=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 20-05-2025 18:00 − Mittwoch 21-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows 11’s most important new feature is post-quantum cryptography. Here’s why. ∗∗∗
---------------------------------------------
For the first time, new quantum-safe algorithms can be invoked using standard Windows APIs.
---------------------------------------------
https://arstechnica.com/security/2025/05/heres-how-windows-11-aims-to-make-…
∗∗∗ VanHelsing ransomware builder leaked on hacking forum ∗∗∗
---------------------------------------------
The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vanhelsing-ransomware-builde…
∗∗∗ Dero miner zombies biting through Docker APIs to build a cryptojacking horde ∗∗∗
---------------------------------------------
Kaspersky experts break down an updated cryptojacking campaign targeting containerized environments: a Dero crypto miner abuses the Docker API. [..] The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner.
---------------------------------------------
https://securelist.com/dero-miner-infects-containers-through-docker-api/116…
∗∗∗ Chrome kann unsichere Passwörter künftig komplett selbst ändern ∗∗∗
---------------------------------------------
Googles Chrome-Browser soll bald automatisch Passwörter ändern können, wenn bei der Anmeldung damit erkannt wird, dass es kompromittiert wurde. [..] Im Idealfall bekommen Nutzer und Nutzerinnen in Chrome dann künftig einen Hinweis, wenn ein gespeichertes Passwort in einem Datenleck gefunden wurde und können den Browser dazu bringen, das Passwort durch ein sicheres zu ersetzen. Das wird dann im Passwortmanager von Chrome abgespeichert, das unsichere wird ersetzt. Die automatische Passwortänderung benötigt dafür insgesamt nur einen Klick.
---------------------------------------------
https://heise.de/-10391298
∗∗∗ Sicherheitsbehörden warnen vor russischer Spionage mit IP-Kameras ∗∗∗
---------------------------------------------
Mutmaßliche Mitarbeiter des russischen Militärgeheimdienstes GRU haben sich Zugriff auf Netzwerke und IP-Kameras von Betreibern kritischer Infrastrukturen (KRITIS) verschafft. Das melden unter anderem NSA, FBI, der Bundesnachrichtendienst (BND) und die Bundesämter für Verfassungsschutz (BfV) sowie Sicherheit in der Informationstechnik (BSI).[..] Betroffen sind laut einer Mitteilung der Behörden vor allem Unternehmen aus der Logistikbranche.
---------------------------------------------
https://heise.de/-10391927
∗∗∗ CISA, NIST Researchers Develop Metric to Determine Likelihood of Vulnerability Exploitation ∗∗∗
---------------------------------------------
Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have developed a new security metric to determine the likelihood that a vulnerability has been exploited. In a paper published this week, Peter Mell, formerly of NIST, and CISA’s Jonathan Spring outlined their vulnerability exploit metric that augments the work of the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.
---------------------------------------------
https://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/
=====================
= Vulnerabilities =
=====================
∗∗∗ Lücke in OpenPGP.js gefährdet verschlüsselten E-Mail-Verkehr ∗∗∗
---------------------------------------------
In OpenPGP.js, einer weitverbreiteten Javascript-Implementierung von OpenPGP, klafft eine gefährliche Sicherheitslücke, durch die sich das Ergebnis der Signaturprüfung fälschen lässt. Laut einer Sicherheitsmeldung auf Github kann ein Angreifer speziell manipulierte Daten an die Funktionen openpgp.verify oder openpgp.decrypt übergeben, um verschlüsselte und/oder signierte Nachrichten zu spoofen. CVE-2025-47934
---------------------------------------------
https://www.golem.de/news/manipulationsgefahr-luecke-in-openpgp-js-gefaehrd…
∗∗∗ Mehrere Schwachstellen bei eCharge Hardy Barth cPH2 und cPP2 Ladestationen ∗∗∗
---------------------------------------------
Hardy Barth EV charging station products are affected by critical vulnerabilities that can be exploited through both physical access and unauthenticated network access. These vulnerabilities pose significant risks, including system compromise, data breaches, and operational disruptions within EV charging infrastructures. [..] The vendor has not provided a fix for any of the reported vulnerabilities.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle…
∗∗∗ Mehrere Sicherheitslücken bedrohen VMware Cloud Foundation ∗∗∗
---------------------------------------------
Wie aus einer Warnmeldung hervorgeht, sind die Lücken (CVE-2025-41229, CVE-2025-41230, CVE-2025-41231) mit dem Bedrohungsgrad "hoch" eingestuft. Nutzen Angreifer die Schwachstellen erfolgreich aus, können sie etwa im Netzwerk über den Port 443 auf sensitive Informationen oder interne Services zugreifen.
---------------------------------------------
https://heise.de/-10390932
∗∗∗ Millions of Node.js Apps at Risk Due to Critical Multer Vulnerabilities ∗∗∗
---------------------------------------------
Two high-severity security flaws have been identified in Multer, a popular middleware used in Node.js applications for handling file uploads. The Multer vulnerabilities, tracked as CVE-2025-47944 and CVE-2025-47935, affect all versions from 1.4.4-lts.1 up to but not including 2.0.0. According to the GitHub post, the two vulnerabilities “allow an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request.
