Daily July 2025

daily@lists.cert.at

1 participants
23 discussions

Tageszusammenfassung - 03.07.2025
by Daily end-of-shift report 03 Jul '25

03 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-07-2025 18:00 − Donnerstag 03-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DOJ investigates ex-ransomware negotiator over extortion kickbacks ∗∗∗ --------------------------------------------- An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/doj-investigates-ex-ransomwa… ∗∗∗ Data Breach Reveals Catwatchful Stalkerware Is Spying On Thousands of Phones ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware apps full database of email addresses and plaintext passwords that .. --------------------------------------------- https://yro.slashdot.org/story/25/07/03/0023253/data-breach-reveals-catwatc… ∗∗∗ Fake Spam Plugin Uses Victim’s Domain Name to Evade Detection ∗∗∗ --------------------------------------------- During our investigation of an SEO spam infection (spam content designed to manipulate search engine results), we discovered a nicely crafted plugin that named itself after the infected domain, helping it evade detection. While this tactic was simple, it easily blended in with other legitimate plugins, making it harder to spot during the troubleshooting .. --------------------------------------------- https://blog.sucuri.net/2025/07/fake-spam-plugin-uses-victims-domain-name-t… ∗∗∗ CISA warns the Signal clone used by natsec staffers is being attacked, so patch now ∗∗∗ --------------------------------------------- Two flaws in TeleMessage are frequent attack vectors for malicious cyber actors The US security watchdog CISA has warned that malicious actors are actively exploiting two flaws in the Signal clone TeleMessage TM SGNL, and has directed federal agencies to patch the flaws or discontinue use of the app by July 22. --------------------------------------------- https://www.theregister.com/2025/07/02/cisa_telemessage_patch/ ∗∗∗ ChatGPT creates phisher’s paradise by recommending the wrong URLs for major companies ∗∗∗ --------------------------------------------- Crims have cottoned on to a new way to lead you astray AI-powered chatbots often deliver incorrect information when asked to name the address for major companies’ websites, and threat intelligence business Netcraft thinks that creates an opportunity for criminals. --------------------------------------------- https://www.theregister.com/2025/07/03/ai_phishing_websites/ ∗∗∗ Cisco entfernt SSH-Hintertür in Unified Communications Manager ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat Sicherheitslücken in verschiedenen Produkten geschlossen. Eine Lücke gilt als kritisch. --------------------------------------------- https://www.heise.de/news/Cisco-entfernt-SSH-Hintertuer-in-Unified-Communic… ∗∗∗ Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack ∗∗∗ --------------------------------------------- We analyze CVE-2025-24813 (Tomcat Partial PUT RCE), CVE-2025-27636 and CVE-2025-29891 (Camel Header Hijack RCE). --------------------------------------------- https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cv… ∗∗∗ Hunters International ransomware group claims to be shutting down ∗∗∗ --------------------------------------------- “After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the prolific cybercrime gang wrote on its darknet site. --------------------------------------------- https://therecord.media/hunters-international-ransomware-extortion-group-cl… ∗∗∗ Russia jails man for 16 years over pro-Ukraine cyberattacks on critical infrastructure ∗∗∗ --------------------------------------------- Russian authorities said the man used malware to attack Russian information systems in 2022, blocking access to websites of several local companies and damaging critical infrastructure. --------------------------------------------- https://therecord.media/russia-jails-man-over-pro-ukraine-cyberattacks ===================== = Vulnerabilities = ===================== ∗∗∗ Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-085 ∗∗∗ Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-086 ∗∗∗ Security Vulnerabilities fixed in Thunderbird 140 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.12 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.07.2025
by Daily end-of-shift report 02 Jul '25

