=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-05-2026 18:00 − Wednesday 13-05-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation ∗∗∗
---------------------------------------------
A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting.
---------------------------------------------
https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.h…
∗∗∗ Attack bypasses BitLocker via the Windows Recovery Environment ∗∗∗
---------------------------------------------
BitLocker is supposed to protect confidential data even against physical attacks. The Windows Recovery Environment undermines that protection.
---------------------------------------------
https://www.heise.de/news/Angriff-umgeht-BitLocker-mittels-Windows-Recovery…
∗∗∗ Data breach at Best Western Hotels: hackers were able to siphon off booking data for months ∗∗∗
---------------------------------------------
Attackers were apparently able to roam undisturbed in Best Western Hotels' systems for around half a year and exfiltrate hotel guests' data.
---------------------------------------------
https://www.golem.de/news/best-western-hotels-hacker-konnten-monatelang-auf…
∗∗∗ RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded ∗∗∗
---------------------------------------------
RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack."
---------------------------------------------
https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html
∗∗∗ Thus Spoke…The Gentlemen ∗∗∗
---------------------------------------------
The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates.
---------------------------------------------
https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
∗∗∗ Claude Code RCE: Exploiting Deeplink Handlers via Settings Injection ∗∗∗
---------------------------------------------
Of course I took a peek at the Claude Code source.
---------------------------------------------
https://0day.click/recipe/2026-05-12-cc-rce/
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Patch Day: critical DNS client vulnerability threatens Windows ∗∗∗
---------------------------------------------
Microsoft has released important security updates for Azure, Edge, Office and Windows, among others. Many of the vulnerabilities were discovered with AI agents.
---------------------------------------------
https://www.heise.de/news/Patchday-Microsoft-Kritische-DNS-Client-Luecke-be…
∗∗∗ Patch Day: Adobe closes more than 50 vulnerabilities in After Effects & Co. ∗∗∗
---------------------------------------------
Important security updates fix various Adobe applications. So far there are no reports of ongoing attacks.
---------------------------------------------
https://heise.de/-11292536
∗∗∗ Fortinet plugs eleven security vulnerabilities in several products ∗∗∗
---------------------------------------------
Fortinet has released eleven security patches together for "Patch Tuesday". Two of the flaws are rated critical.
---------------------------------------------
https://heise.de/-11292861
∗∗∗ 1,000,000 WordPress Sites Affected by Arbitrary File Read and SQL Injection Vulnerabilities in Avada Builder WordPress Plugin ∗∗∗
---------------------------------------------
On March 21st, 2026, we received a submission for an Arbitrary File Read and an SQL Injection vulnerability in Avada Builder, a WordPress plugin with an estimated 1,000,000 active installations.
---------------------------------------------
https://www.wordfence.com/blog/2026/05/1000000-wordpress-sites-affected-by-…
∗∗∗ New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution ∗∗∗
---------------------------------------------
Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution.
---------------------------------------------
https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1072596/
∗∗∗ NCSC-2026-0147 [1.00] [M/H] Vulnerabilities resolved in Siemens products ∗∗∗
---------------------------------------------
https://advisories.ncsc.nl/advisory?id=NCSC-2026-0147
∗∗∗ FortiGuard Labs: Improper access control on API endpoints ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-128
∗∗∗ FortiGuard Labs: Incorrect global authorization ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-136
∗∗∗ FortiGuard Labs: Out-of-bounds access in CAPWAP daemon ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-123
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-05-2026 18:00 − Tuesday 12-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New GhostLock tool abuses Windows API to block file access ∗∗∗
---------------------------------------------
A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ghostlock-tool-abuses-wi…
∗∗∗ Cyberattack hits vehicle manufacturer: Skoda customer data compromised ∗∗∗
---------------------------------------------
An unknown attacker infiltrated a shop system used by Skoda and was able to access customer data. Login credentials are also affected.
---------------------------------------------
https://www.golem.de/news/cyberangriff-trifft-fahrzeughersteller-kundendate…
∗∗∗ Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ∗∗∗
---------------------------------------------
Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation.
---------------------------------------------
https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.ht…
∗∗∗ cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ∗∗∗
---------------------------------------------
The exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments has been attributed to a threat actor named Mr_Rot13.
---------------------------------------------
https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html
∗∗∗ Verification portal for gift cards? How a quick check drains the balance ∗∗∗
---------------------------------------------
Anyone who, in the course of a private online sale, is pressured to verify gift cards bought for payment on a dubious portal should call off the deal immediately. Nothing is actually checked there; the platform is merely a convenient way for criminals to get at the balance on the cards.
---------------------------------------------
https://www.watchlist-internet.at/news/pruefportal-fuer-gutscheinkarten/
∗∗∗ Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign ∗∗∗
---------------------------------------------
Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service.
