=====================
= End-of-Day report =
=====================
Timeframe: Thursday 13-11-2025 18:00 − Friday 14-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk ∗∗∗
---------------------------------------------
The ImunifyAV malware scanner for Linux servers, used by tens of millions of websites, is vulnerable to a remote code execution vulnerability that could be exploited to compromise the hosting environment.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rce-flaw-in-imunifyav-puts-m…
∗∗∗ New ‘IndonesianFoods’ worm floods npm with 100,000 packages ∗∗∗
---------------------------------------------
A self-spreading package published on npm spams the registry by spawning new packages every seven seconds, creating large volumes of junk.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-indonesianfoods-worm-flo…
∗∗∗ DoorDash hit by new data breach in October exposing user information ∗∗∗
---------------------------------------------
DoorDash has disclosed a data breach that hit the food delivery platform this October. Beginning yesterday evening, DoorDash, which serves millions of customers across the U.S., Canada, Australia, and New Zealand, started emailing those impacted by the newly discovered security incident.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/doordash-hit-by-new-data-bre…
∗∗∗ ASUS warns of critical auth bypass flaw in DSL series routers ∗∗∗
---------------------------------------------
ASUS has released new firmware to patch a critical authentication bypass security flaw impacting several DSL series router models.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-auth-…
∗∗∗ NIS 2 implementation: Bundestag passes controversial cybersecurity law ∗∗∗
---------------------------------------------
For network operators, NIS 2 may bring a lack of legal certainty, economic risks and unnecessary bureaucracy. The Bundesrat can still change something.
---------------------------------------------
https://www.golem.de/news/nis-2-umsetzung-bundestag-beschliesst-umstrittene…
∗∗∗ Chinese spies told Claude to break into about 30 critical orgs. Some attacks succeeded ∗∗∗
---------------------------------------------
Anthropic dubs this the first AI-orchestrated cyber snooping campaign. Chinese cyber spies used Anthropic's Claude Code AI tool to attempt digital break-ins at about 30 high-profile companies and government organizations – and the government-backed snoops "succeeded in a small number of cases," according to a Thursday report from the AI company.
---------------------------------------------
https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/
∗∗∗ Cybergang cl0p claims to have stolen data from Carglass, Fluke and NHS ∗∗∗
---------------------------------------------
New entries for Carglass, Fluke and NHS have appeared on the darknet site of the criminal gang cl0p, where it claims to have stolen data.
---------------------------------------------
https://www.heise.de/news/Datenlecks-Cybergang-cl0p-will-Daten-von-Carglass…
∗∗∗ FBI: Akira gang has received nearly $250 million in ransoms ∗∗∗
---------------------------------------------
U.S. and European law enforcement released new information to help organizations defend themselves against the Akira ransomware gang, which has attacked small- and medium-sized businesses for years.
---------------------------------------------
https://therecord.media/akira-gang-received-million
∗∗∗ Suspected Russian hacker reportedly detained in Thailand, faces possible US extradition ∗∗∗
---------------------------------------------
Russian news reports and Thai sources said police had detained an alleged Russian hacker on the island of Phuket and transferred him to Bangkok for possible transfer to the U.S.
---------------------------------------------
https://therecord.media/russian-hacker-detained-thailand-possible-us-extrad…
∗∗∗ Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics ∗∗∗
---------------------------------------------
In this blog entry, Trend™ Research analyses the layered command-and-control approaches that Lumma Stealer uses to maintain its ongoing operations while enhancing collection of victim-environment data.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-finger…
∗∗∗ When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb (??) Auth. Bypass) ∗∗∗
---------------------------------------------
The Internet is ablaze, and once again we all have a front-row seat - a bad person, if you can believe it, is doing a bad thing! The first warning of such behaviour came from the great team at Defused: As many are now aware, an unnamed (and potentially silently
---------------------------------------------
https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-imp…
∗∗∗ Fortinet: New exploit abuses zero-day vulnerability in firewalls ∗∗∗
---------------------------------------------
IT researchers have found new exploit code in their honeypot. It attacks a previously unknown Fortinet security vulnerability.
---------------------------------------------
https://heise.de/-11078310
∗∗∗ Nation state threat actor used Claude Code to orchestrate cyber attacks ∗∗∗
---------------------------------------------
We recently argued that an inflection point had been reached in cybersecurity: a point at which AI models had become genuinely useful for cybersecurity operations, both for good and for ill. This was based on systematic evaluations showing cyber capabilities doubling in six months ..
---------------------------------------------
https://www.anthropic.com/news/disrupting-AI-espionage
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Vulnerabilities fixed in Thunderbird 145 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-90/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 140.5 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-91/
∗∗∗ Path confusion vulnerability in GUI ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-25-910
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 12-11-2025 18:00 − Thursday 13-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ November Patch Tuesday does its chores ∗∗∗
---------------------------------------------
A cleanup month brings 63 patches… wait, no, 68… how about 61?
---------------------------------------------
https://news.sophos.com/en-us/2025/11/12/november-patch-tuesday-does-its-ch…
∗∗∗ Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort. "The packages were systematically published ..
---------------------------------------------
https://thehackernews.com/2025/11/over-46000-fake-npm-packages-flood.html
∗∗∗ Zohocorp ManageEngine: Multiple security vulnerabilities in various products ∗∗∗
---------------------------------------------
Several vulnerability reports on flaws in multiple Zohocorp ManageEngine products have been published. Updates are available.
---------------------------------------------
https://www.heise.de/news/Zohocorp-ManageEngine-Mehrere-Sicherheitsluecken-…
∗∗∗ Operation Endgame 3: 1025 servers taken offline ∗∗∗
---------------------------------------------
International law enforcement agencies have struck another blow against malware and the infrastructure behind it.
---------------------------------------------
https://www.heise.de/news/Operation-Endgame-3-1025-Server-von-Netz-genommen…
∗∗∗ Citrix Netscaler ADC and Gateway: Update closes cross-site scripting vulnerability ∗∗∗
---------------------------------------------
Attackers can exploit a cross-site scripting vulnerability in Citrix's Netscaler ADCs and Gateways. Updates close it.
---------------------------------------------
https://www.heise.de/news/Citrix-Netscaler-ADC-und-Gateway-Update-schliesst…
∗∗∗ Google Sues to Disrupt Chinese SMS Phishing Triad ∗∗∗
---------------------------------------------
Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google.
---------------------------------------------
https://krebsonsecurity.com/2025/11/google-sues-to-disrupt-chinese-sms-phis…
∗∗∗ When the alleged copyright infringement turns out to be a scam attempt ∗∗∗
---------------------------------------------
Time and again, e-mails from supposed law firms cause alarm. The recipients have allegedly infringed copyrights, and the injured parties demand compensation. In fact, nothing about this is true: the copyright infringement never took place, and the law firm does not exist.
---------------------------------------------
https://www.watchlist-internet.at/news/copyright-verletzung-betrugsversuch/
∗∗∗ TAG Bulletin: Q3 2025 ∗∗∗
---------------------------------------------
Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q3 2025.
---------------------------------------------
https://blog.google/threat-analysis-group/tag-bulletin-q3-2025/
∗∗∗ Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery ∗∗∗
---------------------------------------------
NVISO reports a new development in the Contagious Interview campaign. The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo and npoint.io to host and deliver malware from trojanized code projects, with the lure being a use case or demo project as part of an interview process. Background: Contagious Interview ..
