=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 10-12-2025 18:00 − Donnerstag 11-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Identitätsklau möglich: Gravierende Sicherheitsmängel bei eID-Karten aufgedeckt ∗∗∗
---------------------------------------------
Seit 2021 können EU-Bürger in Deutschland eine sogenannte eID-Karte beantragen, um sich beispielsweise bei Onlinediensten auszuweisen. Recherchen der Süddeutschen Zeitung zufolge gibt es bei der Beantragung dieser Karten aber erhebliche Sicherheitsprobleme, weil Ämter wohl oft nicht sauber prüfen können, wer eigentlich der Antragsteller ist. Mögliche Folgen sind Missbrauch für Geldwäsche und andere betrügerische Aktivitäten.
---------------------------------------------
https://www.golem.de/news/identitaetsklau-moeglich-gravierende-sicherheitsm…
∗∗∗ Brisantes Datenleck auf Docker Hub: Über 10.000 Docker-Images leaken Zugangsdaten ∗∗∗
---------------------------------------------
Sicherheitsforscher von Flare haben auf Docker Hub bereitgestellte Docker-Images auf enthaltene Anmeldeinformationen durchsucht und sind fündig geworden. Laut eigenem Blogbeitrag fanden die Forscher bei einem einmonatigen Suchlauf in mehr als 10.000 Images unzählige Geheimnisse von über 100 verschiedenen Organisationen – darunter ein Fortune-500-Unternehmen und eine große staatliche Bank.
---------------------------------------------
https://www.golem.de/news/docker-hub-zugangsdaten-in-ueber-10-000-docker-im…
∗∗∗ NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes.
---------------------------------------------
https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html
∗∗∗ SMS vom Bundeskanzleramt? Phishing-Falle statt Rückerstattung ∗∗∗
---------------------------------------------
Eine SMS-Nachricht, versendet im Namen des Bundeskanzleramts, verspricht eine Rückerstattung von über 100 Euro. Dahinter verbirgt sich aber wenig überraschend nichts anderes als eine Phishing-Falle. Kriminelle wollen über diesen Weg an Login-Daten für Onlinebanking gelangen.
---------------------------------------------
https://www.watchlist-internet.at/news/bundeskanzleramt-phishing-rueckersta…
∗∗∗ Scammers Sent 40,000 E-Signature Phishing Emails to 6,000 Firms in Just 2 Weeks ∗∗∗
---------------------------------------------
Phishing campaign: Scammers sent over 40,000 spoofed SharePoint, DocuSign and e-sign emails to companies, hiding malicious links behind trusted redirect services.
---------------------------------------------
https://hackread.com/scammers-e-signature-phishing-emails/
∗∗∗ New ‘DroidLock’ Android Malware Locks Users Out, Spies via Front Camera ∗∗∗
---------------------------------------------
Zimperium zLabs reveals DroidLock, a new Android malware acting like ransomware that can hijack Android devices, steal credentials via phishing, and stream your screen via VNC.
---------------------------------------------
https://hackread.com/droidlock-android-malware-users-spy-camera/
∗∗∗ Active Attacks Exploit Gladinets Hard-Coded Keys for Unauthorized Access and Code Execution ∗∗∗
---------------------------------------------
Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far.
---------------------------------------------
https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.ht…
∗∗∗ .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL ∗∗∗
---------------------------------------------
New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the "invalid cast vulnerability" SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the number of affected vendors is likely to be longer given the widespread use of .NET.
---------------------------------------------
https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html
∗∗∗ New ConsentFix attack hijacks Microsoft accounts via Azure CLI ∗∗∗
---------------------------------------------
A new variation of the ClickFix attack dubbed 'ConsentFix' abuses the Azure CLI OAuth app to hijack Microsoft accounts without the need for a password or to bypass multi-factor authentication (MFA) verifications.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijack…
∗∗∗ Hackers exploit unpatched Gogs zero-day to breach 700 servers ∗∗∗
---------------------------------------------
An unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, has enabled attackers to gain remote code execution on Internet-facing instances and compromise hundreds of servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-gogs-zero-day-rce-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, firefox-esr, libsndfile, and rear), Fedora (httpd, perl-CGI-Simple, and tinyproxy), Oracle (firefox, kernel, libsoup, mysql8.4, tigervnc, tomcat, tomcat9, and uek-kernel), SUSE (alloy, curl, dovecot24, fontforge, glib2, himmelblau, java-17-openjdk, java-21-openjdk, kernel, krb5, lasso, libvirt, mozjs128, mysql-connector-java, nvidia-open-driver-G07-signed-check, openssh, poppler, postgresql17, postgresql18, python-cbor2, python-Django, python310, python311-Django, runc, strongswan, tomcat11, and xwayland), and Ubuntu (binutils, libpng1.6, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux, linux-aws, linux-gcp, linux-realtime, and qtbase-opensource-src).
---------------------------------------------
https://lwn.net/Articles/1050117/
∗∗∗ Google warnt vor Sicherheitslücke: Chrome-Nutzer werden attackiert ∗∗∗
---------------------------------------------
Ein Notfallupdate für den Webbrowser Chrome schließt mehrere gefährliche Sicherheitslücken. Mindestens eine davon wird bereits ausgenutzt.
---------------------------------------------
https://www.golem.de/news/google-warnt-vor-sicherheitsluecke-chrome-nutzer-…
∗∗∗ Barracuda RMM: Kritische Sicherheitslücken erlauben Codeschmuggel ∗∗∗
---------------------------------------------
IT-Verantwortliche, die ihre IT mit Barracuda RMM – ehemals unter dem Namen Managed Workplace bekannt – verwalten, sollten schleunigst den bereitstehenden Hotfix 2025.1.1 installieren, sofern das noch nicht geschehen ist. Er schließt mehrere Sicherheitslücken, von denen gleich drei die Höchstwertung CVSS 10 erhalten und damit ein großes Risiko darstellen.
---------------------------------------------
https://heise.de/-11111274
∗∗∗ WinRAR: Codeschmuggel-Lücke wird attackiert ∗∗∗
---------------------------------------------
Im Packprogramm WinRAR klafft bis zur Version 7.12 Beta 1 eine Sicherheitslücke, die Angreifern das Einschleusen von Schadcode erlaubt. Attacken auf diese Lücken wurden nun beobachtet. Wer WinRAR einsetzt, sollte daher zügig auf eine neuere Version aktualisieren.
