Daily February 2026

daily@lists.cert.at

1 participants
20 discussions

Tageszusammenfassung - 13.02.2026
by Daily end-of-shift report 13 Feb '26

13 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-02-2026 18:00 − Freitag 13-02-2026 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Microsoft: New Windows LNK spoofing issues arent vulnerabilities ∗∗∗ --------------------------------------------- Today, at Wild West Hackin Fest, security researcher Wietze Beukema disclosed multiple vulnerabilities in Windows LK shortcut files that allow attackers to deploy malicious payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-new-windows-lnk-s… ∗∗∗ Ivanti EPMM Zero-Day Bugs Spark Exploit Frenzy — Again ∗∗∗ --------------------------------------------- A handful of European government agencies have been compromised by hackers in recent weeks, thanks to a new round of critical vulnerabilities in an Ivanti product — and it's another grim reminder of the heyday attackers have been having with edge devices. --------------------------------------------- https://www.darkreading.com/endpoint-security/ivanti-epmm-zero-day-bugs-exp… ∗∗∗ 37 Millionen Downloads: 287 Chrome-Extensions bei der Spionage erwischt ∗∗∗ --------------------------------------------- Forscher haben den Traffic zahlreicher Chrome-Erweiterungen analysiert. 287 davon spionieren für Datenbroker das Surfverhalten aus. --------------------------------------------- https://www.golem.de/news/37-millionen-downloads-287-chrome-extensions-bei-… ∗∗∗ Bypassing Administrator Protection by Abusing UI Access ∗∗∗ --------------------------------------------- In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn’t exist. I described one of the ways I was able to bypass the feature before it was released. In total I found 9 bypasses during my research that have now all been fixed.In this blog post I wanted to describe the root cause of 5 of those 9 issues, specifically the implementation of UI Access, how this has been a long standing problem with UAC that’s been under-appreciated, and how it’s being fixed now. --------------------------------------------- https://projectzero.google/2026/02/windows-administrator-protection.html ∗∗∗ IPFire stellt freie Domain-Blockliste DBL vor ∗∗∗ --------------------------------------------- Die IPFire-Entwickler haben mit DBL eine kategorisierte Domain-Blockliste veröffentlicht. Sie soll Malware, Phishing und Tracker blockieren. --------------------------------------------- https://www.heise.de/news/IPFire-stellt-freie-Domain-Blockliste-DBL-vor-111… ∗∗∗ How to find and remove credential-stealing Chrome extensions ∗∗∗ --------------------------------------------- Researchers have uncovered 30 Chrome extensions stealing user data. Here’s how to check your browser and remove any malicious extensions step by step. --------------------------------------------- https://www.malwarebytes.com/blog/news/2026/02/how-to-find-and-remove-crede… ∗∗∗ Vorsicht, Trojaner! Kursierende Nachrichten zu Urheberrechtsverletzungen sind Fakes! ∗∗∗ --------------------------------------------- Mit Phishing-Nachrichten im Namen real existierender Unternehmen versuchen Kriminelle aktuell, Schadsoftware auf die Endgeräte ihrer Opfer zu schummeln. Die erhobenen Anschuldigungen sind natürlich frei erfunden, das angehängte Dokument ist allerdings hochgefährlich. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-trojaner-urheberrechtsverle… ∗∗∗ Urgent warnings from UK and US cyber agencies after Polish energy grid attack ∗∗∗ --------------------------------------------- A coordinated cyberattack that targeted Polands energy infrastructure in late December 2025 has prompted cybersecurity agencies to issue urgent warnings to critical national infrastructure operators on both sides of the Atlantic. --------------------------------------------- https://www.fortra.com/blog/urgent-warnings-uk-and-us-cyber-agencies-after-… ∗∗∗ Naming and shaming: How ransomware groups tighten the screws on victims ∗∗∗ --------------------------------------------- When corporate data is exposed on a dedicated leak site, the consequences linger long after the attack fades from the news cycle. --------------------------------------------- https://www.welivesecurity.com/en/ransomware/naming-shaming-ransomware-grou… ∗∗∗ Lawful access to encrypted data: why is this so hard to do? ∗∗∗ --------------------------------------------- As I am now a member of the EU expert group which is tasked with coming up with a solution, I have been thinking a lot about this problem. An interesting train of thought turned out to be the question “We managed to give Law Enforcement (LE) wiretapping powers in old-style phone networks, but not in modern, Internet-based communication services. Why?” --------------------------------------------- https://www.cert.at/en/blog/2026/2/lawful-access-to-encrypted-data-why-is-t… ∗∗∗ 8,000+ ChatGPT API Keys Left Publicly Accessible ∗∗∗ --------------------------------------------- The rapid integration of artificial intelligence into mainstream software development has introduced a new category of security risk, one that many organizations are still unprepared to manage. According to research conducted by Cyble Research and Intelligence Labs (CRIL), thousands of exposed ChatGPT API keys are currently accessible across public infrastructure, dramatically lowering the barrier for abuse. CRIL identified more than 5,000 publicly accessible GitHub repositories containing --------------------------------------------- https://thecyberexpress.com/exposed-chatgpt-api-keys-github-websites/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Angreifer attackieren BeyondTrust-Fernwartungslösungen ∗∗∗ --------------------------------------------- Angreifer nutzen eine kritische Schadcode-Lücke in BeyondTrust Remote Support und Privileged Remote Access aus. Sicherheitspatches sind verfügbar. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-BeyondTrust-F… ∗∗∗ Qnap-NAS: Unbefugte Dateisystemzugriffe möglich ∗∗∗ --------------------------------------------- Sicherheitspatches für die NAS-Betriebssysteme QTS und QuTS hero von Qnap schließen mehrere Lücken. --------------------------------------------- https://www.heise.de/news/Qnap-NAS-Unbefugte-Dateisystemzugriffe-moeglich-1… ∗∗∗ LWN Security updates for Friday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/1058642/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 12.02.2026
by Daily end-of-shift report 12 Feb '26

12 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-02-2026 18:00 − Donnerstag 12-02-2026 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Crazy ransomware gang abuses employee monitoring tool in attacks ∗∗∗ --------------------------------------------- A member of the Crazy ransomware gang is abusing legitimate employee monitoring software and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment. --------------------------------------------- https://www.bleepingcomputer.com/news/security/crazy-ransomware-gang-abuses… ∗∗∗ Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts ∗∗∗ --------------------------------------------- The AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials. [..] Office add-ins are just URLs pointing to content loaded into Microsoft products from the developer's server. In the case of AgreeTo, the developer used a Vercel-hosted URL (outlook-one.vercel.app) but abandoned the project, despite the userbase it formed. [..] The case of AgreeTo stands out, though, as it is likely the first to be hosted on Microsoft’s Marketplace. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-… ∗∗∗ Betrügerische Post-Emails im Umlauf ∗∗∗ --------------------------------------------- Rechnungen von der Post per E-Mail sind häufig Fake. Aktuell kursiert eine Variante, bei der 9,30 Euro für eine Sendung beglichen werden sollen. Ein Klick auf den Button führt auf eine Phishing-Website, auf der Kreditkartendaten gestohlen werden können. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-post-emails-im-umlauf/ ∗∗∗ Nation-State Actors Exploit Notepad++ Supply Chain ∗∗∗ --------------------------------------------- Between June and December 2025, the official hosting infrastructure for the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom. The attackers breached the shared hosting provider’s environment. [..] We’ve identified additional unreported infrastructure, which is linked to this campaign. --------------------------------------------- https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/ ∗∗∗ Kritische Schwachstellen in diversen Routern von Linksys ∗∗∗ --------------------------------------------- Linksys-Router beinhalten Schwachstellen, die bis zu einer unauthentifizierten und vollständigen Kompromittierung der Geräte über das Internet führen. Der Hersteller Linksys hat für betroffene Geräte ein Update bereitgestellt, welches allerdings nur eine Ausnutzung über das Internet verhindert. [..] Shortly after discovering the vulnerabilities, a “quick” scan of the internet showed about 12.000 vulnerable devices. Around six months after the fix was available, this number shrunk to around 4.000. A reason for this large drop is probably because the Linksys routers support auto-update, which is enabled by default and installs new firmware updates without any user interaction. --------------------------------------------- https://www.syss.de/pentest-blog/schwachstellen-in-linksys-routern ∗∗∗ US wants cyber partnerships to send ‘coordinated, strategic message’ to adversaries ∗∗∗ --------------------------------------------- National Cyber Director Sean Cairncross told attendees of the Munich Cyber Security Conference that Washington is looking to deepen cooperation with partners rather than act alone. --------------------------------------------- https://therecord.media/us-wants-cyber-partnerships-to-send-message-to-adve… ∗∗∗ GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use ∗∗∗ --------------------------------------------- In the final quarter of 2025, Google Threat Intelligence Group (GTIG) observed threat actors increasingly integrating artificial intelligence (AI) to accelerate the attack lifecycle, achieving productivity gains in reconnaissance, social engineering, and malware development. This report serves as an update to our November 2025 findings regarding the advances in threat actor usage of AI tools. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/distillation-exper… ∗∗∗ Scary Agent Skills: Hidden Unicode Instructions in Skills ...And How To Catch Them · ∗∗∗ --------------------------------------------- There is a lot of talk about Skills recently, both in terms of capabilities and security concerns. However, so far I haven’t seen anyone bring up hidden prompt injection. So, I figured to demo a Skills supply chain backdoor that survives human review. --------------------------------------------- https://embracethered.com/blog/posts/2026/scary-agent-skills/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices ∗∗∗ --------------------------------------------- Apple on Wednesday released iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates to address a zero-day flaw that it said has been exploited in sophisticated cyber attacks. --------------------------------------------- https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html ∗∗∗ Dell schließt unzählige Sicherheitslücken in Avamar, iDRAC und NetWorker ∗∗∗ --------------------------------------------- In drei Warnmeldungen listet Dell die nun geschlossenen Sicherheitslücken in Komponenten von Drittanbietern auf, die Avamar und NetWorker betreffen. [..] Darunter fallen Komponenten wie Apache HTTP Server, Expat, OpenSSL und Vim. Der Großteil der geschlossenen Lücken stammt aus dem Jahr 2025. Darunter sind auch „kritische“ Schwachstellen (etwa Samba CVE-2025-10230), über die Schadcode auf Systeme gelangen kann. --------------------------------------------- https://www.heise.de/news/Dell-schliesst-unzaehlige-Sicherheitsluecken-in-A… ∗∗∗ Fortinet: LDAP authentication bypass in Agentless VPN and FSSO ∗∗∗ --------------------------------------------- An Authentication Bypass by Primary Weakness vulnerability [CWE-305] in FortiOS fnbamd may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, under specific LDAP server configuration. CVE-2026-22153 --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-25-1052 ∗∗∗ High-Severity RCE Vulnerability Disclosed in next-mdx-remote ∗∗∗ --------------------------------------------- HashiCorp has published HCSEC-2026-01, disclosing a high-severity vulnerability in the popular next-mdx-remote library that can lead to arbitrary code execution when rendering untrusted MDX content on the server. The issue is tracked as CVE-2026-0969 (GHSA-g4xw-jxrg-5f6m) and carries a CVSS 3.1 score of 8.8 (High). [..] It is fixed in version 6.0.0. [..] For clarity, this is not a vulnerability in Next.js itself. It affects applications that use next-mdx-remote to compile untrusted MDX content on the server. --------------------------------------------- https://socket.dev/blog/high-severity-rce-vulnerability-disclosed-in-next-m… ∗∗∗ Multiple Vulnerabilities in various Solax Power Pocket WiFi models ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ LWN Security updates for Thursday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/1058473/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 11.02.2026
by Daily end-of-shift report 11 Feb '26

11 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-02-2026 18:00 − Mittwoch 11-02-2026 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ New Linux botnet SSHStalker uses old-school IRC for C2 comms ∗∗∗ --------------------------------------------- A newly documented Linux botnet named SSHStalker is using the IRC (Internet Relay Chat) communication protocol for command-and-control (C2) operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-linux-botnet-sshstalker-… ∗∗∗ In Bypassing MFA, ZeroDayRAT Is Textbook Stalkerware ∗∗∗ --------------------------------------------- With access to SIM, location data, and a preview of recent SMSes, attackers have everything they need for account takeover or targeted social engineering. --------------------------------------------- https://www.darkreading.com/threat-intelligence/zerodayrat-brings-commercia… ∗∗∗ DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies ∗∗∗ --------------------------------------------- The information technology (IT) workers associated with the Democratic Peoples Republic of Korea (DPRK) are now applying to remote positions using real LinkedIn accounts of individuals theyre impersonating, marking a new escalation of the fraudulent scheme. --------------------------------------------- https://thehackernews.com/2026/02/dprk-operatives-impersonate.html ∗∗∗ Kimwolf Botnet Swamps Anonymity Network I2P ∗∗∗ --------------------------------------------- For the past week, the massive "Internet of Things" (IoT) botnet known as Kimwolf has been disrupting the The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnets control servers. --------------------------------------------- https://krebsonsecurity.com/2026/02/kimwolf-botnet-swamps-anonymity-network… ∗∗∗ Shelly IoT door controller config fail: leaving your garage, home and security exposed ∗∗∗ --------------------------------------------- I love my Shelly devices. They are an essential part of my smart home setup. I use them for everything from lights and plugs to garage doors and garden sprinkler control! One of the first Shelly devices I installed about five years ago recently stopped working, so I replaced it with one of their new fourth-generation Shelly 1 devices. That’s when I noticed an issue I hadn’t seen in previous generations. --------------------------------------------- https://www.pentestpartners.com/security-blog/shelly-iot-door-controller-co… ∗∗∗ Recovery Scam: Wie Betrugsopfer erneut geschädigt werden ∗∗∗ --------------------------------------------- Durch Onlinebetrug verlorenes Geld zurückzuholen, das wünschen sich viele Opfer. Und genau diesen Wunsch versuchen Kriminelle für ihre Zwecke zu nutzen. Mit dem sogenannten „Recovery Scam“ ziehen sie bereits Geschädigten zusätzlich Geld aus der Tasche. Im Beispielfall geht es um angeblich wiedergefundene Krypto-Assets und für die Rücküberweisung notwendige Vorauszahlungen. Der Köder: Die Website betrugsrecht(.)de. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scam-erneut-geschaedigt/ ∗∗∗ A Peek Into Muddled Libra’s Operational Playbook ∗∗∗ --------------------------------------------- Explore the tools Unit 42 found on a Muddled Libra rogue host. Learn how they target domain controllers and use search engines to aid their attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/muddled-libra-ops-playbook/ ∗∗∗ Cybersicherheit Zuhause: Privathaushalte als unterschätzte Angriffsfläche ∗∗∗ --------------------------------------------- Smartphones, Smarthome-Systeme, Cloud-Dienste und vernetzte Haushaltsgeräte sind längst fester Bestandteil des Alltags. Doch während Unternehmen und Behörden auf etablierte Standards, definierte Prozesse und vorhandene Expertise setzen können, bleibt IT-Sicherheit im privaten Umfeld meistens ungeregelt: Unzureichendes Knowhow, geteilte Passwörter und eine unsichere Konfiguration der gemeinsam genutzten Geräte erhöhen in vielen Familien und Wohngemeinschaften das digitale Risiko erheblich. --------------------------------------------- https://certitude.consulting/blog/de/cybersicherheit-zuhause-privathaushalt… ∗∗∗ Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, 2025, joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre’s (EC3) Operation Eastwood, in which CISA, Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), and EC3 shared information about cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States and globally. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a ∗∗∗ Love Is in the Air — and So Are Scammers: Valentine’s Day 2026 Threats to Watch For ∗∗∗ --------------------------------------------- As Valentine’s Day 2026 approaches, people are turning to online shopping, digital dating, and last‑minute gift ideas. Unfortunately, cyber criminals are doing the same. Check Point researchers have identified a sharp rise in Valentine‑themed phishing websites, fraudulent stores, and fake dating platforms designed to steal personal data and payment information. --------------------------------------------- https://blog.checkpoint.com/research/love-is-in-the-air-and-so-are-scammers… ∗∗∗ Active Ivanti Exploitation Traced to Single Bulletproof IP—Published IOC Lists Point Elsewhere ∗∗∗ --------------------------------------------- The GreyNoise Global Observation Grid observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities, and 83% of that exploitation traces to a single IP address on bulletproof hosting infrastructure that does not appear on widely circulated IOC lists. --------------------------------------------- https://www.greynoise.io/blog/active-ivanti-exploitation ∗∗∗ Hope Is Not a Security Strategy: Why Secure-by-Default Beats Hardening ∗∗∗ --------------------------------------------- Security has always assumed deterministic behavior. We can’t write policy to prevent bad outcomes when we don’t even know what the agent will do. Sandboxing is the natural answer: everyone is buying Mac Minis to run Moltbot (OpenClaw now), Docker is using microVMs for coding agent sandboxes, and countless projects offer sandboxing tools for AI agents. --------------------------------------------- https://tuananh.net/2026/02/09/hope-is-not-a-security-strategy/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken: Attacken auf Windows, Office und den Internet Explorer ∗∗∗ --------------------------------------------- Der Februar fällt im Hinblick auf die Anzahl der zum Microsoft-Patchday geschlossenen Sicherheitslücken wieder etwas milder aus als der Januar. Jedoch befinden sich darunter gleich sechs Lücken, die bereits aktiv ausgenutzt werden. Betroffen sind nicht nur Windows-Systeme, sondern ebenso Microsoft Office und der totgeglaubte Internet Explorer. Nutzer sollten zügig patchen, um sich zu schützen. --------------------------------------------- https://www.golem.de/news/microsoft-patchday-zero-day-luecken-in-windows-of… ∗∗∗ Patchday bei Adobe: After Effects & Co. für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- Sicherheitspatches schließen mehrere Schwachstellen in Anwendungen von Adobe. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://www.heise.de/news/Patchday-bei-Adobe-After-Effects-Co-fuer-Schadcod… ∗∗∗ 800,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in WPvivid Backup WordPress Plugin ∗∗∗ --------------------------------------------- On January 12th, 2026, we received a submission for an Arbitrary File Upload vulnerability in WPvivid Backup, a WordPress plugin with more than 800,000 active installations. This vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. --------------------------------------------- https://www.wordfence.com/blog/2026/02/800000-wordpress-sites-affected-by-a… ∗∗∗ TP-Link Systems Inc. VIGI Series IP Camera ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could result in unauthorized users gaining administrative access to affected closed circuit television cameras. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-01 ∗∗∗ LWN Security updates for Wednesday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/1058265/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 10.02.2026
