=====================
= End-of-Day report =
=====================
Timeframe: Monday 16-03-2026 18:00 − Tuesday 17-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks ∗∗∗
---------------------------------------------
The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript. [..] ReliaQuest calls this tactic a “bring your own runtime” (BYOR) attack, as Deno is a legitimate JavaScript/TypeScript runtime that allows JS/TS code execution outside the browser on a system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clic…
∗∗∗ European Security Vendor Targeted by Hackers Fronting as Cisco Domain ∗∗∗
---------------------------------------------
On March 13, 2026, the threat intelligence team at Outpost24, Specops’ parent company, discovered and blocked a sophisticated multi-chain redirect phishing campaign fronting as Cisco, a global network equipment provider. Outpost24’s early detection and rapid response ensured nobody was impacted. The attack is quite complex, leveraging several trusted services as well as compromised legitimate infrastructure to conceal the final phishing destination.
---------------------------------------------
https://specopssoft.com/blog/phishing-campaign-cisco/
∗∗∗ Hacked sites deliver Vidar infostealer to Windows users ∗∗∗
---------------------------------------------
In recent years, ClickFix and fake CAPTCHA techniques have become a popular way for cybercriminals to distribute malware. Our researchers have recently detected a campaign that ultimately delivers the Vidar infostealer, using several different infection chains. [..] Because Vidar loads in memory and communicates with remote command servers, it can quietly collect and exfiltrate data without obvious signs of infection.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/03/hacked-sites-deliver…
∗∗∗ New Vidar 2.0 Infostealer Spreads via Fake Game Cheats on GitHub, Reddit ∗∗∗
---------------------------------------------
The new infostealer campaign spreads Vidar 2.0 via fake game cheats on GitHub and Reddit, stealing crypto, login tokens, and files while targeting young gamers ignoring security warnings.
---------------------------------------------
https://hackread.com/vidar-2-0-infostealer-fake-game-cheats-github-reddit/
∗∗∗ New font-rendering trick hides malicious commands from AI tools ∗∗∗
---------------------------------------------
A new font-rendering attack causes AI assistants to miss malicious commands shown on webpages by hiding them in seemingly harmless HTML. The technique relies on social engineering to persuade users to run a malicious command displayed on a webpage, while keeping it encoded in the underlying HTML so AI assistants cannot analyze it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-font-rendering-trick-hid…
∗∗∗ Pwning AI Code Interpreters in AWS Bedrock AgentCore ∗∗∗
---------------------------------------------
During research into AI code execution environments, BeyondTrust Phantom Labs™ discovered that AWS Bedrock AgentCore Interpreter’s Sandbox network mode does not fully block outbound communication. [..] AWS communicated that a fix will not be made and it will change the documentation’s description of sandbox mode instead. [..] AWS awarded the security researcher with a $100 gift card to the AWS Gear Shop and a CVSSv3 score of 7.5.
---------------------------------------------
https://www.beyondtrust.com/blog/entry/pwning-aws-agentcore-code-interpreter
∗∗∗ We don't need to hack your AI Agent to hack your AI Agent ∗∗∗
---------------------------------------------
The most severe vulnerabilities in AI assistant deployments often have nothing to do with prompt injection, adversarial inputs, or model manipulation. [..] we went ahead and conducted a routine review of a publicly accessible AI assistant operated by a large enterprise organisation, and we identified a backend API URL embedded in a JavaScript asset loaded by the application's frontend. This is a common and often unremarkable finding — backends have URLs, and it's not always avoidable for client-side code to know where to send requests. In this case, however, what sat behind that URL turned out to be the keys to the kingdom.
---------------------------------------------
https://srlabs.de/blog/hacking-ai-agent
∗∗∗ Node.js: Tuesday, March 24, 2026 Security Releases ∗∗∗
---------------------------------------------
The Node.js project will release new versions of the 25.x, 24.x, 22.x and 20.x release lines on or shortly after Tuesday, March 24, 2026 in order to address: 2 high severity issues, 5 medium severity issues, 2 low severity issues.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
∗∗∗ MC1247893: Phishing-resistant Windows sign-in with Microsoft Entra passkeys (preview available) ∗∗∗
---------------------------------------------
Currently (mid-March 2026) the public preview of Microsoft Entra passkeys is starting; it is intended to enable phishing-resistant, passwordless sign-in via Windows Hello to resources protected by Entra, including from unmanaged devices. Enterprise administrators must opt in to this feature and configure policies.
---------------------------------------------
https://borncity.com/blog/2026/03/17/mc1247893-phishing-resistente-windows-…
∗∗∗ Boggy Serpens Threat Assessment ∗∗∗
---------------------------------------------
Boggy Serpens is an Iranian nation-state cyberespionage group active since at least 2017. Assessed to be a subordinate element of the MOIS, the group has primarily targeted government, military and critical infrastructure sectors across the Middle East, the Caucasus, Central and Western Asia, South America and Europe. [..] Unit 42 details their persistent targeting.
---------------------------------------------
https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/
∗∗∗ New Phishing Scam Uses LiveChat to Pose as Amazon and PayPal in Real Time ∗∗∗
---------------------------------------------
Cofense researchers have found a new phishing scam where threat actors use LiveChat software to impersonate brands like Amazon and PayPal. By chatting with victims in real-time, these cybercriminals are able to bypass security codes and steal credit card information. [..] The scam begins with an email. While most junk mail is easy to ignore, these messages stand out for their clever tricks to get you to click. One version mimics a PayPal notification claiming you have a $200.00 USD refund waiting.
---------------------------------------------
https://hackread.com/phishing-scam-livechat-pose-as-amazon-paypal/
∗∗∗ Comeback of the Klimabonus? No, just another phishing attempt! ∗∗∗
---------------------------------------------
We already reported on this scam last year, and now it is back. Criminals are currently sending mass SMS messages announcing the return of the Klimabonus. Anyone who wants to secure their payout must supposedly register immediately. Via a rather well-crafted fake portal, the fraudsters are after personal information and online banking login data.
