=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 29-04-2026 18:00 − Thursday 30-04-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Popular WordPress redirect plugin hid dormant backdoor for years ∗∗∗
---------------------------------------------
The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users' sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-p…
∗∗∗ RDP Security: CPS Threats Spark Need for Secure Remote Access ∗∗∗
---------------------------------------------
1.8 million RDP and 1.6 million VNC servers are exposed on the internet. [..] 18% of exposed RDP servers run end-of-life Windows versions; an additional 42% run Windows 10, which reached end of support last October. [..] 19,000+ RDP servers remain vulnerable to BlueKeep (CVE-2019-0708) — a critical remote code execution flaw. Nearly 60,000 VNC servers have authentication disabled — 670+ of those have direct access to OT/ICS control panels. [..] Hacktivist groups are sharing custom tools to scan for vulnerable VNC servers and selling access to compromised assets.
---------------------------------------------
https://www.forescout.com/blog/rdp-security-cps-threats-spark-need-for-secu…
∗∗∗ Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution ∗∗∗
---------------------------------------------
Google has addressed a maximum severity security flaw in Gemini CLI -- the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow -- that could have allowed attackers to execute arbitrary commands on host systems. [..] The update addresses the problem by requiring folders to be explicitly trusted before configuration files can be accessed. To that end, users are being urged to review their workflows and adopt one of two approaches.
---------------------------------------------
https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.ht…
∗∗∗ Active exploitation of a severe security vulnerability in cPanel and WHM ∗∗∗
---------------------------------------------
The vendor cPanel has recently released security updates to fix a critical vulnerability (CVE-2026-41940) in the products cPanel & WHM and WP Squared. According to reports from watchTowr, this vulnerability is already being actively exploited by attackers to compromise hosting infrastructure. There are indications that targeted zero-day attacks have been taking place since the end of February 2026.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/4/aktive-ausnutzung-einer-schwerwiege…
∗∗∗ New AI-Powered Bluekit Phishing Kit Targets Major Platforms with MFA Bypass Attacks ∗∗∗
---------------------------------------------
Bluekit Phishing Kit is a new PhaaS tool that targets major platforms, using AiTM techniques to steal session data and bypass MFA protections. [..] According to Varonis’ experts, when a victim enters their details on a fake Bluekit page, the kit doesn’t just grab the password; it also steals session cookies and local storage data.
---------------------------------------------
https://hackread.com/bluekit-phishing-kit-targets-platforms-mfa-bypass-atta…
∗∗∗ Adapting Zero Trust Principles to Operational Technology ∗∗∗
---------------------------------------------
This guidance supports OT owners and operators in addressing the unique challenges of transitioning to a ZT architecture, considering technology gaps from legacy infrastructure, operational constraints, and safety requirements. It focuses on establishing comprehensive asset visibility, proactively addressing supply chain risks, and implementing robust identity and access management while stressing the importance of layered security measures—including network segmentation, secure communication protocols, and vulnerability management.
---------------------------------------------
https://www.cisa.gov/resources-tools/resources/adapting-zero-trust-principl…
∗∗∗ Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables ∗∗∗
---------------------------------------------
The Socket Research Team has detected an active supply-chain attack targeting the unscoped tanstack package on npm, a brand-squatted impersonation of the legitimate @tanstack/* organization. Beginning today, the package's maintainer (sh20raj) began pushing malicious versions that silently steal environment variable files, including .env, .env.local, and .env.production, from developers' machines at install time, exfiltrating them to an attacker-controlled endpoint. Versions 2.0.4 through 2.0.7 are confirmed malicious.
---------------------------------------------
https://socket.dev/blog/tanstack-brandsquat-compromise?utm_medium=feed
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall SonicOS: Vulnerability allows management interface access ∗∗∗
---------------------------------------------
SonicWall warns of three security vulnerabilities in SonicOS. [..] The most severe is a vulnerability the developers classify as weak authentication. It allows attackers unauthorized access to certain, unspecified management interface functions under circumstances that are likewise unspecified (CVE-2026-0204, CVSS 8.0, risk "high").
---------------------------------------------
https://www.heise.de/news/SonicWall-SonicOS-Sicherheitsluecke-erlaubt-Manag…
∗∗∗ ProFTPD: Code injection possible via mod_sql ∗∗∗
---------------------------------------------
According to the vulnerability description, mod_sql in ProFTPD before version 1.3.10rc1 is affected. Via the transmitted username, malicious actors on the network can inject arbitrary SQL commands and malicious code without prior authentication. This works in scenarios that log USER requests with extensions such as "%U" and where the SQL backend permits commands such as "COPY TO PROGRAM" (CVE-2026-42167, CVSS 8.1, risk "high"). [..] Admins should therefore check whether they use mod_sql at all, for example for logging to databases.
---------------------------------------------
https://www.heise.de/news/ProFTPD-Codeschmuggel-durch-mod-sql-moeglich-1127…
∗∗∗ Copy Fail: Critical Linux kernel vulnerability enables local root privileges ∗∗∗
---------------------------------------------
The vulnerability lies in the Linux kernel and stems from a simple but serious logic error. It lets users write a small amount of data into memory areas that are supposed to be protected. That is enough to modify internal structures and gain higher privileges. The process works reliably and without the usual hurdles such as race conditions or special system dependencies.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/4/copy-fail-kritische-linux-kernel-sc…
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1070640/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 28-04-2026 18:00 − Wednesday 29-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Via git push command: Attackers could have hijacked millions of GitHub repos ∗∗∗
---------------------------------------------
Security researchers at Wiz have discovered an extremely dangerous vulnerability in GitHub's internal Git infrastructure. According to the researchers' blog post, attackers could have smuggled malicious code onto GitHub's backend servers with a simple git push command and thereby penetrated deep into the infrastructure. GitHub Enterprise Server is also affected. [..] On GitHub.com, the flaw is said to have been patched within a few hours of the researchers' report. [..] Anyone running their own GitHub Enterprise Server, however, must install the patch themselves if they have not already done so.
---------------------------------------------
https://www.golem.de/news/per-git-push-befehl-angreifer-haetten-millionen-v…
∗∗∗ After cyberattack: Hackers extort Vimeo with user data ∗∗∗
---------------------------------------------
The notorious cyber actor ShinyHunters has apparently obtained data from the popular video platform and YouTube alternative Vimeo in a cyberattack on a service provider. According to the operator's statement, both user and customer data are affected. [..] The cause of the data leak was reportedly a security incident at the AI analytics provider Anodot.
---------------------------------------------
https://www.golem.de/news/cyberangriff-trifft-videoplattform-hacker-erbeute…
∗∗∗ LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure ∗∗∗
---------------------------------------------
In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI's LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge. The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying LiteLLM proxy database. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example, POST /chat/completions) and reach this query through the proxy's error-handling path.