---------------------------------------------
https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-js…
∗∗∗ CISA and Partners Release Advisory Update on Akira Ransomware ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation, Department of Defense Cyber Crime Center, Department of Health and Human Services, and international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware, to provide network defenders with the latest indicators ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2025-006
∗∗∗ Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2025-005
∗∗∗ Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2025-008
∗∗∗ Drupal core - Moderately critical - Defacement - SA-CORE-2025-007 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2025-007
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 11-11-2025 18:00 − Wednesday 12-11-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Rhadamanthys infostealer disrupted as cybercriminals lose server access ∗∗∗
---------------------------------------------
The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rhadamanthys-infostealer-dis…
∗∗∗ VU#553375: Unprotected temporary directories in Wolfram Cloud version 14.2 may result in privilege escalation ∗∗∗
---------------------------------------------
Wolfram Cloud version 14.2 allows Java Virtual Machine (JVM) unrestricted access to temporary resources in the /tmp/ directory of the cloud environment which may result in privilege escalation, information exfiltration, and remote code execution. In the same cloud instance, temporary directories of other users may be accessible.
---------------------------------------------
https://kb.cert.org/vuls/id/553375
∗∗∗ WhatsApp Malware Maverick Hijacks Browser Sessions to Target Brazil's Biggest Banks ∗∗∗
---------------------------------------------
Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp.
---------------------------------------------
https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html
∗∗∗ Cl0p Ransomware Lists NHS UK as Victim, Days After Washington Post Breach ∗∗∗
---------------------------------------------
Cl0p ransomware lists NHS UK as a victim days after The Washington Post confirms a major Oracle E-Business breach linked to CVE-2025-61882.
---------------------------------------------
https://hackread.com/cl0p-ransomware-nhs-uk-washington-post-breach/
∗∗∗ @facebookmail.com Invites Exploited to Phish Facebook Business Users ∗∗∗
---------------------------------------------
If you manage Facebook advertising for a small or medium-sized business, open your inbox with suspicion, because attackers have been sending highly convincing invites that look like they come straight from Meta.
---------------------------------------------
https://hackread.com/facebookmail-com-invites-phish-facebook-business/
∗∗∗ Hackers Use KakaoTalk and Google Find Hub in Android Spyware Attack ∗∗∗
---------------------------------------------
North Korea-linked KONNI hackers used KakaoTalk and Google Find Hub to spy on victims and remotely wipe Android devices in a targeted phishing campaign.
---------------------------------------------
https://hackread.com/hackers-kakaotalk-google-find-hub-android-spyware/
∗∗∗ Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101) ∗∗∗
---------------------------------------------
There’s an elegance to vulnerability research that feels almost poetic - the quiet dance between chaos and control. It’s the art of peeling back the layers of complexity, not to destroy but to understand; to trace the fragile threads that hold systems together and see where they might fray.
---------------------------------------------
https://labs.watchtowr.com/is-it-citrixbleed4-well-no-is-it-good-also-no-ci…
∗∗∗ Miniatur Wunderland targeted by IT attack: credit card data leaked ∗∗∗
---------------------------------------------
Cybercriminals were able to penetrate the booking system of Miniatur Wunderland Hamburg. In doing so, they were apparently able to read payment transaction information. Investigations are still ongoing.
---------------------------------------------
https://www.heise.de/news/Miniatur-Wunderland-Ziel-von-IT-Angriff-Kreditkar…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws ∗∗∗
---------------------------------------------
Today is Microsoft's November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2025-pat…
∗∗∗ Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland ∗∗∗
---------------------------------------------
Synology has addressed a critical-severity remote code execution (RCE) vulnerability in BeeStation products that was demonstrated at the recent Pwn2Own hacking competition. The security issue (CVE-2025-12686) is described as a ‘buffer copy without checking the size of input’ problem, and can be exploited to allow arbitrary code execution.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/synology-fixes-beestation-ze…
∗∗∗ Avast and AVG: Critical security vulnerability silently fixed ∗∗∗
---------------------------------------------
A security vulnerability classified as critical was open in the malware protection programs of the Avast and AVG brands. It has since been closed, as has another, less severe one in Avast Free Antivirus.
---------------------------------------------
https://www.heise.de/news/Avast-und-AVG-Kritische-Sicherheitsluecke-stillsc…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and libtiff), Debian (kernel, libarchive, rust-sudo-rs, and squid), Fedora (chromium, dotnet8.0, forgejo, ruby, and webkitgtk), Oracle (bind, bind9.18, kernel, kernel-uek*, libtiff, and runc), Red Hat (firefox, kernel, and kernel-rt), Slackware (mozilla), SUSE (buildah, colord, containerd, kernel, lasso, libsoup, micropython, ongres-scram, openssh, proxy-helm, uyuni-tools, python-pdfminer.six, qatengine, qatlib, regclient, and runc), and Ubuntu (raptor and raptor2).
---------------------------------------------
https://lwn.net/Articles/1046173/
∗∗∗ Adobe patch day: Malicious code vulnerabilities threaten InDesign and others ∗∗∗
---------------------------------------------
Important security updates have been released for Adobe Illustrator, InCopy and Photoshop, among others.
---------------------------------------------
https://heise.de/-11074930
∗∗∗ Patch day: Intel seals dozens of security vulnerabilities ∗∗∗
---------------------------------------------
Intel also held a patch day and published 30 security advisories with updates. Seven of them are rated high risk.
---------------------------------------------
https://heise.de/-11075454
∗∗∗ DSA-6053-1 linux - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00219.html
∗∗∗ ZDI-25-991: Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-991/
∗∗∗ CVE-2025-13042: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desk…
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/11/12/cisa-adds-three-known-ex…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 10-11-2025 18:00 − Tuesday 11-11-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Quantum Route Redirect PhaaS targets Microsoft 365 users worldwide ∗∗∗
---------------------------------------------
A new phishing automation platform named Quantum Route Redirect is using around 1,000 domains to steal Microsoft 365 users' credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/quantum-route-redirect-phaas…
∗∗∗ How a CPU spike led to uncovering a RansomHub ransomware attack ∗∗∗
---------------------------------------------
A sudden CPU spike turned out to be the first clue of an in-progress RansomHub ransomware attack. Varonis breaks down how their team traced the attack from fake browser updates to domain-admin takeover, ultimately stopping the attack before files were encrypted.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/how-a-cpu-spike-led-to-uncov…
∗∗∗ Remote access from China: Britons examine their electric buses for a kill switch ∗∗∗
---------------------------------------------
An investigation from Norway has prompted further authorities to act. The Chinese manufacturer Yutong is said to be able to disable its e-buses remotely.
---------------------------------------------
https://www.golem.de/news/fernzugriff-aus-china-briten-untersuchen-ihre-ele…
∗∗∗ GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites ∗∗∗
---------------------------------------------
The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection.
---------------------------------------------
https://thehackernews.com/2025/11/gootloader-is-back-using-new-font-trick.h…
∗∗∗ Phishers try to lure 5K Facebook advertisers with fake business pages ∗∗∗
---------------------------------------------
One company alone was hit with more than 4,200 emails. More than 5,000 businesses that use Facebook for advertising were bombarded by tens of thousands of phishing emails in a credential- and data-stealing campaign.
---------------------------------------------
www.theregister.com/2025/11/10/5k_facebook_advertising_customers_phishing/
∗∗∗ Invisible worm in Visual Studio extensions: GlassWorm lives ∗∗∗
---------------------------------------------
The supply chain attack via the Visual Studio Code marketplaces discovered in mid-October apparently continues: three more packages containing GlassWorm have appeared on the Eclipse Foundation's Open VSX marketplace.