---------------------------------------------
https://www.security.com/threat-intelligence/iran-seedworm-electronics
=====================
= Vulnerabilities =
=====================
∗∗∗ SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA ∗∗∗
---------------------------------------------
SAP has released the May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in the Commerce Cloud enterprise-grade e-commerce platform and the S/4HANA ERP suite.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sap-fixes-critical-vulnerabi…
∗∗∗ VU#471747: dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation ∗∗∗
---------------------------------------------
dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities.
---------------------------------------------
https://kb.cert.org/vuls/id/471747
∗∗∗ Anonymising Linux Tails: emergency update 7.7.3 fixes DirtyFrag vulnerability ∗∗∗
---------------------------------------------
The anonymising Linux distribution Tails has been released as the next emergency update in version 7.7.3. It closes the DirtyFrag vulnerability.
---------------------------------------------
https://www.heise.de/news/Anonymisierendes-Linux-Tails-Notfallupdate-7-7-3-…
∗∗∗ Node.js: escape from the vm2 sandbox possible once again ∗∗∗
---------------------------------------------
A critical security vulnerability in the Node.js sandbox vm2 can let malicious code through. A security patch is available for download.
---------------------------------------------
https://www.heise.de/news/Node-js-Abermals-Ausbruch-aus-vm2-Sandbox-moeglic…
∗∗∗ OpenSearch client for Node.js is also compromised – part 2 ∗∗∗
---------------------------------------------
The bad news keeps coming today. In the post "Neuer Shai-Hulud Lieferkettenangriff auf npm tanstack-Pakete; CheckMarx Jenkins-Paket infiziert" I had reported on two supply-chain attacks of the last two hours. The mini Shai-Hulud supply-chain attack on npm tanstack packages has expanded, and the OpenSearch client for Node.js is also compromised.
---------------------------------------------
https://borncity.com/blog/2026/05/12/opensearch-client-fuer-node-js-ist-auc…
∗∗∗ May 2026 Security Update ∗∗∗
---------------------------------------------
Ivanti is disclosing vulnerabilities in Ivanti Secure Access Client, Xtraction, Virtual Traffic Manager and Endpoint Manager (EPM).
---------------------------------------------
https://www.ivanti.com/blog/may-2026-security-update
∗∗∗ Postmortem: TanStack npm supply-chain compromise ∗∗∗
---------------------------------------------
On 2026-05-11 between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages by combining: the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. No npm tokens were stolen and the npm publish workflow itself was not compromised.
---------------------------------------------
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
∗∗∗ Pi-hole update closes dnsmasq security vulnerabilities ∗∗∗
---------------------------------------------
https://www.heise.de/news/Pi-hole-Update-schliesst-dnsmasq-Sicherheitslueck…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1072498/
∗∗∗ Firefox 150.0.3 fixes password printing bug ∗∗∗
---------------------------------------------
https://borncity.com/blog/2026/05/12/firefox-150-0-3-korrigiert-passwort-dr…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-05-2026 18:00 − Monday 11-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Hackers abuse Google ads, Claude.ai chats to push Mac malware ∗∗∗
---------------------------------------------
Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for "Claude mac download" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-cla…
∗∗∗ Messenger: how Signal plans to make phishing attacks harder ∗∗∗
---------------------------------------------
After the messenger app Signal became the target of a phishing attack aimed at politicians, among others, such attacks are to be made more difficult.
---------------------------------------------
https://www.golem.de/news/messenger-so-will-signal-phishing-angriffe-erschw…
∗∗∗ Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads ∗∗∗
---------------------------------------------
A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users.
---------------------------------------------
https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.ht…
∗∗∗ Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged ∗∗∗
---------------------------------------------
Cybercrooks ruin engineers' weekends with Saturday attack. Checkmarx's software engineers are still working to remove a malicious version of the code security outfit's Jenkins plugin after detecting an unauthorized upload over the weekend.
---------------------------------------------
https://www.theregister.com/devops/2026/05/11/checkmarx-tackles-another-tea…
∗∗∗ Yarbo responds to robot flaws that could mow down their owners ∗∗∗
---------------------------------------------
A researcher found a host of vulnerabilities in Yarbo garden robots that could expose Wi-Fi passwords, hijack cameras, and run over their owners on command.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/05/yarbo-responds-to-robot-flaw…
∗∗∗ E-mail about renewing the ID Austria app is fake ∗∗∗
---------------------------------------------
A fraudulent e-mail is currently circulating that asks users to perform a supposedly necessary update of the ID Austria app. The goal: to gain access to private data and accounts.
---------------------------------------------
https://www.watchlist-internet.at/news/erneuerung-der-id-austria-app-fake/
∗∗∗ Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware ∗∗∗
---------------------------------------------
In April, we observed an intrusion linked to the Atos-reported campaign where an EtherRAT was installed via a malicious MSI masquerading as a Sysinternals tool. Later in the intrusion, we observed the deployment of a new malware framework named TukTuk, first reported by Evangelos G, which, according to their analysis, is AI-generated.