---------------------------------------------
https://www.watchlist-internet.at/news/comeback-klimabonus-phishing/
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3-EXT-SA-2026-007: Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2026-007
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1063248/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 13-03-2026 18:00 − Monday 16-03-2026 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Supply-chain attack using invisible code hits GitHub and other repositories ∗∗∗
---------------------------------------------
Unicode that's invisible to the human eye was largely abandoned—until attackers took notice.
---------------------------------------------
https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisibl…
∗∗∗ Fake enterprise VPN sites used to steal company credentials ∗∗∗
---------------------------------------------
A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-enterprise-vpn-download…
∗∗∗ AppsFlyer Web SDK hijacked to spread crypto-stealing JavaScript code ∗∗∗
---------------------------------------------
The AppsFlyer Web SDK was temporarily hijacked this week with malicious code used to steal cryptocurrency in a supply-chain attack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/appsflyer-web-sdk-used-to-sp…
∗∗∗ Cyberattack: Hackers attack Polish nuclear reactor operator ∗∗∗
---------------------------------------------
Poland's national nuclear research centre confirms an attempted cyberattack on its own IT. Initial traces allegedly point toward Iran.
---------------------------------------------
https://www.golem.de/news/cyberangriff-hacker-attackieren-polnischen-kernre…
∗∗∗ Connected factories in the crosshairs: Cyberattacks cost the automotive industry billions ∗∗∗
---------------------------------------------
A white paper by the think tank CAM and Cisco shows that damage costs have exploded, with suppliers in particular regarded as the weakest link in the chain.
---------------------------------------------
https://www.heise.de/news/Vernetzte-Fabriken-im-Visier-Cyberangriffe-kosten…
∗∗∗ FBI seeks victims of infected Steam games for its investigations ∗∗∗
---------------------------------------------
The FBI is asking users of eight infected games offered on Steam for help. Players are to support the investigation via a form.
---------------------------------------------
https://www.heise.de/news/FBI-sucht-Opfer-infizierter-Steam-Spiele-fuer-eig…
∗∗∗ Spammers use high fuel prices as bait ∗∗∗
---------------------------------------------
Because of the Iran war, fuel prices remain high. Spammers are exploiting this and want to push useless OBD2 dongles on victims.
---------------------------------------------
https://www.heise.de/news/Spam-Warnung-Betrueger-koedern-mit-angeblichen-Sp…
∗∗∗ Fixed-deposit trap zinsfuchs.com: Warning signs at a glance ∗∗∗
---------------------------------------------
Fixed-term and call-money deposits are regarded as a safe and popular form of investment. But beware: black sheep keep hiding among reputable online providers. A current example is the website zinsfuchs.com, which lures victims into the trap with attractive offers.
---------------------------------------------
https://www.watchlist-internet.at/news/festgeld-falle-zinsfuchscom/
∗∗∗ Roll Your Own... LMS ∗∗∗
---------------------------------------------
People say don't roll your own crypto but nobody ever warns you not to roll your own LMS (when you have minimal dev experience).
---------------------------------------------
https://blog.zsec.uk/roll-your-own-lms/
∗∗∗ Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack ∗∗∗
---------------------------------------------
Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC, Yuze, and a persistent BYOVD technique leveraging the NSec driver.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/c/dissecting-a-warlock-attack.…
∗∗∗ Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape ∗∗∗
---------------------------------------------
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-sh…
∗∗∗ Companies House vulnerability enabled company hijacking ∗∗∗
---------------------------------------------
A major vulnerability in the Companies House website gave unauthorised access to the private dashboard of any of the five million registered companies for five months. It exposed directors’ home addresses and email addresses, and appears to have enabled attackers to change company and director details – and even file accounts.
---------------------------------------------
https://taxpolicy.org.uk/2026/03/13/companies-house-security-vulnerability-…
∗∗∗ Try not to get scammed while looking for work ∗∗∗
---------------------------------------------
A couple of weeks ago a CTO contacted me about a role at their company. After three failed calls, I figured they were trying to access my machine.
---------------------------------------------
https://trysound.io/try-not-to-get-scammed-while-looking-for-work/
∗∗∗ 72 Malicious Open VSX Extensions Linked to GlassWorm Campaign Now Using Transitive Dependencies ∗∗∗
---------------------------------------------
GlassWorm has not re-emerged so much as evolved, and our latest analysis shows a significant escalation in how it spreads through Open VSX. Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established.
---------------------------------------------
https://socket.dev/blog/open-vsx-transitive-glassworm-campaign
∗∗∗ Ongoing Phishing Campaign Abusing Google Cloud Storage to Redirect Users to Multiple Scam Pages ∗∗∗
---------------------------------------------
A few days ago, I published a blog analyzing a phishing campaign abusing Google Cloud infrastructure. While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem.
---------------------------------------------
https://malwr-analysis.com/2026/03/14/ongoing-phishing-campaign-abusing-goo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Chrome: First fix insufficient, new emergency update released ∗∗∗
---------------------------------------------
After Google had already released an emergency update for Chrome on Friday, the vendor followed up in the night to Saturday.
---------------------------------------------
https://www.heise.de/news/Jetzt-aktualisieren-Chrome-Notfall-Update-fuer-No…
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1063095/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 12-03-2026 18:00 − Friday 13-03-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Investigating a New Click-Fix Variant ∗∗∗
---------------------------------------------
Atos Researchers identified a new variant of the popular ClickFix technique, where attackers convince the user to execute a malicious command on their own device through the Win + R shortcut.
---------------------------------------------
https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html
∗∗∗ Rogue AI agents can work together to hack systems and steal secrets ∗∗∗
---------------------------------------------
AI agents work together to bypass security controls and stealthily steal sensitive data from within the enterprise systems in which they operate, according to tests carried out by frontier security lab Irregular.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/03/12/rogue_ai_age…
∗∗∗ A React-based phishing page with credential exfiltration via EmailJS, (Fri, Mar 13th) ∗∗∗
---------------------------------------------
On Wednesday, a phishing message made its way into our handler inbox that contained a fairly typical low-quality lure, but turned out to be quite interesting in the end nonetheless. That is because the accompanying credential stealing web page was dynamically constructed using React and used a legitimate e-mail service for credential collection.
