=====================
= End-of-Day report =
=====================
Timeframe: Freitag 28-03-2025 18:00 − Montag 31-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ New Crocodilus malware steals Android users’ crypto wallet keys ∗∗∗
---------------------------------------------
A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steal…
∗∗∗ Smoked out - Emmenhtal spreads SmokeLoader malware ∗∗∗
---------------------------------------------
We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal [..] also referred to by Google as Peaklight.
---------------------------------------------
https://feeds.feedblitz.com/~/915916022/0/gdatasecurityblog-en~Smoked-out-E…
∗∗∗ Hidden Malware Strikes Again: Mu-Plugins Under Attack ∗∗∗
---------------------------------------------
Recently, we’ve uncovered multiple cases where threat actors are leveraging the mu-plugins directory to hide malicious code. This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks.
---------------------------------------------
https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-und…
∗∗∗ BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability ∗∗∗
---------------------------------------------
In whats an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
---------------------------------------------
https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html
∗∗∗ BSI-Studie: Zahlreiche Schwachstellen in Krankenhausinformationssystemen ∗∗∗
---------------------------------------------
IT-Sicherheitsforscher haben im BSI-Auftrag IT-Systemen für Kliniken auf den Zahn gefühlt und Lücken gefunden, etwa bei Verschlüsselung und Zertifikaten.
---------------------------------------------
https://www.heise.de/news/BSI-Studie-Zahlreiche-Schwachstellen-in-Krankenha…
∗∗∗ Backdoor in the Backplane. Doing IPMI security better ∗∗∗
---------------------------------------------
IPMI remains a powerful but dangerously overlooked protocols in many enterprise environments. Whilst its ability to manage out of band systems is invaluable, there are significant security trade-offs – especially when outdated firmware, default credentials, and exposed interfaces are in play. As demonstrated, IPMI can lead, or aid, in a malicious actor compromising the full domain with little more than network access.
---------------------------------------------
https://www.pentestpartners.com/security-blog/backdoor-in-the-backplane-doi…
∗∗∗ Preparing for the EU Radio Equipment Directive security requirements ∗∗∗
---------------------------------------------
UK & EU IoT manufacturers have more security regulation coming. [..] From 1st August 2025, mandatory cybersecurity requirements come into effect under the EU’s Radio Equipment Directive (2014/53/EU), or RED.
---------------------------------------------
https://www.pentestpartners.com/security-blog/preparing-for-the-eu-radio-eq…
∗∗∗ Oracle Health gehackt, US-Patientendaten abgeflossen ∗∗∗
---------------------------------------------
Cyberkriminelle sind laut Berichten nach dem 22. Januar 2025 in die Server des US-Tech-Unternehmens Cerner Oracle Health eingedrungen. Es besteht der Verdacht, dass Patientendaten von US-Bürgern abgezogen wurden. Das FBI untersucht den Vorfall, der Fragen nach der Sicherheit bei Oracle aufkommen lässt. Denn es ist der zweite Sicherheitsvorfall binnen weniger Tage, der bekannt wird.
---------------------------------------------
https://www.borncity.com/blog/2025/03/30/oracle-health-gehackt-us-patienten…
∗∗∗ SVG Phishing Malware Being Distributed with Analysis Obstruction Feature ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) recently identified a phishing malware being distributed in Scalable Vector Graphics (SVG) format.
---------------------------------------------
https://asec.ahnlab.com/en/87078/
∗∗∗ Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service ∗∗∗
---------------------------------------------
Being a provider of cloud SaaS (Software-as-a-service) solutions requires certain cybersecurity responsibilities — including being transparent and open. The moment where this is tested at Oracle has arrived, as they have a serious cybersecurity incident playing out in a service they manage for customers.
---------------------------------------------
https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incid…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amd64-microcode, flatpak, intel-microcode, libdata-entropy-perl, librabbitmq, and vim), Fedora (augeas, containerd, crosswords-puzzle-sets-xword-dl, libssh2, libxml2, nodejs-nodemon, and webkitgtk), Red Hat (libreoffice and python-jinja2), SUSE (389-ds, apparmor, corosync, docker, docker-stable, erlang26, exim, ffmpeg-4, govulncheck-vulndb, istioctl, matrix-synapse, mercurial, openvpn, python3, rke2, and skopeo), and Ubuntu (ansible, linux, linux-hwe-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-azure-fips, linux-gcp-fips, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-realtime, linux-intel-iot-realtime, linux-xilinx-zynqmp, opensc, and ruby-doorkeeper).
---------------------------------------------
https://lwn.net/Articles/1015968/
∗∗∗ IBM InfoSphere Information Server: Unbefugte Zugriffe möglich ∗∗∗
---------------------------------------------
Die Datenintegrationsplattform IBM InfoSphere Information Server ist verwundbar. Die Entwickler haben mehrere Sicherheitslücken geschlossen.
---------------------------------------------
https://www.heise.de/news/IBM-InfoSphere-Information-Server-Unbefugte-Zugri…
∗∗∗ ZendTo NDay Vulnerability Hunting - Unauthenticated RCE in v5.24-3 <= v6.10-4 ∗∗∗
---------------------------------------------
Discovering NDay flaws in ZendTo filesharing software highlighted an interesting fact: without the issuance of CVEs, vulnerabilities can easily go unpatched.