---------------------------------------------
https://heise.de/-11111474
∗∗∗ ZDI-25-1060: Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1060/
∗∗∗ MISP v2.5.28 Release: Security, Dashboard Upgrade, and Community Enhancements ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.28
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 09-12-2025 18:00 − Mittwoch 10-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Der doppelte Login: Phishing-Versuch bei der Salzburg AG ∗∗∗
---------------------------------------------
Mit Phishing-Mails locken Kriminelle die Kund:innen der Salzburg AG auf eine gefälschte Login-Seite. Der erste Anmeldeversuch schlägt zwar fehl, übermittelt aber Usernamen und Passwort an die Betrüger:innen – und öffnet die echte Eingabemaske. Da der zweite Versuch klappt, schöpfen die Opfer keinen Verdacht. Warum die Masche auch für Nicht-Kund:innen relevant ist, erklärt dieser Artikel.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-doppelter-login/
∗∗∗ 01flip: Multi-Platform Ransomware Written in Rust ∗∗∗
---------------------------------------------
In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/
∗∗∗ Opportunistic Pro-Russia Hacktivists Attack US and Global Critical Infrastructure ∗∗∗
---------------------------------------------
CISA, in partnership with Federal Bureau of Investigation, the National Security Agency, Department of Energy, Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/09/opportunistic-pro-russia…
∗∗∗ Spiderman Phishing Kit Targets European Banks with Real-Time Credential Theft ∗∗∗
---------------------------------------------
Varonis threat analysts warn about Spiderman, a dangerous new kit that automates attacks against European banks and crypto customers, stealing a victim’s full identity profile.
---------------------------------------------
https://hackread.com/spiderman-phishing-kit-european-banks-credential-theft/
=====================
= Vulnerabilities =
=====================
∗∗∗ Besser manuell patchen: Hacker nutzen gefährliche Lücke im Notepad++-Updater aus ∗∗∗
---------------------------------------------
Angreifer verbreiten über eine Sicherheitslücke im Updater von Notepad++ Malware. Der Entwickler warnt und rät zum Update – aber besser von Hand.
---------------------------------------------
https://www.golem.de/news/besser-manuell-patchen-hacker-nutzen-gefaehrliche…
∗∗∗ Patchday: Angreifer nutzen Sicherheitslücke in Windows und Windows Server aus ∗∗∗
---------------------------------------------
Derzeit haben Angreifer unter anderem Windows 11 und Windows Server 2022 im Visier. Demzufolge sollten Admins sicherstellen, dass Windows Update auf ihren Systemen aktiv ist und die aktuellen Sicherheitspatches installiert sind.
---------------------------------------------
https://www.heise.de/news/Patchday-Angreifer-nutzen-Sicherheitsluecke-in-Wi…
∗∗∗ Bitdefender: Sicherheitsleck ermöglicht Rechteausweitung im Virenschutz ∗∗∗
---------------------------------------------
In der Virenschutzsoftware von Bitdefender wurde eine Sicherheitslücke entdeckt, die Angreifern das Ausweiten ihrer Rechte im System ermöglicht. Betroffen sind diverse Bitdefender-Varianten. Aktualisierungen zum Ausbessern der Schwachstelle sind verfügbar.
---------------------------------------------
https://www.heise.de/news/Bitdefender-Sicherheitsleck-ermoeglicht-Rechteaus…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (abrt and kernel), Debian (libpng1.6, libsoup2.4, pdns-recursor, webkit2gtk, and wordpress), Fedora (imhex, libwebsockets, lunasvg, python3-docs, and python3.14), Mageia (python3 and webkit2), Red Hat (abrt, firefox, mysql8.4, and postgresql:15), Slackware (mozilla), SUSE (gegl, gnutls, go1.24, go1.25, libpng16-16, openssh, postgresql13, python-Jinja2, and sssd), and Ubuntu (fonttools and netty).
---------------------------------------------
https://lwn.net/Articles/1049939/
∗∗∗ Fortinet-Patchday: SSO-Login in vielen Produkten umgehbar ∗∗∗
---------------------------------------------
Angreifer können verschiedene Fortinet-Produkte attackieren und sich unter anderem unbefugt Zugriff verschaffen. Sicherheitsupdates stehen zum Download bereit. Bislang sind keine Berichte zu laufenden Attacken bekannt. Admins sollten mit dem Patchen aber nicht zu lange warten.
---------------------------------------------
https://heise.de/-11109878
∗∗∗ Ivanti stopft kritische Sicherheitlücke im Endpoint Manager ∗∗∗
---------------------------------------------
Ein Update für Ivantis Endpoint Manager schließt unter anderem eine kritische Sicherheitslücke, durch die Angreifer Javascript einschleusen können.
---------------------------------------------
https://heise.de/-11110277
∗∗∗ DSA-6075-1 wordpress - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00241.html
∗∗∗ ZDI-25-1045: Schneider Electric PowerChute Serial Shutdown Directory Traversal Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1045/
∗∗∗ ZDI-25-1042: Siemens Simcenter Femap IGS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1042/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 140.6 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-96/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 146 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-95/
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-releases-three-indu…
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-adds-two-known-expl…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-expl…
∗∗∗ K000158128: SQLite vulnerability CVE-2025-6965 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158128
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 05-12-2025 18:00 − Dienstag 09-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malicious VSCode extensions on Microsofts registry drop infostealers ∗∗∗
---------------------------------------------
Two malicious extensions on Microsoft's Visual Studio Code Marketplace infect developers' machines with information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-…
∗∗∗ Ransomware gangs turn to Shanya EXE packer to hide EDR killers ∗∗∗
---------------------------------------------
Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-sha…
∗∗∗ North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks ∗∗∗
---------------------------------------------
A new malware implant called EtherRAT, deployed in a recent React2Shell attack, runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for communication with the attacker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit…
∗∗∗ ‘Broadside’ Mirai Variant Targets Maritime Logistics Sector ∗∗∗
---------------------------------------------
Yet another variant of the Mirai botnet is threatening the maritime logistics sector by exploiting a critical flaw in digital recording devices used by companies on seagoing vessels. The attacks allow for remote command injection via the vulnerability, enabling attackers to establish Netlink-based process monitoring for persistence and other malicious activities.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-mar…
∗∗∗ Lumma Stealer: Danger lurking in fake game updates from itch.io and Patreon ∗∗∗
---------------------------------------------
After patches on mainstream gaming platforms like Steam, indie game platforms as well as Patreon have become the latest platforms for distributing malware.