---------------------------------------------
https://www.heise.de/news/Schadsoftware-weiter-aktiv-GlassWorm-erneut-in-Op…
∗∗∗ Beware of phishing: WKO does not request data updates by e-mail! ∗∗∗
---------------------------------------------
A new phishing variant in the name of the WKO is currently circulating. The e-mail asks you to update your commercial register, directory or company data.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-phishing-wko-fordert-keine-d…
∗∗∗ You Thought It Was Over? Authentication Coercion Keeps Evolving ∗∗∗
---------------------------------------------
A new type of authentication coercion attack exploits an obscure and rarely monitored remote procedure call (RPC) interface.
---------------------------------------------
https://unit42.paloaltonetworks.com/authentication-coercion/
∗∗∗ Russian hacker to plead guilty to aiding Yanluowang ransomware group ∗∗∗
---------------------------------------------
Court documents show evidence proving Volkov served as an initial access broker for the ransomware gang — breaking into the network of victims and then offering his access for a percentage of the ransom.
---------------------------------------------
https://therecord.media/russian-hacker-to-plead-guilty-aiding-ransomware-gr…
∗∗∗ Cyber Action Toolkit: breaking down the barriers to resilience ∗∗∗
---------------------------------------------
How the NCSC’s "Cyber Action Toolkit" is helping small businesses to improve their cyber security.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/cat-breaking-down-resilience-barriers
∗∗∗ Cisco Finds Open-Weight AI Models Easy to Exploit in Long Chats ∗∗∗
---------------------------------------------
Cisco’s new research shows that open-weight AI models, while driving innovation, face serious security risks as multi-turn attacks, including conversational persistence, can bypass safeguards and expose data.
---------------------------------------------
https://hackread.com/cisco-open-weight-ai-models-long-chat-exploit/
∗∗∗ Fake NPM Package With 206K Downloads Targeted GitHub for Credentials ∗∗∗
---------------------------------------------
Veracode Threat Research exposed a targeted typosquatting attack on npm, where the malicious package @acitons/artifact stole GitHub tokens. Learn how this supply chain failure threatened the GitHub organisation's code.
---------------------------------------------
https://hackread.com/fake-npm-package-downloads-github-credentials/
∗∗∗ BSI on cybersecurity: Stably insecure ∗∗∗
---------------------------------------------
The current BSI situation report reveals glaring problems, while the responsible minister hopes for the effectiveness of new measures.
---------------------------------------------
https://heise.de/-11074222
∗∗∗ MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper ∗∗∗
---------------------------------------------
TL;DR: This gives an overview of how .scpt AppleScripts are used to creatively deliver macOS malware, such as fake office documents or fake Zoom/Teams updates. Previously a technique seen in APT campaigns for macOS, we can now see samples coming from the macOS stealer ecosystem, like MacSync and Odyssey.
---------------------------------------------
https://pberba.github.io/security/2025/11/11/macos-infection-vector-applesc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Popular JavaScript library expr-eval vulnerable to RCE flaw ∗∗∗
---------------------------------------------
A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/popular-javascript-library-e…
∗∗∗ SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor ∗∗∗
---------------------------------------------
SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credenti…
∗∗∗ Root security vulnerability threatens IBM's Db2 database system ∗∗∗
---------------------------------------------
Attackers can attack systems running IBM Db2 and Business Automation Workflow and, in the worst case, obtain root privileges to compromise PCs. Security patches are available for download.
---------------------------------------------
https://www.heise.de/news/Root-Sicherheitsluecke-bedroht-IBMs-Datenbanksyst…
∗∗∗ Security vulnerability in Dell Display and Peripheral Manager endangers PCs ∗∗∗
---------------------------------------------
If attackers successfully exploit a vulnerability in Dell Display and Peripheral Manager on Windows, they can gain elevated user privileges. The developers have closed a security vulnerability in a current version of the software. So far there are no indications of attacks already underway.
---------------------------------------------
https://heise.de/-11073226
∗∗∗ Security Vulnerabilities fixed in Firefox 145 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
∗∗∗ Ivanti November 2025 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/november-2025-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Friday 07-11-2025 18:00 − Monday 10-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Malicious NuGet packages drop disruptive time bombs ∗∗∗
---------------------------------------------
Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-dro…
∗∗∗ ClickFix Campaign Targets Hotels, Spurs Secondary Customer Attacks ∗∗∗
---------------------------------------------
Attackers compromise hospitality providers with an infostealer and RAT malware and then use stolen data to launch phishing attacks against customers via both email and WhatsApp.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/clickfix-targets-hot…
∗∗∗ Secure boot certificate rollover is real but probably won't hurt you ∗∗∗
---------------------------------------------
LWN wrote an article which opens with the assertion "Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September". This is, depending on interpretation, either misleading or just plain wrong, but also there's not a good source of truth here, so.
---------------------------------------------
https://mjg59.dreamwidth.org/72892.html
∗∗∗ Whisper Leak: A novel side-channel attack on remote language models ∗∗∗
---------------------------------------------
Microsoft has discovered a side-channel attack on language models which allows adversaries to infer model conversation topics despite the traffic being encrypted.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-nov…
∗∗∗ Honeypot: Requests for (Code) Repositories ∗∗∗
---------------------------------------------
This is just a quick diary entry to report that I saw requests on my honeypot for (code) repositories.
---------------------------------------------
https://isc.sans.edu/diary/rss/32460
∗∗∗ Slot Gacor: The Rise of Online Casino Spam ∗∗∗
---------------------------------------------
Online casino spam has been without a doubt one of the most prevalent types of spam content that we’ve seen on infected websites in recent years. An extremely common method of promoting low-quality or otherwise undesirable websites is for spammers to hack websites and fill them full of backlinks to pump their SEO.
---------------------------------------------
https://blog.sucuri.net/2025/11/slot-gacor-the-rise-of-online-casino-spam.h…
∗∗∗ Allianz UK joins growing list of Clop’s Oracle E-Business Suite victims ∗∗∗
---------------------------------------------
Insurance giant's UK arm says cybercriminals misattributed the real victim. Allianz UK confirms it was one of the many companies that fell victim to the Clop gang's Oracle E-Business Suite (EBS) attack after crims reported that they had attacked a subsidiary.
---------------------------------------------
www.theregister.com/2025/11/10/allianz_uk_joins_growing_list/
∗∗∗ Watchguard Firebox: Risk from default admin password ∗∗∗
---------------------------------------------
Watchguard versieht die Firebox-Firewalls mit Standardpasswörtern. Angreifer können sich dadurch leicht Admin-Rechte verschaffen.
---------------------------------------------
https://www.heise.de/news/Watchguard-Firebox-Gefaehrdung-durch-Standardpass…
∗∗∗ Drilling Down on Uncle Sam’s Proposed TP-Link Ban ∗∗∗
---------------------------------------------
The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say while the proposed ban may have more to do with TP-Link's ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.
---------------------------------------------
https://krebsonsecurity.com/2025/11/drilling-down-on-uncle-sams-proposed-tp…
∗∗∗ Topping up phone credit? Beware of the fake HoT website ∗∗∗
---------------------------------------------
A new scam is currently targeting customers of the mobile provider HoT. A deceptively genuine-looking website has appeared online that claims to offer HoT's official top-up service. Anyone who tries to top up their phone or WLAN credit there risks handing their credit card details to criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/handy-guthaben-aufladen-vorsicht-vor…
∗∗∗ Hack halts Dutch broadcaster, forcing radio hosts back to LPs ∗∗∗
---------------------------------------------
A Dutch TV and radio broadcaster has found itself at the mercy of cybercriminals after suffering a cyber attack, and leaving it scrambling to find ways to play music to its listeners. Read more in my article on the Hot for Security blog.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/hack-halts-dutch-broa…
∗∗∗ Don't call it Cyber Command 2.0: Master plan for digital forces will take years to implement ∗∗∗
---------------------------------------------
The latest model for improving U.S. Cyber Command is circulating at the Pentagon. Some of the initiatives will spill into the next decade — an approach that is sure to create friction on Capitol Hill and beyond.
