=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-05-2025 18:00 − Friday 09-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ National policy for coordinated vulnerability disclosure (CVD) ∗∗∗
---------------------------------------------
Handling vulnerabilities in IT products and services is one of the most interesting topics in IT security. On the vendor side, the questions are how best to identify problems oneself, how to handle reports from third parties, what the process for developing fixed versions looks like, and how to distribute the new version to customers quickly and efficiently. On the finder (researcher) side, the questions concern the legal framework for vulnerability research: what am I allowed to do, what am I certainly not allowed to do, and how do I communicate the result most sensibly?
---------------------------------------------
https://www.cert.at/de/spezielles/2025/5/nationale-cvd-policy
∗∗∗ Malicious PyPi package hides RAT malware, targets Discord devs since 2022 ∗∗∗
---------------------------------------------
A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.[..] Named "discordpydebug," the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides…
∗∗∗ FBI: End-of-life routers hacked for cybercrime proxy networks ∗∗∗
---------------------------------------------
The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hack…
∗∗∗ Operation PowerOFF Takes Down 9 DDoS-for-Hire Domains ∗∗∗
---------------------------------------------
Four different countries, including the United States and Germany, took part in the latest international operation, supported by Europol.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/operation-poweroff-takes-do…
∗∗∗ Lumma Stealer, coming and going ∗∗∗
---------------------------------------------
The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive.
---------------------------------------------
https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
∗∗∗ Warning: Fake lawyer's letter may contain malware! ∗∗∗
---------------------------------------------
E-mails from a purported law firm are currently circulating in which companies are accused of infringing copyrights on content owned by Avident Entertainment. A collection of evidence can supposedly be downloaded via a link. But beware: the link is fraudulent and presumably delivers malware!
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-gefaelschtes-anwaltsschreibe…
∗∗∗ Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources ∗∗∗
---------------------------------------------
Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-…
∗∗∗ Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation ∗∗∗
---------------------------------------------
Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload generation and obfuscation.
---------------------------------------------
https://www.darknet.org.uk/2025/05/bantam-advanced-php-backdoor-management-…
∗∗∗ Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser ∗∗∗
---------------------------------------------
Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials.
---------------------------------------------
https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/
∗∗∗ Remote access trojan found in npm package with 40,000 weekly downloads ∗∗∗
---------------------------------------------
Attackers injected malicious code into the rand-user-agent package, which is used among other things for automated testing and web scraping.
---------------------------------------------
https://heise.de/-10377590
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django).
---------------------------------------------
https://lwn.net/Articles/1020545/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11).
---------------------------------------------
https://lwn.net/Articles/1020653/
∗∗∗ Security vulnerabilities: F5 BIG-IP appliances are vulnerable in several places ∗∗∗
---------------------------------------------
https://heise.de/-10377584
∗∗∗ Joomla: [20250402] - Core - MFA Authentication Bypass ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/964-20250402-core-mfa-authenti…
∗∗∗ Pixmeo OsiriX MD ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01
∗∗∗ Hitachi Energy RTU500 Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01
∗∗∗ Mitsubishi Electric CC-Link IE TSN ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-05-2025 18:00 − Thursday 08-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ WhatsApp provides no cryptographic management for group messages ∗∗∗
---------------------------------------------
The weakness creates the possibility of an insider or hacker adding rogue members. [..] “This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.”
---------------------------------------------
https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic…
∗∗∗ Password crisis deepens in 2025: lazy, reused, and stolen ∗∗∗
---------------------------------------------
A new study of over 19 billion newly exposed passwords manifests a widespread weak password reuse crisis. Lazy keyboard patterns, such as 123456, still reign supreme, and 94% of passwords are reused or duplicated, data leaks from 2024-2025 reveal. Names like Ana rank as the second most popular component.
---------------------------------------------
https://cybernews.com/security/password-leak-study-unveils-2025-trends-reus…
∗∗∗ Ransomware: Unknown attackers leak LockBit database – thanks to a PHP exploit? ∗∗∗
---------------------------------------------
Thousands of Bitcoin addresses, chat messages and other sensitive details of the ransomware operator are now circulating on the web. LockBit support plays it down.
---------------------------------------------
https://www.heise.de/news/Ransomware-Unbekannte-Angreifer-leaken-LockBit-Da…
∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗
---------------------------------------------
Four new vulnerabilities in the Revolution Pi industrial PLCs. Two give unauthenticated attackers RCE—potentially a direct impact on safety and operations. [..] Since the vulnerabilities affect ICS equipment, we coordinated disclosure with CISA and KUNBUS’ PSIRT team (security.txt).