---------------------------------------------
https://isc.sans.edu/diary/rss/32794
∗∗∗ Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163.
---------------------------------------------
https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html
∗∗∗ Ivanti EPMM ‘Sleeper Shells’ not so sleepy? ∗∗∗
---------------------------------------------
In late January 2026 an advisory covering two remote code execution vulnerabilities (CVE-2026-1281 & CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) was published. Shortly after, reports (for example by Tenable) mentioned publicly available proof-of-concept exploits.
---------------------------------------------
https://blog.nviso.eu/2026/03/13/ivanti-epmm-sleeper-shells-not-so-sleepy/
∗∗∗ “Handala Hack” – Unveiling Group’s Modus Operandi ∗∗∗
---------------------------------------------
Handala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor that is known for multiple destructive wiping attacks combined with “hack and leak” operations. The threat actor operates several online personas, with the most prominent among them being Homeland Justice, maintained from mid-2022 specifically for multiple attacks.
---------------------------------------------
https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-op…
∗∗∗ 6 Malicious Packagist Themes Ship Trojanized jQuery and FUNNULL Redirect Payloads ∗∗∗
---------------------------------------------
Six malicious Packagist packages posing as OphimCMS themes contain trojanized jQuery that exfiltrates URLs, injects ads, and loads FUNNULL-linked redirects.
---------------------------------------------
https://socket.dev/blog/6-malicious-packagist-themes-ship-trojanized-jquery…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple security vulnerabilities in AppArmor ("CrackArmor") - updates available ∗∗∗
---------------------------------------------
Security researchers at the company Qualys have discovered a total of nine vulnerabilities in AppArmor, which the experts collectively refer to as "CrackArmor".
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/3/mehrere-sicherheitslucken-in-apparm…
∗∗∗ Veeam warns of critical flaws exposing backup servers to RCE attacks ∗∗∗
---------------------------------------------
Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaw…
∗∗∗ Chrome emergency update: Two actively exploited code-execution vulnerabilities patched ∗∗∗
---------------------------------------------
Google released an emergency update for Chrome in the night to Friday. It patches two security holes that are being attacked in the wild.
---------------------------------------------
https://heise.de/-11209626
∗∗∗ Veeam Backup & Replication: Critical malicious-code-execution vulnerabilities discovered ∗∗∗
---------------------------------------------
The company is closing several critical security vulnerabilities in Veeam Backup & Replication with updates. They allow the execution of malicious code.
---------------------------------------------
https://heise.de/-11209818
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062775/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-03-2026 18:00 − Thursday 12-03-2026 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New PhantomRaven NPM attack wave steals dev data via 88 packages ∗∗∗
---------------------------------------------
New attack waves from the PhantomRaven supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-phantomraven-npm-attack-…
∗∗∗ US disrupts SocksEscort proxy network powered by Linux malware ∗∗∗
---------------------------------------------
Law enforcement agencies in the U.S. and Europe along with private partners have disrupted the SocksEscort cybercrime proxy network that used only edge devices compromised via the AVRecon malware for Linux.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-prox…
∗∗∗ Full access in two hours: AI agent autonomously hacks McKinsey's AI platform ∗∗∗
---------------------------------------------
Researchers set an AI agent loose on McKinsey's Lilli platform. It was able to read out millions of chat messages and other data.
---------------------------------------------
https://www.golem.de/news/vollzugriff-in-zwei-stunden-ki-agent-hackt-eigens…
∗∗∗ When your IoT Device Logs in as Admin, It's too Late! ∗∗∗
---------------------------------------------
Have you ever installed a new device on your home or company router? Even when setup instructions are straightforward, end users often skip the step that matters most: changing default credentials. The excitement of deploying a new device frequently outweighs the discipline of securing it.
---------------------------------------------
https://isc.sans.edu/diary/rss/32788
∗∗∗ Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes ∗∗∗
---------------------------------------------
Agentic web browsers that leverage artificial intelligence (AI) capabilities to autonomously execute actions across multiple websites on behalf of a user could be trained and tricked into falling prey to phishing and scam traps.
---------------------------------------------
https://thehackernews.com/2026/03/researchers-trick-perplexitys-comet-ai.ht…
∗∗∗ Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered half-a-dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud.
---------------------------------------------
https://thehackernews.com/2026/03/six-android-malware-families-target-pix.h…
∗∗∗ Exploit-kit danger: Apple updates older iOS and iPadOS versions ∗∗∗
---------------------------------------------
In the night to Thursday, Apple released important updates for users of iOS and iPadOS 15 and 16. They should be installed quickly.
---------------------------------------------
https://www.heise.de/news/Exploitkit-Gefahr-Apple-aktualisiert-aeltere-iOS-…
∗∗∗ Taming the dragon: reverse engineering firmware with Ghidra ∗∗∗
---------------------------------------------
I stumbled into infosec the same year the NSA graced us with Ghidra. It’s by far become the most used tool in my arsenal for reverse engineering and vulnerability research. It’s free, extensible, and supports some of the quirkier architectures we come across. But its learning curve is steep. This blog post is the culmination of my learnings from spending what may be too many hours in front of Ghidra’s glaring and dated UI.
---------------------------------------------
https://www.pentestpartners.com/security-blog/taming-the-dragon-reverse-eng…
∗∗∗ Subscription trap on your mobile phone bill: How to respond correctly ∗∗∗
---------------------------------------------
Is your mobile phone bill suddenly higher than usual? A look at the bill shows that the reason is a subscription you never knowingly took out. Such cost traps occur time and again. We explain what is behind them and what you can do about it.
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-auf-der-handyrechnung-so-r…
∗∗∗ International cybercrime network dismantled, 700 victims in Austria ∗∗∗
---------------------------------------------
Thousands of private routers had been hijacked. They were used to carry out anonymous attacks on IT systems and to distribute child sexual abuse material.