02 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-07-2025 18:00 − Mittwoch 02-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft: DNS issue blocks delivery of Exchange Online OTP codes ∗∗∗ --------------------------------------------- Microsoft is working to fix a DNS misconfiguration that is causing one-time passcode (OTP) message delivery failures in Exchange Online for some users. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-links-dns-issue-t… ∗∗∗ Kundenfang am Unfallort: Hacker verkauft Daten aus Notrufsystem an Bestatter ∗∗∗ --------------------------------------------- Die Notrufdaten sind in Echtzeit zur Verfügung gestellt worden. Die Bestatter konnten damit frühzeitig an Einsatzorten auftauchen, um neue Kunden zu gewinnen. --------------------------------------------- https://www.golem.de/news/kundenfang-am-unfallort-hacker-verkauft-daten-aus… ∗∗∗ C2 mit Dinosauriern ∗∗∗ --------------------------------------------- Angreifer nutzen gerne Programme, die als Open Source verfügbar sind und typischerweise als legitim sowie harmlos eingestuft werden (z. B. rclone .. --------------------------------------------- https://sec-consult.com/de/blog/detail/c2-mit-dinosauriern/ ∗∗∗ chwoot: Kritische Linux-Lücke macht Nutzer auf den meisten Systemen zu Root ∗∗∗ --------------------------------------------- Ein Beispielexploit steht im Netz und funktioniert auf vielen Standardystemen. Admins sollten schnell die bereitstehenden Updates einspielen. --------------------------------------------- https://www.heise.de/news/chwoot-Kritische-Linux-Luecke-macht-Nutzer-auf-de… ∗∗∗ Bericht: EU-Grenzsystem SIS II mit zahlreichen Sicherheitslücken ∗∗∗ --------------------------------------------- Vertrauliche Berichte sollen tausende Schwachstellen im EU-Grenzsystem SIS II monieren. Die Entwickler bessern sie zu langsam aus. --------------------------------------------- https://www.heise.de/news/Bericht-EU-Grenzsystem-SIS-II-mit-zahlreichen-Sic… ∗∗∗ 600,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Forminator WordPress Plugin ∗∗∗ --------------------------------------------- On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be .. --------------------------------------------- https://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-a… ∗∗∗ Sinaloa-Kartell hackte das FBI, um geheime Informanten ausfindig zu machen ∗∗∗ --------------------------------------------- Ein Bericht des US-Justizministeriums übt Kritik am Umgang des FBI mit der Gefahr durch Überwachungstechnologien --------------------------------------------- https://www.derstandard.at/story/3000000277554/sinaloa-kartell-hackte-das-f… ∗∗∗ Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work ∗∗∗ --------------------------------------------- Support for ransomware, darknet drug markets and other cybercrime activity landed the Russian company Aeza Group on the U.S. governments sanctions list, the Treasury Department said. --------------------------------------------- https://therecord.media/russia-bulletproof-hosting-aeza-group-us-sanctions ∗∗∗ Ransomware gang attacks German charity that feeds starving children ∗∗∗ --------------------------------------------- Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay. --------------------------------------------- https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransom… ∗∗∗ Analysis of Attacks Targeting Linux SSH Servers for Proxy Installation ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting Linux servers that are inappropriately managed using honeypots. One of the representative honeypots is the SSH service that uses weak credentials, which is targeted by a large .. --------------------------------------------- https://asec.ahnlab.com/en/88749/ ∗∗∗ PDFs: Portable documents, or perfect deliveries for phish? ∗∗∗ --------------------------------------------- A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks. --------------------------------------------- https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliv… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2025
by Daily end-of-shift report 01 Jul '25