---------------------------------------------
https://thecyberexpress.com/multer-vulnerabilities-expose-node-js/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, avahi, buildah, compat-openssl10, compat-openssl11, expat, firefox, gimp, git, grafana, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:22, osbuild-composer, php, redis, redis:7, skopeo, thunderbird, vim, webkit2gtk3, xterm, and yelp), Arch Linux (dropbear, freetype2, go, nodejs, nodejs-lts-iron, nodejs-lts-jod, python-django, webkit2gtk, webkit2gtk-4.1, webkitgtk-6.0, and wpewebkit), Debian (mongo-c-driver), Fedora (openssh, perl-Mojolicious, thunderbird, yelp, and yelp-xsl), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-ibm-semeru-certified-jdk, java-21-openjdk, kernel, libxslt, ruby, ruby:3.1, ruby:3.3, unbound, and webkit2gtk3), SUSE (glib2, grub2, kernel, libwebp, openssh, and s390-tools), and Ubuntu (linux, linux-azure, linux-azure-6.11, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oem-6.11, linux-raspi, linux-realtime, linux-azure, linux-azure-5.15, linux-nvidia-tegra, linux-azure, linux-azure-6.8, linux-oem-6.8, linux-azure, linux-kvm, linux-azure-fips, linux-azure-nvidia, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, mariadb-10.6, and postgresql-12, postgresql-14, postgresql-16).
---------------------------------------------
https://lwn.net/Articles/1022030/
∗∗∗ Assured Telematics Inc (ATI) Fleet Management System with Geotab Integration ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-11
∗∗∗ Vertiv Liebert RDU101 and UNITY ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-10
∗∗∗ AutomationDirect MB-Gateway ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-09
∗∗∗ Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-04
∗∗∗ f5: K000151431: Intel Ethernet Controller and Adapter vulnerability CVE-2024-24983 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151431
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 19-05-2025 18:00 − Dienstag 20-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains ∗∗∗
---------------------------------------------
A threat actor named Hazy Hawk has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-…
∗∗∗ 100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads ∗∗∗
---------------------------------------------
An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.
---------------------------------------------
https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html
∗∗∗ Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more… ∗∗∗
---------------------------------------------
Overall, we’ve proven that although a fair amount of effort has been put into enforcing the restrictions of Restricted View there are plenty of ways to circumvent them. Therefore, it is important for administrators and users to understand that it can not be relied on to secure data against motivated attackers.
---------------------------------------------
https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-…
∗∗∗ Duping Cloud Functions: An emerging serverless attack vector ∗∗∗
---------------------------------------------
Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure.
---------------------------------------------
https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serve…
∗∗∗ Compromised RVTools Installer Spreading Bumblebee Malware ∗∗∗
---------------------------------------------
RVTools installer on its official site was found delivering malware. Research shows it spread Bumblebee loader. Users urged to verify downloads.
---------------------------------------------
https://hackread.com/compromised-rvtools-installer-drop-bumblebee-malware/
∗∗∗ Gehärtete Images von Docker verbessern die Sicherheit und entlasten Entwickler ∗∗∗
---------------------------------------------
Mit den Hardened Images (DHI) bietet Docker sichere, schlanke und Compliance-konforme Images. Mit dabei sind unter anderem Microsoft, Neo4J oder GitLab.
---------------------------------------------
https://heise.de/-10388766
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3 Security Advisories Tue. 20th May, 2025 ∗∗∗
---------------------------------------------
TYPO3 has released 11 new security advisories.
---------------------------------------------
https://typo3.org/help/security-advisories
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, python311-cramjam, python311-httptools, python311-jwcrypto, python311-loguru, python311-mechanize, python311-nltk, python311-oauthlib, python311-py7zr, python311-pycapnp, python311-pyspnego, python311-pywayland, python311-suds, python311-treq, python311-ujson, python311-waitress, ruby3.4-rubygem-actionmailer, ruby3.4-rubygem-actiontext, ruby3.4-rubygem-activerecord, ruby3.4-rubygem-activestorage, ruby3.4-rubygem-fluentd, ruby3.4-rubygem-globalid, ruby3.4-rubygem-jquery-rails, ruby3.4-rubygem-kramdown, ruby3.4-rubygem-loofah, ruby3.4-rubygem-multi_xml, ruby3.4-rubygem-puma, ruby3.4-rubygem-rails, ruby3.4-rubygem-rails-html-sanitizer, ruby3.4-rubygem-sprockets, ruby3.4-rubygem-web-console, ruby3.4-rubygem-websocket-extensions, ucode-intel-20250512, and valkey), and Ubuntu (dotnet8, dotnet9, linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-oracle, linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, and linux-xilinx-zynqmp).
---------------------------------------------
https://lwn.net/Articles/1021740/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips).
---------------------------------------------
https://lwn.net/Articles/1021812/
∗∗∗ 22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/22000-wordpress-sites-affected-by-pr…
∗∗∗ Danfoss AK-SM 8xxA Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-03
∗∗∗ National Instruments Circuit Design Suite ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-02
∗∗∗ ABUP IoT Cloud Platform ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 16-05-2025 18:00 − Montag 19-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Curl-Entwickler warnt: Unicode-Trick gefährdet Softwareprojekte auf Github ∗∗∗
---------------------------------------------
Die wenigsten Entwickler dürften die Unterschiede zwischen bestimmten Unicode-Zeichen zuverlässig erkennen. Gerade auf Github ist das ein Problem.
---------------------------------------------
https://www.golem.de/news/curl-entwickler-warnt-unicode-trick-gefaehrdet-so…
∗∗∗ Warnung vor brancheneintrag24.com ∗∗∗
---------------------------------------------
Derzeit kursieren betrügerische E-Mails, die von der Adresse info(a)brancheneintrag24.com stammen. Im Anhang befindet sich ein Formular, das Unternehmen angeblich zur Aktualisierung ihres Brancheneintrags auffordert. [..] Mit dem Ausfüllen und Zurücksenden des Formulars wird ein kostenpflichtiger Vertrag abgeschlossen.