by Daily end-of-shift report 10 Feb '26

10 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Montag 09-02-2026 18:00 − Dienstag 10-02-2026 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Hackers breach SmarterTools network using flaw in its own software ∗∗∗ --------------------------------------------- SmarterTools confirmed last week that the Warlock ransomware gang breached its network after compromising an email system, but did not impact business applications or account data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-… ∗∗∗ ZeroDayRAT malware grants full access to Android, iOS devices ∗∗∗ --------------------------------------------- A new commercial mobile spyware platform dubbed ZeroDayRAT is being advertised to cybercriminals on Telegram as a tool that provides full remote control over compromised Android and iOS devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zerodayrat-malware-grants-fu… ∗∗∗ Trojaner an Bord: Mit Schadcode verseuchte 7-Zip-Version in Umlauf ∗∗∗ --------------------------------------------- Wer das Packprogramm 7-Zip herunterlädt, sollte dringend auf die korrekte Domain achten. Eine mit Malware verseuchte Version wurde gesichtet. --------------------------------------------- https://www.golem.de/news/trojaner-an-bord-mit-schadcode-verseuchte-7-zip-v… ∗∗∗ Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data ∗∗∗ --------------------------------------------- The Netherlands Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed both agencies (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the countrys parliament on Friday. --------------------------------------------- https://thehackernews.com/2026/02/dutch-authorities-confirm-ivanti-zero.html ∗∗∗ Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself. --------------------------------------------- https://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.h… ∗∗∗ More than 135,000 OpenClaw instances exposed to internet in latest vibe-coded disaster ∗∗∗ --------------------------------------------- By default, the bot listens on all network interfaces, and many users never change it Its a day with a name ending in Y, so you know what that means: Another OpenClaw cybersecurity disaster. --------------------------------------------- https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/ ∗∗∗ Introducing Augustus: Open Source LLM Prompt Injection Tool ∗∗∗ --------------------------------------------- Last month we released Julius, a tool that answers the question: “what LLM service is running on this endpoint?” Julius identifies the infrastructure. But identification is only the first step. The natural follow-up: “now that I know what’s running, how do I test whether it’s secure?” That’s what Augustus does. --------------------------------------------- https://www.praetorian.com/blog/introducing-augustus-open-source-llm-prompt… ∗∗∗ Jetzt patchen! Abermals Attacken auf SolarWinds Web Help Desk beobachtet ∗∗∗ --------------------------------------------- Sicherheitsforschern zufolge nutzen Angreifer derzeit kritische Schadcode-Lücken in SolarWinds Web Help Desk aus. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Abermals-Attacken-auf-SolarWinds-We… ∗∗∗ Archive.today: Betreiber setzt Nutzer für DDoS-Attacke ein ∗∗∗ --------------------------------------------- Der Betreiber von Archive.today setzt Besucher seiner Seite unwissentlich für eine DDoS-Attacke. Betroffener ist ein finnischer Blogger. --------------------------------------------- https://www.heise.de/news/Archive-today-Betreiber-setzt-Nutzer-fuer-DDoS-At… ∗∗∗ North Korean hackers targeted crypto exec with fake Zoom meeting, ClickFix scam ∗∗∗ --------------------------------------------- The scam involved a ClickFix attack where hackers install malware on a device by having the victim try to resolve fictitious technical issues. --------------------------------------------- https://therecord.media/north-korean-hackers-targeted-crypto-exec-clickfix ∗∗∗ Pride Month Phishing Targets Employees via Trusted Email Services ∗∗∗ --------------------------------------------- Attackers are using Pride Month themed phishing emails to target employees worldwide, abusing trusted email platforms like SendGrid to harvest credentials. --------------------------------------------- https://hackread.com/pride-month-phishing-employees-trusted-email-services/ ∗∗∗ New Cybercrime Group 0APT Accused of Faking Hundreds of Breach Claims ∗∗∗ --------------------------------------------- Researchers reveal the new 0APT cyber group is fabricating attacks on large organisations. Learn how they use fake data to trick companies into paying. --------------------------------------------- https://hackread.com/cybercrime-group-0apt-faking-breach-claims/ ∗∗∗ Beyond the Battlefield: Threats to the Defense Industrial Base ∗∗∗ --------------------------------------------- Introduction In modern warfare, the front lines are no longer confined to the battlefield; they extend directly into the servers and supply chains of the industry that safeguards the nation. Today, the defense sector faces a relentless barrage of cyber operations conducted by state-sponsored actors and criminal groups alike. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense… ∗∗∗ Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps ∗∗∗ --------------------------------------------- The purpose of this Alert is to amplify Poland’s Computer Emergency Response Team (CERT Polska’s) Energy Sector Incident Report published on Jan. 30, 2026, and highlight key mitigations for Energy Sector stakeholders. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2026/02/10/poland-energy-sector-cyb… ∗∗∗ Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails ∗∗∗ --------------------------------------------- FortiGuard Labs recently captured a phishing campaign in the wild delivering a new variant of XWorm. XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 that remains actively distributed, including through Telegram-based marketplaces. Once deployed, it provides attackers with full remote control of compromised Windows systems. --------------------------------------------- https://feeds.fortinet.com/~/945702296/0/fortinet/blogs~Deep-Dive-into-New-… ∗∗∗ Tech impersonators: ClickFix and MacOS infostealers ∗∗∗ --------------------------------------------- Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers. --------------------------------------------- https://securitylabs.datadoghq.com/articles/tech-impersonators-clickfix-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (fence-agents, firefox, fontforge, freerdp, kernel-rt, keylime, libsoup, libsoup3, nodejs22, nodejs24, opentelemetry-collector, osbuild-composer, python3.12-wheel, qemu-kvm, resource-agents, thunderbird, and util-linux), Debian (kernel, rlottie, shaarli, and usbmuxd), Fedora (asciinema, atuin, bustle, cef, envision, glycin, greetd, helix, java-21-openjdk, java-25-openjdk, java-latest-openjdk, keylime-agent-rust, maturin, mirrorlist-server, ntpd-rs, python3.6, rust-add-determinism, rust-afterburn, rust-ambient-id, rust-app-store-connect, rust-bat, rust-below, rust-btrd, rust-busd, rust-bytes, rust-cargo-c, rust-cargo-deny, rust-coreos-installer, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-crypto-auditing-log-parser, rust-dua-cli, rust-eif_build, rust-git-delta, rust-git-interactive-rebase-tool, rust-git2, rust-gst-plugin-dav1d, rust-gst-plugin-reqwest, rust-heatseeker, rust-ingredients, rust-jsonwebtoken, rust-lsd, rust-monitord, rust-monitord-exporter, rust-muvm, rust-nu, rust-num-conv, rust-onefetch, rust-oo7-cli, rust-pleaser, rust-pore, rust-pretty-git-prompt, rust-procs, rust-rbspy, rust-rbw, rust-rd-agent, rust-rd-hashd, rust-redlib, rust-resctl-bench, rust-resctl-demo, rust-routinator, rust-sccache, rust-scx_layered, rust-scx_rustland, rust-scx_rusty, rust-sequoia-chameleon-gnupg, rust-sequoia-keystore-server, rust-sequoia-octopus-librnp, rust-sequoia-sq, rust-sevctl, rust-shadow-rs, rust-sigul-pesign-bridge, rust-snpguest, rust-speakersafetyd, rust-tealdeer, rust-time, rust-time-core, rust-time-macros, rust-tokei, rust-weezl, rust-wiremix, rust-ybaas, rustup, sad, tbtools, tuigreet, and uv), Mageia (fontforge and nginx), Oracle (firefox, fontforge, freerdp, kernel, keylime, libsoup, python, thunderbird, and uek-kernel), SUSE (abseil-cpp and kernel), and Ubuntu (freerdp2 and libsoup3). --------------------------------------------- https://lwn.net/Articles/1057993/ ∗∗∗ XSS via back button ∗∗∗ --------------------------------------------- An Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability [CWE-79] in FortiSandbox may allow an unauthenticated attacker to execute commands via crafted requests. FortiSandbox PaaS versions 4.4.8 and 5.0.5 contains the fix for this vulnerability. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-25-093 ∗∗∗ Schwerwiegende Schwachstellen in Google Looker aufgedeckt ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag zu einer Information, die mich vor einigen Tagen erreichte. Sicherheitsforscher von Tenable Research habe zwei schwerwiegende Sicherheitslücken in in Google Looker entdeckt und als "LookOut" bezeichnet. Angreifer können ganze Systeme kapern, um Firmengeheimnisse zu stehlen. --------------------------------------------- https://borncity.com/blog/2026/02/09/schwerwiegende-schwachstellen-in-googl… ∗∗∗ February 2026 Security Update ∗∗∗ --------------------------------------------- Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of rigorous scrutiny and a proactive vulnerability management program. --------------------------------------------- https://www.ivanti.com/blog/february-2026-security-update ∗∗∗ Roundcube 1.7 RC3 released ∗∗∗ --------------------------------------------- We just published the third release candidate for the next major version 1.7 of Roundcube webmail. This release fixes two security issues, and contains a few more fixes for several issues. --------------------------------------------- https://roundcube.net/news/2026/02/09/roundcube-1.7-rc3-released ∗∗∗ Attacken auf BeyondTrust Remote Support und Privileged Remote Access möglich ∗∗∗ --------------------------------------------- Zwei Fernwartungslösungen von BeyondTrust sind verwundbar. Sicherheitsupdates schließen eine kritische Lücke. --------------------------------------------- https://heise.de/-11171444 ∗∗∗ SAP Security Patch Day February 2026 ∗∗∗ --------------------------------------------- SAP has released its February 2026 security patch package containing 27 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes two HotNews vulnerabilities with CVSS ratings up to 9.9, seven High priority issues, sixteen Medium priority fixes, and two Low priority updates. --------------------------------------------- https://redrays.io/blog/sap-security-patch-day-february-2026/ ∗∗∗ Yokogawa FAST/TOOLS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-01 ∗∗∗ AVEVA PI Data Archive ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-03 ∗∗∗ ZLAN Information Technology Co. ZLAN5143D ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 09.02.2026
by Daily end-of-shift report 09 Feb '26

09 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-02-2026 18:00 − Montag 09-02-2026 18:00 Handler: Alexander Riepl Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Datenabfluss vermutet: Cyberangriff trifft EU-Kommission ∗∗∗ --------------------------------------------- Hackern ist ein Cyberangriff auf die EU-Kommission gelungen. Angriffspunkt war ein System zur Verwaltung mobiler Endgeräte – vermutlich von Ivanti. --------------------------------------------- https://www.golem.de/news/datenabfluss-moeglich-cyberangriff-trifft-eu-komm… ∗∗∗ TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure ∗∗∗ --------------------------------------------- Cybersecurity researchers have called attention to a "massive campaign" that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation. --------------------------------------------- https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html ∗∗∗ Technical Analysis of GuLoader Obfuscation Techniques ∗∗∗ --------------------------------------------- In this blog post, Zscaler ThreatLabz explores the anti-analysis techniques that GuLoader employs including polymorphic code to dynamically construct constant and string values, as well as complex exception-based control flow obfuscation. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-guloader… ∗∗∗ Novel Technique to Detect Cloud Threat Actor Operations ∗∗∗ --------------------------------------------- Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The difficulty doesn’t lie in an inability to identify complex alerting operations across thousands of cloud resources or in a failure to follow identity resources, the problem lies in the accurate detection of known persistent threat actor group techniques specifically within cloud environments. --------------------------------------------- https://unit42.paloaltonetworks.com/tracking-threat-groups-through-cloud-lo… ∗∗∗ KI-Assistent OpenClaw bekommt VirusTotal an die Seite ∗∗∗ --------------------------------------------- Der Entwickler von OpenClaw beabsichtigt mit einer VirusTotal-Partnerschaft die Verbreitung von Malware-Skills einzudämmen. --------------------------------------------- https://heise.de/-11169414 ∗∗∗ Evaluating and mitigating the growing risk of LLM-discovered 0-days ∗∗∗ --------------------------------------------- Claude Opus 4.6, released today, continues a trajectory of meaningful improvements in AI models’ cybersecurity capabilities. Last fall, we wrote that we believed we were at an inflection point for AI's impact on cybersecurity—that progress could become quite fast, and now was the moment to accelerate defensive use of AI. The evidence since then has only reinforced that view. AI models can now find high-severity vulnerabilities at scale. Our view is this is a moment to move quickly—to empower defenders and secure as much code as possible while the window exists. --------------------------------------------- https://red.anthropic.com/2026/zero-days/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (fontforge, kernel, and osbuild-composer), Debian (debian-security-support, sudo, wireshark, xrdp, and zabbix), Fedora (bind, bind-dyndb-ldap, chromium, k9s, libgit2, mingw-glib2, node-exporter, open-vm-tools, plantuml, xorgxrdp, and xrdp), Oracle (fence-agents, image-builder, kernel, libsoup3, and osbuild-composer), Red Hat (image-builder and osbuild-composer), Slackware (openssl and p11), SUSE (chromium, cockpit-354, cockpit-machines, cockpit-machines-346, cockpit-packages, cockpit-podman, cockpit-subscriptions, govulncheck-vulndb, kubernetes-old, libsnmp45-32bit, libxml2, localsearch, micropython, opencloud-server, python-django, python-djangorestframework, python-maturin, python311-Django, python311-wheel, python315, sqlite3, and xrdp), and Ubuntu (linux-fips, linux-aws-fips, linux-gcp-fips and python-pip). --------------------------------------------- https://lwn.net/Articles/1057759/ ∗∗∗ Ivanti EPMM (CVE-2026-1281 & CVE-2026-1340) Exploitation Detection RPM Package ∗∗∗ --------------------------------------------- Ivanti has released updates for Endpoint Manager Mobile (EPMM) which addresses two critical severity vulnerabilities. Successful exploitation could lead to unauthenticated remote code execution. We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure. --------------------------------------------- https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-… ∗∗∗ BeyondTrust warns of critical RCE flaw in remote support software ∗∗∗ --------------------------------------------- BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely. --------------------------------------------- https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-critica… ∗∗∗ Microsoft kümmert sich um kritische Sicherheitslücke im Azure-Umfeld ∗∗∗ --------------------------------------------- Microsofts Multi-Cloud-Verwaltungslösung Azure Arc, die serverlose Entwicklungsumgebung Azure Functions und das Content Delivery Network (CDN) Azure Front Door waren verwundbar. Das Technologieunternehmen stuft die Gefahr insgesamt als kritisch ein. --------------------------------------------- https://www.heise.de/news/Microsoft-kuemmert-sich-um-kritische-Sicherheitsl… ∗∗∗ Schadcode-Lücke in FortiClient EMS kann PCs kompromittieren ∗∗∗ --------------------------------------------- Admins, die in Firmen Computer mit FortiClient Endpoint Management Server (EMS) verwalten, sollten die Anwendung aus Sicherheitsgründen zeitnah auf den aktuellen Stand bringen. Eine Schwachstelle in einer bestimmten Version kann Schadcode auf Systeme lassen. --------------------------------------------- https://heise.de/-11170228 ∗∗∗ Security updates 1.6.13 and 1.5.13 released ∗∗∗ --------------------------------------------- We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported two security vulnerabilities. --------------------------------------------- https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13 ∗∗∗ Firewalls und mehr: Fast 4.000 deutsche Edge-Devices hängen ohne Support im Netz ∗∗∗ --------------------------------------------- Deutsche Organisationen betreiben Tausende angreifbarer Edge-Devices wie Firewalls und VPN-Appliances. Es besteht dringender Handlungsbedarf. --------------------------------------------- https://www.golem.de/news/firewalls-und-mehr-fast-4-000-deutsche-edge-devic… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 06.02.2026
by Daily end-of-shift report 06 Feb '26

06 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-02-2026 18:00 − Freitag 06-02-2026 18:00 Handler: Guenes Holler Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ No Pain, No Gain - How Impunity Perpetuates Failure ∗∗∗ --------------------------------------------- It’s time to treat cybersecurity incidents and data breaches like preventable disasters, not the inevitable cost of doing business. --------------------------------------------- https://bytesandborscht.com/no-pain-no-gain-how-impunity-perpetuates-failur… ∗∗∗ Ransomware gang uses ISPsystem VMs for stealthy payload delivery ∗∗∗ --------------------------------------------- Ransomware operators are hosting and delivering malicious payloads at scale by abusing virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-ispsyst… ∗∗∗ Spains Ministry of Science shuts down systems after breach claims ∗∗∗ --------------------------------------------- Spain's Ministry of Science (Ministerio de Ciencia) announced a partial shutdown of its IT systems, affecting several citizen- and company-facing services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spains-ministry-of-science-s… ∗∗∗ CISA orders federal agencies to replace end-of-life edge devices ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new binding operational directive requiring federal agencies to identify and remove network edge devices that no longer receive security updates from manufacturers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies… ∗∗∗ Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new supply chain attack in which legitimate packages on npm and the Python Package Index (PyPI) repository have been compromised to push malicious versions to facilitate wallet credential theft and remote code execution. --------------------------------------------- https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.ht… ∗∗∗ Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries ∗∗∗ --------------------------------------------- Artificial intelligence (AI) company Anthropic revealed that its latest large language model (LLM), Claude Opus 4.6, has found more than 500 previously unknown