---------------------------------------------
https://feeds.feedblitz.com/~/932262560/0/gdatasecurityblog-en~Lumma-Steale…
∗∗∗ Attacken laufen bereits: Rund 29.000 Server über React-Lücke angreifbar ∗∗∗
---------------------------------------------
Angreifer attackieren eine React2Shell genannte kritische Lücke im React-Framework. Allein in Deutschland gibt es noch über 3.000 anfällige Server.
---------------------------------------------
https://www.golem.de/news/attacken-laufen-bereits-rund-29-000-server-ueber-…
∗∗∗ Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails ∗∗∗
---------------------------------------------
A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show.
---------------------------------------------
https://thehackernews.com/2025/12/zero-click-agentic-browser-attack-can.html
∗∗∗ Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher, as another upgraded version of ClayRat has been spotted in the wild.
---------------------------------------------
https://thehackernews.com/2025/12/android-malware-fvncbot-seedsnatcher.html
∗∗∗ Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT.
---------------------------------------------
https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
∗∗∗ STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware ∗∗∗
---------------------------------------------
Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565.
---------------------------------------------
https://thehackernews.com/2025/12/stac6565-targets-canada-in-80-of.html
∗∗∗ Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading ∗∗∗
---------------------------------------------
The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks.
---------------------------------------------
https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.h…
∗∗∗ Novel clickjacking attack relies on CSS and SVG ∗∗∗
---------------------------------------------
Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/05/css_svg_clic…
∗∗∗ Crims using social media images, videos in virtual kidnapping scams ∗∗∗
---------------------------------------------
Criminals are altering social media and other publicly available images of people to use as fake proof of life photos in "virtual kidnapping" and extortion scams, the FBI warned on Friday.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/05/virtual_kidn…
∗∗∗ New Prompt Injection Attack Vectors Through MCP Sampling ∗∗∗
---------------------------------------------
This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools.
---------------------------------------------
https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/
∗∗∗ New BYOVD loader behind DeadLock ransomware attack ∗∗∗
---------------------------------------------
Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload.
---------------------------------------------
https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/
∗∗∗ Space Bears Ransomware Claims Comcast Data Theft Through QuasarBreach ∗∗∗
---------------------------------------------
Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia.
---------------------------------------------
https://hackread.com/space-bears-ransomware-comcast-quasar-breach/
∗∗∗ ChrimeraWire Trojan Fakes Chrome Activity to Manipulate Search Rankings ∗∗∗
---------------------------------------------
ChrimeraWire is a new Windows trojan that automates web browsing through Chrome to simulate user activity and manipulate search engine rankings.
---------------------------------------------
https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/
∗∗∗ SimpleX Chat X Account Hacked, Fake Site Promotes Crypto Wallet Scam ∗∗∗
---------------------------------------------
SimpleX Chat’s X account hacked to promote fake crypto site urging users to connect wallets. Site mimicked official design to steal funds.
---------------------------------------------
https://hackread.com/simplex-chat-x-account-hacked-fake-site-wallet-scam/
∗∗∗ Coupongogo: Remote-Controlled Crypto Stealer Targeting Developers on GitHub ∗∗∗
---------------------------------------------
Deep dive into the Coupongogo browser extension (v1.1.12): The alarming cryptostealer waiting for activation.
---------------------------------------------
https://www.rastersec.com/blog/coupongogo-cryptostealer
∗∗∗ CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones ∗∗∗
---------------------------------------------
CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.
---------------------------------------------
https://www.ibm.com/think/x-force/cve-2023-20078-technical-analysis
∗∗∗ Malicious Crate Mimicking ‘Finch’ Exfiltrates Credentials via a Hidden Dependency ∗∗∗
---------------------------------------------
Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates.
---------------------------------------------
https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credent…
∗∗∗ Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks ∗∗∗
---------------------------------------------
Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.
---------------------------------------------
https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-6073-1 ffmpeg - security update ∗∗∗
---------------------------------------------
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00239.html
∗∗∗ Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch ∗∗∗
---------------------------------------------
A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.
---------------------------------------------
https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
∗∗∗ Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks ∗∗∗
---------------------------------------------
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations.
---------------------------------------------
https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.ht…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, krita, lasso, and libpng1.6), Fedora (abrt, cef, chromium, tinygltf, webkitgtk, and xkbcomp), Oracle (buildah, delve and golang, expat, python-kdcproxy, qt6-qtquick3d, qt6-qtsvg, sssd, thunderbird, and valkey), Red Hat (webkit2gtk3), and SUSE (git-bug, go1, and libpng12-0).
---------------------------------------------
https://lwn.net/Articles/1049657/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (abrt and mingw-libpng), Mageia (apache and libpng), Oracle (abrt, go-toolset:rhel8, kernel, sssd, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (gimp, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, and postgresql13), and Ubuntu (gnupg2, python-apt, radare2, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1049769/
∗∗∗ iOS 26.2: Apple behebt kritische Bugs im zweiten Release Candidate ∗∗∗
---------------------------------------------
Das wahrscheinlich letzte große iOS-Update des Jahres, iOS 26.2, lässt etwas länger auf sich warten: Apple hat stattdessen am Montagabend deutscher Zeit einen zweiten Release Candidate des Updates für das iPhone-Betriebssystem veröffentlicht. Was genau im RC2 geändert wurde, verrieten die Kalifornier bisher nicht. Es gilt aber als sicher, dass einer oder mehrere kritische Fehler behoben werden. Offen bleibt, wann mit dem finalen Release zu rechnen ist.