---------------------------------------------
https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g…
∗∗∗ €2.99 import duty for the Post? Beware, phishing! ∗∗∗
---------------------------------------------
A parcel is stuck in customs? Delivery is only possible on payment of a fee? This is a scenario criminals are currently using more and more as a scam. They send phishing e-mails in the name of Post AG and hope for gullible victims.
---------------------------------------------
https://www.watchlist-internet.at/news/einfuhrzoll-fuer-die-post/
∗∗∗ Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads ∗∗∗
---------------------------------------------
Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a multi-stage attack to steal credentials.
---------------------------------------------
https://hackread.com/fake-ai-tools-noodlophile-stealer-facebook-ads/
∗∗∗ RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale ∗∗∗
---------------------------------------------
Learn how RedisRaider is targeting publicly accessible Redis servers to mine cryptocurrency.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconf…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall urges admins to patch VPN flaw exploited in attacks ∗∗∗
---------------------------------------------
Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances. The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher. [..] SonicWall advised admins to check their SMA devices' logs for any signs of unauthorized logins and enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as a safety measure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-pa…
∗∗∗ CISCO Security Advisories 07. - 08.05.2025 ∗∗∗
---------------------------------------------
Cisco has released 29 new security advisories.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. [..] Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default. (CVE-2025-20188)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Catalyst Center Unauthenticated API Access Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings. (CVE-2025-20210)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Drupal Security Advisories 07.05.2025 ∗∗∗
---------------------------------------------
Drupal has released 10 new security advisories.
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Ubiquiti UniFi Protect: Critical flaw allows code injection ∗∗∗
---------------------------------------------
Ubiquiti discusses the vulnerabilities in a security advisory. Malicious actors with access to the management network can trigger a heap-based buffer overflow in UniFi Protect cameras with firmware 4.75.43 and earlier and thereby inject and execute arbitrary code (CVE-2025-23123, CVSS 10.0, risk "critical").
---------------------------------------------
https://www.heise.de/news/Ubiquity-UniFi-Protect-Einschleusen-von-Schadcode…
∗∗∗ Mitel SIP phones can be made to execute arbitrary commands ∗∗∗
---------------------------------------------
According to Mitel's security advisory, there is a command injection vulnerability in the SIP phones of the 6800, 6900 and 6900w series as well as the 6970 conference model. Remote attackers can inject commands without prior authentication because unspecified parameters are not sufficiently filtered. This allows them to view or modify system and user data and configurations (CVE-2025-47188, CVSS 9.8, risk "critical").
---------------------------------------------
https://heise.de/-10376625
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-05-2025 18:00 − Wednesday 07-05-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Samsung MagicINFO 9 Server RCE flaw now exploited in attacks ∗∗∗
---------------------------------------------
Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/samsung-magicinfo-9-server-r…
∗∗∗ Apache Parquet exploit tool detects servers vulnerable to critical flaw ∗∗∗
---------------------------------------------
A proof-of-concept exploit tool has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apache-parquet-exploit-tool-…
∗∗∗ Multi-million fine for company after WhatsApp hack ∗∗∗
---------------------------------------------
Israel's NSO Group had used a bug in WhatsApp to install spyware. Meta sued and won.
---------------------------------------------
https://futurezone.at/digital-life/meta-whatsapp-nso-group-spionagesoftware…
∗∗∗ Zero-day: Windows vulnerability exploited by at least two hacker groups ∗∗∗
---------------------------------------------
At least two cybercrime gangs made use of a vulnerability in the Windows CLFS driver before Microsoft could ship a patch.
---------------------------------------------
https://www.golem.de/news/zero-day-windows-luecke-von-mindestens-zwei-hacke…
∗∗∗ State of ransomware in 2025 ∗∗∗
---------------------------------------------
Kaspersky researchers review ransomware trends for 2024, analyze the most active groups and forecast how this threat will evolve in 2025.
---------------------------------------------
https://securelist.com/state-of-ransomware-in-2025/116475/
∗∗∗ Lights Out and Stalled Factories: Using M.A.T.R.I.X to Learn About Modbus Vulnerabilities ∗∗∗
---------------------------------------------
Let’s explore the critical role of Modbus in energy and manufacturing systems, then demonstrate real-world exploitation techniques using Docker-based simulations and the custom-built Python tool M.A.T.R.I.X.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lights-out-…
∗∗∗ Backup software Commvault: Another vulnerability under attack, patch apparently ineffective ∗∗∗
---------------------------------------------
Over the weekend, attacks on another Commvault vulnerability became known. The update meant to close it apparently does not work.