---------------------------------------------
https://www.zettasecure.com/post/warnung-vor-brancheneintrag24-com
∗∗∗ Fake-Shops: Laufsportbegeisterte im Visier von Kriminellen ∗∗∗
---------------------------------------------
Laufschuhe von Top-Marken zu absoluten Niedrigstpreisen?! Vorsicht! Aktuell tauchen vermehrt Fake-Shops für Sportschuhe und anderes Equipment auf. Wer in einem derartigen Store bestellt, schaut in der Regel durch die Finger. Kommt doch eine Lieferung an, enthält diese nur minderwertige Kopien.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-fuer-laufschuhe/
∗∗∗ Windows: Bitlocker-Verschlüsselung über Bitpixie (CVE-2023-21563) ausgehebelt ∗∗∗
---------------------------------------------
Die von Microsoft für Windows verwendete Bitlocker-Verschlüsselung für Datenträger lässt sich über die Bitpixie-Schwachstelle (CVE-2023-21563) per Software aushebeln, wenn gewisse Randbedingungen gelten. [..] Der jetzt bekannt gewordene Angriff ist nicht neues, sondern ein Proof of Concept, den Administratoren ggf. in eigenen Systemen testen können. [..] Die Bitpixie-Schwachstelle – und ganz allgemein sowohl hardware- als auch softwarebasierte Angriffe – kann durch Erzwingen einer Pre-Boot-Authentifizierung entschärft werden.
---------------------------------------------
https://www.borncity.com/blog/2025/05/18/windows-bitlocker-verschluesselung…
∗∗∗ Windows 10/11: Defender mit simplen Tool Defendnot deaktivierbar ∗∗∗
---------------------------------------------
Microsoft hat in Windows 10 und Windows 11 eine Schnittstelle (API) eingebaut, über die Hersteller von Antivirus-Software bei deren Installation den Microsoft Defender deaktivieren können. Einige Leute (darunter ein Blog-Leser) haben nun gezeigt, wie man mit einer einfachen Software (no-defender oder Defendnot) den Windows Defender deaktivieren kann.
---------------------------------------------
https://www.borncity.com/blog/2025/05/19/windows-10-11-defender-mit-simplen…
∗∗∗ Ivanti EPMM Zero-Days: Reconnaissance to Exploitation ∗∗∗
---------------------------------------------
Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile systems.
---------------------------------------------
https://www.greynoise.io/blog/ivanti-epmm-zero-days-reconnaissance-exploita…
∗∗∗ VM escape in Oracle VirtualBox via VGA device ∗∗∗
---------------------------------------------
We provide a proof-of-concept that demonstrates how to exploit this vulnerability to fully escape a virtual machine.
---------------------------------------------
https://github.com/google/security-research/security/advisories/GHSA-qx2m-r…
∗∗∗ Passwords are okay, impulsive Internet isnt ∗∗∗
---------------------------------------------
Every few weeks, I come across an article telling us how passwords are bad and how we need to go "passwordless". These pieces are written by mostly well-intended nerds who think technology can solve basic problems in human behavior.
---------------------------------------------
https://www.dedoimedo.com/life/passwords-passkeys.html
∗∗∗ New Community Resource: Attribution to IP ∗∗∗
---------------------------------------------
The Curated Intelligence community has shared a new collection for CTI analysts and others who perform cybersecurity research duties. A new GitHub repository has been created that contains a collection of methods to learn who the owner of an IP address is.
---------------------------------------------
https://www.curatedintel.org/2025/05/new-community-resource-attribution-to-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Mozilla Security Advisories May 17, 2025 ∗∗∗
---------------------------------------------
Firefox ESR 115.23.1, ESR 128.10.1 and 138.0.4. Critical
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Angreifer können Verbindungen von Sonicwall SMA1000 manipulieren ∗∗∗
---------------------------------------------
In einer Warnmeldung führt der Anbieter von Netzwerktechnik aus, dass Angreifer im Zuge einer Server-side-request-forgery-Attacke (SSRF) Anfragen an etwa von ihnen kontrollierte Server umleiten können (CVE-2025-40595 "hoch").
---------------------------------------------
https://heise.de/-10387581
∗∗∗ Thousands of WordPress Sites at Risk Due to Critical Crawlomatic Plugin Vulnerability ∗∗∗
---------------------------------------------
A severe security vulnerability has been discovered in the popular WordPress plugin, Crawlomatic Multisite Scraper Post Generator, potentially placing thousands of websites at risk. Tracked as CVE-2025-4389, the flaw allows unauthenticated attackers to upload malicious files, which could ultimately lead to remote code execution on affected websites.