---------------------------------------------
https://heise.de/-11108257
∗∗∗ Multiple vulnerabilities in ABB Terra AC Wallbox ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN84024274/
∗∗∗ Multiple vulnerabilities in GroupSession ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN19940619/
∗∗∗ SAP-Patchday: 14 Sicherheitswarnungen zum Jahresende ∗∗∗
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-14-Sicherheitswarnungen-zum-Jahresen…
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 140.6 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-94/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.31 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-93/
∗∗∗ Security Vulnerabilities fixed in Firefox 146 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-92/
∗∗∗ Vulnerability Summary for the Week of December 1, 2025 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb25-342
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-expl…
∗∗∗ K000158118: PostgreSQL vulnerabilities CVE-2025-8713, CVE-2025-8715 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158118
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 04-12-2025 18:00 − Freitag 05-12-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ React2Shell - Angriffe gegen verwundbare Anwendungen auf von Basis React.JS und weiterer Frameworks ∗∗∗
---------------------------------------------
Diese Woche wurden kritische Sicherheitslücken in den React Server Components veröffentlicht. Diese Schwachstellen ermöglichen unauthentifizierte Remote-Code Execution sofern Anwendungen die betroffenen Server Components einsetzen. Mittlerweile wird diese Sicherheitslücke aktiv ausgenutzt um verwundbare Installationen zu kompromittieren. Proof-of-Concept Exploits sind bereits öffentlich zugänglich. CVE-Nummer(n): CVE-2025-55182
---------------------------------------------
https://www.cert.at/de/warnungen/2025/12/react2shell-angriffe-gegen-verwund…
∗∗∗ CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far ∗∗∗
---------------------------------------------
GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as “React2Shell” and tracked as CVE-2025-55182.
---------------------------------------------
https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-expl…
∗∗∗ Cloudflare blames todays outage on emergency React2Shell patch ∗∗∗
---------------------------------------------
Cloudflare has blamed todays outage on the emergency patching of a critical React remote code execution vulnerability, which is now actively exploited in attacks. [..] "The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components," Cloudflare CTO Dane Knecht noted in a post-mortem.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-out…
∗∗∗ Cybersecurity industry overreacts to React vulnerability, starts panic, burns own house down again ∗∗∗
---------------------------------------------
The disclosure write up is great — it’s full of facts, and explains when you are and aren’t vulnerable. I don’t think anybody knows how to parse it and people have started taking actions before even knowing what they’re doing. [..] Check with your developers and suppliers if they even use React v19 yet. They most probably don’t, in which case you aren’t vulnerable.
---------------------------------------------
https://doublepulsar.com/cybersecurity-industry-overreacts-to-react-vulnera…
∗∗∗ Hackers are exploiting ArrayOS AG VPN flaw to plant webshells ∗∗∗
---------------------------------------------
Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. Array Networks fixed the vulnerability in a May security update, but has not assigned an identifier, complicating efforts to track the flaw and patch management.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-array…
∗∗∗ FBI warns of virtual kidnapping scams using altered social media photos ∗∗∗
---------------------------------------------
The FBI warns that criminals are altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapp…
∗∗∗ Asus supplier hit by ransomware attack as gang flaunts alleged 1 TB haul ∗∗∗
---------------------------------------------
Laptop maker says a vendor breach exposed some phone camera code, but not its own systems Asus has admitted that a third-party supplier was popped by cybercrims after the Everest ransomware gang claimed it had rifled through the tech titans internal files.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/05/asus_supplie…
∗∗∗ SMS Phishers Pivot to Points, Taxes, Fake Retailers ∗∗∗
---------------------------------------------
Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.
---------------------------------------------
https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake…
∗∗∗ Warnung: Neue Phishing-E-Mails im Namen der WKO im Umlauf ∗∗∗
---------------------------------------------
Kriminelle imitieren besonders gern bekannte Organisationen. Aktuell ist erneut die WKO betroffen. Bei einer neuen Phishing-Variante werden Empfänger:innen unter dem Vorwand einer „Qualitätssicherung“ dazu aufgefordert, ihre Daten zu überprüfen.
---------------------------------------------
https://www.watchlist-internet.at/news/wko-phishing-e-mails-datenerfassung/
∗∗∗ A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect ∗∗∗
---------------------------------------------
GreyNoise detected a surge of 7,000+ IPs attempting to log into GlobalProtect, sharing fingerprints with a surge in SonicWall API scanning and earlier Palo Alto campaigns, exposing a persistent credential-based attack pattern.
---------------------------------------------
https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-…
∗∗∗ November CVEs Fell 25% YoY, Driven by Slowdowns at Major CNAs ∗∗∗
---------------------------------------------
2025 CVE volume is still running ahead of 2024 overall, even as November cooled off year over year. [..] For security teams, the practical takeaway is to be careful about using “global CVE count” as a proxy for risk. CVE volume can still be useful as a publishing health signal, especially when concentrated among a small number of high-output CNAs and programs.
---------------------------------------------
https://socket.dev/blog/november-cves-fell-25-yoy-driven-by-slowdowns-at-ma…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, firefox, gimp:2.8, go-toolset:rhel8, ipa, kea, kernel, kernel-rt, pcs, qt6-qtquick3d, qt6-qtsvg, systemd, and valkey), Debian (chromium and unbound), Fedora (alexvsbus, CuraEngine, fcgi, libcoap, python-kdcproxy, texlive-base, timg, and xpdf), Mageia (digikam, darktable, libraw, gnutls, python-django, unbound, webkit2, and xkbcomp), Oracle (bind, firefox, gimp:2.8, haproxy, ipa, java-25-openjdk, kea, kernel, libsoup3, libssh, libtiff, openssl, podman, qt6-qtsvg, squid, systemd, vim, and xorg-x11-server-Xwayland), Slackware (httpd and libpng), SUSE (chromedriver, kernel, and python-mistralclient), and Ubuntu (cups, linux-azure, linux-gcp, linux-gcp, linux-gke, linux-gkeop, linux-ibm-6.8, linux-iot, and mame).