---------------------------------------------
https://therecord.media/revised-cyber-command-master-plan-dod-pentagon
∗∗∗ Short-term renewal of cyber information sharing law appears in bill to end shutdown ∗∗∗
---------------------------------------------
An expired 2015 law that gives companies liability protection when they share cyberthreat information with the federal government would be renewed through January 30 under Senate legislation to end the government shutdown.
---------------------------------------------
https://therecord.media/cisa-2015-information-sharing-law-renewal-bill-endi…
∗∗∗ Russian missile barrage disrupts internet, customs databases in Ukraine ∗∗∗
---------------------------------------------
Emergency blackouts lasting up to 12 hours were introduced following the attack, with Kyiv and other regions facing widespread internet and communication outages, according to internet watchdog NetBlocks.
---------------------------------------------
https://therecord.media/russian-missile-barrage-disrupts-internet-ukraine
∗∗∗ Phishing campaign targets executives ∗∗∗
---------------------------------------------
Recently, executives and senior employees from various industries appear to be increasingly in the crosshairs of cybercriminals, who use phishing emails to trick the recipients into handing over data.
---------------------------------------------
https://www.borncity.com/blog/2025/11/08/phishing-kampagne-zielt-auf-fuehru…
∗∗∗ No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480 ∗∗∗
---------------------------------------------
Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet’s Triofox file-sharing and remote access platform. This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerabil…
∗∗∗ EU wants to water down the GDPR – not only for cookie banners ∗∗∗
---------------------------------------------
The "digital omnibus" planned by the EU Commission would weaken existing data protection rights. Among other things, it concerns cookies and the training of AI systems.
---------------------------------------------
https://heise.de/-11071630
∗∗∗ The state of the Rust dependency ecosystem ∗∗∗
---------------------------------------------
Over the past few days, I analyzed over 200,000 crates from crates.io to uncover patterns in maintenance, developer engagement, security, and overall ecosystem health. The results: a mix of fascinating insights, concerning trends, and reasons for optimism.
---------------------------------------------
https://00f.net/2025/10/17/state-of-the-rust-ecosystem/
∗∗∗ Balancer hack analysis and guidance for the DeFi ecosystem ∗∗∗
---------------------------------------------
On November 3, 2025, attackers exploited a vulnerability in Balancer v2 to drain more than $100M across nine blockchain networks. The attack targeted a number of Balancer v2 pools, exploiting a rounding direction error.
---------------------------------------------
https://blog.trailofbits.com/2025/11/07/balancer-hack-analysis-and-guidance…
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own ∗∗∗
---------------------------------------------
QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-fixes-seven-nas-zero-da…
∗∗∗ Security vulnerabilities in runC: attackers can break out of Docker containers ∗∗∗
---------------------------------------------
Administrators should be careful about which Docker images they use. Attackers can gain root access to the host system.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-in-runc-angreifer-koennen-aus-…
∗∗∗ runC Container Escape Vulnerabilities ∗∗∗
---------------------------------------------
High-severity vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were disclosed in early November 2025. A malicious or compromised container image can abuse how runc handles masked paths, bind-mounts, and special files to write to the host /proc filesystem and escape the container boundary - enabling remote code execution on the host, persistence, or cluster-wide denial-of-service. These issues affect virtually all Linux container stacks that use runc (Docker, containerd, CRI-O, Kubernetes, and managed services).
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6248
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 06-11-2025 18:00 − Freitag 07-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ID verification laws are fueling the next wave of breaches ∗∗∗
---------------------------------------------
ID laws are forcing companies to store massive amounts of sensitive data, turning compliance into a security risk. Acronis explains how integrated backup and cybersecurity platforms help MSPs reduce complexity and close the gaps attackers exploit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/id-verification-laws-are-fue…
∗∗∗ EFF test: these anti-virus tools protect best against spyware apps ∗∗∗
---------------------------------------------
Stalkerware makes it easy to spy on other people. A new test shows which anti-virus tools for Android offer the best protection.
---------------------------------------------
https://www.golem.de/news/test-der-eff-diese-anti-virus-tools-schuetzen-am-…
∗∗∗ The Cat's Out of the Bag: A Meow Attack Data Corruption Campaign Simulation via MAD-CAT ∗∗∗
---------------------------------------------
In 2024, I published Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack), which explored the notorious Meow attack campaign that had plagued unsecured databases since 2020. That article focused on demonstrating the attack against a single MongoDB instance using a simple Python script, a proof-of-concept that illustrates how devastating misconfigurations can be.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-cats-ou…
∗∗∗ Google Launches New Maps Feature to Help Businesses Report Review-Based Extortion Attempts ∗∗∗
---------------------------------------------
Google on Thursday said it's rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative ..
---------------------------------------------
https://thehackernews.com/2025/11/google-launches-new-maps-feature-to.html
∗∗∗ Gootloader malware back for the attack, serves up ransomware ∗∗∗
---------------------------------------------
Move fast - miscreants compromised a domain controller in 17 hours. Gootloader JavaScript malware, commonly used to deliver ransomware, is back in action after a period of reduced activity.
---------------------------------------------
https://www.theregister.com/2025/11/06/gootloader_back_ransomware/
∗∗∗ Cybercrims plant destructive time bomb malware in industrial .NET extensions ∗∗∗
---------------------------------------------
Multi-year wait for destruction comes to an end for mystery attackers. Security experts have helped remove malicious NuGet packages planted in 2023 that were designed to destroy systems years in advance, with some payloads not due to hit ..
---------------------------------------------
https://www.theregister.com/2025/11/07/cybercriminals_plant_destructive_tim…
∗∗∗ Cisco: thousands of firewalls vulnerable, new attack paths observed ∗∗∗
---------------------------------------------
Attackers have found new ways to exploit the security vulnerabilities in Cisco firewalls that have been known since the end of September. Thousands are vulnerable.
---------------------------------------------
https://www.heise.de/news/Cisco-Tausende-Firewalls-verwundbar-neue-Angriffs…
∗∗∗ Zimbra groupware: updates close several security vulnerabilities ∗∗∗
---------------------------------------------
The developers of the Zimbra groupware have closed several security vulnerabilities with updated packages.
---------------------------------------------
https://www.heise.de/news/Groupware-Zimbra-Updates-stopfen-mehrere-Sicherhe…
∗∗∗ Supply-chain attacks: almost one in three companies affected ∗∗∗
---------------------------------------------
When a company's IT is too well protected, attackers deliberately target its suppliers. Almost 28 percent of companies are affected – many of them with noticeable consequences.
---------------------------------------------
https://www.heise.de/news/Supply-Chain-Attacken-Fast-jedes-dritte-Unternehm…
∗∗∗ Exploiting AgTech connectivity to corner the grain market ∗∗∗
---------------------------------------------
I live in the countryside & as a result, know quite a few farmers. The subject of connected farming systems comes up quite a lot in the local pub. Those of you who have watched Clarkson’s Farm will understand just how complex and confusing some tractor systems ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/exploiting-agtech-connectivit…
∗∗∗ “Pay up or we share the tapes”: Hackers target massage parlour clients in blackmail scheme ∗∗∗
---------------------------------------------
South Korean police have uncovered a hacking operation that stole sensitive data from massage parlours and blackmailed their male clientele.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/pay-up-or-we-share-th…
∗∗∗ LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices ∗∗∗
---------------------------------------------
Commercial-grade LANDFALL spyware exploits CVE-2025-21042 in Samsung Android’s image processing library. The spyware was embedded in malicious DNG files.