---------------------------------------------
https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
∗∗∗ 30 ClawHub skills secretly turn AI agents into a crypto swarm ∗∗∗
---------------------------------------------
Thirty ClawHub skills published by a single author are silently co-opting AI agents and creating a mass cryptocurrency mining swarm – without any malware or user consent.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/29/30_clawhub_s…
∗∗∗ CISA flags data-theft bug in NSA-built OT networking tool ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information. [..] GrassMarlin went EOL in 2017, so there are no fixes in the works.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/29/cisa_flags_d…
∗∗∗ Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer ∗∗∗
---------------------------------------------
A new npm supply-chain compromise is targeting the SAP developer ecosystem. [..] The pattern is familiar but also a bit different: a trusted package receives a new preinstall hook, the hook runs a new setup.mjs file, and that loader downloads the Bun JavaScript runtime to execute a large obfuscated payload named execution.js. The payload is an 11.7 MB credential stealer and propagation framework.
---------------------------------------------
https://www.aikido.dev/blog/mini-shai-hulud-has-appeared
∗∗∗ Fake crypto casino: When celebrities promise a registration bonus ∗∗∗
---------------------------------------------
Using hijacked social media profiles or cleverly placed advertisements, criminals lure their victims into supposed crypto casinos. A deposit of 200 euros is said to unlock a registration bonus of 2,500 euros. Before any winnings can be claimed, however, various fees and taxes must first be paid.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-krypto-casino/
∗∗∗ RIPE NCC RPKI exploit chain ∗∗∗
---------------------------------------------
One click on a malicious, but not suspicious, link. That is all it could take for a network operator to get disconnected from the internet, through a chain of vulnerabilities I discovered. From that single click, I could fully control their routing authorisations in a RIPE NCC portal, telling the rest of the internet not to accept their routes. I could also hijack all their RIPE Database objects, locking the legitimate owners out until RIPE NCC staff manually restore them. This attack chain comes down to surprising entry points, risky architectural decisions, and components that don’t look security-critical until they are.
---------------------------------------------
https://mxsasha.eu/posts/ripe-ncc-rpki-exploit-chain/
=====================
= Vulnerabilities =
=====================
∗∗∗ IT security platform: Attackers can compromise Wazuh ∗∗∗
---------------------------------------------
As the security section of Wazuh's GitHub site shows, a vulnerability (CVE-2026-30893) has been rated with the threat level "critical". In a path traversal attack, attackers can gain unauthorized access to paths that are supposed to be protected.
---------------------------------------------
https://www.heise.de/news/IT-Sicherheitsplattform-Anreifer-koennen-Wazuh-ko…
∗∗∗ Vulnerability in cPanel and WHM (28 April 2026) ∗∗∗
---------------------------------------------
On 28 April 2026, serious vulnerabilities in the software became known. They allow unauthorized login to the cPanel or WHM interface.
---------------------------------------------
https://borncity.com/blog/2026/04/29/schwachstelle-in-cpanel-und-whm/
∗∗∗ Another critical security vulnerability in Nginx UI closed ∗∗∗
---------------------------------------------
One vulnerability (CVE-2026-42238) is rated "critical". Because the backup restore points are reachable without authentication for ten minutes after every fresh installation and every restart, remote attackers can upload manipulated backups. In doing so they can overwrite the configuration file app.ini with their own commands and gain full control over instances. By successfully exploiting a further flaw (CVE-2026-42221, "high"), attackers can hijack admin accounts during initial setup. This is said to be possible without authentication.
---------------------------------------------
https://heise.de/-11276012
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1070428/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 27-04-2026 18:00 − Tuesday 28-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Open source package with 1 million monthly downloads stole user credentials ∗∗∗
---------------------------------------------
On Friday, unknown attackers exploited the vulnerability to push a new version of element-data, a command-line interface that helps users monitor performance and anomalies in machine-learning systems. [..] The malicious version was tagged as 0.23.3 and was published to the developers’ Python Package Index and Docker image accounts. It was removed about 12 hours later, on Saturday. [..] If you’re one of millions using element-data, it’s time to check for compromise.
---------------------------------------------
https://arstechnica.com/security/2026/04/open-source-package-with-1-million…
∗∗∗ Windows Shell vulnerability under attack ∗∗∗
---------------------------------------------
In February, Microsoft closed a Windows Shell vulnerability, but incompletely. Attacks have now been discovered. [..] The impact appears less severe than before the inadequate February patch. [..] Akamai, however, has published a more detailed analysis on its blog. Unlike Microsoft, the IT analysts classify the new vulnerability as a zero-click vulnerability. [..] Microsoft fixed the new vulnerability CVE-2026-32202 (CVSS 4.3, risk "medium") with software patches on the April Patch Tuesday.
---------------------------------------------
https://www.heise.de/news/Windows-Shell-Luecke-wird-angegriffen-11274647.ht…
∗∗∗ Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data ∗∗∗
---------------------------------------------
Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository. Although the investigation is ongoing, Checkmarx believes that the access vector was the Trivy supply-chain attack attributed to the hacker group known as TeamPCP, which provided access to credentials from downstream users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/checkmarx-confirms-lapsus-ha…
∗∗∗ Cyberattack hits Medtronic: Data theft at major medical technology company ∗∗∗
---------------------------------------------
Medtronic is best known for its pacemakers. Now the company admits that hackers were able to exfiltrate data from its IT environment. [..] According to a report by Bleeping Computer, ShinyHunters had already extorted Medtronic on the darknet on 18 April. The hacker group claimed there to have stolen more than nine million records, or "terabytes" of personal data and other internal company information. [..] The company further asserts that its hospital customers' networks are separated from Medtronic's IT networks and are secured and managed by the respective customers' IT teams.
---------------------------------------------
https://www.golem.de/news/datenklau-cyberangriff-trifft-medizintechnik-konz…
∗∗∗ Cyber Threat Intelligence - Art, Science, something else entirely? ∗∗∗
---------------------------------------------
As everyone who has been in this area for a while can probably still remember, hoarding indicators of compromise is a fun activity and can be incredibly enticing when you have not yet a real clue of what you are doing. It is, at least initially, certainly more interesting than diving straight into anthropological, psychological, sociological, or analytical textbooks. However, as I became more experienced in and, more importantly, more fascinated by the analytical work that makes intelligence .. well, intelligence .. I began to notice that it's not really clear what "type" of activity intelligence analysis is.
---------------------------------------------
https://bytesandborscht.com/cyber-threat-intelligence-art-science-something…
∗∗∗ Secure Boot certificates: Microsoft Defender provides an overview ∗∗∗
---------------------------------------------
Time is running out: the Secure Boot certificates from 2011 expire starting in June of this year. [..] In the message center of the Windows release health notes, Microsoft has now announced the new feature for Microsoft Defender. [..] IT teams can now view, from a central location, the rollout of the 2023 Secure Boot certificates across their device fleet, the company explains.