---------------------------------------------
https://www.derstandard.at/story/3000000312309/internationales-cybercrime-n…
∗∗∗ Announcing Pwn2Own Berlin for 2026 ∗∗∗
---------------------------------------------
Willkommen zurück, meine Damen und Herren, zu unserem zweiten Wettbewerb in Berlin! That’s correct (if Google translate didn’t steer me wrong). After our inaugural competition last year, Pwn2Own returns to Berlin and OffensiveCon. Outside of our shipping troubles, we had an amazing time and can’t wait to get back. Last year, we added Artificial Intelligence as a category with great results.
---------------------------------------------
https://www.thezdi.com/blog/2026/3/11/announcing-pwn2own-berlin-for-2026
∗∗∗ A Nerds Life: Weeks of Firmware Teardown to Prove We Were Right ∗∗∗
---------------------------------------------
This blog post is a follow-up to our previous post describing how we managed to extract the firmware of a smartwatch. It contains many references and details introduced in our previous post; readers are therefore advised to read it first.
---------------------------------------------
http://blog.quarkslab.com/nerd-life-weeks-firmware-teardown-we-were-right.h…
∗∗∗ InTune Compromise Allows Attackers to Remotely Wipe Medical Supply Company Devices ∗∗∗
---------------------------------------------
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today.
---------------------------------------------
https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-…
=====================
= Vulnerabilities =
=====================
∗∗∗ SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites ∗∗∗
---------------------------------------------
An SQL injection vulnerability in Ally, a WordPress plugin from Elementor for web accessibility and usability with more than 400,000 installations, could be exploited to steal sensitive data without authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sqli-flaw-in-elementor-ally-…
∗∗∗ Zero Click Unauthenticated RCE in n8n: A Contact Form That Executes Shell Commands ∗∗∗
---------------------------------------------
Pillar Research team found a zero-click, unauthenticated RCE in n8n. Anyone who can reach a public multi-step form with an HTML rendering can execute shell commands on the server. We worked with the n8n team to fix it. If you use n8n Cloud, you're already protected. If you're self-hosting, update to 2.10.1 / 2.9.3 / 1.123.22 now.
---------------------------------------------
https://www.pillar.security/blog/zero-click-unauthenticated-rce-in-n8n-a-co…
∗∗∗ Aruba switches with AOS-CX: Attackers can reset the admin password ∗∗∗
---------------------------------------------
HPE's network operating system Aruba Networking AOS-CX is vulnerable. The developers have closed several security vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Aruba-Switches-mit-AOS-CX-Angreifer-koennen-Admin…
∗∗∗ HP PCs: Attackers can gain higher privileges via UEFI vulnerabilities ∗∗∗
---------------------------------------------
HP computers can be attacked via several vulnerabilities in the UEFI and Device Manager.
---------------------------------------------
https://www.heise.de/news/HP-PCs-Angreifer-koennen-sich-hoehere-Rechte-uebe…
∗∗∗ Zoom: Network attacks on critical security vulnerability possible ∗∗∗
---------------------------------------------
Zoom's video conferencing software contains security vulnerabilities, some of them critical. Attackers from the network can escalate privileges.
---------------------------------------------
https://www.heise.de/news/Zoom-Videokonferenzsoftware-ermoeglicht-Angreifer…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062570/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-03-2026 18:00 − Wednesday 11-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Analyzing "Zombie Zip" Files (CVE-2026-0866), (Wed, Mar 11th) ∗∗∗
---------------------------------------------
A new vulnerability (CVE-2026-0866) has been published: Zombie Zip. It's a method to create a malformed ZIP file that will bypass detection by most anti-virus engines. The malformed ZIP file cannot be opened with a ZIP utility; a custom loader is required. [..] I will show you how to use my tools to analyze such a malformed ZIP file.
---------------------------------------------
https://isc.sans.edu/diary/rss/32786
∗∗∗ Claude Tried to Hack 30 Companies. Nobody Asked It To. ∗∗∗
---------------------------------------------
We gave AI agents simple research tasks on cloned corporate websites. When the legitimate path was broken, the agents autonomously discovered and exploited SQL injection vulnerabilities to complete the task — with zero hacking instructions in any prompt.
---------------------------------------------
https://trufflesecurity.com/blog/claude-tried-to-hack-30-companies-nobody-a…
∗∗∗ Sextortion “I recorded you” emails reuse passwords found in disposable inboxes ∗∗∗
---------------------------------------------
I found that one particular sender using the name Jenny Green and the Gmail address JennyGreen64868(a)gmail.com sent many of these emails to people that use the FakeMailGenerator service. [..] My guess is that the scammer searched these public inboxes for passwords and then reused those passwords in their sextortion emails.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/03/sextortion-i-recorded-you-em…
∗∗∗ Bitpanda trap: Warning about an unauthorized wallet transfer is a phishing attempt! ∗∗∗
---------------------------------------------
For quite some time now, criminals have been using the financial service provider Bitpanda as a cover for a massive phishing wave. They put pressure on their victims with notifications about allegedly unauthorized wallet transfers or withdrawal attempts. The goals are access to the bank account and the authorization of transfers.
---------------------------------------------
https://www.watchlist-internet.at/news/bitpanda-wallet-transfer-phishing/
∗∗∗ Sednit reloaded: Back in the trenches ∗∗∗
---------------------------------------------
In this blogpost, we have shown that Sednit’s advanced development team is active once again, operating an arsenal centered on two implants – BeardShell and Covenant – deployed in tandem and each leveraging a different cloud provider. This setup enables operators to reestablish access quickly if the infrastructure for one is taken down. We believe that this dual-implant strategy is not new. [..] The Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trench…
∗∗∗ BlackSanta Malware Targets HR Staff with Fake CV Downloads ∗∗∗
---------------------------------------------
It is a classic case of hackers exploiting the one thing recruiters have to do every day: open files from strangers. [..] The threat, dubbed the BlackSanta malware [..] they target the specific workflows of recruiters, sending harmless-looking emails with links to CVs on sites like Dropbox. [..] the attackers are using a technique called steganography. For your information, this involves hiding malicious code inside a normal-looking image.
---------------------------------------------
https://hackread.com/blacksanta-malware-hr-staff-fake-cv-downloads/
∗∗∗ RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities ∗∗∗
---------------------------------------------
A deep dive into the RondoDox botnet, examining its infrastructure, exploit adoption timeline, and methods used to target internet-exposed systems.