---------------------------------------------
https://www.heise.de/news/Backupsoftware-Commvault-Weitere-Luecke-angegriff…
∗∗∗ Because of security vulnerabilities: LibreOffice advises against OpenOffice ∗∗∗
---------------------------------------------
The LibreOffice developers advise against the competing OpenOffice. The Apache software is said to contain security vulnerabilities and is no longer actively developed.
---------------------------------------------
https://www.heise.de/news/Wegen-Sicherheitsluecken-LibreOffice-raet-von-Ope…
∗∗∗ NIS2 not transposed: EU penalty for Germany comes one step closer ∗∗∗
---------------------------------------------
The EU Commission has initiated the second stage of infringement proceedings against Germany because it has not yet transposed the NIS2 Directive.
---------------------------------------------
https://www.heise.de/news/NIS2-nicht-umgesetzt-EU-Strafe-fuer-Deutschland-r…
∗∗∗ Exploiting Copilot AI for SharePoint ∗∗∗
---------------------------------------------
TL;DR: AI assistants are becoming far more common. Copilot for SharePoint is Microsoft's answer to generative AI assistance on SharePoint. Attackers will look to exploit anything they can get their ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sha…
∗∗∗ Meta takes six weeks to remove fraud ∗∗∗
---------------------------------------------
Posts about crypto scams or fraudulent influencer promotions stay online longer on Facebook and Instagram than anywhere else.
---------------------------------------------
https://www.derstandard.at/story/3000000268532/meta-laesst-sich-sechs-woche…
∗∗∗ Ransomware Attackers Leveraged Privilege Escalation Zero-day ∗∗∗
---------------------------------------------
Exploit used by Play-linked attackers targets the CVE-2025-29824 zero-day vulnerability patched on April 8.
---------------------------------------------
https://www.security.com/threat-intelligence/play-ransomware-zero-day
∗∗∗ Unsophisticated Cyber Actor(s) Targeting Operational Technology ∗∗∗
---------------------------------------------
CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-ac…
∗∗∗ Poland arrests four in global DDoS-for-hire takedown ∗∗∗
---------------------------------------------
The suspects allegedly operated six platforms that offered distributed denial-of-service attacks for as little as 10 euros.
---------------------------------------------
https://therecord.media/poland-arrests-four-ddos-hire
∗∗∗ Caution with iVentoy: obscure certificates and drivers are installed ∗∗∗
---------------------------------------------
A brief warning to blog readers who use the iVentoy tool to distribute operating system images over a network and a PXE server. There is currently a discussion that the tool ..
---------------------------------------------
https://www.borncity.com/blog/2025/05/07/achtung-bei-iventoy-es-werden-obsk…
∗∗∗ ClickFix Scam: How to Protect Your Business Against This Evolving Threat ∗∗∗
---------------------------------------------
Cybercriminals aren’t always loud and obvious. Sometimes, they play it quiet and smart. One of the tricks of ..
---------------------------------------------
https://hackread.com/clickfix-scam-how-to-protect-business-againt-threat/
∗∗∗ COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-do…
=====================
= Vulnerabilities =
=====================
∗∗∗ Honeywell MB Secure Authenticated Command Injection ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-command…
∗∗∗ Langflow Missing Authentication Vulnerability ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6085
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-05-2025 18:00 − Tuesday 06-05-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Man pleads guilty to using malicious AI software to hack Disney employee ∗∗∗
---------------------------------------------
Fake image-generating app allowed man to download 1.1TB of Disney-owned data.
---------------------------------------------
https://arstechnica.com/ai/2025/05/man-pleads-guilty-to-using-malicious-ai-…
∗∗∗ Luna Moth extortion hackers pose as IT help desks to breach US firms ∗∗∗
---------------------------------------------
The data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/luna-moth-extortion-hackers-…
∗∗∗ "Mirai" Now Exploits Samsung MagicINFO CMS (CVE-2024-7399), (Mon, May 5th) ∗∗∗
---------------------------------------------
Last August, Samsung patched an arbitrary file upload vulnerability that could lead to remote code execution [1]. The announcement was very sparse and did not even include affected ..
---------------------------------------------
https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE2024…
∗∗∗ CISA slammed for role in censorship industrial complex as budget faces possible $500M cut ∗∗∗
---------------------------------------------
Because who needs cybersecurity when there are culture wars to win. President Trump's dream 2026 budget would gut the US government's Cybersecurity and Infrastructure Security Agency, aka CISA, by $491 million – about 17 percent – and accuses the organization of abandoning its core mission in favor of policing online speech.
