=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-01-2026 18:00 − Friday 30-01-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340) ∗∗∗
---------------------------------------------
When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - pre-auth Remote Command Execution vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) solution - we sighed with relief. Clearly, the universe had decided to continue mocking Secure-By-Design signers right on schedule - every January. [..] As we are always keen to remind everyone, today’s blog post didn’t ruin your weekend. Firstly, the APT currently exploiting these vulnerabilities, and secondly, your lack of response to the warnings from Ivanti and CISA did.
---------------------------------------------
https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-i…
∗∗∗ Hugging Face abused to spread thousands of Android malware variants ∗∗∗
---------------------------------------------
A new Android malware campaign is using the Hugging Face platform as a repository for thousands of variations of an APK payload that collects credentials for popular financial and payment services.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hugging-face-abused-to-sprea…
∗∗∗ Microsoft fixes Outlook bug blocking access to encrypted emails ∗∗∗
---------------------------------------------
Microsoft has fixed a known issue that prevented Microsoft 365 customers from opening encrypted emails in classic Outlook after a recent update.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-bug…
∗∗∗ Undocumented "TelnetEnable" functionality of End of Service NETGEAR products ∗∗∗
---------------------------------------------
Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box. [..] Stop using the end of service products, including NETGEAR PR2000.
---------------------------------------------
https://jvn.jp/en/jp/JVN46722282/
∗∗∗ Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries ∗∗∗
---------------------------------------------
Ollama is an open-source framework that allows users to easily download, run, and manage large language models (LLMs) locally on Windows, macOS, and Linux. While the service binds to the localhost address at 127.0.0[.]1:11434 by default, it's possible to expose it to the public internet by means of a trivial change: configuring it to bind to 0.0.0[.]0 or a public interface. The fact that Ollama, like the recently popular Moltbot (formerly Clawdbot), is hosted locally and operates outside of the enterprise security perimeter, poses new security concerns.
---------------------------------------------
https://thehackernews.com/2026/01/researchers-find-175000-publicly.html
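The exposure described above comes down to one setting. The following check, added here as an illustration and not Ollama's own code, evaluates the OLLAMA_HOST value (default 127.0.0.1:11434, which is the safe one) and scans an `ss -ltn` listing for a port 11434 listener bound to anything other than loopback. The `ss` output below is constructed sample data.

```python
"""Flag an Ollama API listener that is reachable from other hosts.

Added example for this digest; not Ollama's own code. It assumes only what the
article states: the server listens on 127.0.0.1:11434 unless OLLAMA_HOST points
it at 0.0.0.0 or a public interface. The `ss -ltn` sample below is constructed.
"""
import ipaddress
import os

OLLAMA_PORT = 11434


def parse_bind(value: str):
    """Split a 'host[:port]' string as OLLAMA_HOST or `ss` prints it."""
    value = value.strip()
    if value.startswith("["):                      # bracketed IPv6: [::]:11434
        host, _, rest = value[1:].partition("]")
        has_port = rest.startswith(":") and rest[1:].isdigit()
        return host, (int(rest[1:]) if has_port else OLLAMA_PORT)
    if value.count(":") > 1:                       # bare IPv6 without a port
        return value, OLLAMA_PORT
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():              # no port given
        return value, OLLAMA_PORT
    return host, int(port)


def is_public_bind(host: str) -> bool:
    """True when the address accepts connections from outside the machine."""
    if host in ("", "localhost"):
        return False
    if host == "*":                                # older `ss` wildcard notation
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                             # hostname: cannot prove it is local
        return True
    return addr.is_unspecified or not addr.is_loopback


def exposed_from_env(env) -> bool:
    """Evaluate the OLLAMA_HOST setting (default 127.0.0.1, the safe one)."""
    host, _ = parse_bind(env.get("OLLAMA_HOST", "127.0.0.1"))
    return is_public_bind(host)


def exposed_sockets(ss_output: str, port: int = OLLAMA_PORT):
    """Return local addresses from `ss -ltn` output that listen on `port`
    on something other than loopback."""
    found = []
    for line in ss_output.splitlines()[1:]:        # first line is the header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, p = parse_bind(cols[3])
        if p == port and is_public_bind(host):
            found.append(cols[3])
    return found


# Constructed `ss -ltn` output: one loopback listener (fine), one wildcard one (exposed).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:11434    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   *:11434            *:*
"""

if __name__ == "__main__":
    print("OLLAMA_HOST exposed:", exposed_from_env(os.environ))
    print("exposed sockets:", exposed_sockets(SAMPLE_SS))
```

The weak setting is `OLLAMA_HOST=0.0.0.0:11434`; the corrected one is to leave the default (or set `OLLAMA_HOST=127.0.0.1:11434`) and, if remote access is really needed, front the port with a reverse proxy that authenticates, since the API itself has no authentication.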
∗∗∗ ShadowHS: A Fileless Linux Post‑Exploitation Framework Built on a Weaponized hackshell ∗∗∗
---------------------------------------------
Cyble Research & Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory. Cyble tracks this activity under the name ShadowHS, reflecting its fileless execution model and lineage from the original hackshell utility.
---------------------------------------------
https://cyble.com/blog/shadowhs-fileless-linux-post-exploitation-framework/
∗∗∗ US cybersecurity chief uploads confidential documents to ChatGPT ∗∗∗
---------------------------------------------
Apparently it was the boss himself who had obtained an exemption permit for using the tool, and he promptly acted negligently with it.
---------------------------------------------
https://www.derstandard.at/story/3000000306469/cybersicherheitschef-der-usa…
∗∗∗ Arsink Spyware Posing as WhatsApp, YouTube, Instagram, TikTok Hits 143 Countries ∗∗∗
---------------------------------------------
The interesting thing about this campaign is that hackers are not using the official Google Play Store to spread this, but posting links on Telegram and Discord or using the file-sharing site MediaFire. [..] They basically offer ‘Pro’ or ‘Mod’ versions of these apps, promising special features that the real apps don’t have. But, as soon as you download one, the app immediately asks for a long list of permissions.
---------------------------------------------
https://hackread.com/arsink-spyware-whatsapp-youtube-instagram-tiktok/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (curl, gimp:2.8, glibc, grafana, grafana-pcp, kernel, osbuild-composer, php:8.3, python-urllib3, python3.11, and python3.12), Debian (chromium), Mageia (ceph, gpsd, libxml2, openjdk, openssl, and xen), SUSE (abseil-cpp, assertj-core, coredns, freerdp, java-11-openjdk, java-25-openjdk, libxml2, openssl-1_0_0, openssl-1_1, python, python-filelock, and python311-sse-starlette), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-fips, linux-fips, linux-fips, and texlive-bin).
---------------------------------------------
https://lwn.net/Articles/1056692/
∗∗∗ Critical vulnerabilities in Ivanti Endpoint Manager Mobile - updates recommended ∗∗∗
---------------------------------------------
Ivanti has published a security advisory on critical vulnerabilities in Endpoint Manager Mobile. These vulnerabilities are already being actively exploited. They allow a remote, unauthenticated attacker to execute arbitrary code on the affected system (remote code execution), which permits full compromise of the server. CVE-2026-1281, CVE-2026-1340
---------------------------------------------
https://www.cert.at/de/warnungen/2026/1/kritische-schwachstellen-in-ivanti-…
∗∗∗ BoidCMS v2.1.2 Apache .htaccess Rule Bypass Leading to Information Disclosure ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2026010019
∗∗∗ Lexmark Security Advisory ∗∗∗
---------------------------------------------
https://www.lexmark.com/content/dam/support/collateral/security-alerts/CVE-…
∗∗∗ KiloView Encoder Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01
∗∗∗ Rockwell Automation ArmorStart LT ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-02
∗∗∗ Rockwell Automation ControlLogix ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-01-2026 18:00 − Thursday 29-01-2026 18:00
Handler: Alexander Riepl
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Aisuru botnet sets new record with 31.4 Tbps DDoS attack ∗∗∗
---------------------------------------------
The Aisuru/Kimwolf botnet launched a new massive distributed denial of service (DDoS) attack that peaked at 31.4 Tbps and 200 million requests per second, setting a new record.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/aisuru-botnet-sets-new-recor…
∗∗∗ So much for virus protection: malware distributed via an antivirus tool's update server ∗∗∗
---------------------------------------------
Attackers have smuggled malware onto user systems via the antivirus tool eScan. One of the vendor's update servers was compromised.
---------------------------------------------
https://www.golem.de/news/von-wegen-virenschutz-malware-ueber-update-server…
∗∗∗ There's a Rash of Scam Spam Coming From a Real Microsoft Address ∗∗∗
---------------------------------------------
There are reports that a legitimate Microsoft email address -- which Microsoft explicitly says customers should add to their allow list -- is delivering scam spam.
---------------------------------------------
https://it.slashdot.org/story/26/01/28/1849206/theres-a-rash-of-scam-spam-c…
∗∗∗ Ransomware crims forced to take off-RAMP as FBI seizes forum ∗∗∗
---------------------------------------------
Ransomware crims have just lost one of their best business platforms. US law enforcement has seized the notorious RAMP cybercrime forum's dark web and clearnet domains.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/01/28/fbi_seizes_r…
∗∗∗ Patch or perish: Vulnerability exploits now dominate intrusions ∗∗∗
---------------------------------------------
Apply fixes within a few hours or face the music, say the pros.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/01/29/faster_patch…
∗∗∗ ConsentFix (a.k.a. AuthCodeFix): Detecting OAuth2 Authorization Code Phishing ∗∗∗
---------------------------------------------
ConsentFix (a.k.a. AuthCodeFix) is the latest variant of the fix-type phishing attacks, initially identified by Push Security. In this technique, the adversary tricks the victim into generating an OAuth authorization code that is part of a localhost URL by signing in to the Azure CLI instance (or other vulnerable applications). Then, the victim is instructed to copy that URL and paste it into a phishing website, essentially handing over the authorization code to the adversary, who is now able to exchange it for an access token. Using the access token, the adversary gets access to the victim’s Microsoft account.
---------------------------------------------
https://blog.nviso.eu/2026/01/29/consentfix-a-k-a-authcodefix-detecting-oau…
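The flow above is plain OAuth2 authorization code with PKCE, which is why PKCE does not stop it: the attacker builds the authorize URL and therefore holds the code_verifier. The model below is an added example for this digest, not NVISO's, Push Security's or Microsoft's code. The authorization server, the client_id, the user names, the IP addresses and the sign-in log the server keeps are constructed stand-ins; only the protocol mechanics (RFC 6749, RFC 7636) are real. It runs a normal CLI login and a ConsentFix login side by side, then applies one detection angle: the authorize step and the token redemption came from different source addresses.

```python
"""Model of the ConsentFix / AuthCodeFix flow and one detection angle.

Added example for this digest; not NVISO's, Push Security's or Microsoft's
code. The authorization server, client_id, users, IP addresses and the sign-in
log are constructed stand-ins. Only the OAuth2 authorization-code mechanics with
PKCE (RFC 6749, RFC 7636) are real: a public client such as a CLI has no client
secret, redirects to localhost, and whoever built the authorize URL holds the
PKCE verifier needed to redeem the code.
"""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "public-cli-client"          # stand-in for a public CLI client (assumed)
REDIRECT_URI = "http://localhost:8400/"  # localhost redirect, as such clients use


def challenge_of(verifier: str) -> str:
    """S256 PKCE challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthServer:
    """Minimal authorization server that records every step with its source IP."""

    def __init__(self):
        self.codes = {}      # code -> (client_id, challenge, user)
        self.signins = []    # constructed sign-in log

    def authorize(self, query: str, user: str, ip: str) -> str:
        """User signs in; returns the redirect URL the browser would be sent to."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if q.get("response_type") != "code" or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unsupported request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["code_challenge"], user)
        self.signins.append({"step": "authorize", "user": user, "ip": ip, "code": code})
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, code: str, verifier: str, ip: str) -> Optional[dict]:
        """Redeem a single-use code; PKCE binds it to whoever holds the verifier."""
        entry = self.codes.pop(code, None)
        if entry is None:
            return None
        client_id, challenge, user = entry
        if client_id != CLIENT_ID or challenge_of(verifier) != challenge:
            return None
        self.signins.append({"step": "token", "user": user, "ip": ip, "code": code})
        return {"access_token": secrets.token_hex(16), "user": user}


def code_flow(server: AuthServer, user: str, signin_ip: str, redeem_ip: str):
    """Whoever builds the authorize URL keeps the verifier and redeems the code.
    Legitimate CLI login: signin_ip == redeem_ip. ConsentFix: the attacker built
    the URL, the victim signs in and pastes the localhost URL into the phishing
    page, and the attacker redeems the code from its own infrastructure."""
    verifier = secrets.token_urlsafe(48)
    query = urlencode({
        "client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
        "code_challenge": challenge_of(verifier), "code_challenge_method": "S256",
        "scope": "openid offline_access", "state": "lure",
    })
    pasted_url = server.authorize(query, user=user, ip=signin_ip)
    code = parse_qs(urlparse(pasted_url).query)["code"][0]  # what the phishing page extracts
    return server.token(code, verifier, ip=redeem_ip)


def flag_ip_mismatch(signins):
    """Pair each authorize step with its token redemption and report the ones
    where the two came from different source addresses."""
    by_code = {}
    for rec in signins:
        by_code.setdefault(rec["code"], {})[rec["step"]] = rec
    return [
        (s["authorize"]["user"], s["authorize"]["ip"], s["token"]["ip"])
        for s in by_code.values()
        if "authorize" in s and "token" in s and s["authorize"]["ip"] != s["token"]["ip"]
    ]


if __name__ == "__main__":
    srv = AuthServer()
    code_flow(srv, "alice@example.test", "198.51.100.7", "198.51.100.7")  # normal CLI login
    code_flow(srv, "bob@example.test", "198.51.100.8", "203.0.113.9")     # ConsentFix
    print(flag_ip_mismatch(srv.signins))
```

The point of the model is that every check the server performs (single-use code, client_id, PKCE) passes for the attacker, because the attacker is the legitimate holder of the verifier. What is left to detect is the split between where the user signed in and where the code was redeemed, which is the kind of signal the detection write-up above builds on.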
∗∗∗ Dissecting UAT-8099: New persistence mechanisms and regional focus ∗∗∗
---------------------------------------------
Cisco Talos observed new activity from UAT-8099 spanning from August 2025 through early 2026. Analysis of Cisco's file census and DNS traffic indicates that compromised IIS servers are located across India, Pakistan, Thailand, Vietnam, and Japan, with a distinct concentration of attacks in Thailand and Vietnam. Furthermore, this activity significantly overlaps with the WEBJACK campaign; we have identified high-confidence correlations across malware hashes, C2 infrastructure, victimology, and the promoted gambling sites.
---------------------------------------------
https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-…
∗∗∗ Malicious Google Ads Target Mac Users with Fake Mac Cleaner Pages ∗∗∗
---------------------------------------------
Researchers at MacKeeper have found malicious Google Ads for “Mac cleaner” tools that trick users into running dangerous Terminal commands. Stay safe by learning how to spot these fake Apple sites.
---------------------------------------------
https://hackread.com/malicious-google-ads-mac-fake-mac-cleaner/
∗∗∗ Unveiling the Weaponized Web Shell EncystPHP ∗∗∗
---------------------------------------------
FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December last year and propagated via exploitation of the FreePBX vulnerability CVE-2025-64328.
---------------------------------------------
https://feeds.fortinet.com/~/943094408/0/fortinet/blogs~Unveiling-the-Weapo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Nvidia security vulnerabilities: attacks on GPU drivers can cause crashes ∗∗∗
---------------------------------------------
Software vulnerabilities put PCs with Nvidia graphics cards at risk. Security patches are available.
---------------------------------------------
https://www.heise.de/news/Nvidia-Sicherheitsluecken-Attacken-auf-GPU-Treibe…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-25-openjdk, openssl, and python3.9), Debian (gimp, libmatio, pyasn1, and python-django), Fedora (perl-HarfBuzz-Shaper, python-tinycss2, and weasyprint), Mageia (glib2.0), Oracle (curl, fence-agents, gcc-toolset-15-binutils, glibc, grafana, java-1.8.0-openjdk, kernel, mariadb, osbuild-composer, perl, php:8.2, python-urllib3, python3.11, python3.11-urllib3, python3.12, and python3.12-urllib3), SUSE (alloy, avahi, bind, buildah, busybox, container-suseconnect, coredns, gdk-pixbuf, gimp, go1.24, go1.24-openssl, go1.25, helm, kernel, kubernetes, libheif, libpcap, libpng16, openjpeg2, openssl-1_0_0, openssl-1_1, openssl-3, php8, python-jaraco.context, python-marshmallow, python-pyasn1, python-urllib3, python-virtualenv, python311, python313, rabbitmq-server, xen, zli, and zot-registry), and Ubuntu (containerd, containerd-app and wlc).
---------------------------------------------
https://lwn.net/Articles/1056544/
∗∗∗ ZDI-26-049: Delta Electronics DIAView Exposed Dangerous Method Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-26-049/
∗∗∗ ZDI-26-048: Fortinet FortiSandbox fortisandbox Server-Side Request Forgery Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-26-048/
∗∗∗ ZDI-26-047: Hancom Office DOC File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-26-047/
∗∗∗ ZDI-26-046: Cisco Snort _bnfa_search_csparse_nfa Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-26-046/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-01-2026 18:00 − Wednesday 28-01-2026 18:30
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Fortinet blocks exploited FortiCloud SSO zero day until patch is ready ∗∗∗
---------------------------------------------
Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-fo…
∗∗∗ Slovakian man pleads guilty to operating darknet marketplace ∗∗∗
---------------------------------------------
A Slovakian national admitted on Tuesday to helping operate a darknet marketplace that sold narcotics, cybercrime tools and services, fake government IDs, and stolen personal information for more than two years.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/slovakian-man-pleads-guilty-…
∗∗∗ Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation ∗∗∗
---------------------------------------------
A malicious campaign is actively targeting exposed LLM (Large Language Model) service endpoints to commercialize unauthorized access to AI infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-e…
∗∗∗ Vibe-Coded Sicarii Ransomware Can't Be Decrypted ∗∗∗
---------------------------------------------
A new ransomware strain that entered the scene last year has poorly designed code and an odd "Hebrew" identity that might be a false flag.
---------------------------------------------
https://www.darkreading.com/endpoint-security/vibe-coded-sicarii-ransomware…
∗∗∗ WhatsApp Rolls Out Lockdown-Style Security Mode to Protect Targeted Users From Spyware ∗∗∗
---------------------------------------------
Meta on Tuesday announced it's adding Strict Account Settings on WhatsApp to secure certain users against advanced cyber attacks because of who they are and what they do.
---------------------------------------------
https://thehackernews.com/2026/01/whatsapp-rolls-out-lockdown-style.html
∗∗∗ Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan (RAT).
---------------------------------------------
https://thehackernews.com/2026/01/fake-python-spellchecker-packages-on.html
∗∗∗ Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks ∗∗∗
---------------------------------------------
Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints.
---------------------------------------------
https://thehackernews.com/2026/01/mustang-panda-deploys-updated.html
∗∗∗ One-of-a-kind leather goods from "maronellis.com": all a scam! ∗∗∗
---------------------------------------------
As soon as adverts tell of a small family business that sadly has to close, caution is warranted. Especially when a supposed news report shows scenes of the big rush on the last handmade one-off pieces. How dubious online shops work and how the criminals lure their victims: an analysis using "maronellis.com" as the example.
---------------------------------------------
https://www.watchlist-internet.at/news/leder-unikate-maronelliscom/
∗∗∗ Open source instead of Big Tech: France wants to get rid of Microsoft Teams, Zoom and co. ∗∗∗
---------------------------------------------
Visio is leaving its pilot phase and is to be used by 200,000 civil servants by 2027. The motivation is the pursuit of sovereignty, but also cost savings.
---------------------------------------------
https://www.derstandard.at/story/3000000306024/open-source-statt-big-tech-f…
∗∗∗ EU demands that Android be opened to other AI within six months ∗∗∗
---------------------------------------------
The exclusive, deep integration of Gemini into the operating system is said to violate the Digital Markets Act. The EU also wants Google to hand over search data to competitors.
---------------------------------------------
https://www.derstandard.at/story/3000000306105/eu-fordert-oeffnung-von-andr…
∗∗∗ Wave of attacks on journalists via the Signal messenger ∗∗∗
---------------------------------------------
Other civil-society actors are also affected. A malicious phishing message demands "verification" on account of "suspicious activity".
---------------------------------------------
https://www.derstandard.at/story/3000000306125/angriffswelle-auf-journalist…
∗∗∗ Beware! Fake ChatGPT browser extensions are stealing your login credentials ∗∗∗
---------------------------------------------
If you've installed a browser extension to enhance your ChatGPT experience, you might want to think again. Read more in my article on the Hot for Security blog.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/beware-fake-chatgpt-b…
∗∗∗ Cyberattack on Poland’s power grid hit around 30 facilities, new report says ∗∗∗
---------------------------------------------
Adding to previous research about an operation against Poland's electrical grid, analysts at Dragos say it affected dozens of facilities and disrupted operational technology.
---------------------------------------------
https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-af…
∗∗∗ Exchange Online: Microsoft postpones the shutdown of SMTP AUTH Basic Authentication ∗∗∗
---------------------------------------------
Microsoft originally intended to end support for Basic Authentication with client submission (SMTP AUTH) in Exchange Online as early as September 2025. It then announced that the feature would be switched off gradually between 1 March 2026 and 30 April 2026.
---------------------------------------------
https://borncity.com/blog/2026/01/28/exchange-online-microsoft-verschiebt-s…
∗∗∗ ShinyHunters Target 100+ Firms Using Phone Calls to Bypass SSO Security ∗∗∗
---------------------------------------------
ShinyHunters is driving attacks on 100+ organisations, using vishing and fake login pages with allied groups to bypass SSO and steal company data, reports Silent Push.
---------------------------------------------
https://hackread.com/shinyhunters-target-firms-bypass-sso-security/
∗∗∗ Russian Cybercrime Platform RAMP Forum Seized by Feds ∗∗∗
---------------------------------------------
US authorities have seized the RAMP cybercrime forum, taking down both its clearnet and dark web domains in a major hit to the ransomware infrastructure.
---------------------------------------------
https://hackread.com/russian-cybercrime-ramp-forum-seized-feds/
∗∗∗ OpenSSL January 2026 Security Update: CMS and PKCS#12 Buffer Overflows ∗∗∗
---------------------------------------------
A deep dive into OpenSSL’s January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/openssl-january-2026-security-u…
=====================
= Vulnerabilities =
=====================
∗∗∗ Administrative FortiCloud SSO authentication bypass ∗∗∗
---------------------------------------------
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-060
∗∗∗ SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws ∗∗∗
---------------------------------------------
SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical…
∗∗∗ Two High-Severity n8n Flaws Allow Authenticated Remote Code Execution ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed two new security flaws in the n8n workflow automation platform, including a critical vulnerability that could result in remote code execution.
---------------------------------------------
https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html
∗∗∗ Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution ∗∗∗
---------------------------------------------
A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system. The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system.
---------------------------------------------
https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.h…
∗∗∗ Network management solution HPE Aruba Fabric Composer is vulnerable ∗∗∗
---------------------------------------------
Attackers can attack systems running HPE Aruba Networking Fabric Composer with malicious code.
---------------------------------------------
https://www.heise.de/news/Netzwerkmanagementloesung-HPE-Aruba-Fabric-Compos…
∗∗∗ A critical GnuPG security update ∗∗∗
---------------------------------------------
There is a new GnuPG update for a "critical security bug" in recent GnuPG releases. A crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack buffer overflow in gpg-agent during the PKDECRYPT --kem=CMS handling. This can easily be used for a DoS but, worse, the memory corruption can very likely also be used to mount a remote code execution attack. The bug was introduced while changing an internal API to the FIPS required KEM API.
---------------------------------------------
https://lwn.net/Articles/1056209/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (openssl), Fedora (assimp, chromium, curl, freerdp, gimp, and harfbuzz), Mageia (glibc, haproxy, iperf, and python-pyasn1), Red Hat (image-builder, openssl, and osbuild-composer), Slackware (mozilla), SUSE (avahi, cups, gio-branding-upstream, google-osconfig-agent, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel-firmware, libmatio-devel, libopenjp2-7, nodejs22, php8, python-python-multipart, python311-urllib3_1, qemu, and xen), and Ubuntu (ffmpeg, jaraco.context, openssl, and openssl, openssl1.0).
---------------------------------------------
https://lwn.net/Articles/1056330/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 140.7.1 ∗∗∗
---------------------------------------------
CSS-based exfiltration of the content from partially encrypted emails when allowing remote content.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-08/
∗∗∗ [R1] Tenable Network Monitor Version 6.5.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Nessus Network Monitor leverages third-party software to help provide underlying functionality. Several of the third-party components (libxml2, libxslt, expat, c-ares, curl, sqlite) were found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2026-02
∗∗∗ Notification about the vulnerability in beat-access for Windows – Privilege Escalation Risk ∗∗∗
---------------------------------------------
A vulnerability has been identified in beat‑access for Windows, a remote access software provided as part of the beat service, which may allow malicious code to be executed from the local environment. At the time of posting this notice, no attacks exploiting this vulnerability have been confirmed. However, we strongly recommend that customers using beat‑access for Windows promptly update to the latest version (4.0.0 or later).
---------------------------------------------
https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announc…
∗∗∗ CVE-2025-60021 (CVSS 9.8): Command injection in Apache bRPC heap profiler ∗∗∗
---------------------------------------------
CVE‑2025‑60021, a critical command injection issue in Apache bRPC’s /pprof/heap profiler endpoint, was identified during broader analysis of diagnostic and debugging surfaces in the framework.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/cve-2025-60021-cvss…
∗∗∗ Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desk…
∗∗∗ Johnson Controls Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04
∗∗∗ Festo Didactic SE MES PC ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-02
∗∗∗ iba Systems ibaPDA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01
∗∗∗ Schneider Electric Zigbee Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-03
=====================
= End-of-Day report =
=====================
Timeframe: Monday 26-01-2026 18:00 − Tuesday 27-01-2026 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Over 6,000 SmarterMail servers exposed to automated hijacking attacks ∗∗∗
---------------------------------------------
Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-6-000-smartermail-serve…
∗∗∗ Nike investigates data breach after extortion gang leaks files ∗∗∗
---------------------------------------------
Nike is investigating what it described as a "potential cyber security incident" after the World Leaks ransomware gang leaked 1.4 TB of files allegedly stolen from the sportswear giant.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nike-investigates-data-breac…
∗∗∗ Microsoft issues emergency patch: Office users under attack via zero-day vulnerability ∗∗∗
---------------------------------------------
A dangerous vulnerability affects all current Office versions. Given the active exploitation, users should patch promptly.
---------------------------------------------
https://www.golem.de/news/microsoft-bringt-notfallpatch-office-nutzer-werde…
∗∗∗ Attacks observed: ancient telnetd vulnerability endangers hundreds of thousands of systems ∗∗∗
---------------------------------------------
For more than ten years attackers have been able to gain root access to countless devices via Telnet. New scans show the extent of the problem.
---------------------------------------------
https://www.golem.de/news/attacken-beobachtet-uralte-telnetd-luecke-gefaehr…
∗∗∗ Bypassing Windows Administrator Protection ∗∗∗
---------------------------------------------
A headline feature introduced in the latest release of Windows 11, 25H2, is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and, importantly, securable system that allows a local user to access administrator privileges only when necessary. This blog post will give a brief overview of the new feature, how it works and how it’s different from UAC. I’ll then describe some of the security research I undertook while it was in the ..
---------------------------------------------
https://projectzero.google/2026/26/windows-administrator-protection.html
∗∗∗ HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns ∗∗∗
---------------------------------------------
Kaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka Mustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.
---------------------------------------------
https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-a…
∗∗∗ Canva among ~100 targets of ShinyHunters Okta identity-theft campaign ∗∗∗
---------------------------------------------
Atlassian, RingCentral, ZoomInfo also among tech targets. ShinyHunters has targeted around 100 organizations in its latest Okta single sign-on (SSO) credential stealing campaign, according to researchers and the criminal group itself.
---------------------------------------------
https://www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/
∗∗∗ Threat actors use FortiCloud SSO bypass to collect LDAP connection passwords ∗∗∗
---------------------------------------------
CERT.at gained access to a toolkit of an unknown threat actor targeting FortiCloud SSO bypass in Fortinet appliances (CVE-2025-59718/CVE-2025-59719). We are releasing under TLP:CLEAR key findings about likely post-exploitation goals of the attacker. The obtained exploit works only for the original vulnerability [1] and is not effective against patched ..
---------------------------------------------
https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-…
∗∗∗ Russian security systems firm Delta hit by cyberattack, services disrupted ∗∗∗
---------------------------------------------
Building and car alarm systems managed by Russian company Delta have been disrupted by a cyberattack blamed on a "hostile foreign state."
---------------------------------------------
https://therecord.media/russia-delta-security-alarm-company-cyberattack
∗∗∗ Clawdbot: An open-source AI assistant – cool and a security disaster ∗∗∗
---------------------------------------------
Until now, AI services such as ChatGPT, Gemini etc. have dominated the LLM space, and bots are built on top of these LLMs. Peter Steinberger and his team have built an open-source bot, Clawdbot, that runs locally and offers interfaces to various services and models ..
---------------------------------------------
https://borncity.com/blog/2026/01/26/clawdbot-ein-opensource-ki-assistent/
∗∗∗ Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088 ∗∗∗
---------------------------------------------
The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Although the vulnerability was discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critica…
∗∗∗ Apache Hadoop: Bug in HDFS native client lets malicious code through ∗∗∗
---------------------------------------------
The Apache Hadoop framework is vulnerable. Attacks can occur in the context of the HDFS file system. A security patch is available.
---------------------------------------------
https://heise.de/-11155241
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-6112-1 openjdk-21 - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2026/msg00021.html
∗∗∗ DSA-6111-1 imagemagick - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2026/msg00020.html
∗∗∗ Security Vulnerabilities fixed in Firefox 147.0.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-06/
∗∗∗ Kubernetes Remote Code Execution Via Nodes/Proxy GET Permission ∗∗∗
---------------------------------------------
https://grahamhelton.com/blog/nodes-proxy-rce
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-01-2026 18:00 − Monday 26-01-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies ∗∗∗
---------------------------------------------
The defense mechanisms that NPM introduced after the Shai-Hulud supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies. [..] the vulnerabilities were discovered in multiple utilities in the JavaScript ecosystem that allow managing dependencies, like pnpm, vlt, Bun, and NPM. [..] They say that the problems were addressed in all tools except for NPM, which closed the report stating that the behavior "works as expected."
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-can-bypass-npms-shai…
∗∗∗ Nearly 800,000 Telnet servers exposed to remote attacks ∗∗∗
---------------------------------------------
Internet security watchdog Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-server…
∗∗∗ Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers ∗∗∗
---------------------------------------------
As recently as this month, Konni has been observed distributing spear-phishing emails containing malicious links that are disguised as harmless advertising URLs associated with Google and Naver's advertising platforms to bypass security filters and deliver a remote access trojan codenamed EndRAT. [..] The email messages have been found to masquerade as financial notices, such as transaction confirmations or wire transfer requests, to trick recipients into downloading ZIP archives hosted on WordPress sites. The ZIP file comes with a Windows shortcut (LNK) that's designed to execute an AutoIt script disguised as a PDF document.
---------------------------------------------
https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html
∗∗∗ Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants [..] The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio Marketplace, are listed below: ChatGPT - 中文版 [..] ChatGPT - ChatMoss
---------------------------------------------
https://thehackernews.com/2026/01/malicious-vs-code-ai-extensions-with-15.h…
∗∗∗ BitLocker: Microsoft hands over keys to law enforcement ∗∗∗
---------------------------------------------
Anyone who encrypts their hard disk or SSD should be able to assume that only they can decrypt it again. With Microsoft's BitLocker encryption technology, however, this does not necessarily seem to be the case, because in the Home edition of Windows the company automatically stores the key in the user's online account.
---------------------------------------------
https://www.heise.de/news/Microsoft-gibt-BitLocker-Schluessel-an-Strafverfo…
∗∗∗ Microsoft SharePoint/OneDrive: IDCRL authentication ends on 31 Jan. 2026 – OpenID Connect and OAuth are coming (MC1184649) ∗∗∗
---------------------------------------------
Microsoft is retiring the IDCRL authentication protocol for the online versions on January 31, 2026. Authentication will then take place via OpenID Connect and OAuth – but can still be switched back for a few weeks. Microsoft already announced the change in November 2025, but posted it again as a reminder on January 20, 2026 in the Microsoft 365 Message Center under MC1184649 – Microsoft SharePoint: Retirement of IDCRL authentication protocol and enforcement of OpenID Connect and OAuth protocols.
---------------------------------------------
https://borncity.com/blog/2026/01/25/microsoft-sharepoint-onedrive-idcrl-au…
∗∗∗ $6,000 “Stanley” Toolkit Sold on Russian Forums Fakes Secure URLs in Chrome ∗∗∗
---------------------------------------------
Varonis researchers discovered that Stanley uses a clever trick of disguising itself as a simple note-taking tool called Notely. Once a person installs it, the app can display a fake login page directly over a real website. [..] What is most concerning for the average user is that this toolkit isn’t just a piece of software but a full-featured service. The most expensive version comes with a guarantee that the malicious app will pass the official security checks of the Chrome Web Store.
---------------------------------------------
https://hackread.com/stanley-toolkit-russia-forum-fakes-chrome-urls/
∗∗∗ New Fake CAPTCHA Scam Abuses Microsoft Tools to Install Amatera Stealer ∗∗∗
---------------------------------------------
Blackpoint Cyber discovered a new Fake CAPTCHA campaign that tricks users into installing Amatera Stealer. By abusing legitimate Microsoft scripts and hiding malicious code in Google Calendar and PNG images, this attack bypasses standard security to harvest private passwords and browser data.
---------------------------------------------
https://hackread.com/fake-captcha-scam-microsoft-tools-amatera-stealer/
∗∗∗ F5: K000159681: Credential harvesting campaign targeting F5 VPN users ∗∗∗
---------------------------------------------
On January 13, 2026, researchers identified a large-scale credential harvesting campaign targeting several VPN providers, including F5. The threat actors behind the campaign registered numerous doppelgänger domains designed to mimic legitimate F5 domains. These domains are used to deceive victims into downloading counterfeit BIG-IP VPN client installers. [..] IOCs, C2 servers, and the malicious script hash value
---------------------------------------------
https://my.f5.com/manage/s/article/K000159681
∗∗∗ Screeps: How a game about programming exposed thousands of players to remote code execution ∗∗∗
---------------------------------------------
In Screeps (short for "Scripting Creeps"), you cannot click on a unit ("creep") and tell it what to do. If you place a building on the map, your builders will stand next to it and do nothing. There are no buttons to give your creeps instructions. Instead, you must write code to define their behavior. [..] In Multiplayer Screeps worlds, all of the code to progress the game runs on the server, including the AI for your units. [..] Screeps is on Steam, and the native client reuses the browser code but with no sandboxing. nw.require('child_process').exec('your command here') will get you full command line access to the target machine. [..] It is fixed now, which was the primary goal of my writing this.
---------------------------------------------
https://outsidetheasylum.blog/screeps/
∗∗∗ The end of the curl bug-bounty ∗∗∗
---------------------------------------------
There is no longer a curl bug-bounty program. It officially stops on January 31, 2026. [..] We saw an explosion in AI slop reports combined with a lower quality even in the reports that were not obvious slop – presumably because they too were actually misled by AI but with that fact just hidden better. [..] The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk.
---------------------------------------------
https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/
=====================
= Vulnerabilities =
=====================
∗∗∗ Hands-Free Lockpicking: Critical Vulnerabilities in dormakaba’s Physical Access Control System ∗∗∗
---------------------------------------------
In this post, Clemens Stockenreitner and Werner Schober of the SEC Consult Vulnerability Lab highlight several critical vulnerabilities found in dormakaba’s physical access control systems based on exos 9300. This access control system originates from the manufacturer's enterprise product line for door and access systems and is predominantly used by large enterprises in Europe, including industrial and service companies, logistics operators, energy providers, and airport operators.
---------------------------------------------
https://sec-consult.com/blog/detail/hands-free-lockpicking-critical-vulnera…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gimp, glib2, go-toolset:rhel8, golang, java-17-openjdk, java-21-openjdk, kernel, net-snmp, pcs, and thunderbird), Debian (apache2, imagemagick, incus, inetutils, libuev, openjdk-17, php7.4, python3.9, shapelib, taglib, and zvbi), Fedora (mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, pgadmin4, python3.11, python3.12, python3.9, and wireshark), Gentoo (Asterisk, Commons-BeanUtils, GIMP, inetutils, and Vim, gVim), Mageia (kernel), Oracle (glib2, java-17-openjdk, java-21-openjdk, and libpng), Red Hat (java-17-openjdk, java-21-openjdk, kernel, and kernel-rt), SUSE (azure-cli-core, bind, buildah, chromium, coredns, glib2, harfbuzz, kernel, kernel-firmware, libheif, libvirt, openCryptoki, openvswitch, podman, python, python-urllib3, rabbitmq-server, and vlang), and Ubuntu (cjson).
---------------------------------------------
https://lwn.net/Articles/1055958/
∗∗∗ Beckhoff Security Advisory 2025-003: Vulnerabilities in Beckhoff Device Manager ∗∗∗
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-01-2026 18:00 − Friday 23-01-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Analysis of Single Sign On (SSO) abuse on FortiOS ∗∗∗
---------------------------------------------
Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence. An advisory will be issued once the fix scope and timeline are available. It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations. In the meantime, Fortinet recommends taking the mitigating actions described below.
---------------------------------------------
https://feeds.fortinet.com/~/941387753/0/fortinet/blogs~Analysis-of-Single-…
∗∗∗ Okta SSO accounts targeted in vishing-based data theft attacks ∗∗∗
---------------------------------------------
Okta is warning about custom phishing kits built specifically for voice-based social engineering (vishing) attacks. BleepingComputer has learned that these kits are being used in active attacks to steal Okta SSO credentials for data theft.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/okta-sso-accounts-targeted-i…
∗∗∗ Data leaks analyzed: Passwords users would do better to avoid ∗∗∗
---------------------------------------------
Researchers have examined around six billion passwords from several data leaks. Their report reveals patterns that occur particularly frequently.
---------------------------------------------
https://www.golem.de/news/datenlecks-analysiert-solche-passwoerter-sollten-…
∗∗∗ Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts. [..] The attack unfolds in two distinct waves, where the threat actors leverage fake invitation notifications to steal victim credentials, and then leverage those pilfered credentials to deploy RMM tools to establish persistent access.
---------------------------------------------
https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.h…
∗∗∗ Crims compromised energy firms’ Microsoft accounts, sent 600 phishing emails ∗∗∗
---------------------------------------------
Unknown attackers are abusing Microsoft SharePoint file-sharing services to target multiple energy-sector organizations, harvest user credentials, take over corporate inboxes, and then send hundreds of phishing emails from compromised accounts to contacts inside and outside those organizations. The attackers likely used previously-compromised email addresses to gain initial access to "multiple" energy-sector organizations targeted in this campaign, according to Redmond, which detailed the digital intrusions in a Wednesday report.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/01/22/crims_compro…
∗∗∗ 149 Million Usernames and Passwords Exposed by Unsecured Database ∗∗∗
---------------------------------------------
This “dream wish list for criminals” includes millions of Gmail, Facebook, banking logins, and more. The researcher who discovered it suspects they were collected using infostealing malware.
---------------------------------------------
https://www.wired.com/story/149-million-stolen-usernames-passwords/
∗∗∗ URL fritz.box has been redirecting to 91.195.240.12 since 22.1.2026 ∗∗∗
---------------------------------------------
The domain fritz.box, acquired by the former AVM, now FRITZ, appears to have gone "astray" again. [..] The whois data show that the domain registration expired today (22.1.2026).
---------------------------------------------
https://borncity.com/blog/2026/01/22/url-fritz-box-leitet-seit-22-1-2026-au…
∗∗∗ AI and security: Zero-day exploits created by AI are already a reality ∗∗∗
---------------------------------------------
A study shows that AIs can create complex zero-day exploits. The consequence: the search for security vulnerabilities is being successfully industrialized and scaled.
---------------------------------------------
https://heise.de/-11151838
∗∗∗ Exploit Cursor Agents to create persistent, distributed threats ∗∗∗
---------------------------------------------
Yesterday a VSCode exploit was written up. When a programmer simply opens a folder that contains a malicious tasks.json file, the malicious code will silently run from inside the editor itself – where all their work lives. That got me thinking: could I use this to re-program a developer's AI agents and get them to do what I want? Even worse — could I do this to all their code repositories? Turns out: hell yes.
---------------------------------------------
https://ike.io/open-a-folder-all-your-agents-are-mine/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel), Debian (bind9, chromium, osslsigncode, and python-urllib3), Fedora (freerdp, ghostscript, hcloud, rclone, rust-rkyv0.7, rust-rkyv_derive0.7, and vsftpd), Mageia (avahi and harfbuzz), SUSE (alloy, avahi, busybox, cargo-c, corepack22, corepack24, curl, docker, dpdk, exiv2-0_26, ffmpeg-4, firefox, glib2, go1.24, go1.25, gpg2, haproxy, kernel, kernel-firmware, keylime, libpng16, librsvg, libsodium, libsoup, libsoup2, libtasn1, log4j, net-snmp, open-vm-tools, openldap2_5, ovmf, pgadmin4, php7, podman, python-filelock, python-marshmallow, python-pyasn1, python-tornado, python-urllib3, python-virtualenv, python3, python311-pyasn1, python311-weasyprint, rust1.91, rust1.92, util-linux, webkit2gtk3, and wireshark), and Ubuntu (libxml2 and pyasn1).
---------------------------------------------
https://lwn.net/Articles/1055671/
∗∗∗ Video conferencing software: Zoom Node a possible entry point for malicious code attacks ∗∗∗
---------------------------------------------
In an advisory, the developers state that the now-closed security vulnerability (CVE-2026-22844) is rated with the threat level "critical". The vulnerability specifically affects the Multimedia Routers (MMRs) component. For an attack to succeed, an attacker must be a participant in a meeting. If that is the case, they can execute malicious code in a way that is not described in more detail.
---------------------------------------------
https://heise.de/-11151434
∗∗∗ Rockwell Automation CompactLogix 5370 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-03
∗∗∗ Schneider Electric EcoStruxure Process Expert ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-01
∗∗∗ EVMAPA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08
∗∗∗ Weintek cMT X Series HMI EasyWeb Service ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05
∗∗∗ Delta Electronics DIAView ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-07
∗∗∗ Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04
∗∗∗ AutomationDirect CLICK Programmable Logic Controller ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02
∗∗∗ Hubitat Elevation Hubs ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 21-01-2026 18:00 − Thursday 22-01-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ A patch for the NIS2 Directive ∗∗∗
---------------------------------------------
On January 20th, 2026 the EU Commission presented a package of legislative proposals, including an update to the NIS2 directive.
---------------------------------------------
https://www.cert.at/en/blog/2026/1/a-patch-for-the-nis2-directive
∗∗∗ Look at FortiCloud SSO Bypass Exploitation (CVE-2025-59718/59719) ∗∗∗
---------------------------------------------
In December last year, Fortinet disclosed [1] a vulnerability in SAML processing, which allowed full bypass of authentication to management interfaces with FortiCloud SSO enabled. According to new, still not officially confirmed reports, the vulnerability may not have been fully patched [10]. As affected devices are represented in my small network of high-interaction honeypots, we have an opportunity to take a look at what the attackers do.
---------------------------------------------
https://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitati…
∗∗∗ New Android malware uses AI to click on hidden browser ads ∗∗∗
---------------------------------------------
A new family of Android click-fraud trojans leverages TensorFlow machine learning models to automatically detect and interact with specific advertisement elements.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ai-…
∗∗∗ Chainlit AI framework bugs let hackers breach cloud environments ∗∗∗
---------------------------------------------
Two high-severity vulnerabilities in Chainlit, a popular open-source framework for building conversational AI applications, allow reading any file on the server and leaking sensitive information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chainlit-ai-framework-bugs-l…
∗∗∗ Is AI-Generated Code Secure?, (Thu, Jan 22nd) ∗∗∗
---------------------------------------------
The title of this diary is perhaps a bit catchy but the question is important. I don’t consider myself a good developer. That’s not my day job and I’m writing code to improve my daily tasks. I like to say “I’m writing sh*ty code! It works for me, no warranty that it will work for you”. Today, most of my code (the skeleton of the program) is generated by AI, probably like most of you.
---------------------------------------------
https://isc.sans.edu/diary/rss/32648
∗∗∗ Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts ∗∗∗
---------------------------------------------
A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts.
---------------------------------------------
https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html
∗∗∗ Preparing for the EU Cyber Resilience Act (CRA) ∗∗∗
---------------------------------------------
Product security has matured significantly over the last decade. Secure defaults, defined ownership of security risk, reliable update mechanisms, and structured vulnerability handling are now mainstream and well understood by experienced engineering and security teams. These practices are no longer aspirational. They are now the minimum required to build and operate digital products responsibly.
---------------------------------------------
https://www.pentestpartners.com/security-blog/preparing-for-the-eu-cyber-re…
∗∗∗ Phishing trap: Loss of access to ChatGPT ∗∗∗
---------------------------------------------
A phishing email currently circulating warns of the termination of the recipient's ChatGPT account. A missed payment is supposedly to blame. The problem could allegedly be resolved by updating the necessary data. Whoever follows the corresponding path, however, transmits credit card and contact information to the criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-falle-chatgpt/
∗∗∗ European Space Agency’s cybersecurity in freefall as yet another breach exposes spacecraft and mission data ∗∗∗
---------------------------------------------
It has just been a few weeks since reports emerged of the Christmas cyber attack suffered by the European Space Agency (ESA), and the situation has already become worse.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/european-space-agency…
∗∗∗ The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time ∗∗∗
---------------------------------------------
Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page.
---------------------------------------------
https://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-…
∗∗∗ Osiris: New Ransomware, Experienced Attackers? ∗∗∗
---------------------------------------------
Poortry driver and modified Rustdesk tool used in recent attack campaign, which bears similarities to previous Inc ransomware attacks.
---------------------------------------------
https://www.security.com/threat-intelligence/new-ransomware-osiris
∗∗∗ Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware ∗∗∗
---------------------------------------------
TrendAI™ Research provides a technical analysis of a compromised EmEditor installer used to deliver multistage malware that performs a range of malicious actions.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets…
∗∗∗ Cyber Is What We Make of It ∗∗∗
---------------------------------------------
"It’s not what happens to you, but how you react to it that matters." — Epictetus. Not long ago an Atlantic Council op-ed in CyberScoop outlined ten key reforms to close America’s cybersecurity gaps. The recommendations are sensible: migrate to memory-safe languages, apply formal verification to critical systems, establish zero trust architectures, build data resilience, conduct proactive threat hunting. Laudable, uncontroversial, and comprehensive;
---------------------------------------------
https://buttondown.com/grugq/archive/cyber-is-what-we-make-of-it/
=====================
= Vulnerabilities =
=====================
∗∗∗ SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release ∗∗∗
---------------------------------------------
A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch.
---------------------------------------------
https://thehackernews.com/2026/01/smartermail-auth-bypass-exploited-in.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gpsd), Debian (inetutils and modsecurity-crs), Fedora (cpp-httplib, curl, mariadb11.8, mingw-libtasn1, mingw-libxslt, mingw-python3, rclone, and rpki-client), Oracle (gimp, glib2, go-toolset:rhel8, golang, kernel, mariadb-devel:10.3, and thunderbird), Red Hat (buildah, go-toolset:rhel8, golang, grafana, kernel, kernel-rt, multiple packages, openssl, osbuild-composer, podman, and skopeo), Slackware (bind), SUSE (ffmpeg-4, libsodium, libvirt, net-snmp, open-vm-tools, ovmf, postgresql17, postgresql18, python-FontTools, python-weasyprint, and webkit2gtk3), and Ubuntu (glib2.0 and opencc).
---------------------------------------------
https://lwn.net/Articles/1055484/
∗∗∗ Act now! Attackers apparently bypass Fortinet security patch ∗∗∗
---------------------------------------------
According to media reports, a security patch for various Fortinet products is broken. Admins can nevertheless protect their instances.
---------------------------------------------
https://heise.de/-11149777
∗∗∗ Update now! Attack attempts on security vulnerabilities in Cisco Unified Communications ∗∗∗
---------------------------------------------
Several Unified Communications products from Cisco contain a security vulnerability that allows unauthenticated attackers to inject malicious code from the network and execute it with root privileges. Admins should apply the available updates promptly, as Cisco has already observed attack attempts on the vulnerability from the network.
---------------------------------------------
https://heise.de/-11149877
∗∗∗ Dell Data Protection Advisor attackable via countless security vulnerabilities ∗∗∗
---------------------------------------------
Dell is closing vulnerabilities in Data Protection Advisor, some of them sixteen years old, through which attackers can compromise systems.
---------------------------------------------
https://heise.de/-11150421
∗∗∗ SSA-864900 V1.6 (Last Update: 2026-01-22): Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-864900.html
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 20-01-2026 18:00 − Wednesday 21-01-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ EU plans cybersecurity overhaul to block foreign high-risk suppliers ∗∗∗
---------------------------------------------
The European Commission has proposed new cybersecurity legislation mandating the removal of high-risk suppliers to secure telecommunications networks and strengthening defenses against state-backed and cybercrime groups targeting critical infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/eu-plans-cybersecurity-overh…
∗∗∗ VoidLink cloud malware shows clear signs of being AI-generated ∗∗∗
---------------------------------------------
The recently discovered cloud-focused VoidLink malware framework is believed to have been developed by a single person with the help of an artificial intelligence model.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/voidlink-cloud-malware-shows…
∗∗∗ Hackers exploit security testing apps to breach Fortune 500 firms ∗∗∗
---------------------------------------------
Threat actors are exploiting misconfigured web applications used for security training and internal penetration testing, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to gain access to cloud environments of Fortune 500 companies and security vendors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-security-tes…
∗∗∗ Mass Spam Attacks Leverage Zendesk Instances ∗∗∗
---------------------------------------------
The CRM vendor advised ignoring or deleting suspicious emails and said the attacks were not tied to any breach or software vulnerability.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/mass-spam-attacks-zendesk-i…
∗∗∗ Shut it down now: Ten-year-old Telnetd flaw makes every client root ∗∗∗
---------------------------------------------
Since 2015, any client has been able to obtain root access via Telnetd. A patch exists, but disabling the service is recommended.
---------------------------------------------
https://www.golem.de/news/jetzt-abschalten-zehn-jahre-alte-telnetd-luecke-m…
∗∗∗ LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords ∗∗∗
---------------------------------------------
LastPass is alerting users to a new active phishing campaign that's impersonating the password management service, which aims to trick users into giving up their master passwords.
---------------------------------------------
https://thehackernews.com/2026/01/lastpass-warns-of-fake-maintenance.html
∗∗∗ Curl shutters bug bounty program to remove incentive for submitting AI slop ∗∗∗
---------------------------------------------
The maintainer of popular open-source data transfer tool cURL has ended the project’s bug bounty program after maintainers struggled to assess a flood of AI-generated contributions.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/01/21/curl_ends_bu…
∗∗∗ Restriction of ad delivery on Facebook? Business profiles targeted by criminals ∗∗∗
---------------------------------------------
Using emails purporting to come from the Meta group, scammers try to gain access to business accounts. For this they have built a fake login page. How exactly does the scam work? How can the fraudulent intent be recognized? This article provides answers.
---------------------------------------------
https://www.watchlist-internet.at/news/einschraenkung-der-anzeigenausliefer…
∗∗∗ DNS OverDoS: Are Private Endpoints Too Private? ∗∗∗
---------------------------------------------
We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentional and inadvertent acts could result in limited access to Azure resources through the Azure Private Link mechanism. We uncovered this issue while investigating irregular behavior in Azure test environments.
---------------------------------------------
https://unit42.paloaltonetworks.com/dos-attacks-and-azure-private-endpoint/
∗∗∗ IT security: Hotline between Beijing and London ∗∗∗
---------------------------------------------
A new, secret forum is intended to improve communication between British and Chinese services. It could be the first of its kind.
---------------------------------------------
https://heise.de/-11148209
∗∗∗ Introducing > PowerShell.Exposed ∗∗∗
---------------------------------------------
PowerShell (PS) isn’t just a “Windows admin tool.” Once shell access is established, this is the cheapest and most powerful hands-on-keyboard control an attacker can have.
---------------------------------------------
https://detect.fyi/introducing-powershell-exposed-4974fe712117?source=rss--…
∗∗∗ New EU Vulnerability Platform GCVE Goes Live, Reducing Reliance on Global Systems ∗∗∗
---------------------------------------------
Europe’s long-running conversation about digital autonomy quietly crossed a milestone with the launch of a new public vulnerability platform. The EU Vulnerability Database, created under the GCVE initiative, is now live. This signals a deliberate shift in how software weaknesses are identified, cataloged, and shared across Europe.
---------------------------------------------
https://thecyberexpress.com/eu-launches-gcve-vulnerability-database/
∗∗∗ Critical Vulnerability in Advanced Custom Fields: Extended Plugin Puts 100,000 WordPress Sites at Risk ∗∗∗
---------------------------------------------
A critical security flaw has been discovered in a widely used ACF add-on plugin for WordPress, placing up to 100,000 websites at risk of a full site takeover. The vulnerability affects the Advanced Custom Fields: Extended plugin, an add-on designed to extend the functionality of the popular Advanced Custom Fields ecosystem. An advisory issued about the flaw assigns a severity rating of 9.8, emphasizing the serious impact it can have if exploited.
---------------------------------------------
https://thecyberexpress.com/acf-add-on-vulnerability-wordpress/
=====================
= Vulnerabilities =
=====================
∗∗∗ Current wave of attacks against CVE-2025-59718, patches insufficient ∗∗∗
---------------------------------------------
In December of last year, Fortinet published information about a login bypass in several of the company's products (see also our warning of 19.12.2025) and at the same time provided patches that were supposed to fix the problem.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/1/aktuelle-angriffswelle-gegen-cve-20…
∗∗∗ GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4 ∗∗∗
---------------------------------------------
Learn more about GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
---------------------------------------------
https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-re…
∗∗∗ Security vulnerabilities: Nvidia CUDA Toolkit lets malicious code through ∗∗∗
---------------------------------------------
Nvidia's CUDA programming interface has security vulnerabilities through which, among other things, malicious code can get onto systems. Depending on the vulnerability, Linux and Windows are affected. A fixed release of CUDA Toolkit provides a remedy.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-Nvidia-CUDA-Toolkit-laesst-Sch…
∗∗∗ Security patches: Atlassian secures Confluence & Co. against possible attacks ∗∗∗
---------------------------------------------
Atlassian has released important security updates for Bamboo, Bitbucket, Confluence, Crowd, Jira and Jira Service Management Data Center and Server. After successful attacks, attackers can primarily trigger DoS conditions and thus crashes.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatches-Atlassian-sichert-Confluence-C…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (brotli and container-tools:rhel8), Debian (python-keystonemiddleware and python3.9), Fedora (cef, freerdp, golang-github-tetratelabs-wazero, and libpcap), Oracle (brotli, gpsd, kernel, and transfig), Red Hat (freerdp, golang, java-11-openjdk with Extended Lifecycle Support, libpng, libssh, mingw-libpng, and runc), SUSE (abseil-cpp, alloy, apache2, bind, cpp-httplib, curl, erlang, firefox, gpg2, grafana, haproxy, hauler, hawk2, libblkid-devel, libpng16, libraylib550, python-keystonemiddleware-doc, python-uv, python-weasyprint, squid, and tomcat), and Ubuntu (crawl and iperf3).
---------------------------------------------
https://lwn.net/Articles/1055322/
∗∗∗ VU#458022: Open5GS WebUI uses hard-coded secrets including JSON Web Token signing key ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/458022
∗∗∗ VU#102648: Code Injection Vulnerability in binary-parser library ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/102648
∗∗∗ VU#481830: libheif Uncompressed Codec Lacks Bounds Check Leading to Application Crash ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/481830
∗∗∗ Oracle Critical Patch Update Advisory - January 2026 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpujan2026.html
∗∗∗ Cisco Unified Communications Products Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Schneider Electric EcoStruxure Foxboro DCS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-01
∗∗∗ Rockwell Automation Verve Asset Manager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-03
∗∗∗ Schneider Electric devices using CODESYS Runtime ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-02
=====================
= End-of-Day report =
=====================
Timeframe: Monday 19-01-2026 18:00 − Tuesday 20-01-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Google Gemini Prompt Injection Flaw Exposed Private Calendar Data via Malicious Invites ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a security flaw that leverages indirect prompt injection targeting Google Gemini as a way to bypass authorization guardrails and use Google Calendar as a data extraction mechanism.
---------------------------------------------
https://thehackernews.com/2026/01/google-gemini-prompt-injection-flaw.html
∗∗∗ Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers ∗∗∗
---------------------------------------------
Cloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and access origin servers. [..] The web infrastructure company said it found no evidence that the vulnerability was ever exploited in a malicious context. [..] The vulnerability was addressed by Cloudflare on October 27, 2025, with a code change that serves the response and disables WAF features only when the request matches a valid ACME HTTP-01 challenge token for that hostname.
---------------------------------------------
https://thehackernews.com/2026/01/cloudflare-fixes-acme-validation-bug.html
∗∗∗ Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT).
---------------------------------------------
https://thehackernews.com/2026/01/hackers-use-linkedin-messages-to-spread.h…
∗∗∗ EU Commission working on open source strategy and asks community for feedback ∗∗∗
---------------------------------------------
Individuals and groups have until 3 February to submit input.
---------------------------------------------
https://www.derstandard.at/story/3000000304870/eu-kommission-arbeitet-an-op…
∗∗∗ Microsoft & Anthropic MCP Servers At Risk of RCE, Cloud Takeovers ∗∗∗
---------------------------------------------
Researchers found the popular model context protocol (MCP) servers, which are integral components of AI services, carry serious vulnerabilities. [..] When they analyzed more than 7,000 MCP servers, they found that the same SSRF exposure might be latent in around 36.7% of all MCP servers on the Web today. [..] The company reported its findings to Anthropic last June. Half a year later, in December, Anthropic released the 2025.12.18 version of the Git MCP server, which better enforced path validation (in response to CVE-2025-68145), addressed argument handling (CVE-2025-68144), and completely removed the git_init tool (CVE-2025-68143).
---------------------------------------------
https://www.darkreading.com/application-security/microsoft-anthropic-mcp-se…
∗∗∗ Inside a Multi-Stage Windows Malware Campaign ∗∗∗
---------------------------------------------
The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign. These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background.
---------------------------------------------
https://feeds.fortinet.com/~/940900697/0/fortinet/blogs~Inside-a-MultiStage…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security vulnerability at TP-Link: Surveillance cameras crackable via password reset ∗∗∗
---------------------------------------------
Network device manufacturer TP-Link warns of a dangerous security vulnerability in its Vigi surveillance cameras. [..] According to the vulnerability description, the flaw is based on a bug in the password recovery function of the web interface of affected cameras. [..] Using CVE-2026-0629, attackers can reset the admin password without any verification taking place. [..] To exploit CVE-2026-0629, however, attackers do need access to the local network to which the targeted camera is connected.
---------------------------------------------
https://www.golem.de/news/tp-link-admin-konten-zahlloser-ueberwachungskamer…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gpsd-minimal, jmc, kernel, kernel-rt, and net-snmp), Debian (apache-log4j2 and dcmtk), Fedora (exim, gpsd, mysql8.0, mysql8.4, python-biopython, and rust-lru), Mageia (firefox, nss and thunderbird), Oracle (container-tools:rhel8, gpsd-minimal, jmc, kernel, net-snmp, and uek-kernel), Red Hat (net-snmp), SUSE (chromium, go, harfbuzz-devel, kernel, libsoup, rust1.91, rust1.92, and thunderbird), and Ubuntu (apache2, avahi, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/1055152/
∗∗∗ VU#244846: Server-Side Template Injection (SSTI) vulnerability exists in Genshi ∗∗∗
---------------------------------------------
A Server-Side Template Injection (SSTI) vulnerability exists in the Genshi template engine due to unsafe evaluation of template expressions. [..] Genshi is a Python library developed by Edgewall, it provides an integrated set of components for parsing, generating, and processing HTML, XML, or other textual content for output generation on the web. [..] If an attacker can influence or inject template expressions, this vulnerability allows arbitrary code execution with the privileges of the running application. [..] At the time of publication, Genshi has not released an update addressing this issue.
---------------------------------------------
https://kb.cert.org/vuls/id/244846
∗∗∗ VU#271649: Stack-based buffer overflow in libtasn1 versions v4.20.0 and earlier ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/271649
∗∗∗ Beckhoff Security Advisory 2025-002 ∗∗∗
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 16-01-2026 18:00 − Monday 19-01-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ StealC hackers hacked as researchers hijack malware control panels ∗∗∗
---------------------------------------------
A cross-site scripting (XSS) flaw in the web-based control panel used by operators of the StealC info-stealing malware allowed researchers to observe active sessions and gather intelligence on the attackers’ hardware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stealc-hackers-hacked-as-res…
∗∗∗ Autotype: Windows 11 update breaks popular KeePass feature ∗∗∗
---------------------------------------------
Since the January Patch Tuesday, KeePass can no longer insert credentials via Autotype in some Windows dialogs. A fix is not to be expected.
---------------------------------------------
https://www.golem.de/news/autotype-windows-11-update-macht-beliebte-keepass…
∗∗∗ What Happened After Security Researchers Found 60 Flock Cameras Livestreaming to the Internet ∗∗∗
---------------------------------------------
A couple months ago, YouTuber Benn Jordan "found vulnerabilities in some of Flock's license plate reader cameras," reports 404 Media's Jason Koebler. "He reached out to me to tell me he had learned that some of Flock's Condor cameras were left live-streaming to the open internet."
---------------------------------------------
https://yro.slashdot.org/story/26/01/17/0718211/what-happened-after-securit…
∗∗∗ China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusions ∗∗∗
---------------------------------------------
A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year.
---------------------------------------------
https://thehackernews.com/2026/01/china-linked-apt-exploits-sitecore-zero.h…
∗∗∗ CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of an ongoing campaign dubbed KongTuke that used a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands using ClickFix-like lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT.
---------------------------------------------
https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html
∗∗∗ Missing postal code? Message from DPD is a phishing trap ∗∗∗
---------------------------------------------
A classic of online fraud. A parcel service gets in touch out of the blue. Supposedly a delivery attempt failed due to a missing postal code. In fact, criminals are trying to obtain credit card data via a fake portal.
---------------------------------------------
https://www.watchlist-internet.at/news/dpd-phishing-falle/
∗∗∗ Windows January 2026 update swaps Secure Boot certificates ∗∗∗
---------------------------------------------
In June 2026, UEFI Secure Boot certificates for Windows expire. In October 2026 the next expiring UEFI certificate for Secure Boot follows. On 13 January 2026, as part of Patch Tuesday, Microsoft has once again made the attempt to replace the Secure Boot certificate in UEFI. Here is a short recap of the current status.
---------------------------------------------
https://borncity.com/blog/2026/01/17/windows-januar-2026-update-tauscht-sec…
∗∗∗ From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers ∗∗∗
---------------------------------------------
This blog entry provides an in-depth analysis of the multistage delivery of the Evelyn information stealer, which was used in a campaign targeting software developers.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-steal…
∗∗∗ Hackers Exploiting PDF24 App to Deploy Stealthy PDFSIDER Backdoor ∗∗∗
---------------------------------------------
Resecurity has identified PDFSIDER malware that exploits the legitimate PDF24 App to covertly steal data and allow remote access. Learn how this APT-level campaign targets corporate networks through spear-phishing and encrypted communications.
---------------------------------------------
https://hackread.com/hackers-exploit-pdf24-app-pdfsider-backdoor/
∗∗∗ Blink and you'll miss them: 6-day certificates are here! ∗∗∗
---------------------------------------------
What a great way to start 2026! Let's Encrypt have now made their short-lived certificates available, so you can go and start using them right away.
---------------------------------------------
https://scotthelme.ghost.io/blink-and-youll-miss-them-6-day-certificates-ar…
∗∗∗ Microsoft starts identifying insecure RC4 encryption ∗∗∗
---------------------------------------------
The Windows security updates from January usher in the removal of insecure RC4 encryption. One vulnerability requires action.
---------------------------------------------
https://heise.de/-11145332
∗∗∗ Malware Peddlers Are Now Hijacking Snap Publisher Domains ∗∗∗
---------------------------------------------
tl;dr: There’s a relentless campaign by scammers to publish malware in the Canonical Snap Store. Some gets caught by automated filters, but plenty slips through. Recently, these miscreants have changed tactics - they’re now registering expired domains belonging to legitimate snap publishers, taking over their accounts, and pushing malicious updates to previously trustworthy applications. This is a significant escalation.
---------------------------------------------
https://blog.popey.com/2026/01/malware-purveyors-taking-over-published-snap…
∗∗∗ TPM on Embedded Systems: Pitfalls and Caveats ∗∗∗
---------------------------------------------
Trusted Platform Module (TPM) chips have been around since the release of the TPM 1.2 specification more than 20 years ago, and the TPM 2.0 specification was released in 2014. The technology is now seeing widespread adoption in various computing sectors. TPMs have been a standard feature in PCs, particularly notebooks, for some time. With integration into tools like systemd’s tooling for LUKS/dm-crypt and legal requirements like the EU’s CRA, TPM functionality is also now making its way into the embedded Linux sector. In this post, we’ll highlight common pitfalls and considerations for using TPM chips on embedded devices.
---------------------------------------------
https://sigma-star.at/blog/2026/01/tpm-on-embedded-systems-pitfalls-and-cav…
∗∗∗ How to Remove Saved Passwords From Google Chrome (And Why You Should) ∗∗∗
---------------------------------------------
It usually starts with a small convenience. You log into a site once, Chrome offers to remember the password, and you click “Save” without thinking twice. Weeks turn into months, devices multiply, and before you know it, your browser knows more about your digital life than you do. This is exactly how many users end up relying on Chrome’s built-in tools without ever learning how to delete passwords from Chrome when it actually matters.
---------------------------------------------
https://thecyberexpress.com/how-to-delete-saved-passwords-in-google-chrome/
∗∗∗ All In One SEO Plugin Flaw Exposes AI Token to Low-Privilege WordPress Users ∗∗∗
---------------------------------------------
A newly disclosed security vulnerability in the All In One SEO ecosystem has drawn attention across the WordPress community due to its potential reach and impact. The flaw affects the widely used AIOSEO plugin, which is active on more than 3 million WordPress websites. It allows low-privileged users to access a site-wide AI access token tied to the plugin’s artificial intelligence features.
---------------------------------------------
https://thecyberexpress.com/all-in-one-seo-wordpress-ai-token/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cups, libpq, libsoup3, podman, and postgresql16), Debian (ffmpeg, gpsd, python-urllib3, and thunderbird), Fedora (chromium, foomuuri, forgejo, freerdp, harfbuzz, libtpms, musescore, python-biopython, and python3.12), Mageia (gimp, libpng, nodejs, and python-urllib3), and SUSE (alloy, avahi, bind, chromedriver, chromium, cpp-httplib, docker, erlang, fluidsynth, freerdp, go-sendxmpp, govulncheck-vulndb, kernel, libwireshark19, NetworkManager-applet-l2tp, python, python311-virtualenv, thunderbird, and zk).
---------------------------------------------
https://lwn.net/Articles/1054992/
∗∗∗ Unauthorized access possible: Vulnerabilities in Dell's OneFS NAS operating system ∗∗∗
---------------------------------------------
Dell's NAS operating system PowerScale OneFS is vulnerable via several security flaws. Patched releases are available for download.
---------------------------------------------
https://heise.de/-11145497
∗∗∗ Wireshark 4.6.3 Released, (Sat, Jan 17th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/32636
∗∗∗ K000159600: Rack vulnerability CVE-2022-30123 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000159600
∗∗∗ K000159077: GNU Tar vulnerability CVE-2019-9923 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000159077