---------------------------------------------
https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis
∗∗∗ Microsoft releases Windows 10 KB5078885 extended security update ∗∗∗
---------------------------------------------
Microsoft has released the Windows 10 KB5078885 extended security update to fix the March 2026 Patch Tuesday vulnerabilities, including 2 zero-days and an issue that prevents some devices from shutting down.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Patch Tuesday for March 2026 — Snort rules and prominent vulnerabilities ∗∗∗
---------------------------------------------
Microsoft has released its monthly security update for March 2026 which includes 79 vulnerabilities, including three that Microsoft marked as “critical.”
---------------------------------------------
https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/
∗∗∗ HPE warns of critical AOS-CX flaw allowing admin password resets ∗∗∗
---------------------------------------------
Hewlett Packard Enterprise (HPE) has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including several authentication and code execution issues. [..] The most severe security flaw today is a critical authentication bypass vulnerability (tracked as CVE-2026-23813) that attackers without privileges can exploit in low-complexity attacks to reset admin passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hpe-warns-of-critical-aos-cx…
∗∗∗ Adobe Patch Day: Malicious code injection possible in Reader, Illustrator and others ∗∗∗
---------------------------------------------
Adobe's Patch Day overview lists the eight security bulletins for the individual products. In Adobe Commerce, Commerce B2B and Magento Open Source the developers close 19 security vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Adobe-Patchday-Schadcodeschmuggel-in-Reader-Illus…
∗∗∗ Password manager KeePassXC 2.7.12: What users need to watch for when updating ∗∗∗
---------------------------------------------
The open-source password manager KeePassXC has been released in version 2.7.12. [..] As the developers state in their release blog, the new version contains mitigations against exploits via manipulated OpenSSL configuration files on Windows.
---------------------------------------------
https://www.heise.de/news/KeePassXC-2-7-12-DLL-Schutz-Passkey-Aenderungen-u…
∗∗∗ Fortinet closes brute-force and command injection vulnerabilities in FortiWeb & Co. ∗∗∗
---------------------------------------------
Fortinet closes vulnerabilities in FortiWeb and FortiManager that, among other things, allow command injection. [..] Insufficient checking of the interaction frequency allows unauthenticated attackers to bypass FortiWeb's authentication rate limit with manipulated requests (CVE-2026-24017, CVSS 7.3, risk "high").
---------------------------------------------
https://www.heise.de/news/Fortinet-schliesst-Brute-Force-und-Befehlsschmugg…
∗∗∗ Drupal: Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-029
∗∗∗ Drupal: AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-028
∗∗∗ Cisco: Cisco IOS XR Egress Packet Network Interface Aligner Interrupt Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco: Cisco Multiple Cisco Contact Center Products Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco: Cisco IOS XR Software CLI Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco: Cisco IOS XR Software Multi-Instance Intermediate System-to-Intermediate System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Splunk: Security Advisories 2026-03-11 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ WordPress 6.9.4 Release ∗∗∗
---------------------------------------------
https://wordpress.org/news/2026/03/wordpress-6-9-4-release/
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062403/
∗∗∗ Paloalto: CVE-2026-0230 Cortex XDR Agent: Local Administrator can disable the agent on macOS (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2026-0230
∗∗∗ Paloalto: CVE-2026-0231 Cortex XDR Broker VM: Sensitive Information Disclosure Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2026-0231
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-03-2026 18:00 − Tuesday 10-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Lock the Ghost ∗∗∗
---------------------------------------------
In the software world, “remove” is not equal to “gone.” This is crystal clear. There is always a good reason for that, but even the best reason does not have to be intuitive or expected by the users. Let’s take a short trip through how the Python Package Index handles removals and how we can lock the ghost in an uv.lock file – forever!
---------------------------------------------
https://www.cert.at/en/blog/2026/3/lock-the-ghost
∗∗∗ Microsoft Teams phishing targets employees with A0Backdoor malware ∗∗∗
---------------------------------------------
Hackers contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-tar…
∗∗∗ APT28 hackers deploy customized variant of Covenant open-source tool ∗∗∗
---------------------------------------------
The Russian state-sponsored APT28 threat group is using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customi…
∗∗∗ Microsoft to enable Windows hotpatch security updates by default ∗∗∗
---------------------------------------------
Microsoft will turn on hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, beginning with the May 2026 Windows security update.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enable-hotpatc…
∗∗∗ Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts.
---------------------------------------------
https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html
∗∗∗ KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware called KadNap that's primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic.
---------------------------------------------
https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html
∗∗∗ Bawag phishing: Debit card, PIN code and online banking credentials at risk! ∗∗∗
---------------------------------------------
A well-known phishing scheme is currently being seen particularly often again. The perpetrators send fake e-mails in the name of Bawag warning that the debit card is about to expire. Under the guise of ordering the new card, they request highly sensitive data. In addition, victims are asked to send their old card by post to a Vienna address.
---------------------------------------------
https://www.watchlist-internet.at/news/bawag-phishing-debitkarte/
∗∗∗ Iranian MOIS Actors & the Cyber Crime Connection ∗∗∗
---------------------------------------------
Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives. Iranian actors have long used cyber crime and hacktivism as cover for destructive activity, but the trend now suggests direct engagement with the criminal ecosystem.
---------------------------------------------
https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-co…
∗∗∗ OpenClaw Advisory Surge Highlights Gaps Between GHSA and CVE Tracking ∗∗∗
---------------------------------------------
A recent burst of security disclosures in the OpenClaw project is drawing attention to how vulnerability information flows across advisory and CVE systems.
---------------------------------------------
https://socket.dev/blog/openclaw-advisory-surge-highlights-gaps-between-ghs…
∗∗∗ Cyberattack Forces Polish Hospital Revert to Paper-Based Operations ∗∗∗
---------------------------------------------
The Independent Public Regional Hospital in the western Polish city of Szczecin has been compelled to switch back to a paper-based workflow after suffering a cyberattack over the weekend. Hospital authorities confirmed that the incident, which struck the facility’s IT system on the night of March 7-8, 2026, has temporarily disrupted digital operations, though patients’ health remains uncompromised.