01 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 30-06-2025 18:00 − Dienstag 01-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Root-Zugriff für alle: Kritische Sudo-Lücke gefährdet unzählige Linux-Systeme ∗∗∗ --------------------------------------------- Forscher haben eine gefährliche Sicherheitslücke im Kommandozeilentool Sudo entdeckt. Angreifer können mit wenig Aufwand Root-Rechte erlangen. --------------------------------------------- https://www.golem.de/news/root-zugriff-fuer-alle-kritische-sudo-luecke-gefa… ∗∗∗ Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations ∗∗∗ --------------------------------------------- Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north… ∗∗∗ Vulnerability & Patch Roundup — June 2025 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website .. --------------------------------------------- https://blog.sucuri.net/2025/06/vulnerability-patch-roundup-june-2025.html ∗∗∗ U.S. Agencies Warn of Rising Iranian Cyberattacks on Defense, OT Networks, and Critical Infrastructure ∗∗∗ --------------------------------------------- U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors. "Over the past several months, there has been increasing activity from hacktivists .. --------------------------------------------- https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html ∗∗∗ OneClik Red Team Campaign Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsofts ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas .. --------------------------------------------- https://thehackernews.com/2025/06/oneclik-malware-targets-energy-sector.html ∗∗∗ Terrible tales of opsec oversights: How cybercrooks get themselves caught ∗∗∗ --------------------------------------------- The silly mistakes to the flagrant failures They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that. --------------------------------------------- https://www.theregister.com/2025/07/01/terrible_tales_of_opsec_oversights/ ∗∗∗ Überwachungskameras aus China: Kanada ordnet Schließung von Hikvision Canada an ∗∗∗ --------------------------------------------- Hikvision kommt aus China und verkauft Überwachungstechnik. Seit Jahren gibt es Kritik an dem Konzern. Nun lässt Kanada den dortigen Ableger schließen. --------------------------------------------- https://www.heise.de/news/Ueberwachungskameras-aus-China-Kanada-ordnet-Schl… ∗∗∗ Webbrowser Chrome: Sicherheitslücke wird angegriffen ∗∗∗ --------------------------------------------- In der Nacht zum Dienstag hat Google den Chrome-Browser ungeplant aktualisiert. Eine Sicherheitslücke wird bereits attackiert. --------------------------------------------- https://www.heise.de/news/Chrome-Google-stopft-attackierte-Sicherheitslueck… ∗∗∗ Viele Sicherheitslücken in Dell OpenManage Network Integration geschlossen ∗∗∗ --------------------------------------------- Angreifer können Dell OpenManage Network Integration über verschiedene Wege attackieren. Sicherheitsupdates stehen zur Verfügung. --------------------------------------------- https://www.heise.de/news/Viele-Sicherheitsluecken-in-Dell-OpenManage-Netwo… ∗∗∗ Britischer IT-Angestellter rächte sich an Ex-Arbeitgeber: Sieben Monate Haft ∗∗∗ --------------------------------------------- Nur wenige Stunden nach seiner Entlassung startete der junge Mann eine Cyberattacke und sorgte für Schäden in Höhe von 200.000 Pfund --------------------------------------------- https://www.derstandard.at/story/3000000277498/britischer-it-angestellter-r… ∗∗∗ 50 customers of French bank hit after insider helped SIM swap scammers ∗∗∗ --------------------------------------------- French police have arrested a business student interning at the bank Société Générale who is accused of helping SIM-swapping scammers to defraud 50 of its clients. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/50-customers-of-frenc… ∗∗∗ Encryption vs. Lawful Interception: EU policy news ∗∗∗ --------------------------------------------- I’ve commented here on this blog (or its German twin) quite a few time already on various legislative proposals on how the law enforcement agencies can keep their traditional access to the communication of suspects. See Ein paar Thesen zu aktuellen Gesetzesentwürfen (2017) Ein paar Gedanken zur „Überwachung verschlüsselter Nachrichten" (2024) Roles in .. --------------------------------------------- https://www.cert.at/en/blog/2025/7/encryption-vs-lawful-interception-eu-pol… ∗∗∗ DOJ raids 29 ‘laptop farms’ in crackdown on N. Korean IT worker scheme ∗∗∗ --------------------------------------------- The Justice Department announced a coordinated action to disrupt a Pyongyang campaign to get North Koreans hired at U.S.-based companies. --------------------------------------------- https://therecord.media/doj-raids-laptop-farms-crackdown ∗∗∗ International Criminal Court targeted by new ‘sophisticated’ attack ∗∗∗ --------------------------------------------- The ICC credited its “alert and response mechanisms” for “swiftly” discovering, confirming and containing a cyberattack. --------------------------------------------- https://therecord.media/international-criminal-court-cyberattack-2025 ∗∗∗ Malware in Apps: Godfather 2.0 für Android; SparkKitty in App-Stores ∗∗∗ --------------------------------------------- Kleiner Sammelbeitrag rund um das Thema Smartphone-Apps mit Malware an Bord. Aktuell feiert die Android-Malware Godfather 2.0 ihr Comeback bzw. Erfolge beim Raubzügen beim Online-Banking. Zudem haben Sicherheitsforscher .. --------------------------------------------- https://www.borncity.com/blog/2025/06/30/malware-in-apps-godfather-2-0-fuer… ∗∗∗ What the NULL?! Wing FTP Server RCE (CVE-2025-47812) ∗∗∗ --------------------------------------------- While performing a penetration test for one of our Continuous Penetration Testing customers, we’ve found a Wing FTP server instance that allowed anonymous connections. It was almost the only interesting thing exposed, but we still wanted to get a foothold into their perimeter and provide the customer with an impactful finding. So we .. --------------------------------------------- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2… ∗∗∗ Django Joins curl in Pushing Back on AI Slop Security Reports ∗∗∗ --------------------------------------------- Django has updated its official security documentation with new guidance for AI-assisted vulnerability reports, responding to a rising number of submissions generated by large language models (LLMs) that cite fabricated code or non-existent features. The change was authored by Django Fellow Natalia Bidart, who helps maintain the project’s .. --------------------------------------------- https://socket.dev/blog/django-joins-curl-in-pushing-back-on-ai-slop-securi… ∗∗∗ How hacktivist cyber operations surged amid Israeli-Iranian conflict ∗∗∗ --------------------------------------------- In June 2025, Israel carried out airstrikes against key Iranian military and nuclear facilities. Iran swiftly retaliated, escalating regional tensions to unprecedented levels. This military confrontation has not only unfolded in conventional warfare but also triggered a massive surge in cyber operations. Almost immediately after the .. --------------------------------------------- https://outpost24.com/blog/hacktivist-cyber-operations-iran-israel/ ===================== = Vulnerabilities = ===================== ∗∗∗ XSA-470 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-470.html ∗∗∗ [R1] Nessus Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-13 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily July 2025