high-severity security flaws in open-source libraries, including Ghostscript, OpenSC, and CGIF. --------------------------------------------- https://thehackernews.com/2026/02/claude-opus-46-finds-500-high-severity.ht… ∗∗∗ Datenleck bei Substack: Datensatz mit knapp 700.000 Einträgen im Netz ∗∗∗ --------------------------------------------- Cyberkriminelle haben Daten bei Substack abgezogen. Der Datensatz umfasst rund 700.000 Einträge und ist im Netz verfügbar. --------------------------------------------- https://heise.de/-11167482 ∗∗∗ Angriff per Signal: BfV und BSI warnen Politiker, Militärs und Diplomaten ∗∗∗ --------------------------------------------- Ein vergangene Woche bekannt gewordener Angriff auf Nutzer des Messengers Signal zielt auf Bundestagsabgeordnete und andere wichtige Personen ab. --------------------------------------------- https://heise.de/-11168254 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (freerdp, kernel, python3, and python3.12-wheel), Debian (alsa-lib, chromium, openjdk-25, phpunit, tomcat10, tomcat11, and tomcat9), Fedora (openqa, pgadmin4, phpunit10, phpunit11, phpunit12, phpunit8, phpunit9, and yarnpkg), Mageia (python-django), SUSE (alloy, cups, dpdk, expat, glib2, java-1_8_0-ibm, java-1_8_0-openj9, java-25-openjdk, kernel, libpainter0, libsoup, libxml2, openssl-3, python-filelock, python-wheel, python312-Django6, thunderbird, traefik2, udisks2, wireshark, and xen), and Ubuntu (glib2.0, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, python3.14, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and tracker-miners). --------------------------------------------- https://lwn.net/Articles/1057506/ ∗∗∗ TeamViewer: Lücke erlaubt Zugriffe ohne vorherige Bestätigung ∗∗∗ --------------------------------------------- In TeamViewer wurde eine Sicherheitslücke entdeckt, die angemeldeten Angreifern Zugriffe auf Ressourcen erlaubt, bevor diese Berechtigung lokal bestätigt wurde. Aktualisierte Software-Pakete stehen bereit, um die Schwachstelle zu beheben. IT-Verantwortliche, die TeamViewer einsetzen, sollten zügig updaten. --------------------------------------------- https://www.heise.de/news/TeamViewer-Luecke-erlaubt-Zugriffe-ohne-vorherige… ∗∗∗ Sicherheitsupdates F5 BIG-IP: Angreifer können Datenverkehr lahmlegen ∗∗∗ --------------------------------------------- Setzen Angreifer erfolgreich an Sicherheitslücken in BIG-IP-Appliances wie Advanced WAF/ASM oder APM an, können sie Abstürze auslösen oder eigentlich geschützte Daten einsehen. Dagegen stehen abgesicherte Versionen zum Download bereit. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://heise.de/-11167422 ∗∗∗ DSA-6122-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2026/msg00031.html ∗∗∗ TP-Link Systems Inc. VIGI Series IP Camera ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 05.02.2026
by Daily end-of-shift report 05 Feb '26

05 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-02-2026 18:00 − Donnerstag 05-02-2026 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zendesk spam wave returns, floods users with Activate account emails ∗∗∗ --------------------------------------------- A fresh wave of spam is hitting inboxes worldwide, with users reporting that they are once again being bombarded by automated emails generated through companies unsecured Zendesk support systems. Some recipients say they are receiving hundreds of messages with strange or alarming subject lines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zendesk-spam-wave-returns-fl… ∗∗∗ CISA: VMware ESXi flaw now exploited in ransomware attacks ∗∗∗ --------------------------------------------- CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was used in zero-day attacks since at least February 2024. Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) almost one year ago, in March 2025, alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged them all as actively exploited zero-days. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-ex… ∗∗∗ Broken Phishing URLs, (Thu, Feb 5th) ∗∗∗ --------------------------------------------- For a few days, many phishing emails that landed into my mailbox contain strange URLs. [..] But the format of the URLs is broken! In a URL, parameters are extra pieces of information added after a question mark (?) to tell a website more details about a request; they are written as name=value pairs (for example “email=user@domain”), and multiple parameters are separated by an ampersand (&). [..] Threat actors implement this to break security controls. --------------------------------------------- https://isc.sans.edu/diary/rss/32686 ∗∗∗ Three clues that your LLM may be poisoned with a sleeper-agent back door ∗∗∗ --------------------------------------------- The threat sees an attacker embed a hidden backdoor into the model's weights – the importance assigned to the relationship between pieces of information – during its training. Attackers can activate the backdoor using a predefined phrase. [..] In a research paper [PDF] published this week, Kumar and coauthors detailed a lightweight scanner to help enterprises detect backdoored models. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2026/02/05/llm_poisoned… ∗∗∗ Technical Analysis of Marco Stealer ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has discovered an information stealer that we named Marco Stealer, which was first observed in June 2025. Marco Stealer primarily targets browser data, cryptocurrency wallet information, files from popular cloud services like Dropbox and Google Drive, and other sensitive files stored on the victim’s system. Marco Stealer implements several anti-analysis techniques including string encryption and terminating security tools. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-marco-st… ∗∗∗ The Shadow Campaigns: Uncovering Global Espionage ∗∗∗ --------------------------------------------- This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. [..] Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year. --------------------------------------------- https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espi… ∗∗∗ Black Basta: Defense Evasion Capability Embedded in Ransomware Payload ∗∗∗ --------------------------------------------- Normally the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software. However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself. --------------------------------------------- https://www.security.com/threat-intelligence/black-basta-ransomware-byovd ∗∗∗ Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework ∗∗∗ --------------------------------------------- Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. [..] DKnife’s attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates. --------------------------------------------- https://blog.talosintelligence.com/knife-cutting-the-edge/ ∗∗∗ Sanctioned Bulletproof Host Linked to Hijacking of Old Home Routers ∗∗∗ --------------------------------------------- Compromised home routers in 30+ countries had DNS traffic redirected, sending users to malicious sites while normal browsing appeared unaffected. [..] According to Infoblox, the manipulated DNS traffic was routed to resolvers hosted by Aeza International, a Russian bulletproof hosting provider sanctioned by the US government in July 2025. --------------------------------------------- https://hackread.com/sanctioned-bulletproof-host-hijack-old-home-routers/ ∗∗∗ How to write your first obfuscator of Java Bytecode ∗∗∗ --------------------------------------------- In this article I describe Java bytecode obfuscation, using one of the challenges I did in 2023 as part of the interviews with Quarkslab for the position of Java compiler engineer in QShield. --------------------------------------------- http://blog.quarkslab.com/how-to-write-your-first-obfuscator-of-java-byteco… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 05.02.2026 ∗∗∗ --------------------------------------------- Cisco Meeting Management, Cisco Secure Web Appliance, Cisco TelePresence Collaboration Endpoint Software and RoomOS, Cisco Prime Infrastructure, Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure, --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (brotli, curl, kernel, python-wheel, and python3.12), Debian (containerd), Fedora (gnupg2, pgadmin4, phpunit10, phpunit11, phpunit12, phpunit8, phpunit9, and yarnpkg), Mageia (expat), Oracle (qemu-kvm and util-linux), Red Hat (kernel, kernel-rt, opentelemetry-collector, and python3.12-wheel), SUSE (abseil-cpp, dpdk, freerdp, glib2, ImageMagick, java-11-openj9, java-17-openj9, java-1_8_0-ibm, java-1_8_0-openj9, java-1_8_0-openjdk, java-21-openj9, kernel, libsoup, libsoup-3_0-0, openssl-3, patch, python-Django, rekor, rizin, udisks2, and xrdp), and Ubuntu (gh, linux, linux-aws, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-oem-6.17, linux-oracle, linux-raspi, linux-realtime, linux, linux-gke, linux-gkeop, linux-hwe-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, linux-intel-iot-realtime, and linux-realtime, linux-realtime-6.8, linux-raspi-realtime). --------------------------------------------- https://lwn.net/Articles/1057381/ ∗∗∗ Automatisierungstool n8n: Weitere kritische Lücken gestopft ∗∗∗ --------------------------------------------- Im Automatisierungstool n8n haben die Entwickler weitere Sicherheitslücken gestopft. Ein Update auf die jüngste Fassung ist empfehlenswert. [..] Eine Auflistung der neuen CVE-Einträge nach Schweregrad sortiert bietet jedoch einen Überblick, Details finden sich auf der n8n-Sicherheitsseite. --------------------------------------------- https://heise.de/-11165845 ∗∗∗ Splunk: SVD-2026-0201: Third-Party Package Updates in Splunk SOAR - February 2026 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2026-0201 ∗∗∗ Splunk: SVD-2025-1205: Incorrect permissions assignment on Splunk Enterprise for Windows during new installation or upgrade ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1205 ∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in the DDNS configuration CLI command of ZLD firewalls ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Patchday Android: Treiberlücke gefährdet Pixel-Smartphones ∗∗∗ --------------------------------------------- https://heise.de/-11165905 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 04.02.2026
