=====================
= End-of-Day report =
=====================
Timeframe: Monday 01-12-2025 18:00 − Tuesday 02-12-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Glassworm malware returns in third wave of malicious VS Code packages ∗∗∗
---------------------------------------------
The Glassworm campaign, which first emerged on the OpenVSX and Microsoft Visual Studio marketplaces in October, is now in its third wave, with 24 new packages added on the two platforms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-in…
∗∗∗ [Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads, (Tue, Dec 2nd) ∗∗∗
---------------------------------------------
In July 2025, many of us were introduced to the Microsoft SharePoint exploit chain known as ToolShell. ToolShell exploits the deserialization and authentication bypass vulnerabilities, CVE-2025-53770 [2] and CVE-2025-53771 [3], in on-premises SharePoint Server 2016, 2019, and Subscription editions.
---------------------------------------------
https://isc.sans.edu/diary/rss/32524
∗∗∗ Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks ∗∗∗
---------------------------------------------
Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper.
---------------------------------------------
https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html
∗∗∗ Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware ∗∗∗
---------------------------------------------
And some are still active in the Microsoft Edge store. A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending people's data to servers in China.
---------------------------------------------
https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extens…
∗∗∗ Don't say "Jehova" to an LLM ∗∗∗
---------------------------------------------
The Rabbi in the old skit from Monty Python's "Life of Brian" fell for it, and for a long time, philosophers argued whether quoting someone is fundamentally different to just saying the sentence. I remember a story where one actor smuggled a wedding promise in a co-actor's copy of his lines: After the vow was made on the set and the sentence couldn't be found in the official script: is the actor now bound in real life by his promise?
---------------------------------------------
https://www.cert.at/en/blog/2025/12/dont-say-jehova-to-an-llm
∗∗∗ Proxyearth Tool Lets Anyone Trace Users in India with Just a Mobile Number ∗∗∗
---------------------------------------------
Proxyearth is a new site that shows names, Aadhaar numbers, and live locations of users in India using only mobile numbers, raising serious privacy and security concerns.
---------------------------------------------
https://hackread.com/proxyearth-trace-users-india-mobile-number/
∗∗∗ Android TV: YouTube client SmartTube was infected with malware ∗∗∗
---------------------------------------------
Unknown parties managed to infect SmartTube with malware and briefly put the tampered version into circulation. The developer has now given insights into the incident.
---------------------------------------------
https://heise.de/-11099310
∗∗∗ Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact ∗∗∗
---------------------------------------------
A deeper look at the Shai-Hulud 2.0 supply chain attack: reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.
---------------------------------------------
https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack
∗∗∗ 68% Of Phishing Websites Are Protected by CloudFlare ∗∗∗
---------------------------------------------
Earlier this year, our CTI team set out to build something we'd been thinking about for a while: a phishing intelligence pipeline that could actually keep up with the threat. We combined feeds from hundreds of independent sources with our own real-time hunt for suspicious SSL/TLS certificates.
---------------------------------------------
https://blog.sicuranext.com/68-of-phishing-websites-are-protected-by-cloudf…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (gnutls, libpng, mingw-python3, python-spotipy, source-to-image, unbound, and webkitgtk), Mageia (libpng), SUSE (bash-git-prompt, gitea-tea, java-17-openjdk, java-21-openjdk, kernel, openssh, python, and shadowsocks-v2ray-plugin, v2ray-core), and Ubuntu (binutils, openjdk-17-crac, openjdk-21-crac, and openjdk-25-crac).
---------------------------------------------
https://lwn.net/Articles/1048973/
∗∗∗ Patchday: attacks on devices running Android 13, 14, 15 and 16 observed ∗∗∗
---------------------------------------------
Important security updates have been released for various Android versions. Attacks are already taking place.
---------------------------------------------
https://heise.de/-11099576
∗∗∗ Qualcomm Issues Critical Security Alert Over Secure Boot Vulnerability ∗∗∗
---------------------------------------------
Qualcomm warned partners and device manufacturers about multiple newly discovered vulnerabilities that span its chipset ecosystem. Qualcomm released a detailed security bulletin on December 1, 2025, outlining six high-priority weaknesses in its proprietary software, including one flaw that directly compromises the secure boot process, one of the most sensitive stages in a device’s startup chain.
---------------------------------------------
https://thecyberexpress.com/qualcomm-2025-security-alert/
∗∗∗ Critical SQL Injection Flaw Exposes Sensitive Data in Devolutions Server ∗∗∗
---------------------------------------------
A batch of new vulnerabilities in Devolutions Server targets organizations that depend on the platform to manage privileged accounts, passwords, and sensitive authentication data. Devolutions has released a security advisory, identified as DEVO-2025-0018, warning customers of multiple vulnerabilities, including a critical flaw that could enable attackers to extract confidential data directly from the system’s database.
---------------------------------------------
https://thecyberexpress.com/devolutions-server-sql-injection-flaw/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-11-2025 18:00 − Monday 01-12-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Arkanix Stealer: Newly discovered short term profit malware ∗∗∗
---------------------------------------------
Recently, we stumbled upon a new stealer named Arkanix. This stealer possibly belongs to the short-lived category of stealers which aim for short-term quick financial gains.
---------------------------------------------
https://feeds.feedblitz.com/~/930747470/0/gdatasecurityblog-en~Arkanix-Stea…
∗∗∗ Up to 16 years old: tens of thousands of valid credentials leaked on Gitlab ∗∗∗
---------------------------------------------
A researcher scanned all public Gitlab repos for credentials. He found more than 17,000 but received only a rather meagre reward.