---------------------------------------------
https://thecyberexpress.com/crawlomatic-plugin-hit-by-cve-2025-4389/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 15-05-2025 18:01 − Freitag 16-05-2025 18:01
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FBI: US officials targeted in voice deepfake attacks since April ∗∗∗
---------------------------------------------
The FBI warned that cybercriminals using AI-generated audio deepfakes to target U.S. officials in voice phishing attacks that started in April.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in…
∗∗∗ Ransomware gangs increasingly use Skitnet post-exploitation malware ∗∗∗
---------------------------------------------
Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingl…
∗∗∗ Understanding CSRF: Cross-site Request Forgery Explained ∗∗∗
---------------------------------------------
Cross-Site Request Forgery, often called CSRF (or its other nicknames, Session Riding and XSRF), is a tricky type of attack. In short, it lets attackers make users do things on websites without their consent or knowledge. This attack works by misusing the trust a web application puts in a user’s browser once they’re logged in. By duping the browser into sending fake requests (usually through shady emails or misleading links), CSRF allows unauthorized commands to hit a website. And since these requests seem to come from a legitimate, logged-in user, the website has a hard time spotting the fakes, which can open the door to significant security problems.
---------------------------------------------
https://blog.sucuri.net/2025/05/understanding-csrf-cross-site-request-forge…
∗∗∗ Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT.
---------------------------------------------
https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html
∗∗∗ VNC. RDP for all to see ∗∗∗
---------------------------------------------
VNC (Virtual Network Computing) is a widely deployed service in perhaps forgotten corners of legacy enterprise networks. This is mainly because it’s a tried and trusted protocol that simply works, however this is disregarding its security flaws and disadvantages in the modern age.
---------------------------------------------
https://www.pentestpartners.com/security-blog/vnc-rdp-for-all-to-see/
∗∗∗ Operation RoundPress ∗∗∗
---------------------------------------------
This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
∗∗∗ Commit Stomping ∗∗∗
---------------------------------------------
Commit Stomping is a technique inspired by timestomping, a well-known method used in offensive operations where file metadata is manipulated to hide the true timing of actions. In Git, Commit Stomping involves altering commit timestamps to mislead observers about when changes were introduced.
---------------------------------------------
https://blog.zsec.uk/commit-stomping/
=====================
= Vulnerabilities =
=====================
∗∗∗ Printer company provided infected software downloads for half a year ∗∗∗
---------------------------------------------
When Cameron Coward, the Youtuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the Antivirus software alerted him of a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems.
---------------------------------------------
https://feeds.feedblitz.com/~/918394763/0/gdatasecurityblog-en~Printer-comp…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, kernel, kernel-rt, redis:6, and yelp and yelp-xsl), Debian (chromium), Red Hat (compat-openssl11, kernel, and thunderbird), and SUSE (nbdkit, open-vm-tools, and rustup).
---------------------------------------------
https://lwn.net/Articles/1021482/
∗∗∗ Malicious ‘Checker’ Packages on PyPI Probe TikTok and Instagram for Valid Accounts ∗∗∗
---------------------------------------------
We often hear about the importance of secure data. Have I Been Pwned and similar websites exist to see if passwords or emails are listed online. However, many people do not understand the ramifications of their own leaked data.
---------------------------------------------
https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 14-05-2025 18:01 − Donnerstag 15-05-2025 18:01
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Spies hack high-value mail servers using an exploit from yesteryear ∗∗∗
---------------------------------------------
XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software that, when exploited, allow attackers to execute malicious code in the browsers of people visiting an affected website. XSS first got attention in 2005, with the creation of the Samy Worm, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. XSS exploits abounded for the next decade and have gradually fizzled more recently, although this class of attacks continues now.
---------------------------------------------
https://arstechnica.com/security/2025/05/spies-hack-high-value-mail-servers…
∗∗∗ Critical Infrastructure Under Siege: OT Security Still Lags ∗∗∗
---------------------------------------------
With critical infrastructure facing constant cyber threats from the Typhoons and other corners, federal agencies and others are warning security for the OT network, a core technology in many critical sectors, is not powered up enough.
---------------------------------------------
https://www.darkreading.com/ics-ot-security/critical-infrastructure-ot-secu…
∗∗∗ Beyond the kill chain: What cybercriminals do with their money (Part 1) ∗∗∗
---------------------------------------------
Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled.
---------------------------------------------
https://news.sophos.com/en-us/2025/05/15/beyond-the-kill-chain-what-cybercr…
∗∗∗ Technical Analysis of TransferLoader ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-transfer…
∗∗∗ USA: Bösartige Kommunikationsgeräte in chinesischen Solar-Wechselrichtern ∗∗∗
---------------------------------------------
Bei der Untersuchung von Wechselrichtern aus China durch Experten in den USA wurden in einigen Geräten nicht dokumentierte Kommunikationsgeräte gefunden. US-Energiebehörden wollen das Risiko dieser chinesischen Inverter Medienberichten zufolge neu beurteilen.
---------------------------------------------
https://www.heise.de/news/Boesartige-Kommunikationsgeraete-in-Solar-Wechsel…
∗∗∗ Angeblicher Steam-Hack: Datenleck enthält SMS-Sendeprotokolle ∗∗∗
---------------------------------------------
Ein angebliches Datenleck bei der Spieleplattform Steam soll 89 Millionen Datensätze enthalten – ein Unbekannter versucht seit vergangenem Samstag, sie im Darknet für 5.000 US-Dollar zu verkaufen. Doch die Resonanz ist mau und die Brisanz der Daten fraglich.
---------------------------------------------
https://heise.de/-10383892
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal Security Advisories 2025-05-14 ∗∗∗
---------------------------------------------
Drupal has released 7 new security advisories.
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Palo Alto Networks Security Advisories 2025-05-14 ∗∗∗
---------------------------------------------
Palo Alto has released 11 new security advisories.
---------------------------------------------
https://security.paloaltonetworks.com/
∗∗∗ Mozilla Foundation Security Advisories 2025-05-13 ∗∗∗
---------------------------------------------
For Thunderbird 138.0.1 and Thunderbird 128.10.1.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack).