---------------------------------------------
https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end…
∗∗∗ Vulnerability Garden: A growing list of named vulnerabilities, attack techniques and exploits ∗∗∗
---------------------------------------------
A growing list of 966 named vulnerabilities, attack techniques and exploits.
---------------------------------------------
https://vulnerability.garden/
∗∗∗ the 90 day disclosure policy is dead ∗∗∗
---------------------------------------------
The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines to near-zero. I have seen it first hand, and so has everyone else paying attention.
---------------------------------------------
https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/
∗∗∗ Hunting ClickFix Win + X Variants ∗∗∗
---------------------------------------------
It has been just over a year since my post on ClickFix, where I explored the technique in depth. Since then, defenders have adopted countermeasures that detect ClickFix execution through the Windows Run prompt shortcut (Win + R), or have disabled that vector entirely through the Windows registry. This post focuses on variants that leverage the Windows Power User Menu (Win + X) and user-driven Terminal launches to paste and execute commands.
---------------------------------------------
https://detect.fyi/hunting-clickfix-win-x-variants-ff06e4c62bd9
=====================
= Vulnerabilities =
=====================
∗∗∗ From DHCP response to root: AI finds 21-year-old code-execution vulnerability in FreeBSD ∗∗∗
---------------------------------------------
On countless FreeBSD-based systems, malicious code can be injected and executed as root via a malicious DHCP server on the network.
---------------------------------------------
https://www.golem.de/news/per-dhcp-antwort-zum-root-ki-findet-21-jahre-alte…
∗∗∗ Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera.
---------------------------------------------
https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.h…
∗∗∗ JDownloader distributed malware downloads ∗∗∗
---------------------------------------------
The website of the fairly popular downloader tool JDownloader was compromised. As a result it delivered bogus installation packages contaminated with malware. The operators have since cleaned up the website. There was a similar incident with Daemon Tools; the owners there have also since reacted and are now providing clean installers.
---------------------------------------------
https://www.heise.de/news/JDownloader-verteilte-Malware-Downloads-11288832.…
∗∗∗ Security patch: security vulnerabilities in cPanel and WHM closed once again ∗∗∗
---------------------------------------------
Attackers can target cPanel and WebHost Manager, including with malicious code. Security patches are available.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatch-Abermals-Sicherheitsluecken-in-c…
∗∗∗ Code-execution vulnerability threatens IBM App Connect Enterprise and IBM Integration Bus ∗∗∗
---------------------------------------------
Attackers can target IBM App Connect Enterprise and IBM Integration Bus for z/OS. Updates resolve the security problem.
---------------------------------------------
https://heise.de/-11289112
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1072301/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-05-2026 18:00 − Friday 08-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New PCPJack worm steals credentials, cleans TeamPCP infections ∗∗∗
---------------------------------------------
A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to the systems. Among the targeted services are Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. In many cases, the threat actor moves laterally on the network. [..] To mitigate this risk, the researchers recommend enforcing multi-factor authentication (MFA), using IMDSv2 in AWS, ensuring proper authentication for Docker and Kubernetes services, following least-privilege principles, and avoiding storing secrets in plaintext.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pcpjack-worm-steals-cred…
∗∗∗ End-to-end encryption: Instagram disables privacy protection ∗∗∗
---------------------------------------------
It flew somewhat under the radar, but as of today, Friday, it is getting serious: Instagram is watering down the social network's privacy protection. Meta is switching off the opt-in option for end-to-end encryption (E2EE) for direct messages globally. [..] As an explanation of why end-to-end encryption is no longer to be possible, an updated Facebook blog post provides an answer: according to it, only very few people made use of the option to enable end-to-end encryption in direct messages.
---------------------------------------------
https://www.heise.de/news/Ende-zu-Ende-Verschluesselung-Instagram-deaktivie…
∗∗∗ ShinyHunters escalates Canvas attacks with school login defacements ∗∗∗
---------------------------------------------
According to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure’s systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on‑screen ransom message.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/05/shinyhunters-escalates-canva…
∗∗∗ ClaudeBleed Vulnerability Lets Hackers Hijack Claude Chrome Extension to Steal Data ∗∗∗
---------------------------------------------
Cybersecurity researchers from LayerX have found a major security flaw in the Claude for Chrome browser extension that could allow hackers to take full control of the AI assistant. They have named this vulnerability ClaudeBleed, and their research shows that even a basic extension with no special permissions can hijack Claude to steal private files and send emails without the user’s knowledge or consent. [..] After being notified by LayerX, Anthropic released a patch on 6 May in version 1.0.70. This update added new pop-up windows to ask for user permission. However, the LayerX team quickly found a way around them, discovering that by forcing the extension into a privileged mode, aka "Act without asking" mode, they could skip the permission screens entirely.