---------------------------------------------
https://projectblack.io/blog/zendto-nday-vulnerabilities/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 27-03-2025 18:00 − Freitag 28-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Phishing-as-a-service operation uses DNS-over-HTTPS for evasion ∗∗∗
---------------------------------------------
A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
--------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operat…
∗∗∗ Notfallupdate: Kritische Sandbox-Lücke in Firefox und Tor-Browser entdeckt ∗∗∗
---------------------------------------------
Nicht nur Chrome-Nutzer sollten dieser Tage ihren Browser updaten. Eine aktiv ausgenutzte Sicherheitslücke betrifft auch die Windows-Version von Firefox.
---------------------------------------------
https://www.golem.de/news/notfallupdate-kritische-sandbox-luecke-in-firefox…
∗∗∗ Stealing user credentials with evilginx ∗∗∗
---------------------------------------------
A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there's hope.
---------------------------------------------
https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evi…
∗∗∗ Quick Guide to Magento Security Patches ∗∗∗
---------------------------------------------
Magento remains a popular ecommerce platform in 2025 and its security patches play a vital role in addressing vulnerabilities that could otherwise be exploited by attackers. These patches help prevent issues like data breaches, website defacement, or unauthorized access, ensuring the safety of customer data and store operations. Given the platform’s ..
---------------------------------------------
https://blog.sucuri.net/2025/03/quick-guide-to-magento-security-patches.html
∗∗∗ China’s FamousSparrow flies back into action, breaches US org after years off the radar ∗∗∗
---------------------------------------------
Crew also cooked up two fresh SparrowDoor backdoor variants, says ESET The China-aligned FamousSparrow crew has resurfaced after a long period of presumed inactivity, compromising a US financial-sector trade group and a Mexican research institute. The gang also likely targeted a governmental institution in Honduras, along with other yet-to-be-identified victims.
---------------------------------------------
https://www.theregister.com/2025/03/27/china_famoussparrow_back/
∗∗∗ Storage-Appliances: Dell schließt unzählige Sicherheitslücken in Unity-Serien ∗∗∗
---------------------------------------------
Die Dell-Entwickler haben unter anderem eine 19 Jahre alte Schwachstelle in diversen Unity-Modellen geschlossen.
---------------------------------------------
https://www.heise.de/news/Storage-Appliances-Dell-schliesst-unzaehlige-Sich…
∗∗∗ New security requirements adopted by HTTPS certificate industry ∗∗∗
---------------------------------------------
The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying ..
---------------------------------------------
http://security.googleblog.com/2025/03/new-security-requirements-adopted-by…
∗∗∗ Money Laundering 101, and why Joe is worried ∗∗∗
---------------------------------------------
In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime.
---------------------------------------------
https://blog.talosintelligence.com/money-laundering-101-and-why-joe-is-worr…
∗∗∗ Gamaredon campaign abuses LNK files to distribute Remcos backdoor ∗∗∗
---------------------------------------------
Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.
---------------------------------------------
https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/
∗∗∗ Obfuscation 101: Unmasking the Tricks Behind Malicious Code ∗∗∗
---------------------------------------------
“The malicious package was right in front of our eyes, but we didnt see it until it was too late.”Attackers frequently rely on obfuscation—the technique of deliberately making source code confusing and unreadable—to sneak malicious payloads past security defenses and code reviewers alike. Understanding these obfuscation techniques across ..
---------------------------------------------
https://socket.dev/blog/obfuscation-101-the-tricks-behind-malicious-code
∗∗∗ NVD Concedes Inability to Keep Pace with Surging CVE Disclosures in 2025 ∗∗∗
---------------------------------------------
The National Vulnerability Database (NVD) issued a new status update on March 19, attempting to clarify the current state of its vulnerability processing pipeline. The agency says it has resumed processing new CVEs at the same rate it maintained before last year’s slowdown, but with vulnerability volumes surging, that’s no longer enough.We are currently ..
---------------------------------------------
https://socket.dev/blog/nvd-backlog-crisis-deepens-amid-surging-cve-disclos…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mercurial and opensaml), Fedora (augeas, mingw-libxslt, and nodejs-nodemon), Mageia (chromium-browser-stable), Red Hat (grafana, kernel, kernel-rt, opentelemetry-collector, and podman), SUSE (apache-commons-vfs2, python3, and python36), and Ubuntu (ghostscript, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, ..
---------------------------------------------
https://lwn.net/Articles/1015718/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 26-03-2025 18:00 − Donnerstag 27-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Dozens of solar inverter flaws could be exploited to attack power grids ∗∗∗
---------------------------------------------
Dozens of vulnerabilities in products from three leading makers of solar inverters, Sungrow, Growatt, and SMA, could be exploited to control devices or execute code remotely on the vendors cloud platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-fla…
∗∗∗ Cybercrime-Tool Atlantis AIO soll automatisierte Passwort-Attacken optimieren ∗∗∗
---------------------------------------------
Dahinter stecken organisierte Profi-Verbrecher, die ihre Werkzeuge im Darknet mit Werbeanzeigen und Support anpreisen. So auch im Fall des jüngst von Sicherheitsforschern entdeckten Tools Atlantis AIO.