---------------------------------------------
https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-androi…
∗∗∗ “I Paid Twice” Scam Infects Booking.com Users with PureRAT via ClickFix ∗∗∗
---------------------------------------------
Cybersecurity firm Sekoia reports a widespread fraud where criminals compromise hotel systems (Booking.com, Expedia and others) with PureRAT malware, then use stolen reservation data to phish and defraud guests.
---------------------------------------------
https://hackread.com/i-paid-twice-scam-booking-com-purerat-clickfix/
∗∗∗ What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) ∗∗∗
---------------------------------------------
Happy Friday, friends and.. others. We're glad/sorry to hear that your week has been good/bad, and it's the weekend/but at least it's almost the weekend! What're We Doing Today, Mr Fox? Today, in a tale that seems all too
---------------------------------------------
https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remot…
∗∗∗ General practitioner: "The electronic patient record is a digital cardboard box" ∗∗∗
---------------------------------------------
Data protection, technology and trust in the electronic patient record: experts discussed these topics in the state parliament of Rhineland-Palatinate.
---------------------------------------------
https://heise.de/-11069279
∗∗∗ Kubevirt security audit ∗∗∗
---------------------------------------------
Security is a core concern in the development of any open-source project. To ensure reliability and resilience, many teams choose to conduct independent audits that help identify potential weaknesses and strengthen their systems. In this context, Quarkslab experts recently performed a security assessment of KubeVirt with the goal of supporting its ..
---------------------------------------------
http://blog.quarkslab.com/kubevirt-security-audit.html
∗∗∗ Results from Testing Six AI Models on Advanced Security Exploits ∗∗∗
---------------------------------------------
We ran three advanced security vulnerabilities through GPT-5, o3, Claude, Gemini, and Grok.
---------------------------------------------
https://blog.kilocode.ai/p/we-tested-6-ai-models-on-3-advanced
∗∗∗ 9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads ∗∗∗
---------------------------------------------
Socket's Threat Research Team discovered nine malicious NuGet packages that inject time-delayed destructive payloads into database operations and target industrial control systems. Published under the NuGet alias shanhai666 between 2023 and 2024, these packages terminate the host application process with 20% probability on each database query after specific ..
---------------------------------------------
https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-des…
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 05-11-2025 18:00 − Donnerstag 06-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ 5 AI-developed malware families analyzed by Google fail to work and are easily detected ∗∗∗
---------------------------------------------
You wouldn't know it from the hype, but the results fail to impress.
---------------------------------------------
https://arstechnica.com/security/2025/11/ai-generated-malware-poses-little-…
∗∗∗ Remote access via SIM card: Danish electric buses from China can also be controlled remotely ∗∗∗
---------------------------------------------
The manufacturer Yutong can theoretically disable its electric buses remotely at any time. The vehicles are in widespread use in Denmark.
---------------------------------------------
https://www.golem.de/news/fernzugriff-per-sim-karte-auch-daenische-elektrob…
∗∗∗ Extortion and ransomware drive over half of cyberattacks ∗∗∗
---------------------------------------------
In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering.
---------------------------------------------
https://blogs.microsoft.com/on-the-issues/2025/10/16/mddr-2025/
∗∗∗ Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection ∗∗∗
---------------------------------------------
The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware. According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine.
---------------------------------------------
https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html
∗∗∗ Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine ∗∗∗
---------------------------------------------
A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities. The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense, describing it as Russia-aligned.
---------------------------------------------
https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html
∗∗∗ Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362 ∗∗∗
---------------------------------------------
Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362.
---------------------------------------------
https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.html
∗∗∗ SonicWall fingers state-backed cyber crew for September firewall breach ∗∗∗
---------------------------------------------
Spies, not crooks, were behind digital heist – damage stopped at the backups, says US cybersec biz. SonicWall has blamed an unnamed, state-sponsored collective for the September break-in that saw cybercriminals rifle through a cache of firewall configuration backups.
---------------------------------------------
https://www.theregister.com/2025/11/06/sonicwall_fingers_statebacked_cyber_…
∗∗∗ Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report ∗∗∗
---------------------------------------------
Mobile devices, IoT sensors, and OT systems are no longer distinct domains; they are the interconnected backbone of modern business and infrastructure. From the factory floor and hospital ward to the global supply chain, this convergence powers innovation and efficiency. However, it has also created a sprawling, interdependent attack surface that threat actors are exploiting with increasing speed and sophistication.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/industry-attacks-surge-mobi…
∗∗∗ Fake shops deceive online shoppers ∗∗∗
---------------------------------------------
Fake shops take people's money without delivering anything in return. According to a survey, quite a few users have been affected by this scam.
---------------------------------------------
https://www.heise.de/news/Fakeshops-taeuschen-Online-Kaeufer-11067321.html
∗∗∗ Have I Been Pwned: billions of new passwords added to the collection ∗∗∗
---------------------------------------------
Have I Been Pwned operator Troy Hunt was able to extract 1.3 billion unique passwords from infostealer data sets.
---------------------------------------------
https://www.heise.de/news/Have-I-Been-Pwned-Milliarden-neuer-Passwoerter-in…
∗∗∗ Bundestag: coalition reaches agreement on implementing the NIS2 directive ∗∗∗
---------------------------------------------
After intensive negotiations, the Union (CDU/CSU) and SPD parliamentary groups have reached agreement on revising the cybersecurity requirements for critical infrastructure.
---------------------------------------------
https://www.heise.de/news/Bundestag-Koalition-einigt-sich-bei-NIS2-Richtlin…
∗∗∗ Windows: October security updates can trigger BitLocker recovery ∗∗∗
---------------------------------------------
The October Patch Tuesday security updates for Windows can cause BitLocker recovery to start.
---------------------------------------------
https://www.heise.de/news/Windows-Oktober-Sicherheitsupdates-koennen-Bitloc…
∗∗∗ Cloudflare Scrubs Aisuru Botnet from Top Domains List ∗∗∗
---------------------------------------------
For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare's public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisuru's overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company's domain name system (DNS) service.
---------------------------------------------
https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-to…
∗∗∗ Account takeover: criminals use a fake vote to try to gain control of WhatsApp accounts ∗∗∗
---------------------------------------------
The smartphone buzzes: a new WhatsApp message has arrived. It is about a vote, a ballot for an acquaintance's daughter. The grand prize is a "free scholarship" for a young up-and-coming dancer. Behind it, however, is an attempt by criminals to take over their victims' WhatsApp accounts.
---------------------------------------------
https://www.watchlist-internet.at/news/account-takeover-fake-abstimmung/
∗∗∗ Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming ∗∗∗
---------------------------------------------
How a fast-growing scam is tricking WhatsApp users into revealing their most sensitive financial and other data.
---------------------------------------------
https://www.welivesecurity.com/en/scams/sharing-is-scaring-whatsapp-screen-…
∗∗∗ Russia’s Sandworm hackers deploying wipers against Ukraine’s grain industry ∗∗∗
---------------------------------------------
The Russian state-backed hacking unit Sandworm has been targeting Ukraine's grain industry with wiper malware amid Moscow's ongoing efforts to undermine Kyiv's wartime economy.
---------------------------------------------
https://therecord.media/russia-sandworm-grain-wipers
∗∗∗ An Unerring Spear: Cephalus Ransomware Analysis ∗∗∗
---------------------------------------------
Cephalus is a new ransomware group that first appeared in mid-June 2025. The group claims that they are motivated 100% by financial gain. Their main method of breaching organizations is by stealing credentials through Remote Desktop Protocol (RDP) accounts that do not have multi-factor authentication (MFA) enabled.