---------------------------------------------
https://www.heise.de/news/Secure-Boot-Zertifikate-Microsoft-Defender-versch…
∗∗∗ VECT: Ransomware by design, Wiper by accident ∗∗∗
---------------------------------------------
VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that made its first appearance in December 2025 on a Russian-language cybercrime forum. [..] Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them.
---------------------------------------------
https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-acc…
∗∗∗ AI grandparent scam and deepfakes: Interpol warns of intensified wave of fraud ∗∗∗
---------------------------------------------
Europe has become the primary target of a global wave of fraud. According to Interpol's "Global Financial Fraud Threat Assessment 2026", no other region recorded such a sharp rise in scams: an increase of 69 percent compared to the previous year. [..] The Interpol report makes clear that the success of these scams rests on a criminal underground with a pronounced division of labour. One factor is the rise of "fraud-as-a-service" models.
---------------------------------------------
https://heise.de/-11274056
=====================
= Vulnerabilities =
=====================
∗∗∗ Xen Security Advisories 20.04.2026 ∗∗∗
---------------------------------------------
Xen has released 5 new security advisories.
---------------------------------------------
https://xenbits.xen.org/xsa/
∗∗∗ Mozilla Security Advisories for Firefox 28.04.2026 ∗∗∗
---------------------------------------------
Mozilla has released multiple security advisories for Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1 (1x critical).
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Notepad++ Releases 8.9.4 Patch to Fix String Injection Vulnerability (CVE-2026-3008) in 8.9.3 ∗∗∗
---------------------------------------------
A vulnerability has been identified in the popular open-source text editor Notepad++, with the release of CVE-2026-3008. The vulnerability, discovered and reported by CSA under its Responsible Vulnerability Disclosure Policy, is linked to a potential string injection flaw in Notepad++ version 8.9.3. To mitigate the risk associated with this vulnerability, users and administrators are strongly urged to update their installations to version 8.9.4 immediately.
---------------------------------------------
https://thecyberexpress.com/notepad-cve-2026-3008-vulnerability/
∗∗∗ Security updates available in Foxit PDF Reader 2026.1.1 and Foxit PDF Editor 2026.1.1/14.0.4 ∗∗∗
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1070184/
∗∗∗ Zyxel security advisory for command injection vulnerabilities in certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 24-04-2026 18:00 − Monday 27-04-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cyber Threat Intelligence - Art, Science, something else entirely? ∗∗∗
---------------------------------------------
Is Cyber Threat Intelligence an art, science, both, or something else entirely?
---------------------------------------------
https://bytesandborscht.com/cyber-threat-intelligence-art-science-something…
∗∗∗ New BlackFile extortion group linked to surge of vishing attacks ∗∗∗
---------------------------------------------
A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang…
∗∗∗ ADT confirms data breach after ShinyHunters leak threat ∗∗∗
---------------------------------------------
Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-aft…
∗∗∗ Glitch in RDP connections: Windows update shipped with broken warning message ∗∗∗
---------------------------------------------
New warning messages are meant to protect Windows users from malicious RDP files. But they are sometimes neither readable nor usable.
---------------------------------------------
https://www.golem.de/news/panne-bei-rdp-verbindungen-windows-update-mit-kap…
∗∗∗ Attacks on corporate networks: Hackers trick Teams users with spam ∗∗∗
---------------------------------------------
Google researchers warn of a hacker group that tricks Microsoft Teams users in order to smuggle dangerous malware into corporate networks.
---------------------------------------------
https://www.golem.de/news/attacken-auf-firmennetzwerke-hacker-tricksen-team…
∗∗∗ FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER.
---------------------------------------------
https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.ht…
∗∗∗ Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran's nuclear program by destroying uranium enrichment centrifuges.
---------------------------------------------
https://thehackernews.com/2026/04/researchers-uncover-pre-stuxnet-fast16.ht…
∗∗∗ LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure ∗∗∗
---------------------------------------------
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs), has come under active exploitation in the wild less than 13 hours after its public disclosure.
---------------------------------------------
https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.ht…
∗∗∗ Health data from UK Biobank offered on Alibaba ∗∗∗
---------------------------------------------
Health data from the UK Biobank was offered online. Access has since been stopped. Further security measures are planned.
---------------------------------------------
https://www.heise.de/news/Gesundheitsdaten-aus-UK-Biobank-auf-Alibaba-angeb…
∗∗∗ New ClickFix attack Hides in Native Windows Tools to Reduce Detection Risk ∗∗∗
---------------------------------------------
Fake CAPTCHA ClickFix attack tricks users into running malicious commands, using cmdkey and regsvr32 to maintain persistence and avoid detection on Windows.
---------------------------------------------
https://hackread.com/clickfix-variant-native-windows-tools-bypass-security/
∗∗∗ Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege Escalation ∗∗∗
---------------------------------------------
Microsoft Entra Agent ID flaw allowed privilege escalation and tenant takeover via Service Principal abuse, now fully patched by Microsoft.
---------------------------------------------
https://hackread.com/microsoft-entra-agent-id-flaw-tenant-takeover/
∗∗∗ Attacks on SimpleHelp, Samsung MagicINFO and D-Link DIR-823X observed ∗∗∗
---------------------------------------------
The US agency CISA warns of observed attacks on vulnerabilities in SimpleHelp, Samsung MagicINFO and D-Link DIR-823X.
---------------------------------------------
https://heise.de/-11272629
∗∗∗ 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations ∗∗∗
---------------------------------------------
Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery vehicles.
---------------------------------------------
https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm?utm_medium…
∗∗∗ Udemy Data Breach — ShinyHunters Claims 1.4M Records ∗∗∗
---------------------------------------------
The notorious cybercriminal group ShinyHunters posted a “Pay or Leak” warning on their data leak site on April 24, 2026, claiming the compromise of over 1.4 million records containing PII and internal corporate data from Udemy. The final deadline set for Udemy to respond is April 27, 2026, or face public exposure.
---------------------------------------------
https://thecyberthrone.in/2026/04/24/udemy-data-breach-shinyhunters-claims-…
∗∗∗ Operation TrustTrap Reveals 16,800 Fake Domains Exploiting User Trust ∗∗∗
---------------------------------------------
In a world where digital threats are becoming more confusing, Cyble Research and Intelligence Labs (CRIL) has uncovered one of the most extensive deceptive domain spoofing campaigns to date.
---------------------------------------------
https://thecyberexpress.com/operation-trusttrap/
∗∗∗ Fake CAPTCHA Scam Abuses Verification Clicks to Send Costly International Texts ∗∗∗
---------------------------------------------
Research from Infoblox reveals a massive Click2SMS fraud scheme using fake CAPTCHAs and back button hijacking to trick victims into sending costly international texts.