---------------------------------------------
https://hackread.com/claudebleed-vulnerability-hackers-claude-chrome-extens…
∗∗∗ Kubernetes security fundamentals: Secrets ∗∗∗
---------------------------------------------
In this post, we'll be exploring secrets management in Kubernetes. Securely handling secrets is essential for any cluster operator, and there are several important nuances to keep in mind.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/kubernetes-security-fundamental…
∗∗∗ Behind the Scenes Hardening Firefox with Claude Mythos Preview ∗∗∗
---------------------------------------------
Two weeks ago we announced that we had identified and fixed an unprecedented number of latent security bugs in Firefox with the help of Claude Mythos Preview and other AI models. In this post, we’ll go into more detail about how we approached this work, what we found, and advice for other projects on making good use of emerging capabilities to harden themselves against attack.
---------------------------------------------
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
∗∗∗ Stop MITM on the first SSH connection, on any VPS or cloud provider ∗∗∗
---------------------------------------------
This little script stops attacks on the first SSH connection to a new VM, even on providers (like Hetzner Cloud) that don't offer a proprietary solution; we only need cloud-init, which is widely supported.
---------------------------------------------
https://www.joachimschipper.nl/Stop%20MITM%20on%20the%20first%20SSH%20conne…
=====================
= Vulnerabilities =
=====================
∗∗∗ Local privilege escalation in the Linux kernel ("Dirty Frag" and "Copy Fail 2") - PoCs available, no patch ∗∗∗
---------------------------------------------
On 7 May 2026, two new vulnerabilities in the Linux kernel were made public, known as "Dirty Frag" and "Copy Fail 2: Electric Boogaloo". Both vulnerabilities allow local, unprivileged users to escalate to root. [..] They are deterministic logic errors without a race condition; if an attempt fails, no kernel panic occurs, and the probability of success is described as high. [..] Existing countermeasures against "Copy Fail" (CVE-2026-31431), in particular blocking the algif_aead module, do NOT protect against "Dirty Frag" or "Copy Fail 2". [..] Most current Linux distributions with the page-cache path enabled in esp4/esp6 or rxrpc are affected. [..] At the time of publication of this warning, fully patched kernels are not yet available for most distributions.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/5/linux-lpe-dirty-frag-copy-fail-2
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071859/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-05-2026 18:00 − Thursday 07-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers abuse Google ads for GoDaddy ManageWP login phishing ∗∗∗
---------------------------------------------
A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy's platform for managing fleets of WordPress websites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-for…
∗∗∗ Fake Claude AI website delivers new Beagle Windows malware ∗∗∗
---------------------------------------------
A fake version for the Claude AI website offers a malicious Claude-Pro Relay download that pushes a previously undocumented backdoor for Windows named Beagle.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-claude-ai-website-deliv…
∗∗∗ When DNSSEC goes wrong: how we responded to the .de TLD outage ∗∗∗
---------------------------------------------
On May 5, 2026, DENIC published broken DNSSEC signatures for the .de TLD, making millions of domains unreachable. Here's what 1.1.1.1 saw, how serve-stale cushioned the impact, and how we restored resolution.
---------------------------------------------
https://blog.cloudflare.com/de-tld-outage-dnssec/
∗∗∗ How Cloudflare responded to the “Copy Fail” Linux vulnerability ∗∗∗
---------------------------------------------
When a critical Linux kernel privilege escalation was publicly disclosed, Cloudflare's security and engineering teams detected, investigated, and mitigated the threat across our global fleet, confirming zero customer impact and no malicious exploitation.
---------------------------------------------
https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/
∗∗∗ Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks.
---------------------------------------------
https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.h…
∗∗∗ Insolvency estate: criminals now imitate car dealers, wholesalers and auditors in addition to law firms ∗∗∗
---------------------------------------------
The scam stays the same, but the cover stories change. Whereas previously only the identity of law firms was abused to get at victims' money through advance-fee fraud, the criminals have now expanded their portfolio. They now also pose as a wide variety of other companies and agencies. An update.
---------------------------------------------
https://www.watchlist-internet.at/news/insolvenzmasse-autohaendler-grosshae…
∗∗∗ World Password Day 2026: Why “Strong Passwords” Can’t Save You from AI, Infostealers, and the Telegram Underground ∗∗∗
---------------------------------------------
As we recognize World Password Day in 2026, the traditional advice to “use a complex password with numbers and symbols” feels hopelessly outdated. Today, a 16-character password is useless if an infostealer malware extracts it directly from a browser cache, or if an employee willingly pastes it into an unmanaged AI chatbot. Welcome to the real World Password Day 2026.
---------------------------------------------
https://blog.checkpoint.com/security/world-password-day-2026-why-strong-pas…
∗∗∗ Polish intelligence warns hackers attacked water treatment control systems ∗∗∗
---------------------------------------------
The agency did not publicly attribute the incidents to a specific group or country but said Poland faced intensified hostile cyber activity in 2024 and 2025, “with particular emphasis on the special services of the Russian Federation.”
---------------------------------------------
https://therecord.media/polish-intelligence-warns-hackers-attacked-water-tr…
∗∗∗ Warning about IONOS/1&1 invoice phishing ∗∗∗
---------------------------------------------
I am posting a short warning here on the blog because, for the second month now, a phishing e-mail from "1&1" has been delivered to my mailbox attempting invoice phishing at IONOS.