by Daily end-of-shift report 04 Feb '26

04 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-02-2026 18:00 − Mittwoch 04-02-2026 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Wave of Citrix NetScaler scans use thousands of residential proxies ∗∗∗ --------------------------------------------- A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure over the past week used tens of thousands of residential proxies to discover login panels. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-sca… ∗∗∗ Schlüssel kaputt: Weitere Ransomware-Panne führt zu Totalverlust ∗∗∗ --------------------------------------------- In der Nitrogen-Ransomware klafft ein Bug, der alle Lösegeldverhandlungen ad absurdum führt. Die Daten können nicht mehr entschlüsselt werden. --------------------------------------------- https://www.golem.de/news/schluessel-kaputt-weitere-ransomware-panne-fuehrt… ∗∗∗ AI agents cant yet pull off fully autonomous cyberattacks - but they are already very helpful to crims ∗∗∗ --------------------------------------------- Dont relax: This is a when, not if scenario AI agents and other systems cant yet conduct cyberattacks fully on their own - but they can help criminals in many stages of the attack chain, according to the International AI Safety report. --------------------------------------------- https://www.theregister.com/2026/02/03/autonomous_cyberattacks_not_real_yet/ ∗∗∗ Clouds rush to deliver OpenClaw-as-a-service offerings ∗∗∗ --------------------------------------------- As analyst house Gartner declares AI tool ‘comes with unacceptable cybersecurity risk’ and urges admins to snuff it out If you’re brave enough to want to run the demonstrably insecure AI assistant OpenClaw, several clouds have already started offering it as a service. --------------------------------------------- https://www.theregister.com/2026/02/04/cloud_hosted_openclaw/ ∗∗∗ Angriffe auf Solarwinds Web Help Desk, FreePBX und Gitlab beobachtet ∗∗∗ --------------------------------------------- Die CISA warnt vor jüngst beobachteten Angriffen auf Sicherheitslücken in Solarwinds Web Help Desk, FreePBX und Gitlab. --------------------------------------------- https://www.heise.de/news/Angriffe-auf-Solarwinds-Web-Help-Desk-FreePBX-und… ∗∗∗ Phishing: Falsche Cloud-Speicher-Warnung nachverfolgt ∗∗∗ --------------------------------------------- Phishing-Mails zielen nicht nur direkt auf Zugangsdaten ab, sondern bringen Opfer öfter zu Affiliate-Marketing-Seiten. --------------------------------------------- https://www.heise.de/news/Phishing-Falsche-Cloud-Speicher-Warnung-nachverfo… ∗∗∗ Gesucht: Notfallhandwerksdienst, Gefunden: Vermittlungsagentur ∗∗∗ --------------------------------------------- Hinter zahlreichen Webseiten von Notfallinstallateuren, Schlüsseldiensten und ähnlichen Unternehmen stecken gar keine Handwerksbetriebe, sondern lediglich Vermittlungsagenturen. Das ist nicht illegal, kann für Betroffene aber dennoch unangenehme Folgen haben. Woran man die Webauftritte der Agenturen erkennt und wie man am besten für den Ernstfall vorsorgt. --------------------------------------------- https://www.watchlist-internet.at/news/vermittlungsagentur-statt-handwerksd… ∗∗∗ Exclusive: US used cyber weapons to disrupt Iranian air defenses during 2025 strikes ∗∗∗ --------------------------------------------- The U.S. military digitally disrupted Iranian air missile defense systems during its operation last year against the country’s nuclear program, some of the most sophisticated action Cyber Command has taken to date against Iran. --------------------------------------------- https://therecord.media/iran-nuclear-cyber-strikes-us ∗∗∗ Phishing Campaigns Abuse Trusted Cloud Platforms, Raising New Risks for Enterprises ∗∗∗ --------------------------------------------- ANY.RUN experts report a surge in phishing campaigns abusing trusted cloud and CDN platforms to bypass security controls and target enterprise users. --------------------------------------------- https://hackread.com/phishing-campaigns-cloud-platforms-enterprises-risks/ ∗∗∗ React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic ∗∗∗ --------------------------------------------- Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly. --------------------------------------------- https://www.greynoise.io/blog/react2shell-exploitation-consolidates ∗∗∗ Native Sysmon-Integration in Windows rückt näher ∗∗∗ --------------------------------------------- Microsoft hat Windows-Insider-Vorschauen veröffentlicht, die das mächtige Sysmon-Protokollierungstool als Windows-Feature mitbringen. --------------------------------------------- https://heise.de/-11164696 ∗∗∗ Phishing: Falsche Cloud-Speicher-Warnung nachverfolgt ∗∗∗ --------------------------------------------- Phishing-Mails zielen nicht nur direkt auf Zugangsdaten ab, sondern bringen Opfer öfter zu Affiliate-Marketing-Seiten. --------------------------------------------- https://heise.de/-11164973 ∗∗∗ Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious ∗∗∗ --------------------------------------------- Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations. --------------------------------------------- https://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-con… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerability Alert: CVE-2025-40551 in SolarWinds Web Help Desk ∗∗∗ --------------------------------------------- https://www.bitsight.com/blog/cve-2025-40551-solarwinds-critical-vulnerabil… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 03.02.2026
by Daily end-of-shift report 03 Feb '26

03 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Montag 02-02-2026 18:00 − Dienstag 03-02-2026 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Aktive Ausnutzung von Sicherheitslücken in Ivanti Endpoint Manager Mobile (CVE-2026-1281, CVE-2026-1340) ∗∗∗ --------------------------------------------- Zwei kürzlich behobene Sicherheitslücken in Ivanti Endpoint Manager Mobile (CVE-2026-1281 und CVE-2026-1340, siehe dazu unsere Warnung vom 31.01.2026 sowie eine technische Analyse der Sicherheitsexpert:innen von Watchtowr) werden bereits von Bedrohungsakteuren ausgenutzt. Laut Ivanti selbst ist die Untersuchung der bisher bekannten Vorfälle noch im Gange und verlässliche technische Indikatoren liegen noch nicht vor. --------------------------------------------- https://www.cert.at/de/aktuelles/2026/2/aktive-ausnutzung-von-sicherheitslu… ∗∗∗ Hackers exploit critical React Native Metro bug to breach dev systems ∗∗∗ --------------------------------------------- Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-critical-react-n… ∗∗∗ Iron Mountain: Data breach mostly limited to marketing materials ∗∗∗ --------------------------------------------- Iron Mountain, a leading data storage and recovery services company, says that a recent breach claimed by the Everest extortion gang is limited to mostly marketing materials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iron-mountain-data-breach-mo… ∗∗∗ Attackers Harvest Dropbox Logins Via Fake PDF Lures ∗∗∗ --------------------------------------------- A malware-free phishing campaign targets corporate inboxes and asks employees to view "request orders," ultimately leading to Dropbox credential theft. --------------------------------------------- https://www.darkreading.com/cloud-security/attackers-harvest-dropbox-logins… ∗∗∗ Detecting and Monitoring OpenClaw (clawdbot, moltbot) ∗∗∗ --------------------------------------------- Last week, a new AI agent framework was introduced to automate "live". It targets office work in particular, focusing on messaging and interacting with systems. The tool has gone viral not so much because of its features, which are similar to those of other agent frameworks, but because of a stream of security oversights in its design. --------------------------------------------- https://isc.sans.edu/diary/rss/32678 ∗∗∗ Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users ∗∗∗ --------------------------------------------- A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security, exposing users to new supply chain risks. ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills. --------------------------------------------- https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.ht… ∗∗∗ APT28 Leverages CVE-2026-21509 in Operation Neusploit ∗∗∗ --------------------------------------------- In January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain. --------------------------------------------- https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21… ∗∗∗ Neue Runde für den Dauerbrenner: Phishing-SMS im Namen von FinanzOnline ∗∗∗ --------------------------------------------- Wirklich zum Stillstand kam die Betrugsmasche ohnehin nie, aktuell ist aber eine Welle von besonderem Ausmaß zu beobachten. Es geht um die fast schon klassischen Phishing-SMS im Namen von FinanzOnline, die vor einem Ablaufen der Registrierung warnen. In Wahrheit haben es Kriminelle auf die Kontakt- und Bankdaten ihrer Opfer abgesehen. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-sms-finanzonline/ ∗∗∗ WhatsApp Encryption, a Lawsuit, and a Lot of Noise ∗∗∗ --------------------------------------------- It’s not every day that we see mainstream media get excited about encryption apps! For that reason, the past several days have been fascinating, since we’ve been given not one but several unusual stories about the encryption used in WhatsApp. --------------------------------------------- https://blog.cryptographyengineering.com/2026/02/02/whatsapp-encryption-a-l… ∗∗∗ The art of the invisible key: Passkey global breakthrough ∗∗∗ --------------------------------------------- Introduction Passkeys now protects billions of accounts, redefining how the world signs in through stronger, more secure authentication without a password. Yet this global movement runs deeper. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/the-art-of-the-invi… ∗∗∗ The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit ∗∗∗ --------------------------------------------- Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors. --------------------------------------------- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blos… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Unbefugte Zugriffe auf WatchGuard Firebox vorstellbar ∗∗∗ --------------------------------------------- Angreifer können auf Firebox-Firewalls von WatchGuard zugreifen. Reparierte Fireware-OS-Version stehen zum Download bereit. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdate-Unbefugte-Zugriffe-auf-WatchGua… ∗∗∗ Critical vLLM Flaw Exposes Millions of AI Servers to Remote Code Execution ∗∗∗ --------------------------------------------- A newly disclosed security flaw has placed millions of AI servers at risk after researchers identified a critical vulnerability in vLLM, a widely deployed Python package for serving large language models. The issue, tracked as CVE-2026-22778 (GHSA-4r2x-xpjr-7cvv), enables remote code execution (RCE) by submitting a malicious video URL to a vulnerable vLLM API endpoint. The vulnerability affects vLLM versions 0.8.3 through 0.14.0 and was patched in version 0.14.1. --------------------------------------------- https://thecyberexpress.com/cve-2026-22778-vllm-rce-malicious-video-link/ ∗∗∗ ZDI-26-043: (0Day) npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-0775. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-26-043/ ∗∗∗ Micropatches released for Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-62203) ∗∗∗ --------------------------------------------- November 2025 Windows Updates brought a patch for CVE-2025-62203, a remote code execution vulnerability in Microsoft Excel that could allow a remote attacker to have their malicious code executed on users computer upon opening an Excel file. The vulnerability was discovered and reported to Microsoft by Quan Jin with DBAPPSecurity. --------------------------------------------- https://blog.0patch.com/2026/02/micropatches-released-for-microsoft.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (fence-agents, gcc-toolset-15-binutils, golang-github-openprinting-ipp-usb, iperf3, kernel, kernel-rt, openssl, osbuild-composer, php:8.2, python3, util-linux, and wireshark), Debian (clamav and xrdp), Fedora (gimp and openttd), Mageia (docker-containerd), Oracle (gimp:2.8, golang-github-openprinting-ipp-usb, grafana-pcp, image-builder, iperf3, kernel, openssl, osbuild-composer, php, php:8.2, php:8.3, python3.9, util-linux, and wireshark), SUSE (cockpit-subscriptions, elemental-register, elemental-toolkit, glibc, gpg2, logback, openssl-1_1, python-urllib3, ucode-amd, and unbound), and Ubuntu (inetutils, libpng1.6, mysql-8.0, mysql-8.4, openjdk-17, openjdk-17-crac, openjdk-21, openjdk-21-crac, openjdk-25, openjdk-25-crac, openjdk-8, openjdk-lts, and thunderbird). --------------------------------------------- https://lwn.net/Articles/1057047/ ∗∗∗ Jetzt updaten! Angreifer übernehmen SmarterMail-Instanzen als Admin ∗∗∗ --------------------------------------------- Alle drei mittlerweile in SmarterMail 100.0.9511 geschlossenen Sicherheitslücken (CVE-2026-23760), CVE-2026-24423, CVE-2025-52691) sind mit dem Bedrohungsgrad „kritisch“ eingestuft. Alle vorigen Ausgaben sollen verwundbar sein. Der US-Sicherheitsbehörde CISA zufolge nutzen Angreifer die ersten beiden Schwachstellen bereits aus. --------------------------------------------- https://heise.de/-11163471 ∗∗∗ Improper file access permission settings in Mitsubishi Small-Capacity UPS Shutdown Software FREQSHIP-mini for Windows ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN64883963/ ∗∗∗ Kubernetes CVE-2026-24514: ingress-nginx Admission Controller denial of service ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/136680 ∗∗∗ Kubernetes CVE-2026-24513: ingress-nginx auth-url protection bypass ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/136679 ∗∗∗ Kubernetes CVE-2026-24512: ingress-nginx rules.http.paths.path nginx configuration injection ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/136678 ∗∗∗ Kuberenetes CVE-2026-1580: ingress-nginx auth-method nginx configuration injection∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/136677 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 02.02.2026
by Daily end-of-shift report 02 Feb '26

02 Feb '26

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-01-2026 18:00 − Montag 02-02-2026 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Cloud storage payment scam floods inboxes with fake renewals ∗∗∗ --------------------------------------------- Over the past few months, a large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloud-storage-payment-scam-f… ∗∗∗ NationStates confirms data breach, shuts down game site ∗∗∗ --------------------------------------------- NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-b… ∗∗∗ Panera Bread breach impacts 5.1 million accounts, not 14 million customers ∗∗∗ --------------------------------------------- The data breach notification service Have I Been Pwned says that a data breach at the U.S. food chain Panera Bread affected 5.1 million accounts, not 14 million customers as previously reported. --------------------------------------------- https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-imp… ∗∗∗ Spionagegefahr: Verfassungsschutz warnt vor E-Autos aus China ∗∗∗ --------------------------------------------- E-Autos aus China könnten theoretisch ferngesteuert werden. Die technischen Risiken sind dokumentiert - doch auch Tesla sammelt massenhaft Daten. --------------------------------------------- https://www.golem.de/news/spionagegefahr-verfassungsschutz-warnt-vor-e-auto… ∗∗∗ Texteditor: Notepad++-Server gehackt und Update-Traffic manipuliert ∗∗∗ --------------------------------------------- Angreifern ist es gelungen, die Update-Infrastruktur von Notepad++ zu kompromittieren und Traffic umzuleiten. Der Entwickler entschuldigt sich. --------------------------------------------- https://www.golem.de/news/texteditor-notepad-server-gehackt-und-update-traf… ∗∗∗ Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529 ∗∗∗ --------------------------------------------- In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability (CVE-2024-54529) and a double-free vulnerability (CVE-2025-31235) in the coreaudiod system daemon through a process I call knowledge-driven fuzzing. While the first post focused on the process of finding the vulnerabilities, this post dives into the intricate process of exploiting the type confusion vulnerability. --------------------------------------------- https://projectzero.google/2026/01/sound-barrier-2.html ∗∗∗ Google Presentations Abused for Phishing ∗∗∗ --------------------------------------------- Charlie, one of our readers, has forwarded an interesting phishing email. The email was sent to users of the Vivladi Webmail service. --------------------------------------------- https://isc.sans.edu/diary/rss/32668 ∗∗∗ AI Coding Assistants Secretly Copying All Code to China ∗∗∗ --------------------------------------------- There’s a new report about two AI coding assistants, used by 1.5 million developers, that are surreptitiously sending a copy of everything they ingest to China.Maybe avoid using them. --------------------------------------------- https://www.schneier.com/blog/archives/2026/02/ai-coding-assistants-secretl… ∗∗∗ Shadow Directories: A Unique Method to Hijack WordPress Permalinks ∗∗∗ --------------------------------------------- Last month, while working on a WordPress cleanup case, a customer reached out with a strange complaint: their website looked completely normal to them and their visitors, but Google search results were showing something very different. Instead of normal titles and descriptions, Google was displaying casino and gambling-related content. We have been seeing rising cases of spam on WordPress websites. What made this even more confusing was where the spam was appearing. --------------------------------------------- https://blog.sucuri.net/2026/01/shadow-directories-a-unique-method-to-hijac… ∗∗∗ Ex-Google Engineer Convicted for Stealing AI Secrets for China Startup ∗∗∗ --------------------------------------------- A former Google engineer accused of stealing thousands of the companys confidential documents to build a startup in China has been convicted in the U.S., the Department of Justice (DoJ) announced Thursday. --------------------------------------------- https://thehackernews.com/2026/01/ex-google-engineer-convicted-for.html ∗∗∗ Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developers resources to push malicious updates to downstream users. --------------------------------------------- https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used.html ∗∗∗ eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware ∗∗∗ --------------------------------------------- The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems. --------------------------------------------- https://thehackernews.com/2026/02/escan-antivirus-update-servers.html ∗∗∗ Sicherheitslücke: Tausch weiterer elektronischer Heilberufsausweise in Arbeit ∗∗∗ --------------------------------------------- Kunden von D-Trust und SHC+Care müssen ihre bereits ECC-fähigen elektronischen Heilberufsausweise (eHBA) tauschen. Wie viele das betrifft, ist unklar. --------------------------------------------- https://www.heise.de/news/Digital-Health-Tausch-weiterer-E-Heilberufsauswei… ∗∗∗ Anonymisierendes Linux: Notfall-Update Tails 7.4.1 erschienen ∗∗∗ --------------------------------------------- Die auf Anonymität im Netz ausgerichtete Linux-Distribution Tails ist in Version 7.4.1 erschienen – ein Notfall-Update. --------------------------------------------- https://www.heise.de/news/Anonymisierendes-Linux-Notfall-Update-Tails-7-4-1… ∗∗∗ Please Don’t Feed the Scattered Lapsus Shiny Hunters ∗∗∗ --------------------------------------------- A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. --------------------------------------------- https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-s… ∗∗∗ How fake party invitations are being used to install remote access tools ∗∗∗ --------------------------------------------- “You’re invited!” It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers—giving attackers complete control of the system. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intel/2026/02/how-fake-party-invit… ∗∗∗ Microsoft erklärt NTLM als "deprecated" – Deaktivierung in nächster Windows-Version ∗∗∗ --------------------------------------------- Microsoft hat die veraltete NTLM-Authentifizierung in Windows als "deprecated" erklärt. In der nächsten Windows Version (Server und Client) wird NTLM standardmäßig deaktiviert und die Kerberos-Authentifizierung Standard. Damit neigt sich die Verwendung von NTLM seinem Ende zu. --------------------------------------------- https://borncity.com/blog/2026/02/01/microsoft-erklaert-ntlm-als-deprecated… ∗∗∗ US Seizes $400 Million Linked to Helix Dark Web Crypto Mixer ∗∗∗ --------------------------------------------- US authorities take control of over $400 million in crypto, cash, and property tied to Helix, a major darknet bitcoin mixing service used by drug markets. --------------------------------------------- https://hackread.com/us-seizes-400m-helix-dark-web-crypto-mixer/ ∗∗∗ Windows Malware Uses Pulsar RAT for Live Chats While Stealing Data ∗∗∗ --------------------------------------------- We usually think of computer viruses as silent, invisible programs running in the background, but a worrying discovery shows that modern hackers are getting much more personal. --------------------------------------------- https://hackread.com/windows-malware-pulsar-rat-live-chats-steal-data/ ∗∗∗ Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS ∗∗∗ --------------------------------------------- Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. As detailed in our companion report, 'Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft', these campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/defense-against-sh… ∗∗∗ Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft ∗∗∗ --------------------------------------------- Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhun… ∗∗∗ Manic Monday: A Day in the Life of Threat Hunting ∗∗∗ --------------------------------------------- Discover a day in the life of threat hunting with Bitsight Adversary Intelligence. Learn how security teams detect and disrupt threats before damage is done. --------------------------------------------- https://www.bitsight.com/blog/day-in-the-life-threat-hunting ∗∗∗ Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340) ∗∗∗ --------------------------------------------- When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - actively exploited pre-auth Remote Command Execution vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) solution - we sighed with relief. Clearly, the universe had decided to continue mocking Secure-By-Design signers right on schedule - every January. --------------------------------------------- https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-i… ∗∗∗ The European Space Agency got hacked, and now we own the domain used! ∗∗∗ --------------------------------------------- It's not often that two of my interests align so well, but we're talking about space rockets and cyber security! Whilst Magecart and Magecart-style attacks might not be the most common attack vector at the moment, they are still happening with worrying frequency, and they are still catching out some pretty big organisations. --------------------------------------------- https://scotthelme.ghost.io/the-european-space-agency-got-hacked-and-now-we… ∗∗∗ archive.today is directing a DDOS attack against my blog ∗∗∗ --------------------------------------------- Around January 11, 2026, archive.today (aka archive.is, archive.md, etc) started using its users as proxies to conduct a distributed denial of service (DDOS) attack against Gyrovague, my personal blog. --------------------------------------------- https://gyrovague.com/2026/02/01/archive-today-is-directing-a-ddos-attack-a… ∗∗∗ Exploiting MediaTeks Download Agent ∗∗∗ --------------------------------------------- In September 2025, Chimera quietly announced “world-first” support for MediaTek’s latest Dimensity 9400 and 8400 SoCs running DAs compiled months after MediaTek had patched Carbonara. So we figured they’d either found a way around the patches, or they were sitting on something entirely new. We had to find out. --------------------------------------------- https://blog.r0rt1z2.com/posts/exploiting-mediatek-datwo/ ∗∗∗ Hacking Moltbook: The AI Social Network Any Human Can Control ∗∗∗ --------------------------------------------- 1 exposed database. 35,000 emails. 1.5M API keys. And 17,000 humans behind the not-so-autonomous AI network. --------------------------------------------- https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-k… ∗∗∗ Inside Lodash’s Security Reset and Maintenance Reboot ∗∗∗ --------------------------------------------- For more than a decade, Lodash has been one of the most widely deployed libraries in the JavaScript ecosystem. Its utilities are deeply embedded in frameworks, build systems, and production applications across the web. Like many foundational dependencies, Lodash evolved into critical infrastructure long before the ecosystem had strong models for funding, governance, or long-term security operations. --------------------------------------------- https://socket.dev/blog/inside-lodash-security-reset?utm_medium=feed ∗∗∗ Britain and Japan Join Forces on Cybersecurity and Strategic Minerals ∗∗∗ --------------------------------------------- Japan and Britain have agreed to expand cooperation on cybersecurity and critical mineral supply chains, framing the move as a strategic response to intensifying geopolitical, economic, and technological pressures. The British and Japanese cybersecurity strategy and agreement were confirmed during British Prime Minister Keir Starmer’s overnight visit to Tokyo, where leaders from both countries reaffirmed their commitment to collective security and economic resilience. --------------------------------------------- https://thecyberexpress.com/britain-japanese-cybersecurity-cooperation/ ∗∗∗ Russian APT28 Exploit Zero-Day Hours After Microsoft Discloses Office Vulnerability ∗∗∗ --------------------------------------------- Ukraines cyber defenders warn Russian hackers weaponized a Microsoft zero-day within 24 hours of public disclosure, targeting government agencies with malicious documents delivering Covenant framework backdoors. --------------------------------------------- https://thecyberexpress.com/russian-apt28-exploit-zero-day-cve-2026-21509/ ∗∗∗ Default Credentials, Vulnerable Devices Exploited in Polish Energy Grid Attack ∗∗∗ --------------------------------------------- A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, lack of multi-factor authentication (MFA) and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team. --------------------------------------------- https://thecyberexpress.com/default-credentials-polish-energy-grid-attack/ ===================== = Vulnerabilities = ===================== ∗∗∗ OpenSSL: 12 Sicherheitslecks, eines erlaubt Schadcodeausführung und ist kritisch ∗∗∗ --------------------------------------------- In OpenSSL wurden 12 Sicherheitslücken entdeckt – mit KI-Tools. Eine davon gilt als kritisch. Aktualisierte Software steht bereit. --------------------------------------------- https://www.heise.de/news/OpenSSL-12-Sicherheitslecks-eines-erlaubt-Schadco… ∗∗∗ Sicherheitspatches: Root-Attacken auf IBM Db2 möglich ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken gefährden IBMs Datenbankmanagementsystem Db2. Primär können Instanzen abstürzen. --------------------------------------------- https://www.heise.de/news/Sicherheitspatches-Root-Attacken-auf-IBM-Db2-moeg… ∗∗∗ Dell Unity: Angreifer können Schadcode mit Root-Rechten ausführen ∗∗∗ --------------------------------------------- Admins sollten zeitnah ein wichtiges Sicherheitsupdate für Dell Unity Operating Environment installieren. --------------------------------------------- https://www.heise.de/news/Dell-Unity-Angreifer-koennen-Schadcode-mit-Root-R… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (iperf3, kernel, and php), Debian (ceph, pillow, pyasn1, python-django, and python-tornado), Fedora (bind9-next, cef, chromium, fontforge, java-21-openjdk, java-25-openjdk, java-latest-openjdk, mingw-python-urllib3, mingw-python-wheel, nodejs20, nodejs22, nodejs24, opencc, openssl, python-wheel, and qownnotes), Red Hat (binutils, gcc-toolset-13-binutils, gcc-toolset-14-binutils, gcc-toolset-15-binutils, java-1.8.0-openjdk, and java-25-openjdk), Slackware (expat), SUSE (bind, cacti, cacti-spine, chromedriver, chromium, dirmngr, fontforge-20251009, glib2, golang-github-prometheus-prometheus, govulncheck-vulndb, icinga2, ImageMagick, kernel, logback, openCryptoki, openssl-1_1, python311-djangorestframework, python311-pypdf, python314, python315, qemu, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm and linux-aws-fips, linux-fips, linux-gcp-fips). --------------------------------------------- https://lwn.net/Articles/1056923/ ∗∗∗ Privileged File System Vulnerability Present in a SCADA System ∗∗∗ --------------------------------------------- We detail our discovery of CVE-2025-0921. This privileged file system flaw in SCADA system Iconics Suite could lead to a denial-of-service (DoS) attack. --------------------------------------------- https://unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921/ ∗∗∗ Vulnerability & Patch Roundup — January 2026 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2026/01/vulnerability-patch-roundup-january-2026.ht… ∗∗∗ Multiple vulnerabilities in Cybozu Garoon ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35265756/ ∗∗∗ Multiple Microsoft Office products vulnerable to untrusted search path ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN04984838/ ∗∗∗ Sonatype Nexus Repository vulnerable to server-side request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN64861120/ ∗∗∗ OS command injection in raspap-webgui ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN27202136/ ∗∗∗ ZDI-26-050: GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-26-050/ ∗∗∗ KI-Bot: OpenClaw (Moltbot) mit hochriskanter Codeschmuggel-Lücke ∗∗∗ --------------------------------------------- https://www.heise.de/news/KI-Bot-OpenClaw-Moltbot-mit-hochriskanter-Codesch… ∗∗∗ Multiple vulnerabilities in Native Instruments Native Access (MacOS) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ CVE-2025-60021 (CVSS 9.8): command injection in Apache bRPC heap profiler ∗∗∗ --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/cve-2025-60021-cvss… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily February 2026