---------------------------------------------
https://asec.ahnlab.com/en/90878/
∗∗∗ Hackers Steal Personal Data and 17K Slack Messages in Nikkei Data Breach ∗∗∗
---------------------------------------------
Nikkei confirms breach after a virus infected an employee PC, exposing 17,368 names and Slack chat histories. The media giant reported the incident voluntarily.
---------------------------------------------
https://hackread.com/nikkei-data-breach-hackers-steal-data-slack-messages/
∗∗∗ What GreyNoise Learned from Deploying MCP Honeypots ∗∗∗
---------------------------------------------
GreyNoise deployed MCP honeypots to see what happens when AI middleware meets the open internet — revealing how attackers interact with this new layer of AI infrastructure.
---------------------------------------------
https://www.greynoise.io/blog/deploying-mcp-honeypots
=====================
= Vulnerabilities =
=====================
∗∗∗ [UPDATE] Cisco Secure Firewall Adaptive Security Appliance Software, Secure Firewall Threat Defense Software, IOS Software, IOS XE Software, and IOS XR Software Web Services Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Added information on first fixed releases for Cisco Secure Firewall ASA Software releases 9.12 and 9.14.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security vulnerabilities endanger PCs with Dell CloudLink and Command Monitor ∗∗∗
---------------------------------------------
Patches resolve several security problems in Dell CloudLink and Command Monitor.
---------------------------------------------
https://www.heise.de/news/Unbefugte-Zugriffe-auf-Dell-CloudLink-und-Command…
∗∗∗ WatchGuard Fireware OS IKEv2 Out-of-Bounds Vulnerability ∗∗∗
---------------------------------------------
A critical Out-of-Bounds Write vulnerability (CVE-2025-9242) exists in the WatchGuard Fireware OS iked process, which handles IKEv2 VPN connections. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on affected devices.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6247
∗∗∗ Google Issues Emergency Chrome 142 Update to Fix Multiple High-Risk Vulnerabilities ∗∗∗
---------------------------------------------
Google has rolled out an emergency update for its Chrome browser, version 142, to address a series of serious remote code execution (RCE) vulnerabilities that could allow attackers to take control of affected systems. The update, released on November 5, 2025, is being distributed gradually across desktop platforms, Windows, macOS, and Linux, as well as Android devices through Google Play and Chrome’s built-in update mechanism.
---------------------------------------------
https://thecyberexpress.com/google-chrome-142-fixes-rce-flaws/
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released four Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS: ICSA-25-310-01 Advantech DeviceOn iEdge, ICSA-25-310-02 Ubia Ubox, ICSA-25-310-03 ABB FLXeon Controllers and ICSA-25-282-01 Hitachi Energy Asset Suite (Update A). CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/11/06/cisa-releases-four-indus…
∗∗∗ CISA warns of critical CentOS Web Panel bug exploited in attacks ∗∗∗
---------------------------------------------
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning that threat actors are exploiting a critical remote command execution flaw in CentOS Web Panel (CWP).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-cento…
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 04-11-2025 18:00 − Mittwoch 05-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Current phishing wave in the name of FinanzOnline ∗∗∗
---------------------------------------------
We are currently receiving an increasing number of reports about phishing campaigns in the name of the Austrian Ministry of Finance. While one wave of emails tries to lure users with a fake VAT refund, SMS messages warn of a FinanzOnline account that has supposedly expired. Watchlist Internet is also already reporting on these attacks.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/11/aktuelle-phishingwelle-im-namen-vo…
∗∗∗ Malicious Android apps on Google Play downloaded 42 million times ∗∗∗
---------------------------------------------
Hundreds of malicious Android apps on Google Play were downloaded more than 40 million times between June 2024 and May 2025, notes a report from cloud security company Zscaler.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-android-apps-on-go…
∗∗∗ Security updates: Windows 10 confuses users with a display error about the end of support ∗∗∗
---------------------------------------------
Some Windows 10 systems report that they are no longer supported despite still being in support or having an ESU licence. According to Microsoft, this is a bug.
---------------------------------------------
https://www.golem.de/news/sicherheitsupdates-windows-10-verwirrt-nutzer-mit…
∗∗∗ Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly ∗∗∗
---------------------------------------------
Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion.
---------------------------------------------
https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.h…
∗∗∗ Microsoft gives tips on extended support for commercial Windows 10 ∗∗∗
---------------------------------------------
By now it should be well known: Microsoft officially ended support for Windows 10 on 14 October 2025. After much back and forth, private users in the EU get one year of free extended support (Extended Security Updates, ESU) if they sign up for it.
---------------------------------------------
https://www.heise.de/news/Microsoft-gibt-Tipps-fuer-erweiterten-Support-fue…
∗∗∗ Ransomware: Apache OpenOffice denies cyber attack ∗∗∗
---------------------------------------------
The Apache Software Foundation is said to have suffered a cyber attack in the context of OpenOffice in which criminals copied internal data. At least that is what the Akira ransomware gang claims on its website. Now Apache has stepped in and denies any attack.
---------------------------------------------
https://www.heise.de/news/Cybercrime-Apache-OpenOffice-dementiert-Ransomwar…
∗∗∗ No, Europol & Interpol have not opened an investigation! ∗∗∗
---------------------------------------------
It is one of the classics of online fraud: an email informing you of a recently opened investigation by Europol and/or Interpol. The accusations are serious, and all relevant information can be found in an attached document. Messages like these pose two dangers at once!
---------------------------------------------
https://www.watchlist-internet.at/news/europol-interpol-ermittlungsverfahre…
∗∗∗ 9 arrested in Europe in operation against fake platforms for crypto investments ∗∗∗
---------------------------------------------
A multinational operation in late October targeted a network that “created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns,” but simply took the money and laundered it, Eurojust said.
---------------------------------------------
https://therecord.media/9-arrested-europe-crypto-platform-takedown
∗∗∗ Norton Crack Midnight Ransomware, Release Free Decryptor ∗∗∗
---------------------------------------------
Norton finds a flaw in the new Midnight ransomware built from Babuk code and releases a free decryptor to help victims recover files without paying a ransom.
---------------------------------------------
https://hackread.com/norton-midnight-ransomware-free-decryptor/
∗∗∗ GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools ∗∗∗
---------------------------------------------
Based on recent analysis of the broader threat landscape, Google Threat Intelligence Group (GTIG) has identified a shift that occurred within the last year: adversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations. This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage…
∗∗∗ Enormous investment fraud: 9 Europeans arrested ∗∗∗
---------------------------------------------
Through dozens of cryptocurrency offerings, a European criminal network is alleged to have taken in more than 600 million euros and laundered the money via blockchains. Last week nine people were arrested at their respective residences: in Cologne, Catalonia and Cyprus.
---------------------------------------------
https://heise.de/-11056948
∗∗∗ Credit card fraud: searches on three continents ∗∗∗
---------------------------------------------
In a coordinated operation on three continents, investigators have taken action against suspected fraud and money laundering networks, including in Germany. The accused are alleged to have used credit card data of victims from 193 countries to take out more than 19 million subscriptions via professionally operated sham websites, the Federal Criminal Police Office (Bundeskriminalamt) said.
---------------------------------------------
https://heise.de/-11057117
∗∗∗ Iran-linked Threat Group Claims Breach of Israeli Defense Contractor’s Security Cameras ∗∗∗
---------------------------------------------
An Iran-linked threat group claims to have accessed the security cameras of an Israeli defense contractor and leaked videos of internal meetings and employees working on defense systems. The threat group – Cyber Toufan – has been posting about the alleged breach of Maya Engineering on its Telegram channels for at least a few weeks, but the group’s claims became public in recent days in an X post and articles on media sites such as Straight Arrow News and Breached Company.