---------------------------------------------
https://www.theregister.com/2025/05/06/cisa_budget_cuts/
∗∗∗ Signal affair: Modified messenger ceases operation after second breach ∗∗∗
---------------------------------------------
A modified app is used in the US government to communicate via Signal. It is called TeleMessage, was hacked twice and has been shut down for the time being.
---------------------------------------------
https://www.heise.de/news/Signal-Affaere-Modifizierter-Messenger-stellt-nac…
∗∗∗ Peru denies it was hit by ransomware attack following Rhysida claims ∗∗∗
---------------------------------------------
The prolific ransomware gang claimed to have taken over the Peruvian government's domain.
---------------------------------------------
https://therecord.media/peru-rhysida-ransomware-claims-denied
∗∗∗ NSA to cut up to 2,000 civilian roles as part of intel community downsizing ∗∗∗
---------------------------------------------
The agency is expected to make the cuts by the end of the year; however, that deadline could change, as it is tied to the Defense Department's broader push to reduce its budget by 8 percent in each of the next five years.
---------------------------------------------
https://therecord.media/nsa-to-cut-up-to-2000-roles-downsizing
∗∗∗ Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches ∗∗∗
---------------------------------------------
Edge vulnerabilities are a critical and growing threat. The 2025 DBIR reveals an eightfold surge in exploitation, yet many remain unpatched despite immediate risk.
---------------------------------------------
https://www.greynoise.io/blog/verizon-dbir-2025-edge-kevs-increasingly-left…
∗∗∗ Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines ∗∗∗
---------------------------------------------
UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-…
∗∗∗ A Timely Reminder: Russia’s Enduring Cyber Threat to Critical Infrastructure ∗∗∗
---------------------------------------------
Russia’s cyber operations — ranging from power-grid disruptions to global ransomware — continue to be among the world’s most prolific and destructive, underscoring the continued ..
---------------------------------------------
https://detect.fyi/a-timely-reminder-russias-enduring-cyber-threat-to-criti…
∗∗∗ How to Harden GitHub Actions: The Unofficial Guide ∗∗∗
---------------------------------------------
Build resilient GitHub Actions workflows with lessons from recent attacks.
---------------------------------------------
https://www.wiz.io/blog/github-actions-security-guide
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts).
---------------------------------------------
https://lwn.net/Articles/1020222/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-05-2025 18:00 − Monday 05-05-2025 18:00
Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Magento supply chain attack compromises hundreds of e-stores ∗∗∗
---------------------------------------------
A supply chain attack involving 21 backdoored Magento extensions has compromised between 500 and 1,000 e-commerce stores, including one belonging to a $40 billion multinational.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-…
∗∗∗ StealC malware enhanced with stealth upgrades and data theft tools ∗∗∗
---------------------------------------------
The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with…
∗∗∗ Shuffling the Greatest Hits: How DragonForce Ransomware Samples LockBit and Conti Into a Ransomware Jukebox ∗∗∗
---------------------------------------------
DragonForce ransomware has been assessed as a sophisticated threat that tactically deploys payloads derived from leaked source code of both the notorious LockBit 3.0 and Conti ransomware families. While the samples share some similar core functionality, DragonForce distinguishes itself in several ..
---------------------------------------------
https://hybrid-analysis.blogspot.com/2025/05/shuffling-greatest-hits-how-dr…
∗∗∗ Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware ∗∗∗
---------------------------------------------
An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years. The activity, which lasted from at least May 2023 to February 2025, ..
---------------------------------------------
https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.ht…
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-expl…
∗∗∗ CVE-2025-31324: Critical SAP NetWeaver Vulnerability Actively Exploited ∗∗∗
---------------------------------------------
SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, has recently been patched with the release of SAP Security Note 3594142.
---------------------------------------------
https://www.truesec.com/hub/blog/cve-2025-31324-critical-sap-netweaver-vuln…
∗∗∗ DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door ∗∗∗
---------------------------------------------
The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening.
---------------------------------------------
https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-s…
∗∗∗ NPM targeted by malware campaign mimicking familiar library names ∗∗∗
---------------------------------------------
Developers looking for familiar packages from other programming languages are increasingly falling victim to malicious attacks. Summary: The Socket threat research team uncovered a coordinated malware operation across the NPM ecosystem. The actor behind the campaign published dozens of malicious NPM packages that mimic well-known Python, Java, C++, .NET, ..
---------------------------------------------
https://socket.dev/blog/npm-targeted-by-malware-campaign-mimicking-familiar…
∗∗∗ Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks ∗∗∗
---------------------------------------------
A vulnerability has been identified in Apache Parquet Java, which could leave systems exposed to remote code execution (RCE) attacks. Apache Parquet contributor Gang Wu discovered this flaw, tracked as CVE-2025-46762, ..
