firewall-oesterreich-spamnachrichten-…
∗∗∗ ToddyCat: your hidden email assistant. Part 1 ∗∗∗
---------------------------------------------
Kaspersky experts analyze the ToddyCat APT attacks targeting corporate email. We examine the new version of TomBerBil, the TCSectorCopy and XstReader tools, and methods for stealing access tokens from Outlook.
---------------------------------------------
https://securelist.com/toddycat-apt-steals-email-data-from-outlook/118044/
∗∗∗ Fired techie admits sabotaging ex-employer, causing $862K in damage ∗∗∗
---------------------------------------------
PowerShell script locked thousands of workers out of their accounts. An Ohio IT contractor has pleaded guilty to breaking into his former employer's systems and causing nearly $1 million worth of damage after being fired.
---------------------------------------------
https://www.theregister.com/2025/11/20/it_contractor_sabotage/
∗∗∗ LLM-generated malware is improving, but dont expect autonomous attacks tomorrow ∗∗∗
---------------------------------------------
Researchers tried to get ChatGPT to do evil, but it didn't do a good job. LLMs are getting better at writing malware, but they're still not ready for prime time.
---------------------------------------------
https://www.theregister.com/2025/11/20/llmgenerated_malware_improving/
∗∗∗ ClamAV antivirus scanner: developers announce major clean-up ∗∗∗
---------------------------------------------
Decluttering at the ClamAV antivirus scanner: Cisco is having the developers throw out old signatures, and old Docker images have to go too.
---------------------------------------------
https://www.heise.de/news/Virenscanner-ClamAV-Entwickler-starten-Entruempel…
∗∗∗ Budget Samsung phones shipped with unremovable spyware, say researchers ∗∗∗
---------------------------------------------
Samsung is under fire again for shipping phones in parts of the world with a hidden system app, AppCloud, that users can’t easily remove.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/11/budget-samsung-phones-shippe…
∗∗∗ Beware of fake shops around Black Friday ∗∗∗
---------------------------------------------
Black Friday is just around the corner and many online retailers are already luring customers with generous discounts. But bargain hunters should look closely before ordering, because fraudulent shops also try to profit from the increased appetite for shopping.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-rund-um-den-…
∗∗∗ NIS2: law for more cybersecurity is on its way ∗∗∗
---------------------------------------------
The government is making up for an omission: the law should have been passed a year ago.
---------------------------------------------
https://www.derstandard.at/story/3000000297503/nis2-gesetz-fuer-mehr-cybers…
∗∗∗ Inside Europe’s AI-Fuelled GLP-1 Scam Epidemic: How Criminal Networks Are Hijacking the Identities of the NHS, AEMPS, ANSM, BfArM and AIFA to Sell Fake Weight-Loss Products ∗∗∗
---------------------------------------------
The global appetite for GLP-1 medications like Ozempic, Wegovy and Mounjaro has created something far more dangerous than a cultural trend. It has created the perfect opening for cyber criminals who understand how desperation, scarcity and online misinformation intersect. As clinics struggle with shortages and manufacturers warn of supply limits extending ..
---------------------------------------------
https://blog.checkpoint.com/research/inside-europes-ai-fuelled-glp-1-scam-e…
∗∗∗ Stolen VPN Credentials Most Common Ransomware Attack Vector ∗∗∗
---------------------------------------------
Compromised VPN credentials are the most common initial access vector for ransomware attacks, according to a new report. Nearly half of ransomware attacks in the third quarter abused compromised VPN credentials as the initial access point, according to research from Beazley Security, the cybersecurity arm of Beazley Insurance. Nearly a quarter of initial access ..
---------------------------------------------
https://thecyberexpress.com/stolen-vpn-credentials-most-common-ransomware-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-25-885: (0Day) Digilent DASYLab DSB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-885/
∗∗∗ CVE-2025-50165: Critical Flaw in Windows Graphics Component ∗∗∗
---------------------------------------------
https://www.zscaler.com/blogs/security-research/cve-2025-50165-critical-fla…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-11-2025 18:00 − Thursday 20-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critics scoff after Microsoft warns AI feature can infect machines and pilfer data ∗∗∗
---------------------------------------------
Integration of Copilot Actions into Windows is off by default, but for how long?
---------------------------------------------
https://arstechnica.com/security/2025/11/critics-scoff-after-microsoft-warn…
∗∗∗ Salesforce investigates customer data theft via Gainsight breach ∗∗∗
---------------------------------------------
Salesforce says it revoked refresh tokens linked to Gainsight-published applications while investigating a new wave of data theft attacks targeting customers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/salesforce-investigates-cust…
∗∗∗ Vulnerability being exploited: attackers target 7-Zip users ∗∗∗
---------------------------------------------
Older versions of the 7-Zip archiver contain a dangerous code-execution vulnerability that is now being exploited. Users should act.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-wird-ausgenutzt-angreifer-attac…
∗∗∗ Fake software updates: cyber spies distribute malware via manipulated DNS traffic ∗∗∗
---------------------------------------------
An APT group is selectively redirecting the DNS traffic of compromised routers to foist fake software updates carrying a backdoor on users.
---------------------------------------------
https://www.golem.de/news/dns-traffic-umgeleitet-cyberspione-verbreiten-mal…
∗∗∗ Banking trojan: new Android malware reads encrypted chats ∗∗∗
---------------------------------------------
Whether Signal, Telegram or WhatsApp, no chat can hide from the Sturnus trojan. Victims do not notice the data theft.
---------------------------------------------
https://www.golem.de/news/banking-trojaner-neue-android-malware-liest-versc…
∗∗∗ Blockchain and Node.js abused by Tsundere: an emerging botnet ∗∗∗
---------------------------------------------
Kaspersky GReAT experts discovered a new campaign featuring the Tsundere botnet. Node.js-based bots abuse web3 smart contracts and are spread via MSI installers and PowerShell scripts.
---------------------------------------------
https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117…
∗∗∗ Inside the dark web job market ∗∗∗
---------------------------------------------
This report examines how employment and recruitment function on the dark web, based on over 2,000 job-related posts collected from shadow forums between January 2023 and June 2025.
---------------------------------------------
https://securelist.com/dark-web-job-market-2023-2025/118057/
∗∗∗ SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp ∗∗∗
---------------------------------------------
Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-…
∗∗∗ Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt ∗∗∗
---------------------------------------------
Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting. The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating a new category of warfare, the tech giant's ..
---------------------------------------------
https://thehackernews.com/2025/11/iran-linked-hackers-mapped-ship-ais.html
∗∗∗ Too good to be true? Beware of fraudulent loan offers! ∗∗∗
---------------------------------------------
No proof of income required? Interest rates far below the usual level? Maximum flexibility? Criminals lure their victims into the trap with unrealistic loan promises. They pressure them into transferring all kinds of taxes, fees and so on, but a payout never happens.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-kredit-angebote/
∗∗∗ NSO seeks to overturn WhatsApp case, saying it is ‘catastrophic’ for the spyware maker ∗∗∗
---------------------------------------------
In a court filing ahead of the ruling, NSO told the judge that blocking it from targeting WhatsApp infrastructure to implant its spyware could “put NSO’s entire enterprise at risk” and “force NSO out of business.”
---------------------------------------------
https://therecord.media/nso-seeks-to-overturn-whatsapp-case
∗∗∗ Reoccurring Use of Highly Suspicious PDF Editors to Infiltrate Environments ∗∗∗
---------------------------------------------
The activities observed are the following: — File is downloaded from conmateapp[.]com or trm[.]conmateapp[.]com (OSINT suggests that these are downloaded through ads but this has not ..
---------------------------------------------
https://www.truesec.com/hub/blog/reoccurring-use-of-highly-suspicious-pdf-e…
∗∗∗ FortiWeb CVE‑2025‑64446: What We’re Seeing in the Wild ∗∗∗
---------------------------------------------
GreyNoise has begun seeing active exploitation of CVE‑2025‑64446, the critical path‑traversal flaw that lets an unauthenticated actor run administrative commands on Fortinet FortiWeb appliances.
---------------------------------------------
https://www.greynoise.io/blog/fortiweb-cve-2025-64446
∗∗∗ Palo Alto Scanning Surges 40X in 24 Hours, Marking 90-Day High ∗∗∗
---------------------------------------------
GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals. Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high.
---------------------------------------------
https://www.greynoise.io/blog/palo-alto-scanning-surges-90-day-high
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 18-11-2025 18:00 − Wednesday 19-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New ShadowRay attacks convert Ray clusters into crypto miners ∗∗∗
---------------------------------------------
A global campaign dubbed ShadowRay 2.0 hijacks exposed Ray clusters by exploiting an old code execution flaw to turn them into a self-propagating cryptomining botnet.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-shadowray-attacks-conver…
∗∗∗ Russian bulletproof hosting provider sanctioned over ransomware ties ∗∗∗
---------------------------------------------
Today, the United States, the United Kingdom, and Australia announced sanctions targeting Russian bulletproof hosting (BPH) providers that have supported ransomware gangs and other cybercrime operations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/us-sanctions-russian-bulletp…
∗∗∗ Gen Z is as bad with passwords as 80-year-olds ∗∗∗
---------------------------------------------
The most popular password worldwide is: "Passwort".
---------------------------------------------
https://futurezone.at/digital-life/passwort-gen-z-aeltere-generation-80-jae…
∗∗∗ Microsoft: Windows 11 gets hardware-accelerated BitLocker ∗∗∗
---------------------------------------------
Until now, BitLocker was designed exclusively as software encryption. That is set to change in Windows soon.
---------------------------------------------
https://www.golem.de/news/microsoft-windows-11-bekommt-hardwarebeschleunigt…
∗∗∗ NIS2 directive: central point of contact for cyber incidents planned ∗∗∗
---------------------------------------------
In future, companies in the EU are to report security incidents to only one authority. This is meant to reduce the reporting burden.
---------------------------------------------
https://www.golem.de/news/nis-2-richtlinie-zentrale-anlaufstelle-fuer-cyber…
∗∗∗ IT threat evolution in Q3 2025. Mobile statistics ∗∗∗
---------------------------------------------
The report features statistics on mobile threats for the third quarter of 2025, along with interesting findings and trends from the quarter, including an increase in ransomware activity in Germany, and more.
---------------------------------------------
https://securelist.com/malware-report-q3-2025-mobile-statistics/118013/
∗∗∗ IT threat evolution in Q3 2025. Non-mobile statistics ∗∗∗
---------------------------------------------
The report presents key trends and statistics on malware that targets personal computers running Windows and macOS, as well as Internet of Things (IoT) devices, during the third quarter of 2025.
---------------------------------------------
https://securelist.com/malware-report-q3-2025-pc-iot-statistics/118020/
∗∗∗ Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar ∗∗∗
---------------------------------------------
The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, underscoring the continued evolution of such offerings and further making it easier for ..
---------------------------------------------
https://thehackernews.com/2025/11/sneaky-2fa-phishing-kit-adds-bitb-pop.html
∗∗∗ Tens of thousands more ASUS routers pwned by suspected, evolving China operation ∗∗∗
---------------------------------------------
Researchers say attacks are laying the groundwork for stealthy espionage activity. Around 50,000 ASUS routers have been compromised in a sophisticated attack that researchers believe may be linked to China, according to findings released today by SecurityScorecard's STRIKE team.
---------------------------------------------
https://www.theregister.com/2025/11/19/thousands_more_asus_routers_pwned/
∗∗∗ Fake shops: beware of Black Week and heating oil offers ∗∗∗
---------------------------------------------
The Verbraucherzentrale NRW warns of fake shops with supposed heating oil bargains. Black Week brings the fraudsters out.
---------------------------------------------
https://www.heise.de/news/Fakeshops-Vorsicht-bei-Black-Week-und-Heizoel-Ang…
∗∗∗ Vulnerabilities: SolarWinds Platform and Serv-U vulnerable to attacks ∗∗∗
---------------------------------------------
Attackers can attack SolarWinds' network monitoring solution Platform and the file transfer software Serv-U.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-Solarwinds-Platform-und-Serv-U…
∗∗∗ Beware: combined phishing and subscription trap instead of a new iPhone 17 Pro! ∗∗∗
---------------------------------------------
The latest iPhone, completely free, sent straight to your home! Doesn't exist? Indeed it doesn't! Behind the tempting offer is nothing but a fraud combo of credit card theft and a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-falle-iphone-17-pro/
∗∗∗ Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise ∗∗∗
---------------------------------------------
Unit 42 outlines a Howling Scorpius attack delivering Akira ransomware that originated from a fake CAPTCHA and led to a 42-day compromise.
---------------------------------------------
https://unit42.paloaltonetworks.com/fake-captcha-to-compromise/
∗∗∗ Unwanted Gifts: Major Campaign Lures Targets with Fake Party Invites ∗∗∗
---------------------------------------------
Prolific threat actor delivering RMM packages using variety of lures, including seasonal party invites
---------------------------------------------
https://www.security.com/threat-intelligence/rmm-logmein-attacks
∗∗∗ LG battery subsidiary says ransomware attack targeted overseas facility ∗∗∗
---------------------------------------------
A "specific overseas facility" fell prey to a ransomware attack but is now operating normally, according to LG Energy Solution, the South Korean multinational's battery-making subsidiary.
---------------------------------------------
https://therecord.media/lg-energy-solution-ransomware-incident-battery-maker
=====================
= End-of-Day report =
=====================
Timeframe: Monday 17-11-2025 18:00 − Tuesday 18-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses ∗∗∗
---------------------------------------------
Microsoft said today that the Aisuru botnet hit its Azure network with a 15.72 terabits per second (Tbps) DDoS attack, launched from over 500,000 IP addresses.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-aisuru-botnet-use…
∗∗∗ RondoDox botnet malware now hacks servers using XWiki flaw ∗∗∗
---------------------------------------------
The RondoDox botnet malware is now exploiting a critical remote code execution (RCE) flaw in XWiki Platform tracked as CVE-2025-24893.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rondodox-botnet-malware-now-…
∗∗∗ The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA ∗∗∗
---------------------------------------------
Tycoon 2FA enables turnkey real-time MFA relays behind 64,000+ attacks this year, proving legacy MFA collapses the moment a phishing kit targets it. Learn from Token Ring how biometric, phishing-proof FIDO2 hardware blocks these relay attacks before they succeed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/the-tycoon-2fa-phishing-plat…
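To make the summary's point concrete, here is an added example (not code from the linked article, from Token Ring or from any vendor) that simulates both ceremonies in Python. A Tycoon-style reverse proxy that relays a TOTP code within its validity window is accepted by the real site, because a TOTP code carries no information about where it was typed. The same relay of a WebAuthn assertion fails, because the browser writes the origin it actually loaded into clientDataJSON and the authenticator signs over it. Origins, keys and the server challenge are constructed for the demo, and an HMAC stands in for the authenticator's public-key signature; the bytes it covers are the ones the real signature covers.

```python
"""Added example: TOTP relayed through a phishing proxy is accepted; a WebAuthn
assertion relayed the same way is rejected on the origin check. Constructed data."""
import base64
import hashlib
import hmac
import json
import struct


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


# ---- Legacy MFA: TOTP (RFC 6238). The code is just a number; nothing in it names the site.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def legacy_site_accepts(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """The real site only checks the code against its own copy of the secret."""
    return hmac.compare_digest(submitted_code, totp(secret, unix_time))


# ---- FIDO2/WebAuthn: the browser records the origin it is talking to; the authenticator signs over it.
def browser_get_assertion(page_origin: str, challenge: bytes, cred_key: bytes) -> dict:
    # The browser derives the RP ID from the page's own host; it will not use one the page does not own.
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"  # rpIdHash|flags|signCount
    # Stand-in for the authenticator's ECDSA signature (constructed shared key); same signed bytes.
    signature = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                         hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def relying_party_verify(assertion: dict, expected_origin: str, expected_rp_id: str,
                         expected_challenge: bytes, cred_key: bytes) -> bool:
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != b64url(expected_challenge):
        return False
    if client_data.get("origin") != expected_origin:  # the relay cannot rewrite this: it is under the signature
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    expected_sig = hmac.new(cred_key, assertion["authenticatorData"]
                            + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
    return hmac.compare_digest(assertion["signature"], expected_sig)


def run_demo() -> dict:
    real_origin, real_rp_id = "https://login.example.test", "login.example.test"
    phish_origin = "https://login.example-phish.test"  # constructed domain served by the kit's reverse proxy
    totp_secret = b"12345678901234567890"             # RFC 6238 test secret
    cred_key = b"constructed-credential-key"
    now = 1_700_000_000

    # TOTP relay: the victim types the code into the phishing page, the kit forwards it within the 30 s window.
    victim_code = totp(totp_secret, now)
    totp_relayed = legacy_site_accepts(totp_secret, victim_code, now)

    # WebAuthn relay: the kit fetches a challenge from the real site and hands it to the victim's browser.
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()
    relayed = browser_get_assertion(phish_origin, challenge, cred_key)
    webauthn_relayed = relying_party_verify(relayed, real_origin, real_rp_id, challenge, cred_key)

    # The same ceremony on the genuine origin verifies.
    genuine = browser_get_assertion(real_origin, challenge, cred_key)
    webauthn_direct = relying_party_verify(genuine, real_origin, real_rp_id, challenge, cred_key)

    return {"totp_relay_accepted": totp_relayed,
            "webauthn_relay_accepted": webauthn_relayed,
            "webauthn_direct_accepted": webauthn_direct}


if __name__ == "__main__":
    print(run_demo())
```

A real browser adds a barrier before any of this: it refuses to produce an assertion for an RP ID the phishing page's origin does not own, so the kit never gets an assertion to relay in the first place. The relying-party origin and rpIdHash checks above are the backstop that holds even if a client misbehaves, which is why the relay that defeats TOTP gets nothing out of a FIDO2 credential.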
∗∗∗ Vulnerability in V8: hackers attack Chrome users via the JavaScript engine ∗∗∗
---------------------------------------------
Merely visiting a malicious website is enough to exploit the Chrome flaw. Attackers can then execute malicious code.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-in-v8-angreifer-attackieren-chr…
∗∗∗ A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers ∗∗∗
---------------------------------------------
By plugging tens of billions of phone numbers into WhatsApp’s contact discovery tool, researchers found “the most extensive exposure of phone numbers” ever—along with profile photos and more.
---------------------------------------------
https://www.wired.com/story/a-simple-whatsapp-security-flaw-exposed-billion…
∗∗∗ IT incident: Stadtwerke Detmold no longer reachable ∗∗∗
---------------------------------------------
Stadtwerke Detmold has fallen victim to an IT attack. It is currently no longer reachable. Utility supply is said to be secured.
---------------------------------------------
https://www.heise.de/news/Stadtwerke-Detmold-nach-IT-Vorfall-offline-110829…
∗∗∗ Common Kubernetes misconfigurations and how to avoid them ∗∗∗
---------------------------------------------
Kubernetes has changed the way we deploy and scale workloads. It’s powerful, flexible, and very good at hiding a lot of complexity. It is also very good at hiding security problems until someone starts poking at it. Attackers usually take the path of least resistance. If they find an exposed API, dashboard, or port, that is often ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/common-kubernetes-misconfigur…
∗∗∗ ASFINAG phishing wave demands payment of alleged traffic fine ∗∗∗
---------------------------------------------
Most people want to settle a traffic fine quickly to avoid additional costs. Criminals are currently exploiting exactly this reflex: a fake reminder SMS purporting to come from ASFINAG is in circulation.
---------------------------------------------
https://www.watchlist-internet.at/news/asfinag-phishing-welle-fordert-bezah…
∗∗∗ MI5 warns of Chinese spies using LinkedIn to gain intel on lawmakers ∗∗∗
---------------------------------------------
The alert identifies two specific LinkedIn profiles, featuring fake personas, that are being used by China’s Ministry of State Security in an attempt to build relationships in Westminster and gain intelligence.
---------------------------------------------
https://therecord.media/mi5-warns-chinese-spies-using-linkedin-lawmakers
∗∗∗ Russian suspect detained in Thailand is allegedly tied to Void Blizzard group ∗∗∗
---------------------------------------------
More details are emerging about a 35-year-old Russian man arrested by Thai police in Phuket earlier this month with reported help from the FBI.
---------------------------------------------
https://therecord.media/russian-arrested-thailand-allegedly-void-blizzard-a…
∗∗∗ Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses ∗∗∗
---------------------------------------------
In this blog entry, Trend™ Research explores how ransomware actors are shifting their focus to cloud-based assets, including the tactics used to compromise business-critical data in AWS environments.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/k/s3-ransomware.html
∗∗∗ When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game ∗∗∗
---------------------------------------------
EU sanctions hit Stark Industries in May 2025. GreyNoise data shows how the group quietly rebranded to THE.Hosting and kept its malicious infrastructure running.
---------------------------------------------
https://www.greynoise.io/blog/stark-industries-shell-game
∗∗∗ North Korea's remote workers: Five facilitators in the US plead guilty ∗∗∗
---------------------------------------------
For years, North Korea has had people work in the US over the internet in order to collect salaries. Now it is becoming apparent in the US how this is being facilitated.
---------------------------------------------
https://heise.de/-11082874
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libwebsockets), Fedora (chromium and fvwm3), Mageia (apache, firefox, and postgresql13, postgresql15), Oracle (idm:DL1), Red Hat (bind, bind9.18, firefox, and openssl), SUSE (alloy, ghostscript, and openssl-1_0_0), and Ubuntu (ffmpeg and freeglut).
---------------------------------------------
https://lwn.net/Articles/1046891/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 14-11-2025 18:00 − Montag 17-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Jaguar Land Rover cyberattack cost the company over $220 million ∗∗∗
---------------------------------------------
Jaguar Land Rover (JLR) published its financial results for July 1 to September 30, warning that the cost of a recent cyberattack totaled £196 million ($220 million) in the quarter.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/jaguar-land-rover-cyberattac…
∗∗∗ Decades-old 'Finger' protocol abused in ClickFix malware attacks ∗∗∗
---------------------------------------------
The decades-old "finger" command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-…
∗∗∗ DoorDash email spoofing vulnerability sparks messy disclosure dispute ∗∗∗
---------------------------------------------
A vulnerability in DoorDash's systems could allow anyone to send "official" DoorDash-themed emails right from the company's authorized servers, paving a near-perfect phishing channel. DoorDash has now patched the issue, but a contentious disclosure dispute has erupted, with both sides accusing each other of acting in bad faith.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/doordash-email-spoofing-vuln…
∗∗∗ Cursor Issue Paves Way for Credential-Stealing Attacks ∗∗∗
---------------------------------------------
Researchers discovered a security weakness in the AI-powered coding tool that allows a malicious MCP server to hijack Cursor's internal browser.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/cursor-issue-credential…
∗∗∗ Ransomware: Logitech customer and employee data hacked ∗∗∗
---------------------------------------------
Accessory manufacturer Logitech has admitted to a data leak. The attack apparently came via Oracle software.
---------------------------------------------
https://www.golem.de/news/ransomware-kunden-und-mitarbeiterdaten-von-logite…
∗∗∗ Rust Adoption Drives Android Memory Safety Bugs Below 20% for First Time ∗∗∗
---------------------------------------------
Google has disclosed that the company's continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% for the first time.
---------------------------------------------
https://thehackernews.com/2025/11/rust-adoption-drives-android-memory.html
∗∗∗ Overconfidence is the new zero-day as teams stumble through cyber simulations ∗∗∗
---------------------------------------------
Readiness metrics have flatlined since 2023, with most sectors slipping backward as teams fumble crisis drills. Teams that think they're ready for a major cyber incident are scoring barely 22 percent accuracy and taking more than a day to contain simulated attacks, according to new data out Monday.
---------------------------------------------
www.theregister.com/2025/11/17/immersive_cyber_resilience_report/
∗∗∗ DOJ Issued Seizure Warrant to Starlink Over Satellite Internet Systems Used at Scam Compound ∗∗∗
---------------------------------------------
A new US law enforcement initiative is aimed at crypto fraudsters targeting Americans—and now seeks to seize infrastructure it claims is crucial to notorious scam compounds.
---------------------------------------------
https://www.wired.com/story/doj-issued-seizure-warrants-to-starlink-over-sa…
∗∗∗ Cyberattack: Bundestag police warn parliamentary groups about dangerous USB sticks ∗∗∗
---------------------------------------------
Many MPs' offices have received postal mail in English containing a USB stick. Police urge staff not to connect such devices to computers.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-Bundestagspolizei-warnt-Fraktionen-v…
∗∗∗ Autonomous AI cyberattack: Did it really happen that way? ∗∗∗
---------------------------------------------
Anthropic claims not only to have detected but also to have stopped a largely autonomous, AI-driven cyberattack. But is that really true?
---------------------------------------------
https://www.heise.de/news/Autonomer-KI-Cyberangriff-Zweifel-an-Anthropics-U…
∗∗∗ IT incident at the Washington Post: Data of nearly 10,000 people leaked ∗∗∗
---------------------------------------------
Criminals also broke into the Washington Post via an Oracle vulnerability. Data of almost 10,000 people has been exfiltrated.
---------------------------------------------
https://www.heise.de/news/IT-Vorfall-bei-Washington-Post-Daten-von-knapp-10…
∗∗∗ Cyberattacks shake stock exchanges: Massive financial consequences ∗∗∗
---------------------------------------------
A new survey shows drastic financial consequences of cyberattacks: 70 percent of listed companies had to adjust their profit forecasts.
---------------------------------------------
https://www.heise.de/news/Studie-Cyberangriffe-treffen-Aktienkurse-und-Fina…
∗∗∗ Scammers are sending bogus copyright warnings to steal your X login ∗∗∗
---------------------------------------------
A copyright violation sounds serious, so cybercriminals are faking messages from the DMCA to lure you into handing over your X credentials.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/11/scammers-are-sending-bogus-c…
∗∗∗ Advent, Advent – not everything glitters! Beware of dubious Advent calendar shops! ∗∗∗
---------------------------------------------
Advent calendars sweeten the pre-Christmas season for young and old. But every year, dubious vendors also try to profit from the Christmas business.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-adventkalen…
∗∗∗ Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT ∗∗∗
---------------------------------------------
Two campaigns delivering Gh0st RAT to Chinese speakers show a deep understanding of the target population's virtual environment and online behavior.
---------------------------------------------
https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-r…
∗∗∗ Initial Access Brokers (IAB) in 2025 – From Dark Web Listings to Supply Chain Ransomware Events ∗∗∗
---------------------------------------------
Initial access brokers in 2025, how dark web access listings feed ransomware supply chain events like JLR, and what CISOs can do to detect and disrupt them.
---------------------------------------------
https://www.darknet.org.uk/2025/11/initial-access-brokers-iab-in-2025-from-…
∗∗∗ From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion ∗∗∗
---------------------------------------------
The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion.
---------------------------------------------
https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-e…
∗∗∗ Cat’s Got Your Files: Lynx Ransomware ∗∗∗
---------------------------------------------
The intrusion began in early March 2025 with a single successful Remote Desktop Protocol (RDP) logon to an internet-exposed system. Notably, there was no evidence of credential stuffing, brute forcing, or other failed authentication attempts from the source IP, indicating the threat actor likely possessed valid credentials before the activity occurred.
---------------------------------------------
https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/
∗∗∗ MISP v2.5.25 Release Notes ∗∗∗
---------------------------------------------
This release introduces a security fix, significant performance improvements for REST searches, new default feeds, and several important bug fixes. Security: Fixed a vulnerability that could expose user passwords in workflows.
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.25
∗∗∗ AIPAC Discloses Data Breach, Says Hundreds Affected ∗∗∗
---------------------------------------------
AIPAC reports data breach after external system access, hundreds affected, investigation ongoing with added security steps.
---------------------------------------------
https://hackread.com/aipac-data-breach-hundreds-affected/
∗∗∗ EchoGram Flaw Bypasses Guardrails in Major LLMs ∗∗∗
---------------------------------------------
HiddenLayer reveals the EchoGram vulnerability, which bypasses safety guardrails on GPT-5.1 and other major LLMs, giving security teams just a 3-month head start.
---------------------------------------------
https://hackread.com/echogram-flaw-bypass-guardrails-major-llms/
∗∗∗ Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem ∗∗∗
---------------------------------------------
Last year, Mandiant published a blog post highlighting suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries in the Middle East. In this follow-up post, Mandiant discusses additional tactics, techniques, and procedures (TTPs) observed in incidents Mandiant has responded to.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc154…
∗∗∗ No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE ∗∗∗
---------------------------------------------
After my previous post on ARM exploitation, where we crafted an exploit for a known vulnerability, I decided to continue the research on a more modern IoT target. In this follow-up post, I will take you through building a considerably more complex binary exploit. We will explore the path from firmware extraction and analysis to the discovery of a previously unknown vulnerability and its exploitation.
---------------------------------------------
https://modzero.com/en/blog/no-leak-no-problem/
∗∗∗ npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects ∗∗∗
---------------------------------------------
The Socket Threat Research Team recently discovered dino_reborn, an npm threat actor with seven packages constructing an intricate malware campaign. Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher. If the visitor is a victim, they see a fake CAPTCHA, eventually bringing them to a malicious site. If they are a security researcher, only a few tells on the fake website would tip them off that something nefarious may be occurring.
---------------------------------------------
https://socket.dev/blog/npm-malware-campaign-uses-adspect-cloaking-to-deliv…
∗∗∗ MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper ∗∗∗
---------------------------------------------
This post gives an overview of how .scpt AppleScripts are used to creatively deliver macOS malware, such as fake office documents or fake Zoom/Teams updates. Previously a technique seen in APT campaigns against macOS, we can now see samples coming from the macOS stealer ecosystem, such as MacSync and Odyssey.
---------------------------------------------
https://pberba.github.io/security/2025/11/11/macos-infection-vector-applesc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerability in Fortinet FortiWeb is being actively exploited ∗∗∗
---------------------------------------------
A critical vulnerability (CVE-2025-64446) in Fortinet FortiWeb allows unauthenticated attackers to create their own admin accounts and thereby gain full control over affected devices. The vulnerability has been actively exploited since at least 6 October 2025, and exploit code is already publicly available.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/11/kritische-sicherheitslucke-in-fort…
∗∗∗ Multiple vulnerabilities threaten Cisco Catalyst Center ∗∗∗
---------------------------------------------
Security updates close multiple vulnerabilities in Cisco's network control center, Catalyst Center.
---------------------------------------------
https://www.heise.de/news/Admin-Sicherheitsluecke-bedroht-Cisco-Catalyst-Ce…
∗∗∗ Microsoft Patch Tuesday, November 2025 Edition ∗∗∗
---------------------------------------------
Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses patched today affect all versions of Windows, including Windows 10.
---------------------------------------------
https://krebsonsecurity.com/2025/11/microsoft-patch-tuesday-november-2025-e…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-base1.0, lasso, and thunderbird), Fedora (bind9-next, chromium, containerd, fvwm3, luksmeta, opentofu, python-pdfminer, python-uv-build, ruff, rust-get-size-derive2, rust-get-size2, rust-regex, rust-regex-automata, rust-reqsign, rust-reqsign-aws-v4, rust-reqsign-command-execute-tokio, rust-reqsign-core, rust-reqsign-file-read-tokio, rust-reqsign-http-send reqwest, suricata, uv, and xmedcon), Mageia (apache-commons-beanutils, apache-commons-fileupload, apache-commons-lang, botan2, python-django, spdlog, stardict, webkit2, and yelp-xsl), Slackware (xpdf), and SUSE (bind, chromedriver, firefox, kernel, libxml2, and openssh).
---------------------------------------------
https://lwn.net/Articles/1046756/