---------------------------------------------
https://thecyberexpress.com/szczecin-public-regional-hospital-cyberattack/
=====================
= Vulnerabilities =
=====================
∗∗∗ SAP Patch Day: NetWeaver vulnerability allows injection of malicious code ∗∗∗
---------------------------------------------
In March, SAP addresses partly critical security vulnerabilities in various products in 15 security bulletins. Admins need to act.
---------------------------------------------
https://heise.de/-11205008
∗∗∗ 30,000 WordPress Sites Affected by Authentication Bypass Vulnerability in Tutor LMS Pro WordPress Plugin ∗∗∗
---------------------------------------------
On December 30th, 2025, we received a submission for an Authentication Bypass vulnerability in Tutor LMS Pro, a WordPress plugin estimated to have more than 30,000 active installations. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address.
---------------------------------------------
https://www.wordfence.com/blog/2026/03/30000-wordpress-sites-affected-by-au…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062260/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-ex…
∗∗∗ Ivanti March 2026 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/march-2026-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-03-2026 18:00 − Monday 09-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Microsoft: Hackers abusing AI at every stage of cyberattacks ∗∗∗
---------------------------------------------
Microsoft says threat actors are increasingly using artificial intelligence in their operations to accelerate attacks, scale malicious activity, and lower technical barriers across all aspects of a cyberattack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai…
∗∗∗ Termite ransomware breaches linked to ClickFix CastleRAT attacks ∗∗∗
---------------------------------------------
Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-…
∗∗∗ VU#976247: Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed zip archives ∗∗∗
---------------------------------------------
Malformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives. Despite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression.
---------------------------------------------
https://kb.cert.org/vuls/id/976247
∗∗∗ Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model ∗∗∗
---------------------------------------------
Anthropic on Friday said it discovered 22 new security vulnerabilities in the Firefox web browser as part of a security partnership with Mozilla. Of these, 14 have been classified as high, seven have been classified as moderate, and one has been rated low in severity.
---------------------------------------------
https://thehackernews.com/2026/03/anthropic-finds-22-firefox.html
∗∗∗ Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft ∗∗∗
---------------------------------------------
Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to downstream customers, inject arbitrary code, and harvest sensitive data.
---------------------------------------------
https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.ht…
∗∗∗ UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device ∗∗∗
---------------------------------------------
The North Korean threat actor known as UNC4899 is suspected to be behind a sophisticated cloud compromise campaign targeting a cryptocurrency organization in 2025 to steal millions of dollars in cryptocurrency.
---------------------------------------------
https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.ht…
∗∗∗ Spyware disguised as emergency-alert app sent to Israeli smartphones ∗∗∗
---------------------------------------------
Steals SMS messages, location data, contacts and delivers them to Hamas-linked crew. Hamas-linked attackers are dropping spyware disguised as an emergency-alert app on Israelis' smartphones via SMS messages, according to security researchers.
---------------------------------------------
https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/
∗∗∗ Russian cybercrims phish their way into officials' Signal and WhatsApp accounts ∗∗∗
---------------------------------------------
Dutch spies flag large-scale campaign to hijack secure messaging accounts. Russian-linked hackers are trying to break into the Signal and WhatsApp accounts of government officials, journalists, and military personnel globally – not by cracking encryption, but by simply tricking people into handing over the keys.
---------------------------------------------
https://www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/
∗∗∗ Middle East Conflict Fuels Opportunistic Cyber Attacks ∗∗∗
---------------------------------------------
Threat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-…
∗∗∗ NIS2: Why so few companies are registering ∗∗∗
---------------------------------------------
The NIS2 registration deadline has passed, but many companies have not yet registered. This is why the implementation of the security directive is stalling.
---------------------------------------------
https://www.heise.de/news/Douglas-Adams-wuerde-NIS2-lieben-11204285.html
∗∗∗ DumpBrowserSecrets – Browser Credential Harvesting with App-Bound Encryption Bypass ∗∗∗
---------------------------------------------
DumpBrowserSecrets extracts saved passwords, cookies, OAuth tokens and autofill data from Chrome, Edge, Firefox, Opera and Vivaldi, bypassing App-Bound Encryption via Early Bird APC injection.
---------------------------------------------
https://www.darknet.org.uk/2026/03/dumpbrowsersecrets-browser-credential-ha…
∗∗∗ LTR101 - Getting into Industry in 2026 ∗∗∗
---------------------------------------------
Breaking into cybersecurity in 2026: SOC roles, blue team skills, labs, certifications, and practical advice to help you land your first job.
---------------------------------------------
https://blog.zsec.uk/ltr101-getting-into-industry-in-2026/
∗∗∗ AI Bot Hackerbot-Claw Targets Microsoft, DataDog and CNCF GitHub Repos ∗∗∗
---------------------------------------------
Security firm Pillar reveals the Chaos Agent in which Hackerbot-Claw, an AI agent, used natural language to compromise major GitHub projects and hijack developer tools.
---------------------------------------------
https://hackread.com/ai-bot-hackerbot-claw-microsoft-datadog-github-repos/
∗∗∗ Behind the console: Active phishing campaign targeting AWS console credentials ∗∗∗
---------------------------------------------
Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phi…
∗∗∗ The first AI agent worm is months away, if that ∗∗∗
---------------------------------------------
I'm convinced that the first AI worm/virus is months away, if that. We've seen the first major evidence of "claw" style agents, which have only been around very briefly, acting in highly malicious ways.
---------------------------------------------
https://dustycloud.org/blog/the-first-ai-agent-worm-is-months-away-if-that/
∗∗∗ ClipXDaemon Malware, a Stealthy Cryptocurrency Clipboard Hijacker on Linux ∗∗∗
---------------------------------------------
Security researchers have identified a new Linux malware strain called ClipXDaemon, a stealthy threat designed to target cryptocurrency users by manipulating copied wallet addresses. Cyble’s Research & Intelligence Labs (CRIL) found the malware delivered through a loader structure previously associated with ShadowHS activity.