---------------------------------------------
https://www.heise.de/news/Cybercrime-Tool-Atlantis-AIO-soll-automatisierte-…
∗∗∗ Abonnement gekündigt? Achtung: Phishing-Versuch mit Disney+! ∗∗∗
---------------------------------------------
Mit einer angeblich von Disney+ stammenden E-Mail versuchen Kriminelle ihre Opfer auf eine Fake-Loginseite zu locken. Dort fragen sie die Anmeldeinformationen des Abos und Kreditkartendaten ab. Woran Sie den Phishing-Versuch ganz einfach erkennen können, zeigen wir Ihnen hier.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-versuch-disney/
=====================
= Vulnerabilities =
=====================
∗∗∗ Backuplösung SnapCenter: Angreifer können als Admin Systeme übernehmen ∗∗∗
---------------------------------------------
Die Backupsoftware SnapCenter ist verwundbar und Angreifer können sich durch das erfolgreiche Ausnutzen einer „kritischen“ Sicherheitslücke Admin-Rechte verschaffen. In einem Beitrag zur Schwachstelle (CVE-2025-26512) führen die Entwickler aus, die Versionen 6.0.1P1 und 6.1P1 repariert zu haben. Alle vorigen Ausgaben sind attackierbar.
---------------------------------------------
https://www.heise.de/news/Backuploesung-SnapCenter-Angreifer-koennen-als-Ad…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode).
---------------------------------------------
https://lwn.net/Articles/1015589/
∗∗∗ Security Vulnerability fixed in Firefox 136.0.4, Firefox ESR 128.8.1, Firefox ESR 115.21.1 ∗∗∗
---------------------------------------------
Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape. The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/
∗∗∗ Splunk: Teils hochriskante Sicherheitslecks in mehreren Produkten ∗∗∗
---------------------------------------------
Splunk hat eine Reihe an Sicherheitslücken in mehreren Produkten gemeldet. Aktualisierte Software-Pakete stehen zum Herunterladen bereit, mit denen Admins diese Sicherheitslecks stopfen können.
---------------------------------------------
https://heise.de/-10330630
∗∗∗ DSA-5888-1 ghostscript - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00050.html
∗∗∗ ABB: Cyber Security Advisory - ABB Low Voltage DC Drives and Power Controllers CODESYS RTS Vulnerabilities ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9494&Lan…
∗∗∗ ABB: Cyber Security Advisory - ABB ACS880 +N8010 Drives CODESYS RTS Vulnerabilities ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9491&Lan…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 17, 2025 to March 23, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/03/wordfence-intelligence-weekly-wordpr…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 25-03-2025 18:00 − Mittwoch 26-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New npm attack poisons local packages with backdoors ∗∗∗
---------------------------------------------
Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This way, even if the victim removes the malicious packages, the backdoor remains on their system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local…
∗∗∗ NCSC taps influencers to make 2FA go viral ∗∗∗
---------------------------------------------
The world's biggest brands have benefited from influencer marketing for years – now the UK's National Cyber Security Centre (NCSC) has hopped on the bandwagon to preach two-factor authentication (2FA) to the masses.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/03/26/ncsc_influen…
∗∗∗ CoffeeLoader: A Brew of Stealthy Techniques ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a new sophisticated malware family that we named CoffeeLoader, which originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-…
∗∗∗ Have I Been Pwned: Projektbetreiber Troy Hunt gepwned ∗∗∗
---------------------------------------------
Troy Hunt, Betreiber des Dienstes Have-I-Been-Pwned (HIBP), wurde Opfer einer Phishing-Attacke und damit selbst "Pwned". Es sind 16.627 E-Mail-Adressen der Mailingliste für den Newsletter zu Troys persönlichen Blog dadurch in unbefugte Hände abgeflossen. In einem Blog-Beitrag erklärt Hunt, wie es zu dem Vorfall kommen konnte.
---------------------------------------------
https://heise.de/-10328970
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücken in Kubernetes Ingress NGINX Controller - Updates verfügbar ∗∗∗
---------------------------------------------
Im Kubernetes Ingress NGINX Controller, einer Kernkomponente von Kubernetes, wurden mehrere kritische Sicherheitslücken entdeckt. Diese ermöglichen unter anderem unauthentifizierte Remote Code Execution (RCE) und unberechtigten Zugriff auf Secrets.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/3/kubernetes-ingress-nginx-controller…
∗∗∗ Dringend patchen: Gefährliche Zero-Day-Lücke in Chrome für Spionage ausgenutzt ∗∗∗
---------------------------------------------
Nachdem Google in seinem Webbrowser Chrome erst in der vergangenen Woche eine kritische Sicherheitslücke geschlossen hatte, legt der Konzern jetzt nochmal nach. Mit einem am Dienstag veröffentlichten Update beseitigt Google eine Schwachstelle, die bereits im Rahmen gezielter Spionageangriffe aktiv ausgenutzt wird. [..] Die Ausnutzung der als CVE-2025-2783 registrierten Chrome-Lücke wurde Mitte März von Sicherheitsforschern von Kaspersky entdeckt. [..] Den Angaben zufolge lässt sich die Sicherheitslücke durch speziell präparierte Webseiten ausnutzen, die die jeweilige Zielperson lediglich aufrufen muss. [..] Einen Bericht mit weiteren technischen Details wollen die Sicherheitsforscher zu einem späteren Zeitpunkt veröffentlichen.
---------------------------------------------
https://www.golem.de/news/dringend-patchen-gefaehrliche-zero-day-luecke-in-…
∗∗∗ VMware Tools ermöglichen Rechteausweitung in VMs ∗∗∗
---------------------------------------------
In der Sicherheitsmitteilung von Broadcom erörtern die Autoren, dass aufgrund unzureichender Zugriffskontrollen die Umgehung der Authentifizierung möglich ist (CVE-2025-22230, CVSS 7.8, Risiko "hoch"). Bösartige Akteure mit nicht-administrativen Rechten in einem Windows-Gastsystem können dadurch Operationen, die höhere Zugriffsrechte benötigen, ausführen.