---------------------------------------------
https://hackread.com/fake-captcha-pages-exploit-clicks-send-texts/
=====================
= Vulnerabilities =
=====================
∗∗∗ Ad blocker Pi-hole: Update closes code injection and privilege escalation flaws ∗∗∗
---------------------------------------------
The developers have updated the DNS-based ad blocker Pi-hole. The update closes high-risk security holes.
---------------------------------------------
https://www.heise.de/news/Werbeblocker-Pi-hole-Update-stopft-Codeschmuggel-…
∗∗∗ VMware Tanzu Spring Boot: Attackers can access endpoints ∗∗∗
---------------------------------------------
Important security updates close several vulnerabilities in Spring Boot, a component of the VMware Tanzu Spring Framework.
---------------------------------------------
https://heise.de/-11272771
∗∗∗ "Pack2TheRoot": Vulnerability affects several Linux distributions ∗∗∗
---------------------------------------------
The Telekom security team has discovered the "Pack2TheRoot" vulnerability, which enables privilege escalation in several distributions.
---------------------------------------------
https://heise.de/-11272897
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1069938/
∗∗∗ K000160994: SQLite vulnerability CVE-2025-70873 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000160994
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 23-04-2026 18:00 − Friday 24-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Trigona ransomware attacks use custom exfiltration tool to steal data ∗∗∗
---------------------------------------------
Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trigona-ransomware-attacks-u…
∗∗∗ LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure ∗∗∗
---------------------------------------------
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving LLMs, has come under active exploitation in the wild less than 13 hours after its public disclosure.
---------------------------------------------
https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.ht…
∗∗∗ Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 ∗∗∗
---------------------------------------------
Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the abuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access.
---------------------------------------------
https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html
∗∗∗ Agency for secured identity documents breached – millions of French citizens affected ∗∗∗
---------------------------------------------
France's identity document agency admits that data of 12 million French citizens is being offered for sale on the black market. The perpetrator claims 19 million.
---------------------------------------------
https://www.heise.de/news/Behoerde-fuer-abgesicherte-Ausweise-geknackt-Mill…
∗∗∗ Handala Hack Team: Threat Actor Profile ∗∗∗
---------------------------------------------
Handala Hack Team, also stylized as Handala_hack, is a hacktivist threat group aligned with pro-Palestinian messaging and Iranian strategic interests. It emerged in December 2023 following the escalation of the Gaza conflict, shortly after the 7 October 2023 Hamas attack on Israel, presenting itself as a pro-Palestinian hacktivist collective. Its operations closely mirror Iranian state-linked activity and indicate a focus on disruption and psychological impact rather than financial gain.
---------------------------------------------
https://outpost24.com/blog/handala-hack-threat-profile/
∗∗∗ Analyzing GLOBAL GROUP (BlackLock) Artifacts ∗∗∗
---------------------------------------------
In the rapidly evolving threat landscape of early 2026, ransomware operations have shifted dramatically toward high-impact infrastructure targets, with VMware ESXi hypervisors emerging as a prime vector for mass disruption. GLOBAL GROUP is one of those ransomware groups. It all started today with a technical analysis of an X domain publicly shared by MalwareHunterTeam and the leak of the whole RAMP ecosystem.
---------------------------------------------
https://detect.fyi/analyzing-global-group-blacklock-artifacts-72dabc14c500?…
=====================
= Vulnerabilities =
=====================
∗∗∗ Update #1: Serious vulnerabilities in Cisco Adaptive Security Appliance - actively exploited - updates available ∗∗∗
---------------------------------------------
Cisco has published information on an attack campaign that has presumably been running for several months. As part of this campaign, attackers who were already attributed a broad campaign against edge devices last year compromised Cisco Adaptive Security Appliance (ASA) systems of the 5500-X series with "VPN web services" enabled, in order to subsequently place malware on the taken-over devices and steal data.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/4/schwerwiegende-sicherheitslucken-in…
∗∗∗ Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks ∗∗∗
---------------------------------------------
Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver. On Friday, Internet security watchdog Shadowserver also warned that over 10,500 Zimbra servers exposed online remain unpatched, most of them in Asia (3,794) and Europe (3,793).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-says-zimbra-flaw-now-ex…
∗∗∗ Undetected for almost 12 years: Telekom uncovers dangerous root vulnerability in Linux ∗∗∗
---------------------------------------------
Security researchers at Telekom let Claude loose on Linux systems. The AI found a root vulnerability in PackageKit that has existed since 2014.
---------------------------------------------
https://www.golem.de/news/fast-12-jahre-unentdeckt-telekom-deckt-gefaehrlic…
∗∗∗ Patch fixes broken access control in HCL BigFix Service Management ∗∗∗
---------------------------------------------
The AI-supported endpoint management platform HCL BigFix Service Management is vulnerable. Due to broken access control, attackers can access instances. A security patch is available for download. So far there are no reports of attacks.
---------------------------------------------
https://www.heise.de/news/Patch-richtet-fehlerhafte-Zugriffskontrolle-in-HC…
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1069549/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 22-04-2026 18:00 − Thursday 23-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New Mirai campaign exploits RCE flaw in EoL D-Link routers ∗∗∗
---------------------------------------------
A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-…
∗∗∗ New GopherWhisper APT group abuses Outlook, Slack, Discord for comms ∗∗∗
---------------------------------------------
A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-gopherwhisper-apt-group-…
∗∗∗ Electricity Is a Growing Area of Cyber Risk ∗∗∗
---------------------------------------------
IT has long been concerned about ensuring systems receive the right amount of electricity. Cyberattackers are realizing they can manipulate voltage fluctuations for their purposes, too.
---------------------------------------------
https://www.darkreading.com/cyber-risk/are-power-regulators-becoming-a-new-…
∗∗∗ Hackers capture data of Intersport customers ∗∗∗
---------------------------------------------
The cybercriminals captured customer data of users who used the Intersport online shop.
---------------------------------------------
https://futurezone.at/digital-life/intersport-hacker-angriff-kriminelle-dat…
∗∗∗ Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ∗∗∗
---------------------------------------------
Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled unauthorized access to its internal systems.
---------------------------------------------
https://thehackernews.com/2026/04/vercel-finds-more-compromised-accounts.ht…
∗∗∗ Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages ∗∗∗
---------------------------------------------
Apple has rolled out a software fix for iOS and iPadOS to address a Notification Services flaw that stored notifications marked for deletion on the device. The vulnerability, tracked as CVE-2026-28950 (CVSS score: N/A), has been described as a logging issue that has been addressed with improved data redaction.
---------------------------------------------
https://thehackernews.com/2026/04/apple-patches-ios-flaw-that-stored.html
∗∗∗ AI Tools Are Helping Mediocre North Korean Hackers Steal Millions ∗∗∗
---------------------------------------------
One group of hackers used AI for everything from vibe coding their malware to creating fake company websites—and stole as much as $12 million in three months.
---------------------------------------------
https://www.wired.com/story/ai-tools-are-helping-mediocre-north-korean-hack…
∗∗∗ Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener ∗∗∗
---------------------------------------------
On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adapt…
∗∗∗ Security agencies warn of Chinese co-users of infrastructure ∗∗∗
---------------------------------------------
Intelligence services and cybersecurity agencies warn of attackers from the People's Republic who use the infrastructure of unsuspecting parties for their operations.
---------------------------------------------
https://www.heise.de/news/Sicherheitsbehoerden-warnen-vor-chinesischen-Mitn…
∗∗∗ Fake vehicle report: this trap awaits when selling a car online! ∗∗∗
---------------------------------------------
Anyone who wants to sell a vehicle online often receives strange inquiries. If prospective buyers insist on an additional inspection report and helpfully supply the matching website for it, the utmost caution is warranted! With fake portals of this kind, criminals take money out of their victims' pockets and swindle credit card details.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-fahrzeugbericht/
∗∗∗ Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector ∗∗∗
---------------------------------------------
Hackers deployed a previously unknown wiper malware against Venezuela’s energy and utilities sector in an attack that appears to have been designed to destroy systems.
---------------------------------------------
https://therecord.media/hackers-venezuela-wiper-malware-oil
∗∗∗ Defending against China-nexus covert networks of compromised devices ∗∗∗
---------------------------------------------
Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it
---------------------------------------------
https://www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-…
∗∗∗ Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-eng…
∗∗∗ Signal phishing warning: trigger was apparently an attack on Julia Klöckner ∗∗∗
---------------------------------------------
Julia Klöckner has apparently become a victim of the Signal phishing attacks that the BfV and BSI warned about again on Wednesday.
---------------------------------------------
https://heise.de/-11268708
∗∗∗ Tails 7.7: warning about expired Secure Boot certificates ∗∗∗
---------------------------------------------
Tails, the Linux distribution for moving anonymously on the net, has been released in version 7.7. It warns about old Secure Boot certificates.
---------------------------------------------
https://heise.de/-11269936
∗∗∗ University of Warsaw Data Breach Exposes 200,000+ Sensitive Files on Darknet ∗∗∗
---------------------------------------------
Over 200,000 files containing sensitive personal information from the University of Warsaw have been leaked online. The University of Warsaw cyberattack, which targeted the institution's digital systems, resulted in the publication of the stolen data on the darknet in mid-April 2026.
---------------------------------------------
https://thecyberexpress.com/university-of-warsaw-cyberattack/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: various attacks on IBM App Connect Enterprise possible ∗∗∗
---------------------------------------------
IBM's integration platform App Connect Enterprise is vulnerable. Attackers can target several vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Diverse-Attacken-auf-IBM-App-Co…
∗∗∗ n8n: updates fix critical vulnerabilities in automation platform ∗∗∗
---------------------------------------------
The update was announced to all admins by e-mail; they should now apply it promptly. Code injection is possible.
---------------------------------------------
https://heise.de/-11268464
∗∗∗ VMware Tanzu Spring Security: attackers can register malicious clients ∗∗∗
---------------------------------------------
Due to security issues in VMware Tanzu Spring Security, authentication, among other things, can be bypassed.
---------------------------------------------
https://heise.de/-11268714
∗∗∗ Critical vulnerability in Ruby's standard library ERB: attackers can execute code ∗∗∗
---------------------------------------------
The Ruby vulnerability is not easy to exploit, but it allows an attacker to read sensitive data, run code, and install backdoors.
---------------------------------------------
https://heise.de/-11268704
∗∗∗ Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions ∗∗∗
---------------------------------------------
Docker alerted Socket to malicious images pushed to the official checkmarx/kics Docker Hub repository after internal monitoring flagged suspicious new activity around KICS image tags. Our investigation found that attackers appear to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to a legitimate upstream release.
---------------------------------------------
https://socket.dev/blog/checkmarx-supply-chain-compromise
∗∗∗ Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign ∗∗∗
---------------------------------------------
Socket researchers discovered that the Bitwarden CLI was compromised as part of the ongoing Checkmarx supply chain campaign. The affected package version appears to be @bitwarden/cli2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.
---------------------------------------------
https://socket.dev/blog/bitwarden-cli-compromised
∗∗∗ NTFS driver for Linux: NTFS-3G closes privilege escalation vulnerability ∗∗∗
---------------------------------------------
https://www.heise.de/news/NTFS-Treiber-fuer-Linux-NTFS-3G-schliesst-Rechtea…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1069356/
∗∗∗ DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/dll-hijacking-in-effi…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 21-04-2026 18:00 − Wednesday 22-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New GoGra malware for Linux uses Microsoft Graph API for comms ∗∗∗
---------------------------------------------
A Linux variant of the GoGra backdoor uses legitimate Microsoft infrastructure, relying on an Outlook inbox for stealthy payload delivery.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-gogra-malware-for-linux-…
∗∗∗ New npm supply-chain attack self-spreads to steal auth tokens ∗∗∗
---------------------------------------------
A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-npm-supply-chain-attack-…
∗∗∗ Inside Caller-as-a-Service Fraud: The Scam Economy Has a Hiring Process ∗∗∗
---------------------------------------------
Fraud operations now operate like call centers, complete with hiring, training, and performance tracking. Flare reveals how cybercriminals manage "Caller-as-a-Service" operations like a professional sales team.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/inside-caller-as-a-service-f…
∗∗∗ Undetected for 13 years: vulnerability tracked down by AI endangers thousands of servers ∗∗∗
---------------------------------------------
Hackers are exploiting a dangerous vulnerability in Apache ActiveMQ that was discovered with the help of AI. Admins in Germany should also take action.
---------------------------------------------
https://www.golem.de/news/deutschland-auf-platz-4-tausende-apache-activemq-…
∗∗∗ Backdoor in Claude desktop app: a silent bridge from the browser ∗∗∗
---------------------------------------------
On macOS, Claude Desktop places Native Messaging Hosts in every Chromium browser, even ones not yet installed. That is not harmless; what to do now.
---------------------------------------------
https://www.golem.de/news/backdoor-in-claude-desktop-app-stille-bruecke-aus…
∗∗∗ Stolen legal notices: fake shops for trailers remain a perennial problem ∗∗∗
---------------------------------------------
They are among the most frequently reported fake shops: portals for vehicle trailers. At the best prices, of course. After payment in advance, the criminals suddenly can no longer be reached. The money is gone, the trailer never arrives. This article explains what makes these shops so dangerous and how to recognize them.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-anhaenger/
∗∗∗ Critical vulnerability in Microsoft GitHub repository ∗∗∗
---------------------------------------------
Security researchers at Tenable Research have discovered a critical vulnerability (CVSSv4 score 9.3) in a Microsoft GitHub repository. The vulnerability enables remote code execution (RCE) as well as unauthorized access to repository secrets. The discovery underscores that CI/CD infrastructure is a central part of modern attack surfaces.
---------------------------------------------
https://borncity.com/blog/2026/04/22/kritische-schwachstelle-in-microsoft-g…
∗∗∗ Attacks already underway: around 1,300 SharePoint instances are vulnerable ∗∗∗
---------------------------------------------
A vulnerability in Microsoft SharePoint lets attackers read and modify confidential data. Although a patch exists, most systems are unprotected.
---------------------------------------------
https://www.golem.de/news/attacken-laufen-bereits-rund-1-300-sharepoint-ins…
∗∗∗ Surge in Bomgar RMM Exploitation Demonstrates Supply Chain Risk ∗∗∗
---------------------------------------------
The critical remote code execution flaw (CVE-2026-1731) in the remote monitoring and management tool can be exploited to spread ransomware and compromise supply chains.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/surge-bomgar-rmm-exp…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft releases emergency patches for critical ASP.NET flaw ∗∗∗
---------------------------------------------
Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. The security flaw (tracked as CVE-2026-40372) was found in the ASP.NET Core Data Protection cryptographic APIs, and it could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergenc…
∗∗∗ Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape ∗∗∗
---------------------------------------------
A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system.
---------------------------------------------
https://thehackernews.com/2026/04/cohere-ai-terrarium-sandbox-flaw.html
∗∗∗ Malicious-code loopholes threaten Apache Airflow and Airflow Keycloak ∗∗∗
---------------------------------------------
Apache's open-source workflow management platforms Airflow and Airflow Keycloak are vulnerable. One vulnerability is rated critical.
---------------------------------------------
https://www.heise.de/news/Schadcode-Schlupfloecher-bedrohen-Apache-Airflow-…
∗∗∗ Oracle Critical Patch Update Advisory - April 2026 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpuapr2026.html
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1069105/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 20-04-2026 18:00 − Tuesday 21-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Serial-to-IP Devices Hide Thousands of Old and New Bugs ∗∗∗
---------------------------------------------
The OT devices that translate machine talk into Internet-speak are riddled with vulnerabilities and more frequently targeted for attacks, researchers say.
---------------------------------------------
https://www.darkreading.com/ics-ot-security/serial-ip-devices-thousands-of-…
∗∗∗ BSI warns: phishing attacks via Signal are increasing ∗∗∗
---------------------------------------------
Attackers regularly hijack Signal accounts by means of phishing. The BSI now offers a guide with recommended actions for those affected.
---------------------------------------------
https://www.golem.de/news/bsi-warnt-phishing-attacken-ueber-signal-nehmen-z…
∗∗∗ A .WAV With A Payload, (Tue, Apr 21st) ∗∗∗
---------------------------------------------
There have been reports of threat actors using a .wav file as a vector for malware. It's a proper .wav file, but they didn't use steganography. The .wav file will play, but you'll just hear noise.
---------------------------------------------
https://isc.sans.edu/diary/rss/32910
∗∗∗ Real Apple notifications are being used to drive tech support scams ∗∗∗
---------------------------------------------
Scammers have found a way to abuse legitimate Apple notification emails to trick people into calling fake tech support numbers.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/04/real-apple-notifications-are…
∗∗∗ Fake job placement agencies foist malware on victims ∗∗∗
---------------------------------------------
They are attractively designed and promise interesting jobs on top terms. Unfortunately, nothing about these placement agencies is real. Through the fake websites and the associated recruitment e-mails, criminals want more than personal information. They also sneak malware onto their victims' devices.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-jobvermittlungsagenturen/
∗∗∗ Bad Apples: Weaponizing native macOS primitives for movement and execution ∗∗∗
---------------------------------------------
Cisco Talos documents several macOS living-off-the-land (LOTL) techniques, demonstrating that native pathways for movement and execution remain accessible to those who understand the underlying architecture.
---------------------------------------------
https://blog.talosintelligence.com/bad-apples-weaponizing-native-macos-prim…
∗∗∗ Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories ∗∗∗
---------------------------------------------
Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-…
∗∗∗ Deep Malware Analysis of a Multi-Stage Cobalt Strike Loader ∗∗∗
---------------------------------------------
In this blog post, we provide a detailed technical reconstruction of a multi-stage malware chain that ultimately delivers a Cobalt Strike Beacon.
---------------------------------------------
https://www.joesecurity.org/blog/621128515416801396
∗∗∗ Command Execution via Drag-and-Drop in Terminal Emulators ∗∗∗
---------------------------------------------
Many people may not be aware that terminal emulators such as Kitty and xfce4-terminal support dragging and dropping of files into the terminal to insert the file's path directly at the cursor position. While this feature has existed for a while, more people have started to notice this as Claude Code has grown in popularity and allows users to drag and drop files for Claude to process.
---------------------------------------------
https://sdushantha.github.io/post/drop-it-like-its-hot
∗∗∗ Inside An AWS Cloud Threat Detection SOC Lab: Simulating and Detecting Real Cloud Attacks ∗∗∗
---------------------------------------------
Cloud computing has become the backbone over time of how modern systems are built and run. As I started diving deeper into cloud security, I began to see just how much organizations and various industries depend on it, not just for convenience, but for scalability, speed, and the ability to support technologies like artificial intelligence and big data.
---------------------------------------------
https://detect.fyi/inside-an-aws-cloud-threat-detection-soc-lab-simulating-…
∗∗∗ Context.ai OAuth Token Compromise ∗∗∗
---------------------------------------------
Compromised Context.ai OAuth tokens enabled attackers to perform a supply chain attack via trusted SaaS integrations. Learn how to assess the risk in your environment and how to prevent the next attack.
---------------------------------------------
https://www.wiz.io/blog/contextai-oauth-token-compromise
=====================
= Vulnerabilities =
=====================
∗∗∗ SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ∗∗∗
---------------------------------------------
A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code.
---------------------------------------------
https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html
∗∗∗ Apache ActiveMQ RCE ∗∗∗
---------------------------------------------
CVE-2026-34197 is a high-severity remote code execution (RCE) vulnerability affecting Apache ActiveMQ Classic. The flaw resides in the exposed Jolokia JMX-HTTP interface and allows attackers to execute arbitrary commands on the underlying system via crafted broker management requests. Recent reporting indicates that this vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and elevating its priority for remediation.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6428
∗∗∗ Top-rated malicious-code vulnerability threatens Firebird ∗∗∗
---------------------------------------------
The open-source database management system Firebird can be attacked in several ways. Malicious code can reach systems.
---------------------------------------------
https://www.heise.de/news/Schadcode-Luecke-mit-Hoechstwertung-bedroht-Fireb…
∗∗∗ Supply Chain Compromise Impacts Axios Node Package Manager ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm). Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1068830/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 17-04-2026 18:00 − Monday 20-04-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ LLM-based vulnerability hunting ∗∗∗
---------------------------------------------
After open source maintainers complained in 2025 about a flood of low-quality security reports triggered by LLM-based vulnerability hunting, the picture has turned around in 2026.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/4/llm-basierte-schwachstellensuche
∗∗∗ Payouts King ransomware uses QEMU VMs to bypass endpoint security ∗∗∗
---------------------------------------------
The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/payouts-king-ransomware-uses…
∗∗∗ Critical flaw in Protobuf library enables JavaScript code execution ∗∗∗
---------------------------------------------
Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-flaw-in-protobuf-li…
∗∗∗ WhatsApp Leaks User Metadata to Attackers ∗∗∗
---------------------------------------------
Strangers can infer limited info about you without knowing or messaging you, which could theoretically aid certain kinds of malicious activity.
---------------------------------------------
https://www.darkreading.com/endpoint-security/whatsapp-leaks-user-metadata
∗∗∗ Youth protection and security: EU age verification app hacked after two minutes ∗∗∗
---------------------------------------------
Security experts criticize the EU's new youth protection app. The EU Commission defends itself and sees no current problems.
---------------------------------------------
https://www.golem.de/news/jugendschutz-und-sicherheit-eu-app-fuer-altersnac…
∗∗∗ Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet ∗∗∗
---------------------------------------------
Threat actors are exploiting security flaws in TBK DVR and end-of-life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.
---------------------------------------------
https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html
∗∗∗ $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims ∗∗∗
---------------------------------------------
Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, said it's suspending operations after it blamed Western intelligence agencies for a $13.74 million hack.
---------------------------------------------
https://thehackernews.com/2026/04/1374m-hack-shuts-down-sanctioned-grinex.h…
∗∗∗ I meant to do that! AI vendors shrug off responsibility for vulns ∗∗∗
---------------------------------------------
AI vendors: "You need to use AI to fight AI threats (and do everything else in your corporate IT environment)." Also AI vendors: "That's not a security flaw; it's working as intended."
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/19/ai_vendors_r…
∗∗∗ Ransomware attacks challenge investigators ∗∗∗
---------------------------------------------
Ransomware gangs rely on AI and the darknet to hit critical infrastructure. Investigators in Koblenz are increasingly acting proactively.
---------------------------------------------
https://www.heise.de/news/Proaktive-Ermittlungen-gegen-Cybercrime-auf-Lande…
∗∗∗ Fake ÖAMTC email about an alleged emergency rescue tool ∗∗∗
---------------------------------------------
Fraudulent emails purporting to come from the ÖAMTC are currently circulating. They urge vehicle owners to buy a supposedly mandatory "emergency rescue tool". The message is fake and is meant to lure recipients into buying from a dubious online shop.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-oeamtc-mail-zu-angeblichem-notf…
∗∗∗ ID Austria: warning about a scam involving expired certificates ∗∗∗
---------------------------------------------
Criminals are exploiting the fact that almost 300,000 certificates will expire soon. Corresponding SMS messages are always a scam attempt, the authorities warn.
---------------------------------------------
https://www.derstandard.at/story/3000000317241/id-austria-warnung-vor-betru…
∗∗∗ Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) ∗∗∗
---------------------------------------------
Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders.
---------------------------------------------
https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
∗∗∗ MAD Bugs: Even "cat readme.txt" is not safe ∗∗∗
---------------------------------------------
Codex found a bug turning "cat readme.txt" into arbitrary code execution.
---------------------------------------------
https://blog.calif.io/p/mad-bugs-even-cat-readmetxt-is-not
∗∗∗ Anthropic's Claude Mythos Launch Is Built on Misinformation ∗∗∗
---------------------------------------------
A primary-source investigation for developers and security researchers who want the real story about what the data says about Mythos.
---------------------------------------------
https://www.artificialintelligencemadesimple.com/p/anthropics-claude-mythos…
∗∗∗ Some secret management belongs in your HTTP proxy ∗∗∗
---------------------------------------------
Larger organizations commit to centralizing secrets management in a service. When done well, these services solve a lot of issues around secrets, at the cost of creating a lot of ops overhead (which is why they are limited to larger organizations) and engineering complexity. Smaller organizations have, until now, lived with the pain. But the pain has become far more significant with agents.
---------------------------------------------
https://blog.exe.dev/http-proxy-secrets
∗∗∗ NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets ∗∗∗
---------------------------------------------
NIST will stop enriching most CVEs under a new risk-based model, narrowing the NVD's scope as vulnerability submissions continue to surge.
---------------------------------------------
https://socket.dev/blog/nist-officially-stops-enriching-most-cves?utm_mediu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-day flaws under fire: attacks on Windows systems observed ∗∗∗
---------------------------------------------
Hackers have exploited three recently disclosed security vulnerabilities in Windows Defender. So far only one of them has a patch.
---------------------------------------------
https://www.golem.de/news/zero-day-luecken-unter-beschuss-angriffe-auf-wind…
∗∗∗ More than a dozen root vulnerabilities endanger Dell PowerProtect Data Domain ∗∗∗
---------------------------------------------
The developers have closed vulnerabilities in current versions of Dell PowerProtect Data Domain.
---------------------------------------------
https://heise.de/-11263713
∗∗∗ n8n: important security update on the way ∗∗∗
---------------------------------------------
The n8n automation platform is evidently vulnerable. The developers plan to publish a security update on Wednesday at noon.
---------------------------------------------
https://heise.de/-11264561
∗∗∗ Xenbits XSA-488 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-488.html
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1068681/
∗∗∗ Vercel April 2026 security incident ∗∗∗
---------------------------------------------
https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 16-04-2026 18:00 − Friday 17-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges ∗∗∗
---------------------------------------------
A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed "RedSun," in the past two weeks, protesting how the company works with cybersecurity researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-reds…
∗∗∗ ZionSiphon malware designed to sabotage water treatment systems ∗∗∗
---------------------------------------------
A new malware called ZionSiphon, specifically designed for operational technology, is targeting water treatment and desalination environments to sabotage their operations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zionsiphon-malware-designed-…
∗∗∗ Recently leaked Windows zero-days now exploited in attacks ∗∗∗
---------------------------------------------
Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/recently-leaked-windows-zero…
∗∗∗ Every Old Vulnerability Is Now an AI Vulnerability ∗∗∗
---------------------------------------------
AI's danger isn't that it's creating new bugs; it's that it's amplifying old ones.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/every-old-vulnerability…
∗∗∗ Totalrecall Reloaded: tool shows vulnerability in Windows Recall ∗∗∗
---------------------------------------------
A new version of the Totalrecall tool shows how data can still be extracted from Windows Recall comparatively easily.
---------------------------------------------
https://www.golem.de/news/totalrecall-reloaded-tool-zeigt-schwachstelle-in-…
∗∗∗ For 2,300 US dollars: researcher coaxes a dangerous Chrome exploit out of Claude ∗∗∗
---------------------------------------------
A researcher used Claude Opus to develop a working exploit chain for Chrome in around 20 hours. Mythos isn't even needed for that.
---------------------------------------------
https://www.golem.de/news/fuer-2-300-us-dollar-forscher-entlockt-claude-gef…
∗∗∗ Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors ∗∗∗
---------------------------------------------
During a recent malware cleanup investigation, we encountered a compromised Joomla website where the site owner reported a strange issue. Their website displayed a large number of suspicious product links that had nothing to do with their business. These products were not added by the website owner and did not exist in their catalog.
---------------------------------------------
https://blog.sucuri.net/2026/04/joomla-seo-spam-injector-obfuscated-php-bac…
∗∗∗ North Korea targets macOS users in latest heist ∗∗∗
---------------------------------------------
Social engineering: low-cost, hard to patch, and scales well. North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.
---------------------------------------------
https://www.theregister.com/2026/04/16/north_korea_social_engineering_macos/
∗∗∗ Espionage fears at the Bendlerblock: Pistorius bans private phones from meetings ∗∗∗
---------------------------------------------
Because of acute eavesdropping risks from Russia and China, the defence ministry is tightening the rules for smartphones and smartwatches in sensitive areas.
---------------------------------------------
https://www.heise.de/news/Spionageangst-im-Bendlerblock-Pistorius-verbannt-…
∗∗∗ Easter certificate meltdown at D-Trust: tens of thousands of certificates invalid ∗∗∗
---------------------------------------------
Between Maundy Thursday and Easter Monday, admins had to replace their TLS certificates. Now D-Trust announces: almost 60,000 were not compliant with the rules.
---------------------------------------------
https://www.heise.de/news/Oesterlicher-Zertifikats-GAU-bei-D-Trust-Zehntaus…
∗∗∗ Windows updates: unexpected server reboots and login problems ∗∗∗
---------------------------------------------
The April updates for Windows Server have side effects. Servers restart unexpectedly or don't allow admin logins.
---------------------------------------------
https://www.heise.de/news/Windows-Updates-Unerwartete-Server-Reboots-und-An…
∗∗∗ “Your shipment has arrived” email hides remote access software ∗∗∗
---------------------------------------------
This DHL-themed email tries to get recipients to install remote access software attackers can use to deploy further malware, including ransomware.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/04/your-shipment-has-arrived-em…
∗∗∗ Sometimes changing the password on your email mailbox isn’t enough ∗∗∗
---------------------------------------------
Have you ever taken a look at your Microsoft 365 mailbox rules? If not, it might be worth a few minutes of your time. Because newly released research reveals that hackers may already have beaten you to it. Read more in my article on the Fortra blog.
---------------------------------------------
https://www.fortra.com/blog/sometimes-changing-password-your-email-mailbox-…
∗∗∗ A Deep Dive Into Attempted Exploitation of CVE-2023-33538 ∗∗∗
---------------------------------------------
CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware.
---------------------------------------------
https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
∗∗∗ New CGrabber and Direct-Sys Malware Spread Through GitHub ZIP Files ∗∗∗
---------------------------------------------
Hackers spread CGrabber and Direct-Sys malware through GitHub ZIP files, bypassing security tools to steal passwords, crypto wallets, and user data.
---------------------------------------------
https://hackread.com/cgrabber-direct-sys-malware-github-zip-files/
∗∗∗ New Mirai Variant Nexcorium Hijacks DVR Devices for DDoS Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers at Fortinet have discovered Nexcorium, a new Mirai-based malware targeting TBK DVR systems to turn them into a botnet for DDoS attacks.
---------------------------------------------
https://hackread.com/mirai-variant-nexcorium-dvr-devices-ddos-attacks/
∗∗∗ Android 13 reaches end of support: millions of devices affected ∗∗∗
---------------------------------------------
Android 13 is out. Google already ended support for the OS version released in 2022 at the beginning of March.
---------------------------------------------
https://heise.de/-11262547
∗∗∗ Obfuscation vs the Optimizer: An LLVM Middle-End Arms Race ∗∗∗
---------------------------------------------
Obfuscation is security through obscurity; its purpose is to transform a piece of code into a much more complex representation, whilst preserving the original semantics of the code. A compiler's job is to transform source code into binary code and produce the simplest and most optimized representation it can for a given architecture. These are contrary goals, yet this contradiction is where obfuscators find their greatest leverage.
---------------------------------------------
http://blog.quarkslab.com/obfuscation-vs-the-optimizer-an-llvm-middle-end-a…
∗∗∗ HTTP desync in Discord's media proxy: Spying on a whole platform ∗∗∗
---------------------------------------------
In 2022, I came across a quirky behavior on media.discordapp.net when I miskeyed a space character into an attachment link: a 502 bad gateway. After some fiddling I realized that this was caused by an HTTP injection bug within the media proxy's request to the upstream GCP bucket. The space character corrupted the proxied HTTP message, which caused the connection to prematurely terminate.
---------------------------------------------
https://tmctmt.com/posts/http-desync-in-discord/
∗∗∗ Russian GRU Cyber Campaign Targets Western Logistics Firms Supporting Ukraine ∗∗∗
---------------------------------------------
A new joint cybersecurity advisory has revealed an ongoing Russian GRU cyber campaign targeting Western logistics entities and technology companies, particularly those involved in coordinating and delivering aid to Ukraine. The activity has been linked to the Russian General Staff Main Intelligence Directorate’s Unit 26165, widely tracked in the cybersecurity community as APT28 or Fancy Bear.
---------------------------------------------
https://thecyberexpress.com/russian-gru-cyber-campaign-targets-logistics/
=====================
= Vulnerabilities =
=====================
∗∗∗ Attackers target Apache ActiveMQ Broker, Apache ActiveMQ ∗∗∗
---------------------------------------------
Admins should promptly install the versions of Apache ActiveMQ Broker and Apache ActiveMQ that are hardened against the currently ongoing attacks.
---------------------------------------------
https://www.heise.de/news/Angreifer-attackieren-Apache-ActiveMQ-Broker-Apac…
∗∗∗ YubiKey Manager: vulnerability allows execution of planted code ∗∗∗
---------------------------------------------
Yubico warns of a search-path vulnerability in YubiKey Manager, libfido2 and python-fido2. Updates correct the flaws.
---------------------------------------------
https://www.heise.de/news/YubiKey-Manager-Sicherheitsluecke-ermoeglicht-Aus…
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1068400/