---------------------------------------------
https://thecyberexpress.com/israeli-defense-contractors-breach/
=====================
= Vulnerabilities =
=====================
∗∗∗ Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) ∗∗∗
---------------------------------------------
Summary: Zscaler uncovered a vulnerability in Keras that exposed AI and machine learning environments to file access and network exploitation risks, highlighting the urgent need to secure the AI model supply chain.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/zscaler-discovers-vulnerabi…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9 and gimp), Fedora (chromium, fastapi-cli, fastapi-cloud-cli, gherkin, libnbd, maturin, openapi-python-client, python-annotated-doc, python-cron-converter, python-fastapi, python-inline-snapshot, python-jiter, python-openapi-core, python-platformio, python-pydantic, python-pydantic-core, python-pydantic-extra-types, python-rignore, python-starlette, python-typer, python-typing-inspection, python-uv-build, ruff, rust-astral-tokio-tar, rust-attribute-derive, rust-attribute-derive-macro, rust-collection_literals, rust-get-size-derive2, rust-get-size2, rust-interpolator, rust-jiter, rust-manyhow, rust-manyhow-macros, rust-proc-macro-utils, rust-quote-use, rust-quote-use-macros, rust-regex, rust-regex-automata, rust-reqsign, rust-reqsign-aws-v4, rust-reqsign-command-execute-tokio, rust-reqsign-core, rust-reqsign-file-read-tokio, rust-reqsign-http-send-reqwest, rust-serde_json, rust-speedate, rust-tikv-jemalloc-sys, rust-tikv-jemallocator, and uv), Mageia (golang and libavif), Red Hat (bind9.16, pcs, and qt6-qtsvg), SUSE (colord, ffmpeg, govulncheck-vulndb, jasper, openjpeg, poppler, qatengine, qatlib, runc, sccache, and tiff), and Ubuntu (keystone, libssh, linux-hwe-6.14, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-raspi, runc-app, runc-stable, squid, squid3, and unbound).
---------------------------------------------
https://lwn.net/Articles/1045124/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 03-11-2025 18:00 − Dienstag 04-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake Solidity VSCode extension on Open VSX backdoors developers ∗∗∗
---------------------------------------------
A remote access trojan dubbed SleepyDuck, and disguised as the well-known Solidity extension in the Open VSX open-source registry, uses an Ethereum smart contract to establish a communication channel with the attacker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-solidity-vscode-extensi…
∗∗∗ Ransom negotiators charged: former cybersecurity employees allegedly hacked companies ∗∗∗
---------------------------------------------
Three former employees of cybersecurity firms appear to have run an extremely dubious side business. Ransomware was involved.
---------------------------------------------
https://www.golem.de/news/ex-mitarbeiter-angeklagt-loesegeldverhandler-wohl…
∗∗∗ SesameOp: Novel backdoor uses OpenAI Assistants API for command and control ∗∗∗
---------------------------------------------
Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-bac…
∗∗∗ Apple Patches Everything, Again, (Tue, Nov 4th) ∗∗∗
---------------------------------------------
Apple released its expected set of operating system upgrades. This is a minor feature upgrade that also includes fixes for 110 different vulnerabilities. As usual for Apple, many of the vulnerabilities affect multiple operating systems. None of the vulnerabilities ..
---------------------------------------------
https://isc.sans.edu/diary/Apple+Patches+Everything+Again/32448
∗∗∗ Scattered LAPSUS$ Hunters: Anatomy of a Federated Cybercriminal Brand ∗∗∗
---------------------------------------------
Trustwave SpiderLabs’ Cyber Threat Intelligence team is tracking the recent emergence of what appears to be the consolidation of three well-known threat groups into a “federated alliance” that offers, among its activities, Extortion-as-a-Service (EaaS).
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-l…
∗∗∗ Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks ∗∗∗
---------------------------------------------
Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could be potentially exploited to run malicious operating system (OS) commands under certain ..
---------------------------------------------
https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.ht…
∗∗∗ Europol and Eurojust Dismantle €600 Million Crypto Fraud Network in Global Sweep ∗∗∗
---------------------------------------------
Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million). According to a statement released by Eurojust today, the ..
---------------------------------------------
https://thehackernews.com/2025/11/europol-and-eurojust-dismantle-600.html
∗∗∗ China's president Xi Jinping jokes about backdoors in Xiaomi smartphones ∗∗∗
---------------------------------------------
South Korea's president laughed, so perhaps it was funny? Unlike China's censorship and snooping, Chinese president Xi Jinping has joked that smartphones from Xiaomi might include backdoors.
---------------------------------------------
https://www.theregister.com/2025/11/04/chinas_president_xi_jinping_jokes/
∗∗∗ Russia blocks two-factor SMS for Telegram and WhatsApp ∗∗∗
---------------------------------------------
The Kremlin wants control over information. Blocking SMS and phone calls is meant to starve out WhatsApp and Telegram.
---------------------------------------------
https://www.heise.de/news/Russland-verhindert-2-Faktor-SMS-fuer-Telegram-un…
∗∗∗ Patchday: Critical malicious code vulnerability in Android 13, 14, 15, 16 closed ∗∗∗
---------------------------------------------
Attackers can attack Android devices and, in the worst case, execute malicious code. Security updates provide a remedy.
---------------------------------------------
https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-in-Android-13…
∗∗∗ Refund and expired ID: double phishing wave in the name of FinanzOnline ∗∗∗
---------------------------------------------
An e-mail currently being sent en masse in the name of FinanzOnline promises a generous VAT refund. Almost 300 euros are supposedly waiting. In reality, the criminals are after online banking credentials and their victims' money. Alongside this, the classic fake SMS messages warning that the FinanzOnline account is about to expire are circulating in growing numbers.
---------------------------------------------
https://www.watchlist-internet.at/news/mehrwertsteuer-phishing-finanzonline/
∗∗∗ Millions for surveillance systems: EU apparently funded the spyware industry heavily ∗∗∗
---------------------------------------------
In reaction to a recent report, 39 members of the European Parliament declared themselves "deeply concerned". The awarding of funds to questionable companies is now to be reviewed.
---------------------------------------------
https://www.derstandard.at/story/3000000294846/millionen-fuer-abhoersysteme…
∗∗∗ Cargo theft gets a boost from hackers using remote monitoring tools ∗∗∗
---------------------------------------------
Cybersecurity researchers have been tracking thieves who are using their deep knowledge of trucking and transportation technology to steal cargo.
---------------------------------------------
https://therecord.media/cargo-theft-hackers-remote-monitoring-tools
∗∗∗ More than $100 million stolen in exploit of Balancer DeFi protocol ∗∗∗
---------------------------------------------
Hackers pilfered millions of dollars worth of cryptocurrency on Monday from the decentralized finance protocol Balancer.
---------------------------------------------
https://therecord.media/crypto-heist-balancer-exploit
∗∗∗ CyberSlop — meet the new threat actor, MIT and Safe Security ∗∗∗
---------------------------------------------
Cybersecurity vendors peddling nonsense isn’t new, but lately we have a new dimension — Generative AI. This has allowed vendors — and educators — to peddle cyberslop for profit.
---------------------------------------------
https://doublepulsar.com/cyberslop-meet-the-new-threat-actor-mit-and-safe-s…
∗∗∗ PHP Cryptomining Campaign: October/November 2025 ∗∗∗
---------------------------------------------
From Aug–Oct 2025, GreyNoise observed a surge in exploitation attempts against PHP and PHP-based frameworks as attackers deployed cryptominers—driven by rising Bitcoin prices and higher mining payoffs.