---------------------------------------------
https://www.heise.de/-10328819
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nginx and ruby-rack), Fedora (expat and libxslt), Mageia (bluez, dcmtk, ffmpeg, and radare2), Red Hat (container-tools:rhel8, gvisor-tap-vsock, kernel, kernel-rt, libreoffice, and podman), SUSE (buildah, forgejo, gitleaks, google-guest-agent, google-osconfig-agent, govulncheck-vulndb, grafana, helm, libxslt, php8, python-gunicorn, and python-Jinja2), and Ubuntu (freerdp2 and varnish).
---------------------------------------------
https://lwn.net/Articles/1015464/
∗∗∗ MISP v2.4.206 and v2.5.8 Released - new workflow modules, improved graph object relationship management and many other improvements ∗∗∗
---------------------------------------------
[security] Fixed stored XSS in event reports (mermaid rendering function).
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.8
∗∗∗ ZDI-25-181: (0Day) Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Minimal user interaction is required to exploit this vulnerability. CVE-2025-2767
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-181/
∗∗∗ Huawei: Security Advisory - Authentication Bypass Vulnerability in Huawei PC Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-20250325-…
∗∗∗ ZDI-25-180: (0Day) 70mai A510 Use of Default Password Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-180/
∗∗∗ ZDI-25-178: (0Day) CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-178/
∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER mini ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 24-03-2025 18:00 − Dienstag 25-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Browser-in-the-Browser attacks target CS2 players Steam accounts ∗∗∗
---------------------------------------------
A new phishing campaign targets Counter-Strike 2 players utilizing Browser-in-the-Browser (BitB) attacks that display a realistic window that mimics Steams login page.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attac…
∗∗∗ Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH ∗∗∗
---------------------------------------------
OPKSSH (OpenPubkey SSH) is now open-sourced as part of the OpenPubkey project.
---------------------------------------------
https://blog.cloudflare.com/open-sourcing-openpubkey-ssh-opkssh-integrating…
∗∗∗ Zero Day: Russische Firma zahlt für Telegram-Lücken Millionen ∗∗∗
---------------------------------------------
Die stetig wachsende Nutzerbasis macht die Plattform auch für Cyberangriffe immer interessanter. Aus diesem Grund bietet der russische Schwachstellenhändler Operation Zero mittlerweile bis zu vier Millionen US-Dollar für ungepatchte Sicherheitslücken in Telegram.
---------------------------------------------
https://www.golem.de/news/zero-day-russische-firma-zahlt-millionen-fuer-tel…
∗∗∗ Achtung: Phishing-Mails im Namen des Wiener Tourismusverbands! ∗∗∗
---------------------------------------------
Aktuell kursieren E-Mails im Namen der Buchhaltung, die dazu auffordern, Rechnungen aufgrund technischer Probleme direkt per E-Mail zu senden. Vorsicht: Diese E-Mails stammen nicht von Mitarbeitenden des Wiener Tourismusverband sondern von Kriminellen!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-phishing-mails-im-namen-des-…
∗∗∗ Oracle angeblich gehackt: Nutzerdaten im Darknet zum Verkauf ∗∗∗
---------------------------------------------
Sicherheitsforscher von CloudSEK berichten, dass im Darknet sensible Daten von rund 140.000 Oracle-Kunden zum Verkauf stehen. Diese Informationen sollen aus einer Cyberattacke stammen. Dem Hard- und Softwarehersteller zufolge hat es keinen IT-Sicherheitsvorfall gegeben.
---------------------------------------------
https://heise.de/-10327980
∗∗∗ US-Behörde stoppt Gelder für Lets Encrypt und Tor ‒ Open Tech Fund wehrt sich ∗∗∗
---------------------------------------------
Nach einem Dekret von US-Präsident Trump erhält der Open Technology Fund keine Fördermittel mehr. Deswegen zieht die Organisation jetzt vor Gericht.
---------------------------------------------
https://heise.de/-10328226
∗∗∗ Fake Hiring Challenge for Developers Steals Sensitive Data ∗∗∗
---------------------------------------------
Cyble threat intelligence researchers have uncovered a GitHub repository masquerading as a hiring coding challenge that tricks developers into downloading a backdoor to steal sensitive data. [..] There is evidence that the campaign may be expanding beyond a fake hiring challenge for developers, as Cyble Research and Intelligence Labs (CRIL) researchers also found invoice-themed lures.
---------------------------------------------
https://thecyberexpress.com/fake-hiring-challenge-targets-developers/
=====================
= Vulnerabilities =
=====================
∗∗∗ Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP ∗∗∗
---------------------------------------------
On Friday, March 21, 2025, file transfer software maker CrushFTP disclosed a new vulnerability to customers via email. While the email [...] indicates only CrushFTP v11 is affected by the still-CVE-less (as of March 25) unauthenticated port access vulnerability, the extremely sparse vendor advisory indicates that both CrushFTP v10 and v11 are affected. According to the vendor, the issue is not exploitable if customers have the DMZ function of CrushFTP in place.
---------------------------------------------
https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-…
∗∗∗ RCE Vulnerabilities in k8s Ingress NGINX (9.8 CVE for ingress-nginx) ∗∗∗
---------------------------------------------
Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover.