---------------------------------------------
https://lwn.net/Articles/1021379/
∗∗∗ Patchday: Lücken in Intel-Software und -Treibern gestopft ∗∗∗
---------------------------------------------
Angreifer können Computer mit Hard- und Software von Intel attackieren. Sind Attacken erfolgreich, können sie unter anderem Denial-of-Service-Zustände (DoS) erzeugen, die in der Regel zu Abstürzen führen.
---------------------------------------------
https://heise.de/-10384160
∗∗∗ Google warnt: Gefährliche Chrome-Lücke wird aktiv ausgenutzt ∗∗∗
---------------------------------------------
Im weit verbreiteten Webbrowser Chrome klaffen mehrere gefährliche Sicherheitslücken, von denen eine bereits aktiv von Angreifern ausgenutzt wird. Davor warnt Google in den Release Notes zu einem am Mittwoch bereitgestellten Update. Betroffen ist nicht nur die Windows-Variante von Google Chrome, sondern auch jene für Mac und Linux. Anwender sollten den Browser zeitnah aktualisieren, um sich vor möglichen Angriffen zu schützen.
---------------------------------------------
https://www.golem.de/news/google-warnt-gefaehrliche-chrome-luecke-wird-akti…
∗∗∗ Fortinet dichtet mehrere Lücken ab, Angriffe auf FortiVoice beobachtet ∗∗∗
---------------------------------------------
CVE-2025-32756 is a critical stack-based buffer overflow vulnerability affecting multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows unauthenticated remote attackers to execute arbitrary code or commands via crafted HTTP requests, posing a severe security risk.
---------------------------------------------
https://www.heise.de/news/Fortinet-dichtet-mehrere-Luecken-ab-Angriffe-auf-…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0004 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0004.html
∗∗∗ Reflected cross-site scripting vulnerability in Ricoh laser printers and MFPs which implement Web Image Monitor ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN20474768/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 5, 2025 to May 11, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 13-05-2025 18:00 − Mittwoch 14-05-2025 18:01
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt ∗∗∗
---------------------------------------------
A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads.
---------------------------------------------
https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit…
∗∗∗ Intel: Ein weiterer Angriff umgeht alle bisherigen CPU-Schutzmaßnahmen ∗∗∗
---------------------------------------------
Intel hat einen Lauf: Eine weitere Sicherheitslücke öffnet viele Prozessoren erneut für Seitenkanalangriffe trotz bisheriger Schutzmaßnahmen. [..] Wie schon der Angriffstyp Training Solo erfordert BPI physischen Zugriff auf ein System. Daher sind die zugehörigen CVE-Nummern CVE-2024-43420, CVE-2025-20623 und CVE-2024-45332 nur mit dem Schweregrad Medium bewertet.
---------------------------------------------
https://heise.de/-10383474
∗∗∗ A Privacy Mechanism That Backfired ∗∗∗
---------------------------------------------
Some bugs are more interesting than others. Last time I mentioned how CVE-2025-24091 was one of my favorite iOS vulnerabilities so far. That was because I wasn’t yet allowed to disclose my actual favorite! This post is about CVE-2025-31212, the most ironic vulnerability I’ve ever found, and here's why...
---------------------------------------------
https://rambo.codes/posts/2025-05-12-a-privacy-mechanism-that-backfired
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti EPMM: Remote Code Execution Schwachstellen (CVE-2025-4427, CVE-2025-4428) - Updates verfügbar ∗∗∗
---------------------------------------------
Ivanti veröffentlichte am 13. Mai Updates & Sicherheitsadvisories zu zwei Schwachstellen in Ivanti Endpoint Manager Mobile (EPMM). Die verkettete Ausnutzung der beiden Lücken kann zur unauthentifizierten Ausführung von Schadcode genutzt werden. Ivanti gibt an die Ausnutzung dieser Lücken auf einer limitierten Anzahl an Systemen, bereits vor der Veröffentlichtung des Advisories, beobachtet zu haben. CVE-Nummern: CVE-2025-4427, CVE-2025-4428
---------------------------------------------
https://www.cert.at/de/warnungen/2025/5/ivanti-epmm-rce
∗∗∗ Microsoft primes 71 fixes for May Patch Tuesday ∗∗∗
---------------------------------------------
Five issues actively exploited in the wild, but the real excitement may have been handled in advance.
---------------------------------------------
https://news.sophos.com/en-us/2025/05/14/microsoft-primes-71-fixes-for-may-…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools).
---------------------------------------------
https://lwn.net/Articles/1021199/
∗∗∗ Patchday Adobe: Schadcode-Attacken auf InDesign und Photoshop möglich ∗∗∗
---------------------------------------------
Adobe schließt Sicherheitslücken in mehreren Anwendungen. Bislang gibt es keine Berichte zu Attacken.
---------------------------------------------
https://heise.de/-10382767
∗∗∗ VIdeokonferenzen: Hochriskante Rechteausweitungslücken in Zoom Workplace Apps ∗∗∗
---------------------------------------------
Zoom meldet mehrere Sicherheitslücken in den Workplace Apps der Videokonferenzsoftware. Eine verpasst den Status "kritisch" nur knapp.
---------------------------------------------
https://heise.de/-10383108
∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
∗∗∗ MISP 2.4.209 / 2.5.11 Release Notes Latest ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.11
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 12-05-2025 18:00 − Dienstag 13-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer ∗∗∗
---------------------------------------------
Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script, they were tricked into executing via a Google Drive document.