---------------------------------------------
https://borncity.com/blog/2026/05/07/warnung-vor-ionos-11-rechnungs-phishin…
∗∗∗ Best OSINT Tools for Investigations and Threat Intelligence in 2026 ∗∗∗
---------------------------------------------
Explore the best OSINT tools for your digital investigations, threat intelligence, reconnaissance, and tracking online activity in 2026.
---------------------------------------------
https://hackread.com/best-osint-tools-investigate-threat-intelligence-2026/
∗∗∗ Plastic Flowers to Protect the Hive ∗∗∗
---------------------------------------------
Agentic development has fundamentally changed the software ecosystem. Modern coding agents are trained and prompted to seek out tools that will help with their assigned coding tasks. They will install those tools into their user’s environment, with little to no oversight on what the installed package actually does, relying on name pattern matching more than any other signal.
---------------------------------------------
https://phildini.dev/slopsquatting-for-good
∗∗∗ Operation Epic Fury Exposes Critical OT Security Gaps in U.S. Oil and Gas Sector ∗∗∗
---------------------------------------------
The cybersecurity posture of the U.S. oil and gas sector has come under renewed scrutiny following Operation Epic Fury, with a new independent survey revealing a disconnect between operator confidence and actual operational technology (OT) security capabilities.
---------------------------------------------
https://thecyberexpress.com/operation-epic-fury-ot-security-detection-gaps/
∗∗∗ ClickFix Campaign Evolves with Targeting of MacOS Users ∗∗∗
---------------------------------------------
ClickFix started as a Windows problem. It is no longer one. Microsoft's Defender Security Research Team published a detailed analysis documenting an active ClickFix campaign that has been targeting macOS users since at least January 2026. The primary goal is delivering infostealers by convincing users to paste malicious commands into their own Terminal, framed as routine system maintenance.
---------------------------------------------
https://thecyberexpress.com/clickfix-campaign-evolves-targets-macos-users/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco: code-injection flaw in Unity Connection and further vulnerabilities ∗∗∗
---------------------------------------------
Cisco has released almost two handfuls of security updates. They close several high-risk vulnerabilities, for example in Unity Connection.
---------------------------------------------
https://www.heise.de/news/Cisco-Codeschmuggel-Leck-in-Unity-Connection-und-…
∗∗∗ May 2026 EPMM Security Update ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Endpoint Manager Mobile (EPMM) which address five high-severity vulnerabilities.
---------------------------------------------
https://www.ivanti.com/blog/may-2026-epmm-security-update
∗∗∗ Node.js 25: escapes from the JavaScript sandbox vm2 conceivable ∗∗∗
---------------------------------------------
The sandbox component vm2 of the open-source JavaScript runtime Node.js is vulnerable under certain settings.
---------------------------------------------
https://heise.de/-11285063
∗∗∗ Salesforce Marketing Cloud Vulnerabilities Expose Cross-Tenant Subscriber Data Risks ∗∗∗
---------------------------------------------
A recently disclosed set of vulnerabilities in Salesforce Marketing Cloud, widely known as SFMC, has drawn attention to the security risks tied to centralized marketing infrastructure. The flaws, which affected components tied to AMPScript, CloudPages, and email-rendering workflows, could have enabled attackers to access subscriber information, enumerate marketing emails, and potentially affect organizations across multiple tenants.
---------------------------------------------
https://thecyberexpress.com/salesforce-sfmc-ampscript-vulnerability/
∗∗∗ Authenticated Arbitrary File Upload Vulnerability Patched in Slider Revolution 7 WordPress Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2026/05/authenticated-arbitrary-file-upload-…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071700/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-05-2026 18:00 − Wednesday 06-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MuddyWater hackers use Chaos ransomware as a decoy in attacks ∗∗∗
---------------------------------------------
The MuddyWater Iranian hackers disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/muddywater-hackers-use-chaos…
∗∗∗ OceanLotus suspected of using PyPI to deliver ZiChatBot malware ∗∗∗
---------------------------------------------
Kaspersky researchers uncovered malicious wheel packages in PyPI that targeted both Windows and Linux and contained a dropper delivering malware dubbed ZiChatBot. We attribute this activity to OceanLotus APT.
---------------------------------------------
https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/
∗∗∗ Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader ∗∗∗
---------------------------------------------
OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that execute complex tasks requiring high-privilege local system access. While intended for automation, its modular "skill" architecture has been weaponized as a significant attack vector.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-di…
∗∗∗ Agency for secured identity documents hacked: 15-year-old arrested ∗∗∗
---------------------------------------------
Millions of records from French "secured identity documents" fell into the wrong hands. The suspect is not a foreign intelligence service but a teenage boy.