---------------------------------------------
https://lwn.net/Articles/1049417/
∗∗∗ VU#441887: Duc contains a stack buffer overflow vulnerability in the buffer_get function, allowing for out-of-bounds memory read ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/441887
∗∗∗ Drupal: Security advisories for contributed projects ∗∗∗
---------------------------------------------
https://www.drupal.org/security/contrib
∗∗∗ Socomec DIRIS Digiware M series and Easy Config, PDF XChange Editor vulnerabilities ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/socomec-diris-digiware-m-series-and-easy…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 03-12-2025 18:30 − Donnerstag 04-12-2025 18:30
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Fraudulent gambling network may be a nation-state spying operation ∗∗∗
---------------------------------------------
A sprawling infrastructure that has been bilking unsuspecting people through fraudulent gambling websites for 14 years is likely a dual operation run by a nation-state-sponsored group that is targeting government and private-industry organizations in the US and Europe, researchers said Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/12/fraudulent-gambling-network-may-be…
∗∗∗ Sparkurs bei MacOS: Apple verärgert Forscher mit gekürzten Bug-Bounty-Prämien ∗∗∗
---------------------------------------------
Forscher, die Sicherheitslücken in dem Apple-Betriebssystem MacOS erkunden und an den Hersteller melden, erhalten dafür künftig geringere Belohnungen. Darauf machte kürzlich der Sicherheitsforscher Csaba Fitzl in einem Beitrag auf Linkedin aufmerksam. Er wirft Apple vor, MacOS mit diesem Schritt abzuwerten und sich nicht mehr für den Datenschutz der Nutzer zu interessieren.
---------------------------------------------
https://www.golem.de/news/macos-apple-veraergert-forscher-mit-gekuerzten-bu…
∗∗∗ Attempts to Bypass CDNs, (Wed, Dec 3rd) ∗∗∗
---------------------------------------------
Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well.
---------------------------------------------
https://isc.sans.edu/diary/rss/32532
∗∗∗ Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th) ∗∗∗
---------------------------------------------
The ISC internship didn't just teach me about security, it changed how I thought about threats entirely. There's something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That's where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!
---------------------------------------------
https://isc.sans.edu/diary/rss/32536
∗∗∗ Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts ∗∗∗
---------------------------------------------
The botnet has prominently targeted telecommunication providers, gaming companies, hosting providers, and financial services. Also tackled by Cloudflare was a 14.1 Bpps DDoS attack from the same botnet. AISURU is believed to be powered by a massive network comprising an estimated 1-4 million infected hosts worldwide.
---------------------------------------------
https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html
∗∗∗ Gartenfreude oder Betrugsfalle? Warnung vor betrügerischen Pflanzenshops ∗∗∗
---------------------------------------------
Der Beginn des Winters ist einer der besten Zeitpunkte, um Obstbäume zu pflanzen. Das wissen nicht nur Gartenfreund:innen, sondern leider auch Kriminelle. Immer mehr Fake-Shops locken mit vermeintlich attraktiven Angeboten und führen Konsument:innen in die Falle.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-betruegerischen-pflanzen…
∗∗∗ BRICKSTORM Backdoor ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based off analysis of eight BRICKSTORM samples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures to identify BRICKSTORM malware samples.
---------------------------------------------
https://www.cisa.gov/news-events/analysis-reports/ar25-338a
∗∗∗ ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading ∗∗∗
---------------------------------------------
Job seekers looking out for opportunities might instead find their personal devices compromised, as a ValleyRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
∗∗∗ Fake ChatGPT Atlas Browser Used in ClickFix Attack to Steal Passwords ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a critical ChatGPT Atlas browser attack, confirming the danger of the ongoing surge in the ClickFix threat.
---------------------------------------------
https://hackread.com/fake-chatgpt-atlas-clickfix-steal-passwords/
∗∗∗ Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue ∗∗∗
---------------------------------------------
Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day…
∗∗∗ New Stealthy Linux Malware Combines Mirai DDoS Botnet with Cryptominer ∗∗∗
---------------------------------------------
Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign.
---------------------------------------------
https://thecyberexpress.com/linux-malware-mirai-botnet-cryptominer/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (expat and libxml2), Debian (openvpn and webkit2gtk), Fedora (gi-loadouts, kf6-kcoreaddons, kf6-kguiaddons, kf6-kjobwidgets, kf6-knotifications, kf6-kstatusnotifieritem, kf6-kunitconversion, kf6-kwidgetsaddons, kf6-kxmlgui, nanovna-saver, persepolis, python-ezdxf, python-pyside6, sigil, stb, syncplay, tinyproxy, torbrowser-launcher, ubertooth, and usd), Mageia (cups), SUSE (cups, gegl, icinga2, mozjs128, and Security), and Ubuntu (ghostscript, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux-aws-fips, linux-fips, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gcp-4.15, linux-hwe, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-gcp-6.14, linux-raspi, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, linux-raspi, linux-raspi-realtime, linux-xilinx, and postgresql-14, postgresql-16, postgresql-17).
---------------------------------------------
https://lwn.net/Articles/1049251/
∗∗∗ Cross-Site Scripting in Nextcloud: Development files shipped in files_pdfviewer app ∗∗∗
---------------------------------------------
Nextcloud’s PDF viewer uses an outdated version of PDF.js vulnerable to CVE-2024-4367. Attackers with regular user access to a Nextcloud instance are able to prepare a special link. If this link is visited by other logged-in users a cross-site scripting is executed and attackers get access to that users’ files.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/
∗∗∗ Jetzt patchen! Kritische Schadcodelücke bedroht React ∗∗∗
---------------------------------------------
Softwareentwickler, die mit React arbeiten, sollten die JavaScript-Programmbibliothek aus Sicherheitsgründen umgehend auf den aktuellen Stand bringen. Geschieht das nicht, können Angreifer eine Schwachstelle ausnutzen und Systeme durch das Ausführen von Schadcode vollständig kompromittieren. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-11102366
∗∗∗ Chrome 143.0.7499.40 / 41 schließt Schwachstellen ∗∗∗
---------------------------------------------
Zum 2. Dezember 2025 hat Google den Chrome-Browser auf die Versionen 143.0.7499.40 / 41 aktualisiert, um gleich mehrere Schwachstellen zu schließen. Auch der Extended Stable Chromium-Entwicklungszweig hat ein Update erhalten. Ich ziehe mal einige Informationen zu diesen Themen nachfolgend kurz zusammen.