---------------------------------------------
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
∗∗∗ Kubernetes: CVE-2025-1974 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131009
∗∗∗ Kubernetes: CVE-2025-1098 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131008
∗∗∗ Kubernetes: CVE-2025-1097 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131007
∗∗∗ Kubernetes: CVE-2025-24514 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131006
∗∗∗ Kubernetes: CVE-2025-24513 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131005
∗∗∗ Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it ∗∗∗
---------------------------------------------
https://blog.0patch.com/2025/03/scf-file-ntlm-hash-disclosure.html
∗∗∗ Rockwell Automation 440G TLS-Z ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-03
∗∗∗ Rockwell Automation Verve Asset Manager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-02
∗∗∗ ABB RMC-100 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-01
∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER Mini ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 21-03-2025 18:00 − Montag 24-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ FBI warnings are true—fake file converters do push malware ∗∗∗
---------------------------------------------
The FBI is warning that fake online document converters are being used to steal peoples information and, in worst-case scenarios, lead to ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-f…
∗∗∗ Cloudflare now blocks all unencrypted traffic to its API endpoints ∗∗∗
---------------------------------------------
Cloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-un…
∗∗∗ Trusted Signing: Hacker signieren Windows-Malware über Microsoft-Plattform ∗∗∗
---------------------------------------------
Forscher haben Malware entdeckt, die über Microsofts neue Trusted-Signing-Plattform signiert wurde. Windows-Systeme lassen sich damit leichter infizieren.
---------------------------------------------
https://www.golem.de/news/trusted-signing-microsoft-dienst-zum-signieren-vo…
∗∗∗ Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories CI/CD Secrets Exposed ∗∗∗
---------------------------------------------
The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbases open-source projects, before evolving into something more widespread in scope."The payload was focused on ..
---------------------------------------------
https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html
∗∗∗ Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks ∗∗∗
---------------------------------------------
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 ..
---------------------------------------------
https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
∗∗∗ Oracle Cloud says its not true someone broke into its login servers and stole data ∗∗∗
---------------------------------------------
Despite evidence to the contrary as alleged pilfered info goes on sale Oracle has straight up denied claims by a miscreant that its public cloud offering has been compromised and information stolen.
---------------------------------------------
https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credenti…
∗∗∗ Verfassungsschutz: Deutsche NGOs Ziel von russischen Cyberangriffen ∗∗∗
---------------------------------------------
Das Bundesamt für Verfassungsschutz hat einige zivilgesellschaftliche Organisationen alarmiert, dass sie verstärkt im Fokus russischer Cyberattacken stünden.
---------------------------------------------
https://www.heise.de/news/Verfassungsschutz-warnt-NGOs-vor-zunehmenden-russ…
∗∗∗ Google Maps: Falsche Schlüsseldienste und Co. spähen Nutzer aus ∗∗∗
---------------------------------------------
Der Navigationsdienst Google Maps klagt gegen unechte Geschäfte auf seiner Plattform, die Nutzerdaten abschöpften und verkauften.
---------------------------------------------
https://heise.de/-10325360
∗∗∗ How to find Next.js on your network ∗∗∗
---------------------------------------------
On March 22nd, 2025, Next.js disclosed an authentication bypass vulnerability in the middleware layer. Exploitation is trivial and can be achieved by sending an extra HTTP header. For specifics, please see ..
---------------------------------------------
https://www.runzero.com/blog/next-js/
∗∗∗ Next.js Patches Critical Middleware Vulnerability (CVE-2025-29927) ∗∗∗
---------------------------------------------
This weekend, the Next.js team released emergency patches addressing a critical vulnerability (CVE-2025-29927) that allowed attackers to bypass middleware-based security checks, including authentication and ..
---------------------------------------------
https://socket.dev/blog/next-js-patches-critical-middleware-vulnerability
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 20-03-2025 18:00 − Freitag 21-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Angreifer machen sich an Hintertür in Cisco Smart Licensing Utility zu schaffen ∗∗∗
---------------------------------------------
Wie Sicherheitsforscher berichten, fangen Angreifer derzeit an, zwei Schwachstellen in Cisco Smart Licensing Utility auszunutzen. Darüber verschaffen sie sich Zugang mit Adminrechten. Sicherheitspatches sind schon länger verfügbar. [..] Die „kritischen“ Lücken (CVE-2024-20439, CVE-2024-20440) sind seit Anfang September 2024 bekannt.
---------------------------------------------
https://heise.de/-10323893
∗∗∗ VSCode extensions found downloading early-stage ransomware ∗∗∗
---------------------------------------------
Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsofts review process.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vscode-extensions-found-down…
∗∗∗ Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates ∗∗∗
---------------------------------------------
The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.
---------------------------------------------
https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.h…
∗∗∗ How to Avoid US-Based Digital Services—and Why You Might Want To ∗∗∗
---------------------------------------------
Amid growing concerns over Big Tech firms aligning with Trump administration policies, people are starting to move their digital lives to services based overseas. Heres what you need to know.
---------------------------------------------
https://www.wired.com/story/trump-era-digital-expat/
∗∗∗ Fake-Shops wie eu.stanlaystore.com locken mit günstigen Stanley Cups ∗∗∗
---------------------------------------------
Stanley Cups gehören aktuell zu den beliebtesten Thermoskannen auf dem Markt. Leider machen sich auch Kriminelle die hohe Nachfrage zunutze und bieten die trendigen Becher in Fake-Shops an. Wie zum Beispiel die Website eu.stanlaystore.com, die mit unschlagbar günstigen Preisen lockt.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-wie-eustanlaystorecom-loc…
∗∗∗ Achtung Phishing: So funktioniert der neue Debitkarten-Betrug ∗∗∗
---------------------------------------------
Kriminelle versenden derzeit vermehrt gefälschte E-Mails im Namen der Erste Bank. Darin wird behauptet, dass Ihre Debitkarte veraltet sei und Sie eine neue Karte beantragen müssen. Mit dieser Betrugsmasche versuchen Kriminelle, an Ihre Debitkarte samt PIN zu gelangen!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-phishing-so-funktioniert-der…
∗∗∗ GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 3/21) ∗∗∗
---------------------------------------------
Updated March 20: The recent compromise of the GitHub action tj-actions/changed-files and additional actions within the reviewdog organization has captured the attention of the GitHub community, marking another major software supply chain attack. Our team conducted an in-depth investigation into this incident and uncovered many more details about how the attack occurred and its timeline. [..] Our team also discovered that the initial attack targeted Coinbase. The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises. However, the attacker was not able to use Coinbase secrets or publish packages.