---------------------------------------------
https://www.greynoise.io/blog/php-cryptomining-campaign
∗∗∗ For decriminalisation: BSI head calls for revision of the hacker paragraph ∗∗∗
---------------------------------------------
The president of the Federal Office for Information Security (BSI) has called for changes to the hacker paragraph. Support comes from the opposition.
---------------------------------------------
https://heise.de/-11044176
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dcmtk, geographiclib, gimp, pure-ftpd, and ruby-rack), Fedora (dotnet9.0), Oracle (expat, kernel, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Red Hat (git, mariadb:10.5, multiple packages, osbuild-composer, pcs, sssd, and tigervnc), SUSE (kernel and redis), and Ubuntu (google-guest-agent).
---------------------------------------------
https://lwn.net/Articles/1044949/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 31-10-2025 18:00 − Montag 03-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Open VSX rotates access tokens used in supply-chain malware attack ∗∗∗
---------------------------------------------
The Open VSX registry rotated access tokens after they were accidentally leaked by developers in public repositories and allowed threat actors to publish malicious extensions in an attempted supply-chain attack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/open-vsx-rotates-tokens-used…
∗∗∗ Hackers use RMM tools to breach freighters and steal cargo shipments ∗∗∗
---------------------------------------------
Threat actors are targeting freight brokers and trucking carriers with malicious links and emails to deploy remote monitoring and management tools (RMMs) that enable them to hijack cargo and steal physical goods.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-rmm-tools-to-bre…
∗∗∗ Attacks on the EU: unpatched Windows vulnerability has been exploited for years ∗∗∗
---------------------------------------------
The vulnerability has been known to Microsoft for more than a year. So far, however, the company refuses to provide a patch.
---------------------------------------------
https://www.golem.de/news/attacken-auf-eu-ungepatchte-windows-luecke-wird-s…
∗∗∗ Cyber threat: China could shut down Norway's electric buses at any time ∗∗∗
---------------------------------------------
This is possible because of a SIM card built into the buses, through which OTA updates are obtained. The potential consequences are far-reaching.
---------------------------------------------
https://www.golem.de/news/cyberbedrohung-china-kann-jederzeit-norwegens-ele…
∗∗∗ Warning of attacks on vulnerabilities in VMware and XWiki ∗∗∗
---------------------------------------------
Attackers are abusing vulnerabilities in VMware and XWiki, warns the IT security agency CISA. Updates close the gaps.
---------------------------------------------
https://www.heise.de/news/Warnung-vor-Angriffen-auf-Luecken-in-VMware-und-X…
∗∗∗ Monitoring software: vulnerabilities threaten IBM Tivoli Monitoring and Nagios XI ∗∗∗
---------------------------------------------
Attackers can attack IBM Tivoli Monitoring and Nagios XI and manipulate files or even execute malicious code. Security updates are available.
---------------------------------------------
https://www.heise.de/news/Monitoring-Software-IBM-Tivoli-Monitoring-und-Nag…
∗∗∗ Alleged Jabber Zeus Coder ‘MrICQ’ in U.S. Custody ∗∗∗
---------------------------------------------
A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned. Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, ..
---------------------------------------------
https://krebsonsecurity.com/2025/11/alleged-jabber-zeus-coder-mricq-in-u-s-…
∗∗∗ Who gives away a Porsche?! Data theft instead of charity ∗∗∗
---------------------------------------------
Criminals lure their victims using fake profiles on social media. They entice them to a website where a supposed prize draw for a Porsche awaits. Anyone who wants to take part must submit (very personal) information. There is no direct danger to the bank account, but the captured data is used in later fraud schemes.
---------------------------------------------
https://www.watchlist-internet.at/news/porsche-zu-verschenken/
∗∗∗ Political cyberattack at the University of Pennsylvania targets "woke" students ∗∗∗
---------------------------------------------
Among others, the hackers attacked a group that campaigns against taking ethnicity into account in the admissions process.
---------------------------------------------
https://www.derstandard.at/story/3000000294635/politischer-cyberangriff-an-…
∗∗∗ Fraud scheme: warning of supposed FinanzOnline messages ∗∗∗
---------------------------------------------
A victim in Upper Austria was cheated out of half a million euros.
---------------------------------------------
https://www.derstandard.at/story/3000000294680/betrugsmasche-warnung-vor-ve…
∗∗∗ Ernst & Young (EY): 4TB DB backup found on the internet ∗∗∗
---------------------------------------------
A small addendum from last week. Ernst & Young (EY for short) has presumably suffered a veritable data protection and security incident. Security researchers came across a backup file on the internet for a ..
---------------------------------------------
https://www.borncity.com/blog/2025/11/03/ernst-young-ey-4tb-db-backup-im-in…
∗∗∗ North Korean Hackers Caught on Video Using AI Filters in Fake Job Interviews ∗∗∗
---------------------------------------------
North Korean hackers from the Famous Chollima group used AI deepfakes and stolen identities in fake job interviews to infiltrate crypto and Web3 companies.
---------------------------------------------
https://hackread.com/north-korean-hackers-video-ai-filter-fake-job-intervie…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ilevia EVE X1/X5 Server 4.7.18.0.eden Default Credentials ∗∗∗
---------------------------------------------
The EVE X1 server uses a weak set of default administrative credentials that can be found and used to gain full control of the system.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5963.php
∗∗∗ Normal Drupal core security window rescheduled for November 12, 2025 due to DrupalCon - PSA-2025-11-03 ∗∗∗
---------------------------------------------
The upcoming Drupal core security release window has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC. Schedule change for back-to-back DrupalCons: This schedule change is due to DrupalCons Vienna and Nara overlapping the October and November core security windows. We do not schedule core security windows ..
---------------------------------------------
https://www.drupal.org/psa-2025-11-03
∗∗∗ HashiCorp Consul <= 1.21.5 Event Denial of Service (CVE-2025-11375) ∗∗∗
---------------------------------------------
ADVISORY INFORMATION: Product: HashiCorp Consul; Vendor URL: https://developer.hashicorp.com/consul; CWE: Memory Allocation with Excessive Size Value [CWE-789]; Date found: 2025-09-19; Date published: 2025-11-02; CVSSv4 Score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N); CVE: CVE-2025-11375. VERSIONS AFFECTED: Consul Community Edition <= 1.21.5; Consul Enterprise <= 1.21.5, 1.20.7, 1.19.9 and 1.18.11. INTRODUCTION: Consul is a service networking solution that enables teams to
---------------------------------------------
https://www.rcesecurity.com/2025/11/hashicorp-consul-1-21-5-event-denial-of…
∗∗∗ HashiCorp Consul <= 1.21.5 KVS Denial of Service (CVE-2025-11374) ∗∗∗
---------------------------------------------
ADVISORY INFORMATION: Product: HashiCorp Consul; Vendor URL: https://developer.hashicorp.com/consul; CWE: Memory Allocation with Excessive Size Value [CWE-789]; Date found: 2025-09-19; Date published: 2025-11-02; CVSSv4 Score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N); CVE: CVE-2025-11374. VERSIONS AFFECTED: Consul Community Edition <= 1.21.5; Consul Enterprise <= 1.21.5, 1.20.7, 1.19.9 and 1.18.11. INTRODUCTION: Consul is a service networking solution that enables teams to
---------------------------------------------
https://www.rcesecurity.com/2025/11/hashicorp-consul-1-21-5-kvs-denial-of-s…