---------------------------------------------
https://www.borncity.com/blog/2025/12/04/chrome-143-0-7499-40-41-schliesst-…
∗∗∗ DSA-6069-1 openvpn - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00235.html
∗∗∗ K000158050: SQLite vulnerability CVE-2019-8457 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158050
∗∗∗ K000158042: Apache HTTP server vulnerabilities CVE-2024-47252 and CVE-2025-49812 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158042
∗∗∗ K000158059: Next.js vulnerability CVE-2025-66478 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158059
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-12-2025 18:00 − Mittwoch 03-12-2025 18:30
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack ∗∗∗
---------------------------------------------
In just three months, the massive Aisuru botnet launched more than 1,300 distributed denial-of-service attacks, one of them setting a new record with a peak at 29.7 terabits per second.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-rec…
∗∗∗ Deep dive into DragonForce ransomware and its Scattered Spider connection ∗∗∗
---------------------------------------------
DragonForce expanded its ransomware operation in 2025 by working with English-speaking hackers known for advanced social engineering and initial access. Acronis explains how the "Scattered Spider" collaboration enables coordinated, multistage intrusions across major environments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/deep-dive-into-dragonforce-r…
∗∗∗ Technical Analysis of Matanbuchus 3.0 ∗∗∗
---------------------------------------------
Matanbuchus is a malicious downloader, written in C++, which has been offered as a Malware-as-a-Service (MaaS) since 2020. Over this time, Matanbuchus has undergone several development stages. In July 2025, version 3.0 of Matanbuchus was identified in-the-wild. Matanbuchus offers threat actors the option to deploy additional payloads and perform hands-on keyboard activity via shell commands.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuc…
∗∗∗ Grundrechte: Gericht stoppt Massenüberwachung des Schweizer Geheimdienstes ∗∗∗
---------------------------------------------
Das Schweizer Bundesverwaltungsgericht erklärt die Fernmeldeaufklärung des Nachrichtendienstes des Bundes nach Klage von Bürgerrechtlern für verfassungswidrig.
---------------------------------------------
https://www.heise.de/news/Grundrechte-Gericht-stoppt-Massenueberwachung-des…
∗∗∗ Falsche Schlangen: Neues von MuddyWater ∗∗∗
---------------------------------------------
MuddyWater hat es auf kritische Infrastrukturen in Israel und Ägypten abgesehen und setzt dabei auf maßgeschneiderte Malware, verbesserte Taktiken und ein vorhersehbares Spielbuch.
---------------------------------------------
https://www.welivesecurity.com/de/eset-research/falsche-schlangen-neues-von…
∗∗∗ Aktuelle Welle: Phishing im Namen der Volksbank ∗∗∗
---------------------------------------------
Seit einigen Wochen versenden Kriminelle ihre Phishing-Versuche besonders häufig im Namen der Volksbank. Sie setzen dabei auf die altbekannten E-Mails bzw. SMS-Nachrichten. Wer dem Link zur „Datenaktualisierung“ oder „Konto-Entsperrung“ folgt, läuft Gefahr, Logindaten für Onlinebanking preiszugeben.
---------------------------------------------
https://www.watchlist-internet.at/news/starke-welle-phishing-volksbank/
∗∗∗ India backs off mandatory cyber safety app after surveillance backlash ∗∗∗
---------------------------------------------
Mobile phone makers will no longer be required to load the Indian governments Sanchar Saathi app onto new devices after the initial announcement prompted pushback from companies and privacy groups.
---------------------------------------------
https://therecord.media/india-drops-mandate-sanchar-saathi-app-privacy-surv…
∗∗∗ Small numbers of Notepad++ users reporting security woes ∗∗∗
---------------------------------------------
I’ve heard from 3 orgs now who’ve had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands on keyboard threat actors.
---------------------------------------------
https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-…
∗∗∗ Everest Ransomware Claims ASUS Breach and 1TB Data Theft ∗∗∗
---------------------------------------------
Everest ransomware group claims it breached ASUS, stealing over 1TB of data including camera source code. ASUS has been given 21 hours to respond via Qtox.
---------------------------------------------
https://hackread.com/everest-ransomware-asus-breach-1tb-data/
∗∗∗ Paying the Ransom: A Short-Term Fix or Long-Term Risks? ∗∗∗
---------------------------------------------
Ransomware attacks rose by nearly 25% in 2024. If compromised, should you pay ransomware demands or not? We review the risks, reasons to pay or not, and more.
---------------------------------------------
https://www.bitsight.com/blog/paying-ransom-for-ransomware
∗∗∗ Industrielle Kontrollsysteme: Iskra iHUB bleibt vorerst ohne Sicherheitspatch ∗∗∗
---------------------------------------------
Für einige industrielle Steuerungs- und Automatisierungssysteme von etwa Mitsubishi sind Sicherheitsupdates erschienen. Eine kritische Lücke bleibt aber offen.
---------------------------------------------
https://heise.de/-11101017
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability & Patch Roundup — November 2025 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2025/11/vulnerability-patch-roundup-november-2025.h…
∗∗∗ 100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Advanced Custom Fields: Extended WordPress Plugin ∗∗∗
---------------------------------------------
On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely.
---------------------------------------------
https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-r…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound).
---------------------------------------------
https://lwn.net/Articles/1049103/
∗∗∗ Microsoft schließt stillschweigend LNK-Schwachstelle CVE-2025-9491 ∗∗∗
---------------------------------------------
Seit Ende August 2025 ist eine LNK-File-Schwachstelle (CVE-2025-9491) bekannt. Diese lässt sich unter Windows für eine Remote Code-Ausführung missbrauchen. Microsoft wollte erst keinen Patch bereitstellen, hat dann aber doch was per Update getan.