---------------------------------------------
https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/
∗∗∗ Major web services go dark in Russia amid reported Cloudflare block ∗∗∗
---------------------------------------------
Website outages were observed across Russia this week, with regulators attributing them to issues with foreign servers. Observers said the problems might be tied to Russian government moves to block Cloudflare services.
---------------------------------------------
https://therecord.media/russia-websites-dark-reported-cloudflare-block
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability in NAKIVO Backup & Replication ∗∗∗
---------------------------------------------
A vulnerability has been discovered in NAKIVO Backup & Replication 10.11.3.86570 and earlier. [..] We have already removed the affected versions from App Center and requested NAKIVO to provide a fixed version as soon as possible.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-08
∗∗∗ Siemens: SSA-656895 V1.2 (Last Update: 2025-03-20): Open Redirect Vulnerability in Teamcenter ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-656895.html
∗∗∗ [R1] Nessus Agent Version 10.8.3 Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-02
∗∗∗ F5: K000150484: Apache Tomcat vulnerability CVE-2025-24813 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000150484
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 19-03-2025 18:00 − Donnerstag 20-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ HellCat hackers go on a worldwide Jira hacking spree ∗∗∗
---------------------------------------------
Swiss global solutions provider Ascom has confirmed a cyberattack on its IT infrastructure as a hacker group known as Hellcat targets Jira servers worldwide using compromised credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worl…
∗∗∗ Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data ∗∗∗
---------------------------------------------
The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. [..] In these attacks, targets were added to a WhatsApp group, and then sent a PDF document, which is subsequently parsed automatically to trigger the now-patched zero-day vulnerability and load the Graphite spyware.
---------------------------------------------
https://thehackernews.com/2025/03/six-governments-likely-use-israeli.html
∗∗∗ Phishing-Versuche im Namen der Oberbank – „Bitte aktualisieren Sie Ihre persönlichen Informationen“ ∗∗∗
---------------------------------------------
Mit Fake-SMS-Nachrichten versuchen Kriminelle gerade verstärkt, Opfer auf gefälschte Kundenportale der Oberbank zu leiten. Ziel der Phishing-Attacke sind sensible Bankdaten. Hier erfahren Sie, wie der Betrugsversuch abläuft und wie Sie den Fake erkennen. Außerdem erklären wir, was Sie tun können, falls Sie Ihre persönlichen Informationen bereits an die Betrüger:innen übermittelt haben.
---------------------------------------------
https://www.watchlist-internet.at/news/persoenlichen-informationen-phishing…
∗∗∗ Presseaussendung: Fake-Shops, Produktpiraterie und Co. als Bedrohung für den österreichischen Onlinehandel ∗∗∗
---------------------------------------------
Fake-Shops, Markenfälschungen, Produktpiraterie oder Verletzungen des geistigen Eigentums: Die Bedrohungen im E-Commerce sind vielfältig und können für österreichische Unternehmer:innen nicht nur zu finanziellen Verlusten durch betrügerische Konkurrenz führen, sondern auch das Vertrauen der Kund:innen in den Online-Handel als Ganzes untergraben.
---------------------------------------------
https://www.watchlist-internet.at/news/presseaussendung-bedrohungen-fuer-de…
∗∗∗ UK sets timeline for country’s transition to quantum-resistant encryption ∗∗∗
---------------------------------------------
The U.K. National Cyber Security Centre issued new guidance to help organizations transition to cryptographic algorithms and protocols that can protect data threatened by quantum computing.
---------------------------------------------
https://therecord.media/uk-ncsc-quantum-resistant-algorithms-transition
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress security plugin WP Ghost vulnerable to remote code execution bug ∗∗∗
---------------------------------------------
Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. [..] The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp…
∗∗∗ Google warnt: Kritische Sicherheitslücke in Chrome gefährdet Nutzer ∗∗∗
---------------------------------------------
Google hat wichtige Sicherheitsupdates für seinen Webbrowser Chrome veröffentlicht. [..] Mit Details zu der als CVE-2025-2476 registrierten Schwachstelle hält sich Google in seiner Versionsankündigung aus Sicherheitsgründen noch zurück.
---------------------------------------------
https://www.golem.de/news/google-warnt-kritische-sicherheitsluecke-in-chrom…
∗∗∗ Veeam Backup & Replication RCE-Schwachstelle CVE-2025-23120 ∗∗∗
---------------------------------------------
Nutzer von Veeam Backup & Replication müssen reagieren. Der Anbieter Veeam hat zum 19. März 2025 über eine Remote Code Execution (RCE) Schwachstelle CVE-2025-23120 in verschiedenen Versionen des genannten Produkts informiert. Es gibt Sicherheitsupdates, um diese Schwachstelle zu schließen.