---------------------------------------------
https://www.heise.de/news/Behoerde-fuer-abgesicherte-Ausweise-geknackt-15-J…
∗∗∗ "Pressure Cooker": Europol's secret data processing without oversight ∗∗∗
---------------------------------------------
Internal warnings obtained through freedom-of-information requests show that the EU police agency long operated operational networks without IT controls and without proper logging.
---------------------------------------------
https://www.heise.de/news/Pressure-Cooker-Europols-geheime-Datenverarbeitun…
∗∗∗ FSFE warns: NHS should not take open-source code offline ∗∗∗
---------------------------------------------
The Free Software Foundation Europe warns against switching the NHS code repositories to private out of fear of AI-driven vulnerability hunting.
---------------------------------------------
https://www.heise.de/news/FSFE-warnt-NHS-sollte-quelloffenen-Code-nicht-dep…
∗∗∗ IPFire: new DNS firewall intended to replace URL filter and Pi-hole ∗∗∗
---------------------------------------------
With Core Update 201, the firewall distribution IPFire ships a DNS firewall that blocks unwanted domains already at name resolution.
---------------------------------------------
https://www.heise.de/news/IPFire-Neue-DNS-Firewall-soll-URL-Filter-und-Pi-h…
∗∗∗ Discounter trap: fake search results lead to Lidl fake shop ∗∗∗
---------------------------------------------
Anyone searching online for cheap household appliances, bicycles, tools or other popular items frequently ends up in a fake shop. Ads disguised as "sponsored search results" lead directly into the trap, a site visually modelled on the website of the well-known discounter Lidl.
---------------------------------------------
https://www.watchlist-internet.at/news/lidl-fake-shop/
∗∗∗ Paramiko Security Audit ∗∗∗
---------------------------------------------
Paramiko is a pure-Python implementation of SSHv2 that provides both client- and server-side functionality. It serves as the foundation for the high-level SSH library Fabric and is widely regarded as one of the most popular SSH solutions in the Python ecosystem. The Cryptography library, for its part, offers Python developers access to a broad range of cryptographic algorithms and primitives. It is a widely adopted Python/Rust library with more than 25,000 known dependencies.
---------------------------------------------
http://blog.quarkslab.com/paramiko-security-audit.html
∗∗∗ The Jenkins Threat Landscape ∗∗∗
---------------------------------------------
What usage patterns, plugin adoption, and configuration choices reveal about the Jenkins attack surface.
---------------------------------------------
https://www.wiz.io/blog/jenkins-threat-risk-insights
∗∗∗ New Infostealer Dubbed ‘Pheno’ Hijacks Windows’ Phone Link App to Steal MFA OTPs ∗∗∗
---------------------------------------------
Attackers have found a way to intercept SMS-based one-time passwords from a victim's mobile device without deploying a single line of malware on the phone itself. Instead, they go through the Windows PC the phone is already connected to.
---------------------------------------------
https://thecyberexpress.com/new-infostealer-pheno-steals-mfa-otps/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE ∗∗∗
---------------------------------------------
The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling.
---------------------------------------------
https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html
∗∗∗ PAN-OS vulnerability under attack, updates not planned for weeks ∗∗∗
---------------------------------------------
Palo Alto Networks warns of a critical security vulnerability in PAN-OS that is already being exploited. Updates will arrive in mid-May at the earliest.
---------------------------------------------
https://www.heise.de/news/PAN-OS-Luecke-wird-angegriffen-Updates-erst-in-Wo…
∗∗∗ An exploitable integer overflow in Lix (CVE-2026-44028) ∗∗∗
---------------------------------------------
Security researchers have found a security issue in Lix. This issue has been assigned CVE-2026-44028.
---------------------------------------------
https://lix.systems/blog/2026-05-05-lix-unsigned-integer-overflow/
∗∗∗ Attackers Actively Exploiting Critical Vulnerability in Breeze Cache Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2026/05/attackers-actively-exploiting-critic…
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071466/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-05-2026 18:00 − Tuesday 05-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Trellix discloses data breach after source code repository hack ∗∗∗
---------------------------------------------
Cybersecurity firm Trellix disclosed a data breach after attackers gained access to "a portion" of its source code repository.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trellix-discloses-data-breac…
∗∗∗ Amazon SES increasingly abused in phishing to evade detection ∗∗∗
---------------------------------------------
The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abus…
∗∗∗ Weaver E-cology critical bug exploited in attacks since March ∗∗∗
---------------------------------------------
Hackers have been exploiting a critical vulnerability (CVE-2026-22679) in the Weaver E-cology office automation software since mid-March to run discovery commands.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/weaver-e-cology-critical-bug…
∗∗∗ CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs ∗∗∗
---------------------------------------------
A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudz-malware-abuses-micros…
∗∗∗ Web browser: plaintext passwords discovered in Microsoft Edge's memory ∗∗∗
---------------------------------------------
The password manager built into Edge is apparently not a safe choice. Passwords end up in process memory at startup and can be read out.