---------------------------------------------
https://www.borncity.com/blog/2025/12/03/microsoft-schliesst-stillschweigen…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released five Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-336-01 Industrial Video & Control LongwatchICSA-25-336-02 Iskra iHUB and iHUB Lite. ICSMA-25-336-01 Mirion Medical EC2 Software NMIS BioDose. ICSA-25-201-01 Mitsubishi Electric CNC Series (Update A) and ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-releases-five-indus…
∗∗∗ ZDI-25-1039: (Pwn2Own) Synology BeeStation Plus auth_info Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1039/
∗∗∗ Splunk SVD-2025-1209: Third-Party Package Updates in Splunk Enterprise - December 2025 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-1209
∗∗∗ Splunk SVD-2025-1206: Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-1206
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 01-12-2025 18:00 − Dienstag 02-12-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Glassworm malware returns in third wave of malicious VS Code packages ∗∗∗
---------------------------------------------
The Glassworm campaign, which first emerged on the OpenVSX and Microsoft Visual Studio marketplaces in October, is now in its third wave, with 24 new packages added on the two platforms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-in…
∗∗∗ [Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads, (Tue, Dec 2nd) ∗∗∗
---------------------------------------------
In July 2025, many of us were introduced to the Microsoft SharePoint exploit chain known as ToolShell. ToolShell exploits the deserialization and authentication bypass vulnerabilities, CVE-2025-53770 [2] and CVE-2025-53771 [3], in on-premises SharePoint Server 2016, 2019, and Subscription editions.
---------------------------------------------
https://isc.sans.edu/diary/rss/32524
∗∗∗ Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks ∗∗∗
---------------------------------------------
Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper.
---------------------------------------------
https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html
∗∗∗ Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware ∗∗∗
---------------------------------------------
And some are still active in the Microsoft Edge store A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending peoples data to servers in China.
---------------------------------------------
https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extens…
∗∗∗ Dont say "Jehova" to an LLM ∗∗∗
---------------------------------------------
The Rabbi in the old skit from Monty Python's "Life of Brian" fell for it, and for a long time, philosophers argued whether quoting someone is fundamentally different to just saying the sentence. I remember a story where one actor smuggled a wedding promise in a co-actor's copy of his lines: After the vow was made on the set and the sentence couldn't be found in the official script: is the actor now bound in real life by his promise?
---------------------------------------------
https://www.cert.at/en/blog/2025/12/dont-say-jehova-to-an-llm
∗∗∗ Proxyearth Tool Lets Anyone Trace Users in India with Just a Mobile Number ∗∗∗
---------------------------------------------
Proxyearth is a new site that shows names, Aadhaar numbers, and live locations of users in India using only mobile numbers, raising serious privacy and security concerns.
---------------------------------------------
https://hackread.com/proxyearth-trace-users-india-mobile-number/
∗∗∗ Android TV: YouTube-Client SmartTube war mit Malware verseucht ∗∗∗
---------------------------------------------
Unbekannte konnten SmartTube mit Malware verseuchen und die Version kurzzeitig in Umlauf bringen. Nun gibt der Entwickler Einblicke zum Vorfall.
---------------------------------------------
https://heise.de/-11099310
∗∗∗ Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact ∗∗∗
---------------------------------------------
A deeper look at the Shai-Hulud 2.0 supply chain attack: reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.
---------------------------------------------
https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack
∗∗∗ 68% Of Phishing Websites Are Protected by CloudFlare ∗∗∗
---------------------------------------------
Earlier this year, our CTI team set out to build something wed been thinking about for a while: a phishing intelligence pipeline that could actually keep up with the threat. We combined feeds from hundreds of independent sources with our own real-time hunt for suspicious SSL/TLS certificates.
---------------------------------------------
https://blog.sicuranext.com/68-of-phishing-websites-are-protected-by-cloudf…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (gnutls, libpng, mingw-python3, python-spotipy, source-to-image, unbound, and webkitgtk), Mageia (libpng), SUSE (bash-git-prompt, gitea-tea, java-17-openjdk, java-21-openjdk, kernel, openssh, python, and shadowsocks-v2ray-plugin, v2ray-core), and Ubuntu (binutils, openjdk-17-crac, openjdk-21-crac, and openjdk-25-crac).
---------------------------------------------
https://lwn.net/Articles/1048973/
∗∗∗ Patchday: Attacken auf Geräte mit Android 13, 14, 15 und 16 beobachtet ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für verschiedene Androidversionen erschienen. Es gibt bereits Attacken.
---------------------------------------------
https://heise.de/-11099576
∗∗∗ Qualcomm Issues Critical Security Alert Over Secure Boot Vulnerability ∗∗∗
---------------------------------------------
Qualcomm warned partners and device manufacturers about multiple newly discovered vulnerabilities that span its chipset ecosystem. The Qualcomm released a detailed security bulletin on December 1, 2025, outlining six high-priority weaknesses in its proprietary software, including one flaw that directly compromises the secure boot process, one of the most sensitive stages in a device’s startup chain.
---------------------------------------------
https://thecyberexpress.com/qualcomm-2025-security-alert/
∗∗∗ Critical SQL Injection Flaw Exposes Sensitive Data in Devolutions Server ∗∗∗
---------------------------------------------
A batch of new vulnerabilities in Devolutions Server targets organizations that depend on the platform to manage privileged accounts, passwords, and sensitive authentication data. Devolutions has released a security advisory, identified as DEVO-2025-0018, warning customers of multiple vulnerabilities, including a critical flaw that could enable attackers to extract confidential data directly from the system’s database.
---------------------------------------------
https://thecyberexpress.com/devolutions-server-sql-injection-flaw/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 28-11-2025 18:00 − Montag 01-12-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Arkanix Stealer: Newly discovered short term profit malware ∗∗∗
---------------------------------------------
Recently, we stumbled upon a new stealer named Arkanix. This stealer possibly belongs to the short-lived category of stealers which aim for short-term quick financial gains.
---------------------------------------------
https://feeds.feedblitz.com/~/930747470/0/gdatasecurityblog-en~Arkanix-Stea…
∗∗∗ Bis zu 16 Jahre alt: Zehntausende gültige Zugangsdaten bei Gitlab geleakt ∗∗∗
---------------------------------------------
Ein Forscher hat alle öffentlichen Gitlab-Repos auf Zugangsdaten gescannt. Er fand mehr als 17.000, erhielt aber nur eine recht dürftige Belohnung.
---------------------------------------------
https://www.golem.de/news/bis-zu-16-jahre-alt-zehntausende-gueltige-zugangs…
∗∗∗ North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware ∗∗∗
---------------------------------------------
The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month.
---------------------------------------------
https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
∗∗∗ New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control ∗∗∗
---------------------------------------------
A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a "full spectrum" of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.
---------------------------------------------
https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html
∗∗∗ Google and Apple ordered to stop fake government TXTs ∗∗∗
---------------------------------------------
Singapore’s government last week told Google and Apple to prevent fake government messages.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/01/asia_tech_ne…
∗∗∗ The WIRED Guide to Digital Opsec for Teens ∗∗∗
---------------------------------------------
Practicing good “operations security” is essential to staying safe online. Here’s a complete guide for teenagers (and anyone else) who wants to button up their digital lives.
---------------------------------------------
https://www.wired.com/story/digital-opsec-for-teens/
∗∗∗ how i found a europa.eu compromise (thanks to cricket) ∗∗∗
---------------------------------------------
While looking for a way to stream the India vs Pakistan cricket match on 14th September 2025, I stumbled across a suspicious search result on a europa.eu dev subdomain. It was being abused for blackhat SEO and redirecting users to scam streaming sites. I traced similar behavior across other high-profile domains, reported the issue to CERT-EU via email (after some Twitter help) and the problem was later confirmed as fixed on 6th November 2025. This post walks through how I found it, how I reported it and what we can learn from it.
---------------------------------------------
https://blog.himanshuanand.com/2025/11/how-i-found-a-europa.eu-compromise-t…
∗∗∗ Südkorea: Bei Onlinehändler Daten zu zwei Dritteln der Bevölkerung abgegriffen ∗∗∗
---------------------------------------------
Ein inzwischen nicht mehr bei Coupang arbeitender Angestellter soll bei Südkoreas größtem Onlinehändler Daten zur gesamten Kundschaft abgegriffen haben.
---------------------------------------------
https://www.heise.de/news/Suedkorea-Bei-Onlinehaendler-Daten-zu-zwei-Dritte…
∗∗∗ Webinar: Smartphone, Tablet & Co sicher nutzen ∗∗∗
---------------------------------------------
Wie kann ich meine persönlichen Daten am Smartphone, Tablet & Co. schützen? Wie erkenne ich Viren und Trojaner auf meinem Gerät - und was ist dann zu tun? In diesem Webinar zeigen wir Ihnen die wichtigsten Sicherheitseinstellungen – von Berechtigungen über Datenschutz bis hin zu Nutzungszeiten.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-…
∗∗∗ Fußballtrikots zum Schnäppchenpreis? Bei diesen Fake-Shops gibt es nur Eigentore ∗∗∗
---------------------------------------------
Fußballspieler:innen aufgepasst! Gerade wimmelt es von Fake-Shops mit günstigen Trikots.
---------------------------------------------
https://www.watchlist-internet.at/news/fussballtrikots-zum-schnaeppchenprei…
∗∗∗ Awareness für Web-Security: Die OWASP Top Ten 2025 ∗∗∗
---------------------------------------------
Der erste Release Candidate der neuen OWASP Top Ten enthüllt die größten Sicherheitsrisiken in der Webentwicklung – von Konfiguration bis Software Supply Chain.
---------------------------------------------
https://heise.de/-11098119
∗∗∗ India Enforces Mandatory SIM-Binding for Messaging Apps Under New DoT Rules ∗∗∗
---------------------------------------------
India’s Department of Telecommunications (DoT) has introduced a shift in the way messaging platforms operate in the country, mandating the adoption of SIM-binding as a core security requirement. Under the Telecommunication Cybersecurity Amendment Rules, 2025, all major messaging services, including Telegram, and regional platforms such as Arattai, must ensure that their applications remain continuously linked to an active SIM card on the user’s device.
---------------------------------------------
https://thecyberexpress.com/sim-binding-dot-rule/
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#633103: Insufficient Session Cookie Invalidation in nopCommerce ASP.NET Core eCommerce Platform ∗∗∗
---------------------------------------------
nopCommerce, an ecommerce platform, fails to invalidate session cookies upon user logout or session termination, enabling attackers to use the captured cookie to gain access to the application. Version 4.70 and after, with the exception of 4.80.3, fixes the vulnerability put forth by CVE-2025-11699. Users on version 4.80.3, or any version of nopCommerce prior to version 4.70, should update to the latest version, 4.90.3, as soon as possible.
---------------------------------------------
https://kb.cert.org/vuls/id/633103
∗∗∗ CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation.
---------------------------------------------
https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bind9.18, cups, gimp, ipa, kernel, libssh, mingw-expat, openssl, pcs, sssd, tigervnc, and valkey), Debian (gnome-shell-extension-gsconnect, mistral-dashboard, pagure, python-mistralclient, pytorch, qtbase-opensource-src, sogo, tryton-server, and unbound), Fedora (cef, drupal7, glib2, linux-firmware, migrate, pack, pgadmin4, rnp, and unbound), Slackware (libxslt), SUSE (cpp-httplib, curl, glib2, grub2, kernel, libcoap-devel, libcryptopp, libwireshark19, postgresql15, and postgresql17), and Ubuntu (edk2).
---------------------------------------------
https://lwn.net/Articles/1048817/
∗∗∗ Sicherheitsupdate: Präparierte XML-Dateien können GeoServer lahmlegen ∗∗∗
---------------------------------------------
Nutzen Angreifer erfolgreich Schwachstellen in GeoServer aus, können sie unter anderem Schadcode ausführen. In aktuellen Versionen haben die Entwickler nun die Sicherheitsprobleme gelöst.
---------------------------------------------
https://heise.de/-11097923
∗∗∗ Microsoft Entra ID blockt externe Fremd-Scripte ∗∗∗
---------------------------------------------
Kleiner Nachtrag von letzter Woche, der Administratoren in Unternehmensumgebungen tangieren kann. Microsoft will die Sicherheit der Microsoft Entra ID-Authentifizierung verbessern. Dazu sollen indem externe Skriptinjektionen blockiert werden, wie ein Entwickler in einem Blog-Beitrag im Microsoft Entra-Blog erklärt hat.
---------------------------------------------
https://www.borncity.com/blog/2025/12/01/microsoft-entra-id-blockt-externe-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/