---------------------------------------------
https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-St…
∗∗∗ Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq ∗∗∗
---------------------------------------------
Turkish spies exploited a zero-day bug in a messaging app to collect info on the Kurdish army in Iraq, according to Microsoft, which says the attacks began more than a year ago. Specifically, the snoops abused CVE-2025-27920, a directory traversal vulnerability in version 2.0.62 of messaging app Output Messenger, and the intrusions began in April 2024. The app's developer Srimax issued a software update in December to patch the hole, however not all users applied the fixes.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/13/turkish_spie…
∗∗∗ As US vuln-tracking falters, EU enters with its own security bug database ∗∗∗
---------------------------------------------
The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/13/eu_security_…
∗∗∗ SAP-Patchday: Kritische Netweaver-Lücke und viele mehr gestopft ∗∗∗
---------------------------------------------
SAP veröffentlicht im Mai 2025 insgesamt 16 neue Sicherheitsmeldungen. Sie behandeln teils kritische Sicherheitslücken in diversen Produkten aus dem Business-Softwarekatalog des Unternehmens.
---------------------------------------------
https://heise.de/-10381863
∗∗∗ Auditing Moodles core hunting for logical bugs ∗∗∗
---------------------------------------------
The following article explains how, during an audit, we examined Moodle (v4.4.3) and found ways of bypassing all the restrictions preventing SSRF vulnerabilities from being exploited.
---------------------------------------------
http://blog.quarkslab.com/auditing-moodles-core-hunting-for-logical-bugs.ht…
∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗
---------------------------------------------
A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025.
---------------------------------------------
http://blog.quarkslab.com/technical-dive-into-modern-phishing.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple Updates Everything: May 2025 Edition, (Mon, May 12th) ∗∗∗
---------------------------------------------
Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem.
---------------------------------------------
https://isc.sans.edu/diary/rss/31942
∗∗∗ Perfekt implementierte Sicherungen ausgehebelt: Spectre-Angriffe sind zurück ∗∗∗
---------------------------------------------
Bisherige Schutzmechanismen schützen nicht immer gegen Spectre-artige Seitenkanalangriffe auf Prozessoren, selbst wenn sie perfekt implementiert sind und verschiedene Domains voneinander abschotten. Zu dem Ergebnis kommen Forscher der Systems and Network Security Group an der Vrije Universiteit Amsterdam (VUSec).
---------------------------------------------
https://www.heise.de/news/Perfekt-implementierte-Sicherungen-ausgehebelt-Sp…
∗∗∗ 82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme ∗∗∗
---------------------------------------------
On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.
---------------------------------------------
https://www.wordfence.com/blog/2025/05/82000-wordpress-sites-affected-by-ar…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/1020948/
∗∗∗ Stack-based buffer overflow vulnerability in API ∗∗∗
---------------------------------------------
A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
∗∗∗ EPMM Security Update ∗∗∗
---------------------------------------------
To this end, we are issuing an important security update addressing vulnerabilities associated with open-source libraries used in Ivanti Endpoint Manager Mobile (EPMM). At the time of disclosure, we are aware of a very limited number of customers whose solution has been exploited. The issue only affects the on-prem EPMM product.
---------------------------------------------
https://www.ivanti.com/blog/epmm-security-update
∗∗∗ Xen Security Advisory CVE-2024-28956 / XSA-469 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-469.html
∗∗∗ Möglichkeit für Replay-Attacken im Tiiwee X1 Alarm System (SYSS-2025-006) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/moeglichkeit-fuer-replay-attacken-im-tiiwe…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 09-05-2025 18:00 − Montag 12-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iClicker site hack targeted students with malware via fake CAPTCHA ∗∗∗
---------------------------------------------
The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-stude…
∗∗∗ Von AMD-Lücke inspiriert: Forscher warnt vor Ransomware im CPU-Microcode ∗∗∗
---------------------------------------------
Eine Ransomware-Infektion kann für Unternehmen weitreichende Folgen haben, die nicht selten auch in einer Insolvenz münden. Durch geeignete Maßnahmen lassen sich die Risiken für solche Sicherheitsvorfälle eindämmen. Der Sicherheitsforscher Christiaan Beek von Rapid7 warnt jedoch vor einer Bedrohung, der gängige Cybersicherheitslösungen wohl bisher wenig entgegenzusetzen haben: Ransomware im Microcode der CPU.
---------------------------------------------
https://www.golem.de/news/von-amd-luecke-inspiriert-forscher-warnt-vor-rans…
∗∗∗ It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities, (Mon, May 12th) ∗∗∗
---------------------------------------------
Unipi Technologies is a company developing programmable logic controllers for a number of different applications like home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are based on the "Marvis" platform, a customized Linux distribution maintained by Unipi.
---------------------------------------------
https://isc.sans.edu/diary/rss/31940
∗∗∗ A Subtle Form of Siege: DDoS Smokescreens as a Cover for Quiet Data Breaches ∗∗∗
---------------------------------------------
DDoS attacks have long been dismissed as blunt instruments, favored by script kiddies and hacktivists for their ability to overwhelm and disrupt. But in todays fragmented, hybrid-cloud environments, theyve evolved into something far more cunning: a smokescreen. What looks like digital vandalism may actually be a coordinated diversion, engineered to distract defenders from deeper breaches in progress.