---------------------------------------------
https://thecyberexpress.com/clipxdaemon-linux-malware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Nextcloud: Code injection possible through vulnerability in Flow ∗∗∗
---------------------------------------------
In Nextcloud Flow, attackers can abuse a security vulnerability to compromise the instance. An update is available.
---------------------------------------------
https://heise.de/-11203404
∗∗∗ Critical Nginx UI Vulnerability Exposes Server Backups and Sensitive Data ∗∗∗
---------------------------------------------
A newly disclosed vulnerability in Nginx UI, tracked as CVE-2026-27944, has raised major security concerns after researchers confirmed that attackers can download and decrypt server backups without authentication. The flaw, which carries a CVSS score of 9.8, represents a critical security risk for organizations that expose their Nginx UI management interface to the public internet.
---------------------------------------------
https://thecyberexpress.com/cve-2026-27944-nginx-ui-backup-vulnerability/
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062103/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-03-2026 18:00 − Friday 06-03-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Wikipedia hit by self-propagating JavaScript worm that vandalized pages ∗∗∗
---------------------------------------------
The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propag…
∗∗∗ Fake Claude Code install guides push infostealers in InstallFix attacks ∗∗∗
---------------------------------------------
Threat actors are employing a new variation of the ClickFix social engineering technique called InstallFix to convince users into running malicious commands under the pretext of installing legitimate command line interface (CLI) tools.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-claude-code-install-gui…
∗∗∗ Cyberattack: The FBI apparently has hackers in its network ∗∗∗
---------------------------------------------
At the FBI, a system for managing surveillance measures has apparently been compromised. The agency is investigating suspicious activity.
---------------------------------------------
https://www.golem.de/news/cyberangriff-das-fbi-hat-offenbar-hacker-im-netzw…
∗∗∗ Data protection: FBI obtains payment data from Protonmail ∗∗∗
---------------------------------------------
Through mutual legal assistance agreements, personal data can reach law enforcement agencies in the USA even from Switzerland.
---------------------------------------------
https://www.golem.de/news/datenschutz-fbi-gelangt-an-zahlungsdaten-von-prot…
∗∗∗ Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer ∗∗∗
---------------------------------------------
Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware.
---------------------------------------------
https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
∗∗∗ Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver various encrypted remote access trojan (RATs) payloads that correspond to XWorm, AsyncRAT, and Xeno RAT.
---------------------------------------------
https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html
∗∗∗ Warning of attacks on Hikvision, Rockwell Automation and Apple products ∗∗∗
---------------------------------------------
The US IT security agency CISA warns of ongoing attacks on Hikvision, Rockwell Automation and Apple products.
---------------------------------------------
https://www.heise.de/news/Warnung-vor-Angriffen-auf-Hikvision-Rockwell-Auto…
∗∗∗ London: Ten million records stolen in cyberattack on transport authority ∗∗∗
---------------------------------------------
In 2024 there was a cyberattack on the British authority TfL. It has now emerged that data of ten million customers was also stolen in the process.
---------------------------------------------
https://www.heise.de/news/London-Zehn-Millionen-Datensaetze-bei-Cyberangrif…
∗∗∗ BSI: 11,500 critical facilities registered under NIS2 ∗∗∗
---------------------------------------------
By the registration deadline, thousands of companies had completed the process, but almost 20,000 are probably still missing.
---------------------------------------------
https://www.heise.de/news/BSI-11-500-kritische-Einrichtungen-unter-NIS2-reg…
∗∗∗ Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets ∗∗∗
---------------------------------------------
We uncovered a fake CleanMyMac site delivering SHub Stealer, a macOS infostealer that steals credentials and silently backdoors crypto wallets.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site…
∗∗∗ An Investigation Into Years of Undetected Operations Targeting High-Value Sectors ∗∗∗
---------------------------------------------
In-depth analysis of threat activity we call CL-UNK-1068. We discuss their toolset, including tunneling, reconnaissance and credential theft.
---------------------------------------------
https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/
∗∗∗ The Hidden Cyber Risks of Remote Work Infrastructure ∗∗∗
---------------------------------------------
Hidden cyber risks in remote work include insecure home Wi-Fi, phishing attacks, and data exposure, leaving businesses and employees vulnerable to breaches.
---------------------------------------------
https://hackread.com/hidden-cyber-risks-remote-work-infrastructure/
∗∗∗ Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV ∗∗∗
---------------------------------------------
Avira Internet Security ships with a handful of modules that quietly handle privileged operations in the background: software updates, performance monitoring and system cleanup. Each one runs parts of its workflow as SYSTEM. Three of them don't bother checking what they are actually operating on.
---------------------------------------------
http://blog.quarkslab.com/avira-deserialize-delete-and-escalate-the-proper-…
∗∗∗ A GitHub Issue Title Compromised 4,000 Developer Machines ∗∗∗
---------------------------------------------
The attack - which Snyk named "Clinejection" - composes five well-understood vulnerabilities into a single exploit that requires nothing more than opening a GitHub issue.
---------------------------------------------
https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another
∗∗∗ Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects ∗∗∗
---------------------------------------------
Socket’s Threat Research Team uncovered a malicious Chrome extension, lmΤoken Chromophore (extension ID bbhaganppipihlhjgaaeeeefbaoihcgi), that impersonates imToken while presenting itself as a hex color visualizer in the Chrome Web Store. Instead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it.
---------------------------------------------
https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-v…
∗∗∗ A Satellite Receiver Trusted by Pentagon, ESA Has More Than 20 Security Flaws — and the Maker Never Responded ∗∗∗
---------------------------------------------
A penetration tester found more than 20 vulnerabilities in a satellite receiver deployed by the U.S. Department of Defense (also referred to as the Department of War), the European Space Agency, and other critical infrastructure operators worldwide — and the device’s manufacturer, International Data Casting Corporation (IDC), did not respond to a single disclosure attempt over several months.