---------------------------------------------
https://www.golem.de/news/webbrowser-klartext-passwoerter-permanent-im-spei…
∗∗∗ Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools ∗∗∗
---------------------------------------------
An active phishing campaign has been observed targeting multiple vectors since at least April 2025 with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts.
---------------------------------------------
https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html
∗∗∗ Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries ∗∗∗
---------------------------------------------
Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens.
---------------------------------------------
https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html
∗∗∗ Vimeo data leak: 119,000 e-mail addresses affected ∗∗∗
---------------------------------------------
The cybergang ShinyHunters stole Vimeo data from Anodot and put it on the darknet. Have I Been Pwned has now added it.
---------------------------------------------
https://www.heise.de/news/Vimeo-Datenleck-119-000-E-Mail-Adressen-betroffen…
∗∗∗ Data protection incident at publisher Delius Klasing ∗∗∗
---------------------------------------------
The publisher Delius Klasing admits to an IT incident in an e-mail to customers. Personal customer data was exposed.
---------------------------------------------
https://www.heise.de/news/Datenschutzvorfall-bei-Verlag-Delius-Klasing-1128…
∗∗∗ Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities ∗∗∗
---------------------------------------------
TrendAI™ Research breaks down Quasar Linux (QLNX), a previously undocumented sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux threat incorporating a rootkit, a PAM backdoor, credential harvesting, and more, revealing how this malware enables stealthy access, persistence, and potential supply-chain attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/e/quasar-linux-qlnx-a-silent-f…
∗∗∗ CISA Unveils New Initiative to Fortify America’s Critical Infrastructure ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help critical infrastructure (CI) entities across all sectors prepare to operate through a crisis or conflict, continuing vital service delivery even as their systems are under attack.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch day: critical code-execution vulnerability threatens Android 14, 15 and 16 ∗∗∗
---------------------------------------------
Malicious code can slip onto Android devices through a faulty debugging module. Google has now closed the critical vulnerability.
---------------------------------------------
https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-bedroht-Andro…
∗∗∗ Daemon Tools Lite: infected installers through supply-chain attack ∗∗∗
---------------------------------------------
Officially signed Daemon Tools installers from the vendor's website come with malware, apparently as the result of a supply-chain attack.
---------------------------------------------
https://www.heise.de/news/Daemon-Tools-Lite-Infizierte-Installer-durch-Supp…
∗∗∗ Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass ∗∗∗
---------------------------------------------
Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts.
---------------------------------------------
https://thehackernews.com/2026/05/progress-patches-critical-moveit.html
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071324/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 30-04-2026 18:00 − Monday 04-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ConsentFix v3 attacks target Azure with automated OAuth abuse ∗∗∗
---------------------------------------------
A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/consentfix-v3-attacks-target…
∗∗∗ Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks ∗∗∗
---------------------------------------------
A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.
---------------------------------------------
https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html
∗∗∗ Trellix: attackers gained access to source code ∗∗∗
---------------------------------------------
Trellix, which emerged from FireEye and McAfee, has reported an IT incident. Attackers gained access to source code.
---------------------------------------------
https://www.heise.de/news/Trellix-Angreifer-erlangten-Zugriff-auf-Quellcode…
∗∗∗ Incident at DigiCert: malware authors stole certificates ∗∗∗
---------------------------------------------
In April, the certificate authority DigiCert issued several certificates for signing programs ("Code Signing Certificate") to malware authors. These had previously attacked DigiCert customer-service employees with malware and taken over their computers. Because various protective measures failed, the criminals gained access to a protected customer portal, including all the information needed to retrieve the certificates.
---------------------------------------------
https://www.heise.de/news/Nach-Malware-Angriff-Kriminelle-nutzten-Codesigni…
∗∗∗ Build a Decoy MCP Server to Catch AI Agent Attackers ∗∗∗
---------------------------------------------
Your AI agent's MCP config can be a target for an attacker who reaches your machine. A decoy MCP server entry pointing at a Cloudflare Worker can reveal the attacker's presence and their intent.
---------------------------------------------
https://zeltser.com/decoy-mcp-server-honeypot
∗∗∗ ESC tickets online: third-party providers like ticombo.com carry a high risk! ∗∗∗
---------------------------------------------
Ticket offers for the sold-out Eurovision Song Contest keep appearing on third-party platforms. We explain why it is better to keep your hands off them.
---------------------------------------------
https://www.watchlist-internet.at/news/esc-tickets-plattformen-wie-ticomboc…
∗∗∗ That AI Extension Helping You Write Emails? It’s Reading Them First ∗∗∗
---------------------------------------------
Unit 42 uncovers high-risk AI browser extensions. Disguised as productivity tools, they steal data, intercept prompts, and exfiltrate passwords. Protect your browser.
---------------------------------------------
https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/
∗∗∗ EV certificates of Lenovo & Co. abused by GoldenEyeDog ∗∗∗
---------------------------------------------
Manufacturers such as Lenovo, Kingston, Shuttle Inc. and Palit Microsystems are affected by a certificate problem. A Chinese hacker group called GoldenEyeDog (APT-Q-27) was able to issue EV certificates in the name of the organizations mentioned above and abuse them for criminal purposes.