---------------------------------------------
https://www.tripwire.com/state-of-security/subtle-form-siege-ddos-smokescre…
∗∗∗ Threat Brief: CVE-2025-31324 ∗∗∗
---------------------------------------------
On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-313…
∗∗∗ SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths ∗∗∗
---------------------------------------------
sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with elevated privileges. However, misconfigurations and certain vulnerabilities can be exploited to escalate privileges, potentially compromising system security.
---------------------------------------------
https://www.darknet.org.uk/2025/05/sudo_killer-auditing-sudo-configurations…
∗∗∗ One-click RCE in ASUS’s preinstalled driver software ∗∗∗
---------------------------------------------
By trawling through the Javascript on the website, and about 700k lines of decompiled code that the exe produced, I managed to create a list of callable endpoints including some unused ones sitting in the exe.
---------------------------------------------
https://mrbruh.com/asusdriverhub/
∗∗∗ CVE-2024-26809: Critical nftables Vulnerability in Linux Kernel Could Lead to Root Access ∗∗∗
---------------------------------------------
A critical security flaw has been discovered in the Linux kernel’s nftables subsystem, which is responsible for packet filtering in modern Linux distributions. This flaw, a double-free vulnerability, allows local attackers to escalate their privileges and execute arbitrary code.
---------------------------------------------
https://thecyberexpress.com/cve-2024-26809-nftables-vulnerability/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libbson-xs-perl, postgresql-13, redis, and simplesamlphp), Fedora (chromium, deluge, epiphany, golang-github-nats-io-nkeys, libxmp, nodejs22, perl-Compress-Raw-Lzma, php-adodb, python-h11, and xz), Gentoo (firefox, NVIDIA Drivers, Orc, PAM, and thunderbird), Mageia (libreoffice, python-django, and transfig), Red Hat (emacs, firefox, python39:3.9, and thunderbird), SUSE (bird3, freetype2, ldap-proxy, libmosquitto1, and ruby3.4-rubygem-rack), and Ubuntu (linux, linux-aws, linux-kvm, linux-aws, and linux-fips).
---------------------------------------------
https://lwn.net/Articles/1020884
∗∗∗ TuneUp und Dienste in Avast, AVG, Avira und Norton reißen Sicherheitslücken auf ∗∗∗
---------------------------------------------
Die Virenschutzsoftware der Marken Avast, AVG, Avira und Norton von Gen Digital bringt unter anderem System-Optimierungsdienste und weitere Komponenten mit, die Schwachstellen enthalten. Nutzerinnen und Nutzer der betroffenen Software sollten prüfen, ob sie neuere Versionen installiert haben als die bekannt verwundbaren.
---------------------------------------------
https://heise.de/-10379900
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 08-05-2025 18:00 − Freitag 09-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Nationale Policy für die koordinierte Offenlegung von Schwachstellen (CVD) ∗∗∗
---------------------------------------------
Der Umgang mit Schwachstellen in IT Produkten und Dienstleistungen ist eine der spannenden Themen in der IT-Sicherheit. Seitens der Hersteller stellt sich die Frage, wie man am besten selbst Probleme identifiziert, wie man mit Meldungen von Dritten am umgeht, wie der Prozess zur Entwicklung von korrigierten Versionen aussieht und wie man diese neue Version schnell und effizient an die Kunden verteilt. Seitens der Finder (Researcher) stellen sich Fragen nach den rechtlichen Rahmenbedingungen für die Schwachstellensuche: was darf ich, was sicher nicht, und wie kommuniziere ich das Ergebnis am sinnvollsten?
---------------------------------------------
https://www.cert.at/de/spezielles/2025/5/nationale-cvd-policy
∗∗∗ Malicious PyPi package hides RAT malware, targets Discord devs since 2022 ∗∗∗
---------------------------------------------
A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.[..] Named "discordpydebug," the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides…
∗∗∗ FBI: End-of-life routers hacked for cybercrime proxy networks ∗∗∗
---------------------------------------------
The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hack…
∗∗∗ Operation PowerOFF Takes Down 9 DDoS-for-Hire Domains ∗∗∗
---------------------------------------------
Four different countries, including the United States and Germany, were included in the latest international operation alongside Europols support.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/operation-poweroff-takes-do…
∗∗∗ Lumma Stealer, coming and going ∗∗∗
---------------------------------------------
The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive.
---------------------------------------------
https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
∗∗∗ Warnung: Gefälschtes Anwaltsschreiben könnte Schadsoftware enthalten! ∗∗∗
---------------------------------------------
Derzeit kursieren E-Mails einer angeblichen Anwaltskanzlei, in denen Unternehmen beschuldigt werden, Urheberrechte an Inhalten von Avident Entertainment verletzt zu haben. Über einen Download-Link kann eine Sammlung von Beweisen heruntergeladen werden. Aber Vorsicht: Der Link ist betrügerisch und enthält vermutlich Schadsoftware!
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-gefaelschtes-anwaltsschreibe…
∗∗∗ Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources ∗∗∗
---------------------------------------------
Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-…
∗∗∗ Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation ∗∗∗
---------------------------------------------
Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload generation and obfuscation.
---------------------------------------------
https://www.darknet.org.uk/2025/05/bantam-advanced-php-backdoor-management-…
∗∗∗ Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser ∗∗∗
---------------------------------------------
Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials.
---------------------------------------------
https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/
∗∗∗ Remote-Access-Trojaner in npm-Paket mit 40.000 wöchentlichen Downloads gefunden ∗∗∗
---------------------------------------------
Angreifer hatten das Paket rand-user-agent, das unter anderem für automatische Tests und zum Web-Scraping dient, mit Schadcode versehen.