---------------------------------------------
https://thecyberexpress.com/satellite-receiver-vulnerabilities-unpatched/
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress membership plugin bug exploited to create admin accounts ∗∗∗
---------------------------------------------
Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-…
∗∗∗ Acronis warns of dozens of security vulnerabilities in Cyber Protect ∗∗∗
---------------------------------------------
Acronis is currently warning of more than 20 security vulnerabilities in Cyber Protect. Admins should apply the available updates promptly.
---------------------------------------------
https://www.heise.de/news/Acronis-Cyber-Protect-Zig-Schwachstellen-gefaehrd…
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1061738/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-03-2026 18:00 − Thursday 05-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers ∗∗∗
---------------------------------------------
A maximum severity vulnerability in the FreeScout helpdesk platform allows hackers to achieve remote code execution without any user interaction or authentication. [..] The flaw is tracked as CVE-2026-28289 and bypasses a fix for another remote code execution (RCE) security issue (CVE-2026-27636) that could be exploited by authenticated users with upload permissions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack…
∗∗∗ Critical security vulnerabilities in Cisco Secure Firewall products - updates available ∗∗∗
---------------------------------------------
On March 4, 2026, Cisco published several advisories that together address 17 vulnerabilities in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software and Cisco Secure Firewall Management Center (FMC) Software.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/3/kritische-sicherheitslucken-in-cisc…
∗∗∗ Google says 90 zero-days were exploited in attacks last year ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited throughout 2025, almost half of them in enterprise software and appliances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-wer…
∗∗∗ Malware-laced OpenClaw installers get Bing AI search boost ∗∗∗
---------------------------------------------
Think before you download: OpenClaw, the AI agent that can manage just about anything, is risky all by itself, but now fake installers for it are wreaking havoc. Users who searched Bing’s AI results for “OpenClaw Windows” were directed to a malicious GitHub repository that delivered information stealers and GhostSocks onto their machines.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/03/04/fake_opencla…
∗∗∗ Cybercrime: Authorities take down the data-leak forum LeakBase ∗∗∗
---------------------------------------------
After seizing the database of LeakBase, one of the world's largest cybercrime forums, the authorities identified and arrested several suspects.
---------------------------------------------
https://www.heise.de/news/Cybercrime-Behoerden-schalten-das-Datenleak-Forum…
∗∗∗ European law enforcement dismantles phishing platform ∗∗∗
---------------------------------------------
Tycoon2FA was one of the world's largest phishing operations. It enabled criminals to gain unnoticed access to e-mail accounts. It has now been shut down.
---------------------------------------------
https://www.heise.de/news/Europaeische-Strafverfolgungsbehoerden-zerschlage…
∗∗∗ New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages ∗∗∗
---------------------------------------------
The BoryptGrab campaign illustrates an evolving threat ecosystem that targets users through deceptive software downloads and fake GitHub repositories. Across its many variants, the stealer demonstrates extensive data-harvesting capabilities; its ability to dynamically stage payloads, evade analysis through anti-VM and anti-debug checks, and offload sensitive operations to encrypted payloads shows a level of engineering sophistication that continues to increase.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/c/boryptgrab-stealer-targets-u…
∗∗∗ Fake Zoom, Teams Meeting Invites Use Compromised Certificates to Drop Malware ∗∗∗
---------------------------------------------
A new phishing campaign is using stolen certificates from TrustConnect Software PTY LTD to sign malware. By impersonating updates for Zoom and Microsoft Teams, hackers install RMM tools to gain persistent, privileged access to networks.
---------------------------------------------
https://hackread.com/fake-zoom-teams-invites-malware-certificates/
∗∗∗ Cyberattacks in 2026: the login as a weapon ∗∗∗
---------------------------------------------
Cybercriminals and nation-state actors are increasingly shifting their focus away from laboriously breaking into systems, according to Cloudflare's 2026 threat report. Instead, they prefer the more efficient route of simply logging in with stolen credentials.
---------------------------------------------
https://heise.de/-11200132
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal: AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-022
∗∗∗ Drupal: Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-024
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1061464/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-03-2026 18:00 − Wednesday 04-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations ∗∗∗
---------------------------------------------
The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline.
---------------------------------------------
https://thehackernews.com/2026/03/fake-tech-support-spam-deploys.html
∗∗∗ Attacks on VMware Aria Operations observed ∗∗∗
---------------------------------------------
Last week, Broadcom published a warning about security vulnerabilities in VMware Aria Operations. The software is also used in Cloud Foundation, Telco Cloud Platform, Telco Cloud Infrastructure and vSphere Foundation, so these products are vulnerable as well. CISA now reports attacks on a vulnerability that allows unauthenticated actors to execute arbitrary commands over the network in VMware Aria Operations, and consequently arbitrary malicious code.
---------------------------------------------
https://www.heise.de/news/Angriffe-auf-VMware-Aria-Operations-beobachtet-11…
∗∗∗ ESC tickets: high risk when buying via hellotickets.de! ∗∗∗
---------------------------------------------
There are just under two months to go until the big Eurovision Song Contest (ESC) spectacle. All shows are already sold out. Nevertheless, tickets are supposedly still being offered on the website hellotickets.de.
---------------------------------------------
https://www.watchlist-internet.at/news/esc-tickets-hohes-risiko-helloticket…
∗∗∗ Telegram Increasingly Used to Sell Access, Malware and Stolen Logs ∗∗∗
---------------------------------------------
Cybercriminals are now increasingly using Telegram to sell corporate access, malware subscriptions, and stealer logs, turning the messaging app into a fast cybercrime hub.
---------------------------------------------
https://hackread.com/telegram-used-sell-access-malware-stolen-logs/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2026 Mar 04 ∗∗∗
---------------------------------------------
On March 4, 2026, Cisco released 27 new security advisories. Two of these advisories impact the Cisco Firewall Management Center and have been classified as critical (Authentication Bypass CVE-2026-20079 and Remote Code Execution CVE-2026-20131).
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
∗∗∗ Vulnerability & Patch Roundup — February 2026 ∗∗∗
---------------------------------------------
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2026/02/vulnerability-patch-roundup-february-2026.h…
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1061295/
∗∗∗ [R1] Nessus Manager Versions 10.10.3 and 10.11.3 Fix One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-08