---------------------------------------------
https://thecyberexpress.com/apache-parquet-java-flaw-cve-2025-46762/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, ..
---------------------------------------------
https://lwn.net/Articles/1020130/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-04-2025 18:00 − Friday 02-05-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Patch now! Attackers are again targeting older SonicWall vulnerabilities ∗∗∗
---------------------------------------------
Because of ongoing attacks, admins should promptly bring their SonicWall SMA series remote access solutions up to date. [..] Both vulnerabilities affect the SMA 200, 210, 400, 410 and 500v series. The developers state that the vulnerabilities have been closed as of firmware 10.2.1.14-75sv. [..] If attacks succeed, attackers can execute malicious code. The "critical" vulnerability (CVE-2024-38475) affects the SMA component Apache HTTP Server.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Angreifer-setzen-erneut-an-aelteren…
∗∗∗ SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475) ∗∗∗
---------------------------------------------
Another day, another edge device being targeted - it’s a typical Thursday! In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. [..] Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a separate CVE will not be assigned for SonicWall's [..] As always, we’ve produced a Detection Artefact Generator to demonstrate and achieve pre-auth RCE.
---------------------------------------------
https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-so…
∗∗∗ Why MFA is getting easier to bypass and what to do about it ∗∗∗
---------------------------------------------
As detailed on Thursday by Cisco Talos, an entire ecosystem has cropped up to help criminals defeat these forms of MFA.
---------------------------------------------
https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-a…
∗∗∗ Windows: Login with old passwords possible via RDP ∗∗∗
---------------------------------------------
According to Microsoft, this is a "design decision that ensures at least one user account is able to log in, regardless of how long the system has been offline". The behaviour therefore, Microsoft says, does not meet the definition of a vulnerability, and Microsoft has no plans to change it.
---------------------------------------------
https://www.heise.de/news/Windows-Log-in-ueber-RDP-mit-widerrufenen-Passwoe…
∗∗∗ Prolific RansomHub Operation Goes Dark ∗∗∗
---------------------------------------------
The chat infrastructure and data-leak site of the notorious ransomware-as-a-service group has been inactive since March 31, according to security vendors.
---------------------------------------------
https://www.darkreading.com/cyber-risk/prolific-ransomhub-operation-goes-da…
∗∗∗ Software updates manipulated: hackers abuse IPv6 feature for cyberattacks ∗∗∗
---------------------------------------------
According to the report, Spellbinder uses an attack vector that has been known since at least 2008 and was described in detail in a 2011 blog post under the name "SLAAC attack". [..] With Spellbinder, IPv6 configurations that are normally assigned automatically via a method called SLAAC (Stateless Address Autoconfiguration) can reportedly be spoofed.
---------------------------------------------
https://www.golem.de/news/softwareupdates-manipuliert-hacker-missbrauchen-i…
∗∗∗ MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks ∗∗∗
---------------------------------------------
The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Future's Insikt Group said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/05/mintsloader-drops-ghostweaver-via.html
∗∗∗ I StealC You: Tracking the Rapid Changes To StealC ∗∗∗
---------------------------------------------
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid…
∗∗∗ Using Trusted Protocols Against You: Gmail as a C2 Mechanism ∗∗∗
---------------------------------------------
Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages.
---------------------------------------------
https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-m…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat, fig2dev, firefox-esr, golang-github-gorilla-csrf, jinja2, libxml2, nagvis, qemu, request-tracker4, request-tracker5, u-boot, and vips), Fedora (firefox, giflib, and thunderbird), Mageia (imagemagick), Red Hat (thunderbird), SUSE (amber-cli, libjxl, and redis), and Ubuntu (h2o, poppler, and postgresql-10).
---------------------------------------------
https://lwn.net/Articles/1019645/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython).
---------------------------------------------
https://lwn.net/Articles/1019869/
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-121-01 KUNBUS GmbH Revolution Pi, ICSMA-25-121-01 MicroDicom DICOM Viewer
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-releases-two-indust…
∗∗∗ ZDI-25-267: GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-267/
∗∗∗ IBM Cognos Analytics: Attackers can upload malicious code ∗∗∗
---------------------------------------------
https://www.heise.de/news/IBM-Cognos-Analytics-Angreifer-koennen-Schadcode-…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr…
∗∗∗ Tenable: [R1] Sensor Proxy Version 1.2.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-08
∗∗∗ f5: K000151130: GnuTLS vulnerability CVE-2024-12243 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151130