---------------------------------------------
https://www.golem.de/news/bis-zu-16-jahre-alt-zehntausende-gueltige-zugangs…
∗∗∗ North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware ∗∗∗
---------------------------------------------
The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month.
---------------------------------------------
https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
∗∗∗ New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control ∗∗∗
---------------------------------------------
A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a "full spectrum" of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.
---------------------------------------------
https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html
∗∗∗ Google and Apple ordered to stop fake government TXTs ∗∗∗
---------------------------------------------
Singapore’s government last week told Google and Apple to prevent fake government messages.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/01/asia_tech_ne…
∗∗∗ The WIRED Guide to Digital Opsec for Teens ∗∗∗
---------------------------------------------
Practicing good “operations security” is essential to staying safe online. Here’s a complete guide for teenagers (and anyone else) who wants to button up their digital lives.
---------------------------------------------
https://www.wired.com/story/digital-opsec-for-teens/
∗∗∗ how i found a europa.eu compromise (thanks to cricket) ∗∗∗
---------------------------------------------
While looking for a way to stream the India vs Pakistan cricket match on 14th September 2025, I stumbled across a suspicious search result on a europa.eu dev subdomain. It was being abused for blackhat SEO and redirecting users to scam streaming sites. I traced similar behavior across other high-profile domains, reported the issue to CERT-EU via email (after some Twitter help) and the problem was later confirmed as fixed on 6th November 2025. This post walks through how I found it, how I reported it and what we can learn from it.
---------------------------------------------
https://blog.himanshuanand.com/2025/11/how-i-found-a-europa.eu-compromise-t…
∗∗∗ South Korea: data on two thirds of the population siphoned from online retailer ∗∗∗
---------------------------------------------
A former Coupang employee is alleged to have siphoned off data on the entire customer base of South Korea's largest online retailer.
---------------------------------------------
https://www.heise.de/news/Suedkorea-Bei-Onlinehaendler-Daten-zu-zwei-Dritte…
∗∗∗ Webinar: Using smartphones, tablets & co. securely ∗∗∗
---------------------------------------------
How can I protect my personal data on my smartphone, tablet & co.? How do I recognise viruses and trojans on my device, and what should I do then? In this webinar we show you the most important security settings, from permissions and data protection to screen-time limits.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-…
∗∗∗ Football shirts at bargain prices? These fake shops only score own goals ∗∗∗
---------------------------------------------
Football players, watch out! Fake shops offering cheap shirts are swarming right now.
---------------------------------------------
https://www.watchlist-internet.at/news/fussballtrikots-zum-schnaeppchenprei…
∗∗∗ Awareness for web security: the OWASP Top Ten 2025 ∗∗∗
---------------------------------------------
The first release candidate of the new OWASP Top Ten reveals the biggest security risks in web development, from configuration to the software supply chain.
---------------------------------------------
https://heise.de/-11098119
∗∗∗ India Enforces Mandatory SIM-Binding for Messaging Apps Under New DoT Rules ∗∗∗
---------------------------------------------
India’s Department of Telecommunications (DoT) has introduced a shift in the way messaging platforms operate in the country, mandating the adoption of SIM-binding as a core security requirement. Under the Telecommunication Cybersecurity Amendment Rules, 2025, all major messaging services, including Telegram, and regional platforms such as Arattai, must ensure that their applications remain continuously linked to an active SIM card on the user’s device.
---------------------------------------------
https://thecyberexpress.com/sim-binding-dot-rule/
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#633103: Insufficient Session Cookie Invalidation in nopCommerce ASP.NET Core eCommerce Platform ∗∗∗
---------------------------------------------
nopCommerce, an ecommerce platform, fails to invalidate session cookies upon user logout or session termination, enabling attackers to use the captured cookie to gain access to the application. Version 4.70 and after, with the exception of 4.80.3, fixes the vulnerability put forth by CVE-2025-11699. Users on version 4.80.3, or any version of nopCommerce prior to version 4.70, should update to the latest version, 4.90.3, as soon as possible.
---------------------------------------------
https://kb.cert.org/vuls/id/633103
∗∗∗ CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation.
---------------------------------------------
https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bind9.18, cups, gimp, ipa, kernel, libssh, mingw-expat, openssl, pcs, sssd, tigervnc, and valkey), Debian (gnome-shell-extension-gsconnect, mistral-dashboard, pagure, python-mistralclient, pytorch, qtbase-opensource-src, sogo, tryton-server, and unbound), Fedora (cef, drupal7, glib2, linux-firmware, migrate, pack, pgadmin4, rnp, and unbound), Slackware (libxslt), SUSE (cpp-httplib, curl, glib2, grub2, kernel, libcoap-devel, libcryptopp, libwireshark19, postgresql15, and postgresql17), and Ubuntu (edk2).
---------------------------------------------
https://lwn.net/Articles/1048817/
∗∗∗ Security update: crafted XML files can bring GeoServer down ∗∗∗
---------------------------------------------
If attackers successfully exploit vulnerabilities in GeoServer, they can, among other things, execute malicious code. The developers have now fixed the security problems in current versions.
---------------------------------------------
https://heise.de/-11097923
∗∗∗ Microsoft Entra ID blocks external third-party scripts ∗∗∗
---------------------------------------------
A small addendum from last week that may affect administrators in enterprise environments. Microsoft wants to improve the security of Microsoft Entra ID authentication. To that end, external script injections are to be blocked, as a developer explained in a post on the Microsoft Entra blog.
---------------------------------------------
https://www.borncity.com/blog/2025/12/01/microsoft-entra-id-blockt-externe-…