---------------------------------------------
https://heise.de/-10377590
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django).
---------------------------------------------
https://lwn.net/Articles/1020545/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11).
---------------------------------------------
https://lwn.net/Articles/1020653/
∗∗∗ Sicherheitslücken: F5 BIG-IP-Appliances sind an mehreren Stellen verwundbar ∗∗∗
---------------------------------------------
https://heise.de/-10377584
∗∗∗ Joomla: [20250402] - Core - MFA Authentication Bypass ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/964-20250402-core-mfa-authenti…
∗∗∗ Pixmeo OsiriX MD ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01
∗∗∗ Hitachi Energy RTU500 Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01
∗∗∗ Mitsubishi Electric CC-Link IE TSN ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 07-05-2025 18:00 − Donnerstag 08-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ WhatsApp provides no cryptographic management for group messages ∗∗∗
---------------------------------------------
The weakness creates the possibility of an insider or hacker adding rogue members. [..] “This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.”
---------------------------------------------
https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic…
∗∗∗ Password crisis deepens in 2025: lazy, reused, and stolen ∗∗∗
---------------------------------------------
A new study of over 19 billion newly exposed passwords manifests a widespread weak password reuse crisis. Lazy keyboard patterns, such as 123456, still reign supreme, and 94% of passwords are reused or duplicated, data leaks from 2024-2025 reveal. Names like Ana rank as the second most popular component.
---------------------------------------------
https://cybernews.com/security/password-leak-study-unveils-2025-trends-reus…
∗∗∗ Ransomware: Unbekannte Angreifer leaken LockBit-Datenbank – dank PHP-Exploit? ∗∗∗
---------------------------------------------
Tausende Bitcoin-Adressen, Chatnachrichten und weitere brisante Details des Ransomware-Anbieters kursieren nun im Web. Der LockBit-Support relativiert.
---------------------------------------------
https://www.heise.de/news/Ransomware-Unbekannte-Angreifer-leaken-LockBit-Da…
∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗
---------------------------------------------
Four new vulnerabilities in the Revolution Pi industrial PLCs. Two give unauthenticated attackers RCE—potentially a direct impact on safety and operations. [..] Since the vulnerabilities affect ICS equipment, we coordinated disclosure with CISA and KUNBUS’ PSIRT team (security.txt).
---------------------------------------------
https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g…
∗∗∗ 2,99 € Einfuhrzoll für die Post? Achtung, Phishing! ∗∗∗
---------------------------------------------
Ein Paket hängt im Zoll fest? Die Auslieferung ist nur gegen die Zahlung einer Gebühr möglich? Ein Szenario, das Kriminelle aktuell verstärkt als Betrugsmasche einsetzen. Sie versenden Phishing-Mails im Namen der Post AG und hoffen auf leichtgläubige Opfer.
---------------------------------------------
https://www.watchlist-internet.at/news/einfuhrzoll-fuer-die-post/
∗∗∗ Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads ∗∗∗
---------------------------------------------
Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a multi-stage attack to steal credentials.
---------------------------------------------
https://hackread.com/fake-ai-tools-noodlophile-stealer-facebook-ads/
∗∗∗ RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale ∗∗∗
---------------------------------------------
Learn how RedisRaider is targeting publicly accecesibly Redis servers to mine crypocurrency.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconf…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall urges admins to patch VPN flaw exploited in attacks ∗∗∗
---------------------------------------------
Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances. The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher. [..] SonicWall advised admins to check their SMA devices' logs for any signs of unauthorized logins and enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as a safety measure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-pa…
∗∗∗ CISCO Security Advisories 07. - 08.05.2025 ∗∗∗
---------------------------------------------
Cisco has released 29 new security Advisories.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. [..] Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default. CVE-2025-20188
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Catalyst Center Unauthenticated API Access Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings. CVE-2025-20210
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Drupal Security Advisories 07.05.2025 ∗∗∗
---------------------------------------------
Drupal has released 10 new security advisories.
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Ubiquiti UniFi Protect: Kritisches Leck ermöglicht Codeschmuggel ∗∗∗
---------------------------------------------
In einer Sicherheitsmitteilung erörtert Ubiquiti die Schwachstellen. Bösartige Akteure mit Zugriff auf das Verwaltungsnetzwerk können einen Heap-basierten Pufferüberlauf in den Unifi-Protect-Kameras mit Firmware 4.75.43 und vorherigen provozieren und dadurch beliebigen Code einschleusen und ausführen (CVE-2025-23123, CVSS 10.0, Risiko "kritisch").
---------------------------------------------
https://www.heise.de/news/Ubiquity-UniFi-Protect-Einschleusen-von-Schadcode…
∗∗∗ Mitel SIP-Phones lassen sich beliebige Befehle unterjubeln ∗∗∗
---------------------------------------------
Laut der Sicherheitsmitteilung von Mitel gibt es eine Befehlsschmuggel-Lücke in den SIP-Phones der Baureihen 6800, 6900, 6900w sowie dem 6970-Konferenz-Modell. Angreifer aus dem Netz können dadurch ohne vorherige Authentifizierung Befehle einschleusen, da nicht näher genannte Parameter nicht ausreichend gefiltert werden. Damit können sie System- und Nutzer-Daten und Konfigurationen einsehen oder ändern (CVE-2025-47188, CVSS 9.8, Risiko "kritisch").
---------------------------------------------
https://heise.de/-10376625
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily