=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-05-2026 18:00 − Friday 29-05-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer ∗∗∗
---------------------------------------------
Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. [..] The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.
---------------------------------------------
https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
∗∗∗ Signal users targeted in backup-stealing phishing attacks ∗∗∗
---------------------------------------------
A new phishing campaign is targeting Signal users by attempting to steal their backup recovery keys to access encrypted message archives. The attack is initiated by a text message pretending to come from Signal Support. [..] For now, the attacks appear to be targeted.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/05/signal-users-targeted-in-bac…
∗∗∗ Six zero-days disclosed in six weeks: Microsoft responds with threats ∗∗∗
---------------------------------------------
Proof-of-concept demonstrations of security vulnerabilities in Microsoft Windows have recently been published several times without a corresponding security update being available. [..] In a blog post, the Microsoft Security Response Center (MSRC) complains that it was not informed about the vulnerabilities in advance. [..] Microsoft has already deleted the GitHub account of the presumed discoverer of the vulnerabilities in question (pseudonym Nightmare Eclipse). [..] The company is threatening lawsuits and police involvement. [..] In the same blog, titled "Nightmare Eclipse", the author rejects the accusation of not having followed CVD rules as "defamation".
---------------------------------------------
https://heise.de/-11310723
∗∗∗ Chrome update closes 151 security holes, 22 of them critical ∗∗∗
---------------------------------------------
Google released an updated version of the Chrome web browser on Wednesday. Only during the night to Friday, however, did the developers follow up with information about the vulnerabilities it closes: the new version fixes 151 vulnerabilities. 22 of them have been rated as "critical" risk.
---------------------------------------------
https://heise.de/-11310811
∗∗∗ Cybersecurity: critical infrastructures are catching up, but the "risk zone" is growing ∗∗∗
---------------------------------------------
An ENISA report shows clear progress driven by the NIS2 Directive, but warns of growing digital threats in the space and transport sectors.
---------------------------------------------
https://heise.de/-11312014
∗∗∗ RIPE NCC session fixation: poaching logins with an Atlas probe ∗∗∗
---------------------------------------------
RIPE NCC’s single sign-on did not rotate session tokens on login, leaving 12000 Atlas probe hosts in a position to compromise other RIPE NCC users’ logins. A single link click planted a session token in a target’s browser. [..] I reported this in April 2026, and it was fixed within three weeks. But the structural pattern that makes attacks like this possible, hosting third-party infrastructure under the same domain as the all-powerful SSO cookie, has not yet changed.
---------------------------------------------
https://mxsasha.eu/posts/ripe-ncc-session-fixation/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Security Patch Update Advisory - May 2026 ∗∗∗
---------------------------------------------
A Critical Security Patch Update (CSPU) provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. Critical Security Patch Updates complement Oracle’s existing quarterly cumulative Critical Patch Updates (CPUs). These patches address vulnerabilities in Oracle code and in third party components included in Oracle products.
---------------------------------------------
https://www.oracle.com/security-alerts/cspumay2026.html
∗∗∗ CIFSwitch: a non-universal Linux local root vulnerability ∗∗∗
---------------------------------------------
A distro-specific Linux LPE found by harnessing LLMs into better multihop knowledge composition. [..] The harnessed agents found an issue at the intersection of the kernel's CIFS implementation and the userspace helper provided by cifs-utils. [..] A very non-exhaustive list of systems tested. [..] You can use the released PoC to validate the mitigations.
---------------------------------------------
https://heyitsas.im/posts/cifswitch/
∗∗∗ WP Maps Pro Vulnerability Exposed 15,000 WordPress Sites to Site Takeover ∗∗∗
---------------------------------------------
A critical vulnerability in the WP Maps Pro WordPress plugin allowed unauthenticated attackers to create administrator accounts and potentially perform a complete site takeover on affected websites. The issue impacted all WP Maps Pro versions up to 6.1.0. [..] The vulnerability was submitted to the Wordfence Bug Bounty Program on March 24, 2026 [..] May 20, 2026 — WP Maps Pro 6.1.1 was released. [..] CVE-2026-8732
---------------------------------------------
https://thecyberexpress.com/wp-maps-pro-vulnerability/
∗∗∗ VU#780781: Casdoor contains multiple authentication bypass and access management vulnerabilities ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/780781
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1075310/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-05-2026 18:00 − Thursday 28-05-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Update #2: Qilin ransomware uses initial access from the ZipLine campaign; DACH recruiting domains in focus ∗∗∗
---------------------------------------------
Update #2, 28 May 2026: Another new lure domain following the same pattern has become known: falkentalent[.]at
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/5/zipline-qilin-raas-update
∗∗∗ GPU mining malware spreads via SEO poisoning, AI chatbots ∗∗∗
---------------------------------------------
Threat actors are targeting high-performance computer systems in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. The compromise occurs through malicious download pages for utility software typically installed by owners of powerful systems, like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. [..] Microsoft researchers discovered the campaign and determined that the attack begins when users look for one of the aforementioned utilities and are presented with malicious links boosted in search rankings through SEO poisoning.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gpu-mining-malware-spreads-v…
∗∗∗ Suspected vibe coding: data leak in npm package exposes malware operation ∗∗∗
---------------------------------------------
Security researchers at OX Security observed a malware attack in which the attacker apparently had little sense of their own operational security. According to the researchers' blog post, the attacker tried to distribute an infostealer via an npm package. However, the package contained the attacker's own GitHub token, so the researchers were able to trace the malware activity quite precisely.
---------------------------------------------
https://www.golem.de/news/vibe-coding-verdacht-datenpanne-in-npm-paket-legt…
∗∗∗ Side-channel attack via JavaScript: spying through a website's SSD accesses ∗∗∗
---------------------------------------------
Through targeted SSD accesses and timing measurements, attackers can use a website with special JavaScript code to covertly read information about which applications are running on visitors' systems. [..] In their tests, the researchers were able to correctly identify web pages open in the background with a probability of 88.95 percent, and other running applications with a probability as high as 95.83 percent.
---------------------------------------------
https://www.golem.de/news/seitenkanalangriff-per-javascript-spionage-ueber-…
∗∗∗ Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years ∗∗∗
---------------------------------------------
In late April 2026, a client reached out to us for incident response support after discovering a miner running on users’ computers. We later discovered that the malware was being distributed via illegal movie and TV show streaming sites. The infection chain leveraged a fake update for a video player plugin. When the user attempted to watch a video, the player displayed a message saying the plugin version was outdated and asking to install an update to continue. [..] The archive contained a legitimate executable, HLS Installer.874.exe, alongside a malicious DLL.
---------------------------------------------
https://securelist.com/video-books-pirates-miners-rat/119943/
∗∗∗ Warning about fake FIFA websites ahead of the 2026 football World Cup ∗∗∗
---------------------------------------------
The football World Cup starts in two weeks. Criminals are seizing the opportunity and faking the FIFA website, for example for phishing. [..] More than 300 domains are running on the fraudulent infrastructure in the background. They target FIFA's Ping Identity SSO system to harvest credentials. A further 140 domains are considered suspicious and 3,800 are still parked, waiting only to be activated. The IT researchers have already found a total of 2,513 FIFA account credentials for the domains fifa.com and fifa.org on the darknet.
---------------------------------------------
https://www.heise.de/news/Warnung-vor-gefaelschten-FIFA-Webseiten-vor-der-F…
∗∗∗ Fake SMS in the name of the Austrian Pensionsversicherung (pension insurance) ∗∗∗
---------------------------------------------
An SMS purportedly from the Pensionsversicherung asks recipients to update their pension account. Beware: the link leads not to a government agency but to a phishing trap.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-sms-im-namen-der-pension…
∗∗∗ SharePoint update for CVE-2026-45659 (26 May 2026) ∗∗∗
---------------------------------------------
On 21 May 2026, Microsoft released a notice about an out-of-band security update for its still-supported SharePoint systems (or at least documented it, since the update had already shipped on 12 May 2026 with the regular SharePoint updates). The information about the update was then revised on 26 May 2026. CVE-2026-45659 is a Microsoft SharePoint remote code execution vulnerability.
---------------------------------------------
https://borncity.com/blog/2026/05/27/sharepoint-out-of-band-update-fuer-cve…
∗∗∗ CISA warns of malware from supply chain attacks ∗∗∗
---------------------------------------------
CISA is currently warning about the recently observed supply chain attacks on TanStack, Daemon Tools and Nx Console, which distributed malware.
---------------------------------------------
https://heise.de/-11309253
=====================
= Vulnerabilities =
=====================
∗∗∗ New Gogs zero-day flaw lets hackers get remote code execution ∗∗∗
---------------------------------------------
An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances. [..] This critical severity argument injection security flaw has yet to be assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and can only be exploited by authenticated attackers without admin privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-gogs-zero-day-flaw-lets-…
∗∗∗ Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038 ∗∗∗
---------------------------------------------
An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the site codebase or installed dependencies, this can result in arbitrary PHP code execution. CVE IDs: CVE-2026-9726
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-038
∗∗∗ Notepad++: vulnerabilities allow injection of malicious code and commands ∗∗∗
---------------------------------------------
Another update is available for Notepad++. It closes three security vulnerabilities, two of which are rated high risk and allow attackers to smuggle in and execute commands or even malicious code.
---------------------------------------------
https://www.heise.de/news/Notepad-Luecken-erlauben-Einschleusen-von-Schadco…
∗∗∗ VMware security updates for ESXi 8.0U3j & VSA 8.0U3j ∗∗∗
---------------------------------------------
VMware by Broadcom has just released security updates for its products ESXi 8.0U3j and VSA 8.0U3J (vSphere Storage Appliance). Addendum: there were indications in the comments that the updates may not be installed without a maintenance contract.
---------------------------------------------
https://borncity.com/blog/2026/05/28/vmware-sicherheitsupdates-fuer-esxi-8-…
∗∗∗ Veeam: Security Fixes and Improvements 2026-05-27 ∗∗∗
---------------------------------------------
https://www.veeam.com/knowledge-base.html?type=security
∗∗∗ Joomla: [20260520] - Framework - Inadequate content filtering within the cleanAttributes filter code ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/1052-20260520-framework-inadeq…
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1075060/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-05-2026 18:00 − Wednesday 27-05-2026 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Millions of AI agents imperiled by critical vulnerability in open source package ∗∗∗
---------------------------------------------
"BadHost" was found in Starlette, a package with 325 million weekly downloads.
---------------------------------------------
https://arstechnica.com/information-technology/2026/05/millions-of-ai-agent…
∗∗∗ KnowledgeDeliver flaw exploited as a zero-day to install web shells ∗∗∗
---------------------------------------------
Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/knowledgedeliver-flaw-exploi…
∗∗∗ Messenger app: Signal vulnerability can prevent data deletion ∗∗∗
---------------------------------------------
Because of a vulnerability in the logging of deletion requests, Signal messages could remain recoverable even after years.
---------------------------------------------
https://www.golem.de/news/messenger-app-schwachstelle-in-signal-kann-datenl…
∗∗∗ (g+) F5 BIG-IP APM: an old DoS patch returns as RCE ∗∗∗
---------------------------------------------
F5 has upgraded CVE-2025-53521 from DoS to RCE; attackers had access to the source code. The most urgent question for admins: are BIG-IP APM instances reachable directly from the Internet?
---------------------------------------------
https://www.golem.de/news/f5-big-ip-apm-ein-alter-dos-patch-kehrt-als-rce-z…
∗∗∗ MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries ∗∗∗
---------------------------------------------
The Iranian hacking group known as MuddyWater has been linked to a new campaign affecting at least nine organizations across nine countries on four continents in the first quarter of 2026.
---------------------------------------------
https://thehackernews.com/2026/05/muddywater-uses-dll-side-loading-in.html
∗∗∗ Gitea Vulnerability Exposes Private Container Images without Authentication ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a security flaw in Gitea, an open-source, self-hosted platform for version control, that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring an account, password, or other credentials.
---------------------------------------------
https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html
∗∗∗ GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure ∗∗∗
---------------------------------------------
CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command-and-control (C2) channels associated with GlassWorm, a persistent software supply chain campaign targeting software developers through malicious packages and extensions.
---------------------------------------------
https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html
∗∗∗ Controversial powers: BKA gets access to attacker infrastructure ∗∗∗
---------------------------------------------
The German cabinet has cleared the way for new powers: the Federal Criminal Police Office (BKA) is to be allowed to disrupt or destroy attackers' IT systems in future.
---------------------------------------------
https://www.heise.de/news/Hackback-Erlaubnis-Kabinett-macht-Weg-frei-113083…
∗∗∗ Fake law firm: "final out-of-court demand for payment" used as leverage ∗∗∗
---------------------------------------------
A subscription with a sweepstakes company, allegedly concluded by phone. Outstanding payments and a last chance to settle the matter out of court. With this story, criminals are after their victims' money. The accompanying message from the (fake) lawyer arrives by e-mail or by post.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-anwaltskanzlei-zahlungsaufforde…
∗∗∗ FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts – no password required ∗∗∗
---------------------------------------------
So, you've enabled multi-factor authentication. You've taught your staff never to type their passwords into dodgy-looking login pages. Surely your Microsoft 365 accounts are safe now? Well, think again.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-kali365-phishing-…
∗∗∗ BTMOB: A stealthy RAT burrowing deep into Android devices ∗∗∗
---------------------------------------------
The malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise.
---------------------------------------------
https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep…
∗∗∗ Trojanized Gemini and Claude Installers Target Developers Via SEO Poisoning ∗∗∗
---------------------------------------------
Cybercriminals are using SEO poisoning and fake Gemini and Claude installer sites to infect developers with fileless malware and steal data.
---------------------------------------------
https://hackread.com/trojan-gemini-claude-installers-developers-seo-poisoni…
∗∗∗ OverlayPhantom Android Banking Trojan Targets 180+ Financial Apps Across 10 Countries ∗∗∗
---------------------------------------------
A newly discovered Android banking trojan known as OverlayPhantom is raising concerns among cybersecurity researchers after evidence revealed that the malware is actively targeting banking, financial, and cryptocurrency users across multiple Western countries.
---------------------------------------------
https://thecyberexpress.com/overlayphantom-android-banking-trojan/
∗∗∗ Despite missing patches: Russia continues to rely heavily on Microsoft Exchange ∗∗∗
---------------------------------------------
Numerous Russian companies apparently still use Exchange and other Western software. But they have not been receiving patches for it for a long time.
---------------------------------------------
https://www.golem.de/news/trotz-fehlender-patches-russland-setzt-weiterhin-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Exploitation likely: critical Nginx vulnerability endangers countless web servers ∗∗∗
---------------------------------------------
Only a few days ago, researchers at Depthfirst disclosed a vulnerability dubbed Nginx Rift in the widely used Nginx web server software, which attackers can use to temporarily render vulnerable systems unreachable and sometimes even execute malicious code. Now Nginx developer F5 has patched yet another vulnerability with largely the same characteristics.
---------------------------------------------
https://www.golem.de/news/ausnutzung-wahrscheinlich-kritische-nginx-luecke-…
∗∗∗ UniFi OS Server: critical vulnerabilities enable attacks ∗∗∗
---------------------------------------------
UniFi OS Server, the central management platform and operating system for UniFi devices, has several security vulnerabilities, some with the highest possible risk rating. Updates that close the vulnerabilities are available. Anyone using affected UniFi devices should not wait long to install the updates.
---------------------------------------------
https://www.heise.de/news/UniFi-OS-Server-Kritische-Sicherheitsluecken-ermo…
∗∗∗ 7-Zip: update closes code injection vulnerability ∗∗∗
---------------------------------------------
The popular archiving program 7-Zip contains a vulnerability that allows malicious code to be injected. An update is available.
---------------------------------------------
https://www.heise.de/news/7-Zip-Update-schliesst-Codeschmuggel-Luecke-11308…
∗∗∗ Flaw in Docker Model Runner allows sandbox escape on macOS ∗∗∗
---------------------------------------------
If attackers successfully exploit a vulnerability in Docker on macOS, they can break out of the sandbox and execute malicious code on the host system. A hardened version is available for download.
---------------------------------------------
https://www.heise.de/news/Fehler-in-Docker-Model-Runner-erlaubt-Sandboxausb…
∗∗∗ LiteSpeed cPanel plugin: attacks on vulnerability observed ∗∗∗
---------------------------------------------
The LiteSpeed plugin for cPanel has a security vulnerability that the vendor rates as critical. The US cybersecurity agency CISA warns that attacks on it have been observed. Updated software is available.
---------------------------------------------
https://heise.de/-11307435
∗∗∗ CVE-2026-48131 - VPND IKE Fragment Reassembly - Heap Out-of-Bounds Write via Sequence Number Zero ∗∗∗
---------------------------------------------
https://support.checkpoint.com/results/sk/sk184981
∗∗∗ CVE-2026-48132 - VPN service may restart unexpectedly when processing IKE traffic over NAT-T 4500/UDP ∗∗∗
---------------------------------------------
https://support.checkpoint.com/results/sk/sk184982
∗∗∗ CVE-2026-48133 Identity Awareness Captive Portal - Unauthenticated Local File Inclusion ∗∗∗
---------------------------------------------
https://support.checkpoint.com/results/sk/sk184993
∗∗∗ CVE-2026-48134 - SQL injection issue in UserCheck Portal when DLP is active ∗∗∗
---------------------------------------------
https://support.checkpoint.com/results/sk/sk184983
∗∗∗ CVE-2026-48135 - HTTP service can incorrectly process malformed HTTP requests ∗∗∗
---------------------------------------------
https://support.checkpoint.com/results/sk/sk184991
∗∗∗ CVE-2026-48136 - Authenticated Administrator Role-Based Access Control Bypass in Compliance ∗∗∗
---------------------------------------------
https://support.checkpoint.com/results/sk/sk184992
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1074840/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-05-2026 18:00 − Tuesday 26-05-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Update #1: Qilin ransomware uses initial access from the ZipLine campaign; DACH recruiting domains in focus ∗∗∗
---------------------------------------------
We have become aware of further lure domains that follow the same pattern: valenzsearch[.]at, haasrecruiting[.]at, bergersearch[.]at
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/5/zipline-qilin-raas-update
∗∗∗ Anthropic to release Mythos-class models to the public ∗∗∗
---------------------------------------------
Anthropic has revealed its intention to one day release models that match the performance of its Mythos bug-finding AI to the public, once it can make them safe.
---------------------------------------------
https://www.theregister.com/security/2026/05/25/anthropic-to-release-mythos…
∗∗∗ Critical Ghost CMS Vulnerability Exploited to Hack 700+ Websites ∗∗∗
---------------------------------------------
A critical Ghost CMS vulnerability identified as CVE-2026-26980 has been exploited in a widespread cyber campaign that compromised more than 700 websites, including platforms associated with major institutions such as Harvard University, University of Oxford, and DuckDuckGo. [..] The flaw received a CVSS severity score of 9.4, highlighting the serious risks posed by CVE-2026-26980. The vulnerability was reportedly discovered by Anthropic using its Claude AI system. [..] Investigators noted that a DLL file involved in the campaign carried a compilation timestamp dated February 16, 2026 [..] The malicious activity was first detected on May 7, 2026.
---------------------------------------------
https://thecyberexpress.com/cve-2026-26980-ghost-cms-vulnerability/
∗∗∗ Github: Staged publishing and new install-time controls for NPM ∗∗∗
---------------------------------------------
Staged publishing is now generally available on npm. Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable.
---------------------------------------------
https://github.blog/changelog/2026-05-22-staged-publishing-and-new-install-…
∗∗∗ Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects ∗∗∗
---------------------------------------------
Socket researchers identified a coordinated supply chain campaign affecting eight packages on Packagist whose upstream repositories were modified to include the same malicious postinstall script. The script attempted to download a Linux binary from a GitHub Releases URL, save it to /tmp/.sshd, make it executable, and run it in the background.
---------------------------------------------
https://socket.dev/blog/malicious-postinstall-hook-found-across-700-github-…
∗∗∗ Fake software on GitHub and SourceForge distribute Deno RAT ∗∗∗
---------------------------------------------
We found fake installers and plugins for ChatGPT, Claude, AutoTune, and other popular software that can give attackers full control over your device. [..] The infection chain is usually started via MSI files or PowerShell scripts downloaded from GitHub or SourceForge in most of the analyzed cases.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-git…
∗∗∗ Call, WhatsApp, QR code: new phishing scheme affects Erste Bank customers ∗∗∗
---------------------------------------------
Criminals are currently posing as Erste Bank employees and asking their victims via WhatsApp to send them an activation QR code for George. Anyone who passes on the code gives the perpetrators access to the account.
---------------------------------------------
https://www.watchlist-internet.at/news/qr-code-erste-bank/
∗∗∗ Scammers have been sending scam mails from an official Microsoft address for months ∗∗∗
---------------------------------------------
Scammers are able to send messages via an official Microsoft e-mail address. The same address is also used to send two-factor authentication codes. [..] The sender address used is "msonlineservicesteam(a)microsoftonline.com".
---------------------------------------------
https://www.derstandard.at/story/3000000322088/betrueger-verschicken-seit-m…
∗∗∗ DBIR 2026: vulnerabilities as the most common entry point for attacks ∗∗∗
---------------------------------------------
Although the report (DBIR 2026) is still based on data from 2025 and thus predates the most recent advances in frontier AI models, the trends are clear: AI is fundamentally changing the cybersecurity industry. [..] Almost a third (31%) of all breaches begin with the exploitation of vulnerabilities.
---------------------------------------------
https://borncity.com/blog/2026/05/25/dbir-2026-sicherheitsluecken-sind-das-…
∗∗∗ 2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services ∗∗∗
---------------------------------------------
While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language underground.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-p…
∗∗∗ Six Signals for Threat Attribution ∗∗∗
---------------------------------------------
Credible threat attribution weighs six signals together. Each signal has a disciplined methodology behind it, with citations and stress tests to back the conclusions.
---------------------------------------------
https://zeltser.com/six-signals-for-threat-attribution
∗∗∗ Noroboto: Lying fonts and mitigation in Rust ∗∗∗
---------------------------------------------
The "noroboto.ttf" "lexploit" is straightforward: create a new malicious font definition which is embedded in a document according to the specification and lies about the Unicode representation of its glyphs.
---------------------------------------------
https://tritium.legal/blog/noroboto
∗∗∗ Detection Logic Bugs, Developing Context to Bypass MiniPlasma Rules ∗∗∗
---------------------------------------------
Recently, because of Nightmare-eclipse's Green Plasma and MiniPlasma variants, it's been a busy week. There are tons of community detection rules out there now. But as someone who practices Adversarial Detection Engineering, that is, hunting for bugs in detection logic, you know that small tweaks can bypass detection.
---------------------------------------------
https://detect.fyi/detection-logic-bugs-developing-context-to-bypass-minipl…
∗∗∗ Remove SPNs and Fix Kerberoasting ∗∗∗
---------------------------------------------
Remediate Kerberoasting vulnerabilities by removing SPNs for accounts that don't need them.
---------------------------------------------
https://projectblack.io/blog/remove-spn-fix-kerberoasting/
∗∗∗ NISG 2026: The practical 6-month roadmap for Austrian companies ∗∗∗
---------------------------------------------
1 October 2026 is not a soft target date. From that day on, the Network and Information Systems Security Act (NISG 2026) applies in full in Austria [..] This roadmap lays out concretely what needs to be done over the next 6 months, so that an IT manager or a managing director can start on it tomorrow.
---------------------------------------------
https://www.zettasecure.com//post//nisg-2026-fahrplan-oesterreich
=====================
= Vulnerabilities =
=====================
∗∗∗ Roundcube: Security updates 1.6.16 and 1.7.1 released ∗∗∗
---------------------------------------------
We just published security updates to the 1.6 LTS and 1.7 versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
---------------------------------------------
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
∗∗∗ Debian SE Linux and PinTheft ∗∗∗
---------------------------------------------
PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers. [..] We duped on this bug with some other teams and a patch is available so we are releasing our PoC.
---------------------------------------------
https://etbe.coker.com.au/2026/05/24/debian-selinux-pintheft/
∗∗∗ Splunk: SVD-2026-0504: Denial of Service through coldToFrozen.sh Script in Splunk Enterprise ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0504
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1074443/
∗∗∗ Synology-SA-26:10 Synology Chat Server ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_26_10
∗∗∗ MISP 2.5.38 - UI and security update ∗∗∗
---------------------------------------------
https://www.misp-project.org/2026/05/26/misp.2.5.38.released.html/
∗∗∗ Zyxel security advisory for missing authorization vulnerability in GS1200v3 series switches ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-05-2026 18:00 − Friday 22-05-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Qilin ransomware uses initial access from the ZipLine campaign: DACH recruiting domains in focus ∗∗∗
---------------------------------------------
We have indications that the Qilin ransomware group acquires initial access from actors of the ZipLine phishing campaign and reuses it for its own encryption and extortion operations. In Austria we already have confirmed cases. [..] In the DACH region we currently see mainly lure domains with a recruiting theme.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/5/zipline-qilin-raas
∗∗∗ A hacker group is poisoning open source code at an unprecedented scale ∗∗∗
---------------------------------------------
GitHub is just the latest victim of TeamPCP, a gang that has carried out a spree of software supply chain attacks. [..] Amid an epidemic of supply chain attacks like the ones TeamPCP has unleashed, Socket’s Burckhardt says open-source users will need to take trust-but-verify measures, like analyzing updates for malware before rolling them out across a network, as well as the kind of “cool-down” period that Read recommends before downloading and running code.
---------------------------------------------
https://arstechnica.com/information-technology/2026/05/a-hacker-group-is-po…
∗∗∗ Megalodon: Mass GitHub Repo Backdooring via CI Workflows ∗∗∗
---------------------------------------------
On May 18, 2026, an automated campaign codenamed megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. [..] 5,700+ commits in six hours, 5,561 repositories, one payload: replace a GitHub Actions workflow with a dormant secret exfiltration backdoor. The workflow_dispatch trigger design means these backdoors sit silent until activated, creating no visible CI runs.
---------------------------------------------
https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows
∗∗∗ Drupal: Critical SQL injection flaw now targeted in attacks ∗∗∗
---------------------------------------------
Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/drupal-critical-sql-injectio…
∗∗∗ Google API keys keep working after you delete them long enough to be exploited ∗∗∗
---------------------------------------------
When you delete a Google API key, it says it’s immediately deleted. Our testing says ~23 minutes. During that window, an attacker with a leaked key keeps access to your data and enabled APIs (including Gemini). You have no way to revoke it faster or confirm when it stops working. Google closed our report as “won’t fix”.
---------------------------------------------
https://www.aikido.dev/blog/google-api-keys-deletion
∗∗∗ Paved With Intent: ROADtools and Nation-State Tactics in the Cloud ∗∗∗
---------------------------------------------
Open-source framework ROADtools is being misused by threat actors for cloud intrusions. [..] ROADtools is an open-source framework written in Python and built for red-teaming and research. It primarily targets the identity and authentication layers of Azure, and focuses on how accounts, applications and tokens operate in tenants.
---------------------------------------------
https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/
∗∗∗ CISA to allow researchers to report vulnerabilities to exploited bugs catalog ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) announced the creation of a nomination form on Thursday that they said enables “researchers, vendors, and industry partners” to report bugs that need to be added to the Known Exploited Vulnerabilities catalog.
---------------------------------------------
https://therecord.media/cisa-to-allow-researchers-to-report-vulnerabilities…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ubiquiti patches three max severity UniFi OS vulnerabilities ∗∗∗
---------------------------------------------
Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. [..]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ubiquiti-patches-three-max-s…
∗∗∗ Trend Micro Apex One and Langflow: warning of attacks ∗∗∗
---------------------------------------------
The vulnerability in Trend Micro's Apex One that is under attack is closed by the May updates the vendor published on Thursday of this week. [..] In Langflow, it is a chained vulnerability that allows account takeover and remote execution of malicious code.
---------------------------------------------
https://www.heise.de/news/Schwachstellen-in-Trend-Micro-Apex-One-und-Langfl…
∗∗∗ Notepad++: Update fixes vulnerability in the installer ∗∗∗
---------------------------------------------
Notepad++ closes a security vulnerability in the installer in the new version 8.9.6. The risk rating is not yet clear, and a listed CVE entry has not yet been published.
---------------------------------------------
https://www.heise.de/news/Notepad-Update-bessert-Schwachstelle-im-Installer…
∗∗∗ FatGid - FreeBSD 14.x kernel LPE ∗∗∗
---------------------------------------------
A kernel stack buffer overflow exists in the setcred(2) system call introduced in FreeBSD 14.x. The overflow occurs before any privilege check, allowing any unprivileged local user to trigger arbitrary behaviour ranging from a kernel panic to full local privilege escalation. [..] The FreeBSD Security Team published FreeBSD-SA-26:18.setcred on 2026-05-21 with the assigned identifier CVE-2026-45250. Patches landed across all supported branches on 2026-05-20.
---------------------------------------------
https://fatgid.io/
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1074040/
∗∗∗ Tenable: [R1] Sensor Proxy Version 1.4.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-15
∗∗∗ Openwall: CVE-2026-47243: Kata Containers guest-root to host-root escape via virtiofs ∗∗∗
---------------------------------------------
https://www.openwall.com/lists/oss-security/2026/05/21/14
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-05-2026 18:00 − Thursday 21-05-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Hackers bypass SonicWall VPN MFA due to incomplete patching ∗∗∗
---------------------------------------------
Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. [..] SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-bypass-sonicwall-vpn…
∗∗∗ A New SonicWall Scanning Spike Echoes the Pattern That Preceded CVE-2026-0400 ∗∗∗
---------------------------------------------
Between May 9 and May 18, 2026, GreyNoise observed a significant new spike in scanning of SonicWall SonicOS management interfaces. The May 12 peak — approximately 597,000 sessions — was the largest single-day total recorded on the SonicWall SonicOS API Scanner tag in the past 90 days, roughly 46× the typical daily volume for this tag in the 30 days before the elevation.
---------------------------------------------
https://www.greynoise.io/blog/sonicwall-scanning-spike-echoes-pattern-prece…
∗∗∗ Google publishes exploit code threatening millions of Chromium users ∗∗∗
---------------------------------------------
Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase [..] The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user’s browser usage and as a proxy for viewing sites and launching denial-of-service attacks. [..] The unfixed vulnerability can be exploited by any website a user visits. [..] Users of Chromium browsers should be suspicious of download dropdowns that appear for no reason.
---------------------------------------------
https://arstechnica.com/security/2026/05/google-publishes-exploit-code-thre…
∗∗∗ Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach ∗∗∗
---------------------------------------------
Users of the Myspace93 parody web art site be warned: the dataset spilled after a reported breach in 2021 included the plaintext usernames and passwords of more than 46,000 registered users. [..] In addition to the clear-as-day passwords and usernames, HIBP said email addresses and IP addresses were also among the exposed data.
---------------------------------------------
https://www.theregister.com/security/2026/05/21/46k-plaintext-passwords-pwn…
∗∗∗ The npm Threat Landscape: Attack Surface and Mitigations (Updated May 20) ∗∗∗
---------------------------------------------
Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
∗∗∗ Webworm: New burrowing techniques ∗∗∗
---------------------------------------------
ESET researchers analyzed the 2025 activity of Webworm, a China-aligned APT group that started out targeting organizations in Asia, but has recently shifted its focus to Europe.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techn…
∗∗∗ Europe dismantles VPN service used by cybercriminals to hide ransomware attacks ∗∗∗
---------------------------------------------
The international operation targeted a service known as First VPN, which had been marketed for years on Russian-speaking cybercrime forums as a secure way for criminals to evade law enforcement.
---------------------------------------------
https://therecord.media/europe-dismantles-first-vpn
∗∗∗ Microsoft warns of Defender 0-days and patches them ∗∗∗
---------------------------------------------
On 19 May 2026, Microsoft closed two 0-day vulnerabilities, CVE-2026-41091 and CVE-2026-45498, in Defender through an update of the Defender Antimalware Platform. The vulnerabilities affected Defender Antimalware Platform version 4.18.26030.3011 and older.
---------------------------------------------
https://borncity.com/blog/2026/05/21/microsoft-warnt-vor-defender-0-days-un…
∗∗∗ Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740 ∗∗∗
---------------------------------------------
For this post, we're going to look at the last of the four unpatchable Kubernetes CVEs, CVE-2021-25740, which relates to how Kubernetes ingress or LoadBalancer features can be abused to bypass network security controls in a cluster.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerab…
=====================
= Vulnerabilities =
=====================
∗∗∗ Atlassian security patches: Bamboo, Confluence & Co. are vulnerable ∗∗∗
---------------------------------------------
Attackers can target several software vulnerabilities in, among others, Atlassian Bamboo Data Center and Server, Confluence Data Center and Server, and Jira Data Center and Server, and in the worst case fully compromise affected systems. Security updates are available.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatches-Atlassian-Bamboo-Confluence-Co…
∗∗∗ Nvidia graphics drivers vulnerable on Linux and Windows ∗∗∗
---------------------------------------------
If attackers successfully exploit vulnerabilities in Nvidia's graphics driver, they can crash services, access information without authorization, or even execute malicious code. Patched versions for Linux and Windows are available for download. The developers have also closed holes in the vGPU software.
---------------------------------------------
https://www.heise.de/news/Grafikkartentreiber-von-Nvidia-unter-Linux-und-Wi…
∗∗∗ Critical vulnerability in Drupal Core - updates available ∗∗∗
---------------------------------------------
An SQL injection vulnerability exists in the database abstraction API of Drupal Core. Specially crafted requests can lead to arbitrary SQL injection. The vulnerability is relevant only to Drupal installations that use PostgreSQL as their database, and can be exploited without authentication by anonymous users.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/5/kritische-sicherheitslucke-in-drupa…
∗∗∗ Cisco Secure Workload Unauthorized API Access Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Splunk: SVD-2026-0515: Third-Party Package Updates in Splunk User Behavior Analytics - May 2026 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0515
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073860/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-05-2026 18:00 − Wednesday 20-05-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Data theft: hackers claim to have plundered 4,000 private GitHub repos ∗∗∗
---------------------------------------------
The cyber gang TeamPCP is putting GitHub under pressure. It claims to have obtained data from thousands of private code repos and is now offering it for sale.
---------------------------------------------
https://www.golem.de/news/datenklau-hacker-wollen-4-000-private-github-repo…
∗∗∗ Microsoft shares mitigation for YellowKey Windows zero-day ∗∗∗
---------------------------------------------
Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation…
∗∗∗ Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOS ∗∗∗
---------------------------------------------
The SHub Reaper stealer, which hides behind fake WeChat and Miro installers, marks a shift from ClickFix social engineering to Apple script-based execution.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/stealer-spoofs-google-micro…
∗∗∗ How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102) ∗∗∗
---------------------------------------------
We explain how a flaw in ExifTool allows attackers to compromise macOS systems via a malicious image (CVE-2026-3102).
---------------------------------------------
https://securelist.com/exiftool-compromise-mac/119866/
∗∗∗ Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users. The activity, per HUMAN's Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud.
---------------------------------------------
https://thehackernews.com/2026/05/trapdoor-android-ad-fraud-scheme-hit.html
∗∗∗ Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware ∗∗∗
---------------------------------------------
Thousands of US victims, including 12+ machines owned and operated by Redmond.
---------------------------------------------
https://www.theregister.com/security/2026/05/19/microsoft-disrupts-alleged-…
∗∗∗ New phishing scam: refund after a booking.com "error" as bait ∗∗∗
---------------------------------------------
Criminals send WhatsApp messages in which they pose as a hotel's guest services and promise a refund. Supposedly an incorrect amount was charged due to a technical error at booking.com. Particularly problematic: the key details match a real booking! Anyone who follows the trap that has been set ends up handing their online banking login credentials to the perpetrators.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-gutschrift-booking/
∗∗∗ Tracking TamperedChef Clusters via Certificate and Code Reuse ∗∗∗
---------------------------------------------
Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets.
---------------------------------------------
https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/
∗∗∗ Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network ∗∗∗
---------------------------------------------
There is no evidence that the incident has recurred, but the flaw remains unexplained and has not been publicly acknowledged by the company.
---------------------------------------------
https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom…
∗∗∗ How OLTs may have exposed entire ISP networks ∗∗∗
---------------------------------------------
This is the fifteenth article I have written over the past three years at Quarkslab, and without a doubt, it has been the most thrilling and fun to put together. The hidden world of ISP (Internet Service Provider) network security might sound complex, but what I am about to reveal could shake up how you see network defenses. In this post, I dive deep into how vulnerabilities in critical devices can lead to the complete takeover of service provider networks.
---------------------------------------------
http://blog.quarkslab.com/how-olts-may-have-exposed-entire-isp-networks.html
∗∗∗ durabletask: TeamPCP's Latest PyPI Compromise ∗∗∗
---------------------------------------------
Discover the latest on malicious versions of the PyPI package durabletask, matching TeamPCP tactics.
---------------------------------------------
https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack
∗∗∗ Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor ∗∗∗
---------------------------------------------
Socket's Threat Research Team identified a malicious Go module published as github.com/shopsprint/decimal, a typosquat of the widely used github.com/shopspring/decimal arbitrary precision arithmetic library. The typosquatted module has been present in the Go ecosystem since 2017-11-08 and was weaponized on 2023-08-19 when version v1.3.3 added a malicious init() function that opens a DNS TXT record command and control channel to a threat actor controlled subdomain on a free dynamic DNS provider.
---------------------------------------------
https://socket.dev/blog/popular-go-decimal-library-typosquat-dns-backdoor?u…
=====================
= Vulnerabilities =
=====================
∗∗∗ Max-severity flaw in ChromaDB for AI apps allows server hijacking ∗∗∗
---------------------------------------------
A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/max-severity-flaw-in-chromad…
∗∗∗ Node.js: four critical vulnerabilities with maximum rating closed in vm2 ∗∗∗
---------------------------------------------
Attackers can once again break out of the Node.js sandbox vm2 and execute malicious code on the host system. Security updates provide a remedy.
---------------------------------------------
https://www.heise.de/news/Node-js-Vier-kritische-Sicherheitsluecken-mit-Hoe…
∗∗∗ Hundreds of malicious npm packages discovered in the AntV ecosystem ∗∗∗
---------------------------------------------
In a new Mini-Shai-Hulud supply chain attack, threat actors distributed more than 600 malicious versions of npm packages on 19 May. The main target of the attack was the data visualization ecosystem AntV. The infected versions have since been removed.
---------------------------------------------
https://heise.de/-11300242
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073713/
∗∗∗ MISP 2.5.38 - UI and security update ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.38
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-05-2026 18:00 − Tuesday 19-05-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Pre-announcement: critical vulnerability in Drupal Core - patch available on 20 May 2026 ∗∗∗
---------------------------------------------
Drupal has published a pre-announcement of a vulnerability in Drupal Core rated as critical. A security update will be provided for all supported release branches on 20 May 2026 between 19:00 and 23:00 CEST. At the time of this pre-announcement, no details about the vulnerability and no patch are available.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/5/drupal-critical-preannounce
∗∗∗ GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials ∗∗∗
---------------------------------------------
In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server.
---------------------------------------------
https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html
∗∗∗ Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace. The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations.
---------------------------------------------
https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
∗∗∗ DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ∗∗∗
---------------------------------------------
Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).
---------------------------------------------
https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html
∗∗∗ Cyberattack on Grafana: extortionists copy source code and threaten to leak it ∗∗∗
---------------------------------------------
Grafana Labs has become the victim of a cyberattack. The attackers had access to Grafana's code base, which includes all source and configuration files belonging to a project, so evidently more than the open-source application already exposes publicly on GitHub. [..] The developers assure that, according to current knowledge, no customer data or personal data of employees are affected by the incident.
---------------------------------------------
https://www.heise.de/news/Cyberattacke-Angreifer-kopieren-Sourcecode-von-Gr…
∗∗∗ CISA Admin Leaked AWS GovCloud Keys on Github ∗∗∗
---------------------------------------------
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
---------------------------------------------
https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-…
∗∗∗ 32-year-old SMS fraudster arrested in Vienna ∗∗∗
---------------------------------------------
Investigators of the Vienna State Criminal Police Office have struck a blow against suspected cybercriminals who allegedly sent millions of fraudulent phishing SMS messages via so-called "SMS blasters". Since 6 April, the phishing SMS messages are said to have been sent particularly at larger events. On 14 May, a suspect was identified and arrested by Cobra officers. [..] The devices used are so-called "SMS blasters". The device imitates mobile network cells or uses mobile networks in an automated way. This allows thousands of messages to be sent simultaneously to mobile phones in the vicinity.
---------------------------------------------
https://www.derstandard.at/story/3000000321362/32-jaehriger-sms-betrueger-i…
∗∗∗ Microsoft Details Storm-2949 Cloud Attack on Azure and Microsoft 365 ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence has disclosed details of a cyberattack carried out by a threat actor tracked as Storm-2949, which escalated from a targeted identity compromise into a large-scale breach of cloud infrastructure and sensitive enterprise systems. The campaign focused heavily on data theft from Microsoft 365 services, Azure-hosted production environments, and cloud storage resources, demonstrating how compromised identities can become gateways to an organization’s entire cloud ecosystem.
---------------------------------------------
https://thecyberexpress.com/microsoft-storm-2949-azure-m365-cloud-breach/
∗∗∗ When Filenames Become Attack Surfaces: Weaponizing NASA's CFITSIO Extended Filename Syntax ∗∗∗
---------------------------------------------
This research was recently presented at BSides Luxembourg 2026. This blogpost documents our findings presented during the talk. [..] We’ll focus on perfectly documented features, useful during file processing, but chained together to achieve some unexpected offensive primitives.
---------------------------------------------
https://blog.doyensec.com/2026/05/19/cfitsio-weaponized-filenames.html
=====================
= Vulnerabilities =
=====================
∗∗∗ SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access ∗∗∗
---------------------------------------------
Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. [..] One significant hurdle that an attacker must overcome to achieve remote code execution is that syslogd re-reads the configuration only upon receiving the SIGHUP (aka "signal hang up") signal.
---------------------------------------------
https://thehackernews.com/2026/05/seppmail-secure-e-mail-gateway.html
∗∗∗ Linux kernel flaw opens root-only files to unprivileged users ∗∗∗
---------------------------------------------
Despite its official designation, a demo exploit on GitHub calls it ssh-keysign-pwn. It is not quite as catchy a name as Copy Fail, or Dirty Frag, or indeed Fragnesia, but we feel it is safe to say it hasn't been a good month. [..] The good news is that it's already been fixed [..] This time, the culprit is CVE-2026-46333, a local kernel vulnerability that lets an unprivileged user read files they should not be able to access, including those normally available only to root. An attacker who already has login access to an affected machine could therefore potentially grab SSH keys, password files, or other confidential credentials.
---------------------------------------------
https://www.theregister.com/security/2026/05/18/linux-kernel-flaw-opens-roo…
∗∗∗ TYPO3 Security Advisories 19.05.2026 ∗∗∗
---------------------------------------------
TYPO3 has released security advisories for ceselector, tt_address, ke_search, news, crawler and sf_register.
---------------------------------------------
https://typo3.org/security
∗∗∗ Mozilla Foundation Security Advisories for Firefox 19.05.2026 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073542/
∗∗∗ DFIR-IRIS advisories ∗∗∗
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/3b38de4446b06c28191ae872bb…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 15-05-2026 18:00 − Monday 18-05-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing ∗∗∗
---------------------------------------------
The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-…
∗∗∗ Recent Kernel exploits, attack surface reduction, example IPSEC ∗∗∗
---------------------------------------------
Several of the recent kernel exploits have affected the "esp" Linux Kernel module. ESP is, as far as I understand, part of IPSEC, and I think it's fair to say that IPSEC is not widely used these days.
---------------------------------------------
https://www.openwall.com/lists/oss-security/2026/05/16/3
∗∗∗ NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE ∗∗∗
---------------------------------------------
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.
---------------------------------------------
https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.ht…
∗∗∗ Microsoft Edge: No more plaintext passwords in the browser process ∗∗∗
---------------------------------------------
Microsoft's Edge used to load all passwords from the password manager at startup and keep them in plaintext. Not anymore.
---------------------------------------------
https://www.heise.de/news/Microsoft-Edge-Keine-Klartext-Passwoerter-mehr-im…
∗∗∗ Microsoft rejects critical Azure vulnerability report, no CVE issued ∗∗∗
---------------------------------------------
A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report, and without issuing a CVE. Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that "no product changes were made," despite the researcher documenting a silent fix.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-rejects-critical-a…
∗∗∗ Fake mail: Alleged PayPal payment leads into a phishing trap ∗∗∗
---------------------------------------------
Fraudulent e-mails are currently circulating that purport to come from PayPal and report a large payment. Anyone who is startled and clicks without thinking ends up on a fake website!
---------------------------------------------
https://www.watchlist-internet.at/news/angebliche-paypal-zahlung-klicks/
∗∗∗ Hackers Use PyInstaller and AMSI Patching to Deliver XWorm RAT v7.4 ∗∗∗
---------------------------------------------
Hackers are hiding XWorm malware in PyInstaller files to bypass Windows security, steal data and remotely control devices through ads.
---------------------------------------------
https://hackread.com/hackers-pyinstaller-amsi-patching-xworm-rat-v7-4/
∗∗∗ Welcome to BlackFile: Inside a Vishing Extortion Operation ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand, that targets organizations via sophisticated voice phishing (vishing) and single sign-on (SSO) compromise.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Researcher escalates: Dangerous zero-day exploit for Windows leaked ∗∗∗
---------------------------------------------
The exploit, called Miniplasma, abuses a Windows flaw that should actually have been patched since 2020. That is evidently not the case. [..] The security researcher known as Chaotic Eclipse, who had recently disclosed several unpatched flaws in Windows, has published a new exploit for it. Attackers are said to be able to gain SYSTEM privileges on Windows with it. [..] According to Chaotic Eclipse, the exploit was tested on Windows 11 and Windows Server 2025. In both cases it reportedly works despite a current patch level and starts a shell with SYSTEM privileges. The researcher assumes that all Windows versions are affected.
---------------------------------------------
https://www.golem.de/news/forscher-eskaliert-gefaehrlicher-zero-day-exploit…
∗∗∗ Microsoft Exchange: Zero-day vulnerability under attack ∗∗∗
---------------------------------------------
In the vulnerability description, Microsoft explains that the issue is insufficient filtering of input during web page generation, a cross-site scripting vulnerability. It allows unauthenticated attackers from the network to carry out spoofing attacks (CVE-2026-42897, CVSS 8.1, risk "high"). Microsoft nevertheless rates the severity as "critical". A blog post by Microsoft's Exchange team explains this, as well as the countermeasures, in somewhat more detail.
---------------------------------------------
https://www.heise.de/news/Microsoft-Exchange-Zero-Day-Luecke-wird-angegriff…
∗∗∗ Microsoft Authenticator: Critical vulnerability enables token theft ∗∗∗
---------------------------------------------
Microsoft warns of a vulnerability in Authenticator. Attackers can capture sign-in tokens and use them to gain access. [..] To abuse the flaw, attackers must get a victim to interact with a legitimate-looking malicious request. [..] Updated versions of Microsoft's Authenticator are available in the respective app stores.
---------------------------------------------
https://www.heise.de/news/Microsoft-Authenticator-Kritische-Sicherheitsluec…
∗∗∗ PostgreSQL: Updates plug high-risk security holes ∗∗∗
---------------------------------------------
The PostgreSQL developers write in a release announcement that the newly available versions 18.4, 17.10, 16.14, 15.18 and 14.23 fix a total of eleven vulnerabilities.
---------------------------------------------
https://www.heise.de/news/PostgreSQL-Updates-stopfen-hochriskante-Sicherhei…
∗∗∗ LWN: Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073356/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 13-05-2026 18:00 − Friday 15-05-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ West Pharmaceutical says hackers stole data, encrypted systems ∗∗∗
---------------------------------------------
West Pharmaceutical Services disclosed that it was the target of a cyberattack that resulted in data exfiltration and system encryption.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/west-pharmaceutical-says-hac…
∗∗∗ KongTuke hackers now use Microsoft Teams for corporate breaches ∗∗∗
---------------------------------------------
Initial access broker KongTuke has moved to Microsoft Teams for social engineering attacks, taking as little as five minutes to gain persistent access to corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kongtuke-hackers-now-use-mic…
∗∗∗ Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution ∗∗∗
---------------------------------------------
Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/inside-the-remus-infostealer…
∗∗∗ SOHO router attack by APT28 ∗∗∗
---------------------------------------------
A few weeks ago, one particular large-scale cyber-attack hit the mainstream news everywhere. Russian cyber actor APT28 attacked SOHO routers and managed to compromise some credentials through that. The attack itself was carried out in multiple phases and was quite interesting.
---------------------------------------------
https://en.blog.nic.cz/2026/05/14/soho-router-attack-by-apt28/
∗∗∗ Kimsuky targets organizations with PebbleDash-based tools ∗∗∗
---------------------------------------------
Kaspersky researchers analyze a range of new PebbleDash-based tools used in recent Kimsuky campaigns and reveal their connection to the AppleSeed malware cluster.
---------------------------------------------
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
∗∗∗ How AI Hallucinations Are Creating Real Security Risks ∗∗∗
---------------------------------------------
AI hallucinations are introducing serious security risks into critical infrastructure decision-making by exploiting human trust through highly confident yet incorrect outputs.
---------------------------------------------
https://thehackernews.com/2026/05/how-ai-hallucinations-are-creating-real.h…
∗∗∗ PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure ∗∗∗
---------------------------------------------
Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent orchestration framework, within four hours of its public disclosure.
---------------------------------------------
https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html
∗∗∗ FrostyNeighbor: Fresh mischief and digital shenanigans ∗∗∗
---------------------------------------------
ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group’s continual cyberespionage operations.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischi…
∗∗∗ Device Code Phishing via Fake File-Sharing Invitation ∗∗∗
---------------------------------------------
Truesec has observed a phishing attempt where a customer received an email claiming that a sender wanted to share a document. The message prompted the recipient to click “Open”, which redirected the user to a website designed to appear legitimate.
---------------------------------------------
https://www.truesec.com/hub/blog/device-code-phishing-via-fake-file-sharing…
∗∗∗ China-Linked Twill Typhoon Uses Fake Apple and Yahoo Sites for Espionage ∗∗∗
---------------------------------------------
A new Darktrace report reveals how Chinese hackers use fake Apple and Yahoo sites and the FDMTP malware framework to spy on organisations.
---------------------------------------------
https://hackread.com/chinatwill-typhoon-fake-apple-yahoo-sites-espionage/
∗∗∗ FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit ∗∗∗
---------------------------------------------
Bitdefender Labs reveals how the China-linked FamousSparrow hacking group targeted an Azerbaijani energy firm using ProxyNotShell, Deed RAT, and Terndoor malware across three persistent waves.
---------------------------------------------
https://hackread.com/famoussparrow-oil-gas-ms-exchange-server-exploit/
∗∗∗ CalPhishing Scam Uses EvilTokens Kit, Outlook Invites to Steal M365 Sessions ∗∗∗
---------------------------------------------
Hackers are exploiting Outlook calendar invites and device code phishing to steal M365 session tokens, bypass MFA and breach enterprise accounts.
---------------------------------------------
https://hackread.com/calphishing-eviltokens-kit-outlook-invites-m365/
∗∗∗ Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive ∗∗∗
---------------------------------------------
One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to criminals while the website looks secure and continues to work as normal. That creates serious organisational risk: PCI exposure, regulatory consequences, reputational damage, and a breach that remains invisible until long after the damage is done.
---------------------------------------------
https://scotthelme.ghost.io/anatomy-of-a-woocommerce-skimmer-a-technical-de…
∗∗∗ Backdoored Cemu release linked to TanStack and Mistral supply chain campaign ∗∗∗
---------------------------------------------
We investigate how a coordinated supply chain campaign that compromised npm and PyPI packages also backdoored the official Cemu Nintendo Wii U emulator GitHub release, reaching nearly 20,000 Linux users.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/backdoored-cemu-release-teampcp…
∗∗∗ Backdoored node-ipc npm releases steal developer credentials through DNS queries ∗∗∗
---------------------------------------------
An analysis of backdoored node-ipc npm releases that add an obfuscated credential collection and DNS exfiltration payload to the CommonJS entrypoint.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/node-ipc-npm-malware-analysis/
∗∗∗ New critical Exim mailer flaw allows remote code execution ∗∗∗
---------------------------------------------
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-critical-exim-mailer-fla…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fragnesia: Yet another dangerous root vulnerability in the Linux kernel ∗∗∗
---------------------------------------------
Dirty Frag and Copy Fail are already keeping countless Linux admins busy. The next root vulnerability has already been identified, and the patches are late.
---------------------------------------------
https://www.golem.de/news/fragnesia-schon-wieder-gefaehrliche-root-luecke-i…
∗∗∗ Web servers at risk: 18-year-old vulnerability discovered in Nginx ∗∗∗
---------------------------------------------
Nginx web servers can reportedly be crashed through a flaw that has been present since 2008. In some cases, code execution is apparently possible as well.
---------------------------------------------
https://www.golem.de/news/webserver-gefaehrdet-18-jahre-alte-sicherheitslue…
∗∗∗ Update fixes 79 security vulnerabilities in Google Chrome ∗∗∗
---------------------------------------------
The weekly Chrome update closes a total of 79 security vulnerabilities. Of these, 14 are rated critical.
---------------------------------------------
https://www.heise.de/news/Update-stopft-79-Sicherheitsluecken-in-Google-Chr…
∗∗∗ Patch now! Attackers are targeting Cisco Catalyst SD-WAN Controller ∗∗∗
---------------------------------------------
Attackers are currently exploiting a critical vulnerability in Cisco Catalyst SD-WAN Controller. Security updates are available.
---------------------------------------------
https://heise.de/-11294491
∗∗∗ Ivanti EPM: Vulnerabilities enable SQL injection and privilege escalation ∗∗∗
---------------------------------------------
Ivanti warns of three vulnerabilities in Endpoint Manager (EPM). They enable SQL injection or privilege escalation.
---------------------------------------------
https://heise.de/-11294605
∗∗∗ VMware Fusion: Attackers can obtain root privileges ∗∗∗
---------------------------------------------
If attackers successfully exploit a vulnerability in VMware Fusion, they can, under certain conditions, obtain root user privileges. The developers have now closed the hole.
---------------------------------------------
https://heise.de/-11294685
∗∗∗ F5 BIG-IP: Quarterly security update closes numerous vulnerabilities ∗∗∗
---------------------------------------------
Network equipment vendor F5 has released important security updates, among others for various BIG-IP products.
---------------------------------------------
https://heise.de/-11294929
∗∗∗ Zero-click vulnerability in Outlook: Attackers can compromise systems via e-mail ∗∗∗
---------------------------------------------
Merely sending an e-mail is enough to get malicious code executed via Microsoft Outlook. Clicking a link is not necessary.
---------------------------------------------
https://www.golem.de/news/zero-click-luecke-in-outlook-angreifer-koennen-sy…
∗∗∗ Mdash: Microsoft's AI finds four critical vulnerabilities in Windows ∗∗∗
---------------------------------------------
Microsoft's MDash project is said to be even better at finding security vulnerabilities than Anthropic's Claude Mythos.
---------------------------------------------
https://www.golem.de/news/mdash-microsofts-ki-findet-vier-kritische-luecken…
∗∗∗ telnetd 2.7 Buffer Overflow ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2026050010
∗∗∗ WPS Office improper access restriction to its named pipe ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN14434132/
∗∗∗ Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Catalyst SD-WAN Manager Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Crosswork Network Controller and Cisco Network Services Orchestrator Advisory ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [R1] Tenable Network Monitor 6.5.4 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-14
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1072838/
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073059/