---------------------------------------------
https://borncity.com/blog/2026/05/03/ev-zertifikate-von-lenovo-co-durch-gol…
∗∗∗ Careful Adoption of Agentic AI Services ∗∗∗
---------------------------------------------
CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international and U.S. partners, released guidance for organizations on adopting agentic artificial intelligence (AI) systems.
---------------------------------------------
https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-…
∗∗∗ The Life-Dinner Principle in Detection ∗∗∗
---------------------------------------------
Cybersecurity has its own folk saying. You have heard it at conferences, on panels, in vendor decks, and in LinkedIn posts from CISOs who are “humbled” to announce something: “The attacker only has to be right once. The defender has to be right every time.”
---------------------------------------------
https://detect.fyi/the-life-dinner-principle-in-detection-822169d9da2c
∗∗∗ Evaluating our Threat Hunting Detection Rules (+ KQL Query Evaluation) ∗∗∗
---------------------------------------------
I really enjoy creating detection rules — they give me better visibility into current threats, help me stay proactive, and bring many other advantages. On the other hand, it’s a double-edged sword.
---------------------------------------------
https://detect.fyi/evaluating-our-threat-hunting-detection-rules-kql-query-…
∗∗∗ Practical Package Security: The Unofficial Guide ∗∗∗
---------------------------------------------
Get actionable best practices to shrink your attack surface, protect execution environments, control package ingestion, and catch compromises early.
---------------------------------------------
https://www.wiz.io/blog/practical-package-security-the-unofficial-guide
∗∗∗ Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise ∗∗∗
---------------------------------------------
Socket found a malicious Intercom PHP package on Packagist using Composer plugin execution to steal credentials and spread across ecosystems.
---------------------------------------------
https://socket.dev/blog/mini-shai-hulud-packagist-malicious-intercom-php-pa…
∗∗∗ Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables ∗∗∗
---------------------------------------------
The Socket Research Team has detected an active supply-chain attack targeting the unscoped tanstack package on npm, a brand-squatted impersonation of the legitimate @tanstack/* organization.
---------------------------------------------
https://socket.dev/blog/tanstack-brandsquat-compromise
∗∗∗ NCSC Warns Organisations to Act Fast as Hidden Software Flaws Surface ∗∗∗
---------------------------------------------
Organisations worldwide are being urged to prepare for a vulnerability patch wave, as security experts warn that advances in artificial intelligence (AI) could rapidly expose long-standing weaknesses across software systems. The warning comes from National Cyber Security Centre (NCSC), which says businesses must act now to strengthen their environments before a surge of critical updates arrives.
---------------------------------------------
https://thecyberexpress.com/ncsc-vulnerability-patch-wave/
∗∗∗ FBI Warns of Surge in Cyber-Enabled Cargo Theft Targeting Logistics Firms ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) has issued a public warning over a sharp rise in cyber-enabled cargo theft, as threat actors increasingly use digital tactics to impersonate legitimate businesses, hijack freight, and steal high-value shipments. According to the FBI, cybercriminals are targeting transportation and logistics companies involved in shipping, receiving, and insuring cargo.
---------------------------------------------
https://thecyberexpress.com/cyber-enabled-cargo-theft-fbi-issues-alert/
=====================
= Vulnerabilities =
=====================
∗∗∗ Copy Fail Update #1: critical Linux kernel vulnerability enables local root privileges ∗∗∗
---------------------------------------------
04.05.2026 We have received information that a workaround exists which applies on systems where the affected code is contained in a kernel module (as is the case, among others, on Debian-based systems such as Ubuntu). The workaround prevents the module from being loaded.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/4/copy-fail-kritische-linux-kernel-sc…
∗∗∗ Progress warns of critical MOVEit Automation auth bypass flaw ∗∗∗
---------------------------------------------
Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/moveit-automation-customers-…
∗∗∗ Network analysis tool Wireshark: numerous security vulnerabilities closed ∗∗∗
---------------------------------------------
In two current versions of Wireshark, the developers have closed several vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Netzwerkanalysetool-Wireshark-Zahlreiche-Sicherhe…
∗∗∗ Tails 7.7.1: emergency update for the anonymizing Linux plugs Firefox holes ∗∗∗
---------------------------------------------
Version 7.7.1 of the anonymizing Linux distribution Tails closes, among other things, Firefox security vulnerabilities in the Tor Browser.
---------------------------------------------
https://www.heise.de/news/Tails-7-7-1-Notfallupdate-fuer-anonymisierendes-L…
∗∗∗ Malicious npm packages: SAP software compromised ∗∗∗
---------------------------------------------
Several npm packages from SAP were exposed to a supply-chain attack. The hacker group TeamPCP is behind it, security researchers say.
---------------------------------------------
https://www.heise.de/news/Boesartige-npm-Pakete-SAP-Software-kompromittiert…
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071167/