---------------------------------------------
https://www.borncity.com/blog/2025/03/19/veeam-backup-replication-rce-schwa…
∗∗∗ ZDI-25-175: (0Day) Luxion KeyShot USDC File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-175/
∗∗∗ ZDI-25-174: (0Day) Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-174/
∗∗∗ Schwerwiegende Sicherheitslücken bedrohen Serverbetriebssystem IBM AIX ∗∗∗
---------------------------------------------
https://www.heise.de/news/Schwerwiegende-Sicherheitsluecken-bedrohen-Server…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0002.html
∗∗∗ SMA Sunny Portal ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-04
∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-079-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 18-03-2025 18:00 − Mittwoch 19-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Malicious Android Vapor apps on Google Play installed 60 million times ∗∗∗
---------------------------------------------
Over 300 malicious Android applications downloaded 60 million items from Google Play acted as adware or attempted to steal credentials and credit card information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-android-vapor-apps…
∗∗∗ Why its time for phishing prevention to move beyond email ∗∗∗
---------------------------------------------
While phishing has evolved, email security hasnt kept up. Attackers now bypass MFA & detection tools with advanced phishing kits, making credential theft harder to prevent. Learn how Push Securitys browser-based security stops attacks as they happen.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/why-its-time-for-phishing-pr…
∗∗∗ iOS-Nutzer gefährdet: Phishing-Lücke in Passwords-App erst nach Monaten gepatcht ∗∗∗
---------------------------------------------
Apples Passwords-App hat Weiterleitungen zur Passwortänderung über unsicheres HTTP abgewickelt. Angreifer hätten auf Phishingseiten umleiten können.
---------------------------------------------
https://www.golem.de/news/unsicheres-http-ios-nutzer-durch-phishing-luecke-…
∗∗∗ Malware im Anmarsch: Ungepatchte Windows-Lücke wird seit 8 Jahren ausgenutzt ∗∗∗
---------------------------------------------
Hacker nutzen die Schwachstelle schon mindestens seit 2017 aus. Ein Patch ist bisher nicht in Sicht. Auch Ziele in Deutschland sind bereits attackiert worden.
---------------------------------------------
https://www.golem.de/news/malware-im-anmarsch-ungepatchte-windows-luecke-wi…
∗∗∗ Arcane stealer: We want all your data ∗∗∗
---------------------------------------------
The new Arcane stealer spreads via YouTube and Discord, collecting data from many applications, including VPN and gaming clients, network utilities, messaging apps, and browsers.
---------------------------------------------
https://securelist.com/arcane-stealer/115919/
∗∗∗ Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source ∗∗∗
---------------------------------------------
Today, were thrilled to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta version. This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities ..
---------------------------------------------
https://security.googleblog.com/2025/03/announcing-osv-scanner-v2-vulnerabi…
∗∗∗ Buying browser extensions for fun and profit ∗∗∗
---------------------------------------------
Your browser extensions could be secretly sold to malicious actors without your knowledge. What starts as helpful tools created by passionate developers can transform into dangerous spyware when sold to the highest bidder. As these extensions grow to hundreds of thousands of users, their creators—overwhelmed by maintenance and lacking ..
---------------------------------------------
https://secureannex.com/blog/buying-browser-extensions/
∗∗∗ Which passwords are attackers using against RDP ports right now? ∗∗∗
---------------------------------------------
The Specops research team has been analyzing 15 million passwords being used to attack RDP ports, in live attacks happening against networks right now. Our team have found the ten most common passwords attackers are using and analyzed their wordlists for the most common complexity rules and password lengths. We shared the results of a ..
---------------------------------------------
https://specopssoft.com/blog/passwords-used-in-attacking-rdp-ports/
∗∗∗ AMOS and Lumma stealers actively spread to Reddit users ∗∗∗
---------------------------------------------
Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software.
---------------------------------------------
https://www.malwarebytes.com/blog/scams/2025/03/amos-and-lumma-stealers-act…
∗∗∗ Website-Kidnapping: So schützen Sie Ihre Website vor Hackingangriffen! ∗∗∗
---------------------------------------------
Immer öfter geraten österreichische Unternehmen ins Visier von Kriminellen, die ihre Website unbemerkt manipulieren, um Kund:innen auf Fake-Shops oder andere illegale Inhalte weiterzuleiten. Besonders gefährdet sind kleine und mittlere Unternehmen (KMU), da sie oft nicht über ausreichende IT-Sicherheitsmaßnahmen verfügen.
---------------------------------------------
https://www.watchlist-internet.at/news/website-kidnapping-so-schuetzen-sie-…
∗∗∗ Russland vergiftet KI-Chatbots wie ChatGPT gezielt mit Propaganda ∗∗∗
---------------------------------------------
Rund 3,6 Millionen Artikel des russischen Pravda-Netzwerks sollen in das Trainingsmaterial westlicher KI-Systeme eingeflossen sein. So werden Fake News via KI verbreitet
---------------------------------------------
https://www.derstandard.at/story/3000000261876/russland-vergiftet-ki-chatbo…
∗∗∗ The Citizen Lab’s director dissects spyware and the ‘proliferating’ market for it ∗∗∗
---------------------------------------------
In an interview with Recorded Future News, Deibert explained the technical aspects of the Citizen Lab’s methods and how spyware companies continue to evolve to evade detection.
---------------------------------------------
https://therecord.media/ron-deibert-citizen-lab-spyware-interview
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-25-149: Adobe Acrobat Reader DC AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-271561.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-149/
∗∗∗ ZDI-25-151: Progress Software Kemp LoadMaster mangle Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-1758.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-151/
∗∗∗ ZDI-25-150: Microsoft Windows MSC File Insufficient UI Warning Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2025-26633.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-150/
∗∗∗ ZDI-25-172: Apple macOS MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-24124.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-172/
∗∗∗ Multiple Vulnerabilities in Autodesk AutoCAD and certain AutoCAD-based Products ∗∗∗
---------------------------------------------
Autodesk AutoCAD and certain AutoCAD-based products are affected by multiple vulnerabilities. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 17-03-2025 18:00 − Dienstag 18-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Critical AMI MegaRAC bug can let attackers hijack, brick servers ∗∗∗
---------------------------------------------
A new critical severity vulnerability found in American Megatrends Internationals MegaRAC Baseboard Management Controller (BMC) software can let attackers hijack and potentially brick vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bug-can…
∗∗∗ StilachiRAT analysis: From system reconnaissance to cryptocurrency theft ∗∗∗
---------------------------------------------
Microsoft Incident Response uncovered a novel remote access trojan (RAT) named StilachiRAT, which demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. This blog primarily focuses on analysis of the WWStartupCtrl64.dll module that contains the RAT capabilities and summarizes ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analys…
∗∗∗ New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious ..
---------------------------------------------
https://thehackernews.com/2025/03/new-rules-file-backdoor-attack-lets.html
∗∗∗ Britische Hintertüren: Verdacht nach Apple auch bei Google ∗∗∗
---------------------------------------------
Britische Überwacher verlangen weltweiten Zugriff auf Apple-Backups. Apple darf das nicht bestätigen und ist damit offenbar kein Einzelfall.
---------------------------------------------
https://www.heise.de/news/Auch-Google-kann-britischen-Ueberwachungsbefehl-n…
∗∗∗ FBI-Warnung: Betrügerische Online-Dateikonverter schleusen Trojaner in Dokumente ∗∗∗
---------------------------------------------
Wer kostenlose Onlinedienste zum Umwandeln von etwa Textdateien nutzt, kann sich Malware einfangen. Darauf weist das FBI hin.
---------------------------------------------
https://www.heise.de/news/Malwareverteiler-FBI-warnt-vor-betruegerischen-On…
∗∗∗ Bogus ‘DeepSeek’ AI Installers Are Infecting Devices with Malware, Research Finds ∗∗∗
---------------------------------------------
In a digital landscape hungry for the next big thing in Artificial Intelligence, a new contender called DeepSeek recently burst ..
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/bogus-deepseek-ai-inst…
∗∗∗ Betrügerisches Gewinnspiel: Abofalle statt günstigem Thermomix! ∗∗∗
---------------------------------------------
Frau S. wünscht sich schon lange einen Thermomix. Bisher schreckte sie jedoch der hohe Preis der Küchenmaschine ab. Umso größer ist ihre Freude, als sie im Internet sieht, dass sie nach der Teilnahme an einer Umfrage den Thermomix für nur zwei Euro erhalten kann. Doch Vorsicht: Statt eines günstigen Thermomix erwartet sie eine teure Abofalle!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerisches-gewinnspiel-abofalle…
∗∗∗ Google-Mutter Alphabet bietet für Cybersecurity-Startup Wiz 30 Milliarden Dollar ∗∗∗
---------------------------------------------
Es wäre die größte Transaktion von Alphabet. Ein Angebot über 23 Milliarden Dollar war im Vorjahr abgelehnt worden
---------------------------------------------
https://www.derstandard.at/story/3000000261775/wsj-alphabet-bietet-f252r-cy…
∗∗∗ Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds ∗∗∗
---------------------------------------------
OKX said it detected a coordinated effort by one of North Korea’s most prolific hacking outfits to misuse its decentralized finance (DeFi) services.
---------------------------------------------
https://therecord.media/crypto-okx-shuts-down-exchange
∗∗∗ Password reuse is rampant: nearly half of observed user logins are compromised ∗∗∗
---------------------------------------------
Accessing private content online, whether it's checking email or streaming your favorite show, almost always starts with a “login” step. Beneath this everyday task lies a widespread human mistake we still have not resolved: password reuse. Many users recycle passwords across multiple services, creating a ripple effect of risk when their credentials are leaked.
---------------------------------------------
https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-comprom…
∗∗∗ Offline PKI using 3 YubiKeys and an ARM single board computer ∗∗∗
---------------------------------------------
An offline PKI enhances security by physically isolating the certificate authority from network threats. A YubiKey is a low-cost solution to store a root certificate. You also need an air-gapped environment to operate the root CA.
---------------------------------------------
https://vincent.bernat.ch/en/blog/2025-offline-pki-yubikeys
∗∗∗ Security Risks of Setting Access Control Allow Origin: * ∗∗∗
---------------------------------------------
Wildcard CORS: convenient or careless? What are the ACTUAL scenarios that could lead to a loose CORS policy being exploited?
---------------------------------------------
https://projectblack.io/blog/security-risks-of-setting-access-control-allow…
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-003
∗∗∗ TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-002
∗∗∗ Varnish Enterprise vulnerability in MSE4 when handling range requests ∗∗∗
---------------------------------------------
https://docs.varnish-software.com/security/VEV00001/
∗∗∗ HTTP/1 client-side desync vulnerability ∗∗∗
---------------------------------------------
https://docs.varnish-software.com/security/VSV00015/
∗∗∗ Schneider Electric EcoStruxure Power Automation System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-077-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily