=====================
= End-of-Day report =
=====================
Timeframe: Montag 29-06-2026 18:00 − Dienstag 30-06-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Parkstrafe per SMS? Kriminelle haben es auf Kreditkartendaten abgesehen! ∗∗∗
---------------------------------------------
Alles beginnt mit einer SMS-Nachricht zu einer angeblich offenen Parkstrafe. Am Ende hat das Opfer den Kriminellen sein Auto-Kennzeichen und die Kreditkartendaten übermittelt. Eine Phishing-Falle, die klassischer nicht sein könnte. Und so funktioniert sie.
---------------------------------------------
https://www.watchlist-internet.at/news/parkstrafe-per-sms-kreditkartendaten/
∗∗∗ Sicherheitslücken ohne Ende: Flut an KI-Bug-Reports überfordert Github ∗∗∗
---------------------------------------------
Github kommt bei der Bearbeitung von Sicherheitsmeldungen nicht mehr hinterher. Es gibt wohl einen Rückstau von mehreren Wochen.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-ohne-ende-flut-an-ki-bug-repor…
∗∗∗ Fernwartung SimpleHelp: Schwachstelle wird angegriffen ∗∗∗
---------------------------------------------
In der Fernwartungssoftware SimpleHelp klafft eine Sicherheitslücke, die die Höchstwertung beim Risiko erreicht. Sie wurde Mitte des Monats bekannt. Jetzt haben IT-Sicherheitsexperten Cyberangriffe auf das Sicherheitsleck beobachtet.
---------------------------------------------
https://heise.de/-11348620
∗∗∗ CISA: Windows BlueHammer flaw now exploited by ransomware gangs ∗∗∗
---------------------------------------------
CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-windows-bluehammer-flaw…
∗∗∗ Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input ∗∗∗
---------------------------------------------
Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results.
---------------------------------------------
https://thehackernews.com/2026/06/malicious-perplexity-chrome-extension.html
∗∗∗ Daktronics: Straßenschilder durch Controller-Lücken manipulierbar ∗∗∗
---------------------------------------------
Durch Sicherheitslücken in Daktronics-Controllern können Angreifer LED-Anzeigetafeln kompromittieren – unter anderem solche am Straßenrand.
---------------------------------------------
https://www.golem.de/news/daktronics-strassenschilder-durch-controller-luec…
∗∗∗ Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037) ∗∗∗
---------------------------------------------
This time, we're looking at Progress Kemp LoadMaster, a load balancer that sits at the edge of a lot of enterprise networks. Edge appliances have a habit of becoming the way in rather than the thing keeping people out, and CVE-2026-8037 keeps that streak alive: a pre-authentication Remote Code Execution vulnerability accessible to anyone who can access the API. So, in probably a predictable turn of events, we're back doing what we do best.
---------------------------------------------
https://labs.watchtowr.com/enterprise-tech-in-shell-out-progress-kemp-loadm…
∗∗∗ Bot-Schutz: Googles reCaptcha mit Handgesten fällt auf Fotos rein ∗∗∗
---------------------------------------------
Google hat vergangene Woche angekündigt, den reCaptcha-Bot-Schutz mit Handgesten auszustatten. Das lässt sich mit Fotos aushebeln.
---------------------------------------------
https://heise.de/-11348830
∗∗∗ Longinus: 2 Boundaries in One Bug, Piercing Chrome’s Renderer and V8 Sandbox with a Single Vulnerability, CVE-2026-6307 ∗∗∗
---------------------------------------------
To understand the bug, we first need a high-level overview of TurboFan, how it inlines JS-to-Wasm calls, and how its deoptimization metadata decides what kind of value should be reconstructed after a lazy deopt. Furthermore, we need to understand how V8 heap sandbox works and why this single vulnerability allows attackers to do two things at once: 1) gain arbitrary read/write primitives in the sandbox, and 2) escape the sandbox to write outside of it.
---------------------------------------------
https://nebusec.ai/research/v8-cve-2026-6307-writeup/
∗∗∗ Unprivileged root via a use-after-free in DRM GEM change_handle (CVE-2026-46215) ∗∗∗
---------------------------------------------
A use-after-free in the DRM GEM core ioctl DRM_IOCTL_GEM_CHANGE_HANDLE lets any local user with access to a render node escalate to root. drm_gem_change_handle_ioctl() moves a GEM object from one handle to another, but it never adjusts the object’s handle_count. For a short window the object has two IDR entries while its handle count still reads 1, and a concurrent DRM_IOCTL_GEM_CLOSE on the old handle drives that count to 0 and frees the object while the new handle is still pointing at it. The dangling handle is the use-after-free.
---------------------------------------------
https://cyberstan.co.uk/drm-lpe-linux/
∗∗∗ Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates ∗∗∗
---------------------------------------------
Malicious Chrome and Firefox extensions posed as free VPNs while stealing clipboard data through later extension updates.
---------------------------------------------
https://socket.dev/blog/chrome-and-firefox-extensions-free-vpns-add-clipboa…
=====================
= Vulnerabilities =
=====================
∗∗∗ iOS 26.5.2, iPadOS 26.5.2 und macOS 26.5.2: Wichtige Sicherheitsfixes wegen KI ∗∗∗
---------------------------------------------
Apple hat am Montagabend insgesamt drei Betriebssysteme aktualisiert sowie seinen Browser Safari für macOS 15 (Sequoia) und 14 (Sonoma) auf einen neuen Stand gebracht. Systeme und Browser enthalten keine bekannten Neuerungen, dafür stopfen sie diverse Sicherheitslöcher, die Apple laut eigenen Angaben auch aufgrund der neuen Gefahren durch KI flotter liefert.
---------------------------------------------
https://www.heise.de/news/iOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtig…
∗∗∗ ipv6_frag_escape: Linux LPE - Reliable Jail/Container Escape ∗∗∗
---------------------------------------------
A reliable unprivileged container / jail escape proof of concept for CentOS / RHEL 10.It rides a now fixed IPv6 fragmentation bug in __ip6_append_data() (closed upstream by 38becddc, no CVE), an in-slab linear overflow into the skb_shared_info at the tail of a packet's own head object. This README documents the exploitation chain only. It does not cover the trigger.
---------------------------------------------
https://github.com/sgkdev/ipv6_frag_escape
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1080439/
∗∗∗ DGM3103SCT vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN28979424/
∗∗∗ Security Vulnerabilities fixed in Firefox 152.0.4 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-62/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 26-06-2026 18:00 − Montag 29-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cybersecurity firms targeted by fraudulent OpenAI organization invites ∗∗∗
---------------------------------------------
Threat actors are creating OpenAI tenants that impersonate legitimate companies and inviting employees to join them, in what appears to be a ploy to trick targets into submitting sensitive company information in chats and projects.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybersecurity-firms-targeted…
∗∗∗ Polymarket customers lose $3 million in supply-chain attack ∗∗∗
---------------------------------------------
Polymarket says it will fully reimburse customers who lost an estimated $3 million after hackers injected a malicious script into the platforms frontend following a breach at a third-party vendor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-…
∗∗∗ Hackers now exploit critical Oracle E-Business flaw in attacks ∗∗∗
---------------------------------------------
Attackers have begun exploiting a critical vulnerability (CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-oracle-e-business-suite-…
∗∗∗ Root-Zugriff möglich: Exploits für gefährliche Lücke im Linux-Kernel geleakt ∗∗∗
---------------------------------------------
Admins sollten zügig ihre Linux-Systeme absichern. Auf Github sind Exploits für eine Root-Lücke in Debian, Ubuntu und RHEL aufgetaucht.
---------------------------------------------
https://www.golem.de/news/root-zugriff-moeglich-exploits-fuer-gefaehrliche-…
∗∗∗ The Gentlemen are knocking: сustom backdoors and evolving tactics ∗∗∗
---------------------------------------------
Kaspersky researchers analyze incidents related to The Gentlemen RaaS group, disclose their tools and TTPs, and find a new ransomware variant.
---------------------------------------------
https://securelist.com/the-gentlemen-raas/120447/
∗∗∗ Microsoft Adds Another Year To Windows 10 Extended Update Program ∗∗∗
---------------------------------------------
Microsoft has quietly extended free Windows 10 security updates for consumers by another year, pushing the Extended Security Updates (ESU) programs end date from October 12, 2026, to October 12, 2027. "The ESU support page was updated with that date, and Microsofts blog post on the program has a new editors note confirming the change," reports Ars Technica. From the report: The prevalence of Windows across so many devices and form factors has given Microsoft a ..
---------------------------------------------
https://tech.slashdot.org/story/26/06/26/0029235/microsoft-adds-another-yea…
∗∗∗ New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks ∗∗∗
---------------------------------------------
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.Kaspersky, which is tracking the activity under the moniker StrikeShark, said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, ..
---------------------------------------------
https://thehackernews.com/2026/06/new-sharkloader-malware-deploys-cobalt.ht…
∗∗∗ Microsoft keeps Windows Server 2022 hotpatching alive into 2027 ∗∗∗
---------------------------------------------
In the Azure Edition, of course
---------------------------------------------
https://www.theregister.com/security/2026/06/29/microsoft-keeps-windows-ser…
∗∗∗ Critical Unauthenticated Remote Code Execution in Splunk Enterprise (CVE-2026-20253) ∗∗∗
---------------------------------------------
Splunk disclosed a critical unauthenticated remote code execution (RCE) vulnerability in Splunk Enterprise tracked as CVE-2026-20253 on June 10, 2026. The vulnerability has a CVSS score of 9.8 and stems from missing authentication on a PostgreSQL sidecar service recovery endpoint that can be reached through the Splunk Web interface, which proxies requests to the internal PostgreSQL sidecar service without enforcing authentication. A successful attacker can create or truncate ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/critical-unauthenticated-re…
∗∗∗ Taiwan: Cybersicherheitsbehörde warnt vor Überwachung durch billige eSIMs ∗∗∗
---------------------------------------------
Günstig für den Urlaub erworbene eSIMs könnten Datenverkehr durch China leiten, warnt Taiwans Digitalministerium. Dabei könnten Daten abgegriffen werden.
---------------------------------------------
https://www.heise.de/news/Taiwanische-Cybersicherheitsbehoerde-warnt-vor-Ue…
∗∗∗ FBI-Warnung: Russischer Geheimdienst sieht es auf Messenger-Backup-Keys ab ∗∗∗
---------------------------------------------
Russische Angreifer geben sich inzwischen als Messenger-Support aus, der Zugriff auf die Backup-Wiederherstellungsschlüssel braucht.
---------------------------------------------
https://www.heise.de/news/FBI-Warnung-Russischer-Geheimdienst-sieht-es-auf-…
∗∗∗ Cyberangriffe auf Hotel- und Gastgewerbe: Täter nisten sich ein ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence beobachtet eine mehrstufige Angriffswelle auf das Hotel- und Gastgewerbe in Asien und Europa.
---------------------------------------------
https://www.heise.de/news/Cyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-ni…
∗∗∗ Kritische libssh2-Lücke: Proof-of-Concept-Exploit veröffentlicht ∗∗∗
---------------------------------------------
Vergangene Woche wurde eine Sicherheitslücke in libssh2 bekannt. Jetzt ist Exploit-Code aufgetaucht, der sie missbrauchen kann.
---------------------------------------------
https://www.heise.de/news/Kritische-libssh2-Luecke-Proof-of-Concept-Exploit…
∗∗∗ Hacking-Fähigkeiten von Chinas KI Z.ai angeblich so gut wie die von Claude ∗∗∗
---------------------------------------------
Zhipu AIs offenes Modell GLM-5.2 erreicht laut Sicherheitsexperten die Fähigkeiten von Anthropics Mythos bei der Bug-Erkennung.
---------------------------------------------
https://www.heise.de/news/Hacking-Faehigkeiten-von-Chinas-KI-Z-ai-angeblich…
∗∗∗ Harnessing Harnesses - Climbing the LLM Hills ∗∗∗
---------------------------------------------
Trying to coerce useful work out of LLMs without the harness is like supervising a room full of drunk toddlers, each convinced theyre helping, none of them checking with each other and falling over the next.
---------------------------------------------
https://blog.zsec.uk/harnessing-harnesses/
∗∗∗ From Perimeter to Proof: The New Architecture of Email Security ∗∗∗
---------------------------------------------
How identity, investigation, browser security, and AI are reshaping the future of email defense.
---------------------------------------------
https://softwareanalyst.substack.com/p/from-perimeter-to-proof-the-new-arch…
∗∗∗ Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages ∗∗∗
---------------------------------------------
Latest wave affects legitimate @immobiliarelabs Backstage packages, with malicious npm releases published across GitLab and LDAP authentication plugin families on June 26, 2026.Socket Threat Research is tracking a fresh compromise in the ongoing Miasma Mini Shai-Hulud supply chain campaign. The latest activity affects legitimate npm packages published under the @immobiliarelabs scope, including Backstage plugins used for GitLab integration and LDAP authentication ..
---------------------------------------------
https://socket.dev/blog/miasma-mini-shai-hulud-hits-immobiliarelabs-npm-pac…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 25-06-2026 18:00 − Freitag 26-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New macOS malware embeds fake errors to confuse AI analysis tools ∗∗∗
---------------------------------------------
A newly discovered macOS malware dubbed "Gaslight" is designed to confuse AI-assisted malware analysis tools by hiding prompt injection strings and fake debugging data within the executable.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macos-malware-embeds-fak…
∗∗∗ Order-tracking app Shop abused to push callback phishing attacks ∗∗∗
---------------------------------------------
Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts in users order histories to trick them into providing sensitive data or installing remote access software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/order-tracking-app-shop-abus…
∗∗∗ Security boss thought MFA would be too much security ∗∗∗
---------------------------------------------
One rule for the workers, another for execs
---------------------------------------------
https://www.theregister.com/security/2026/06/26/security-boss-thought-mfa-w…
∗∗∗ Miasma campaign poisons 20-plus npm packages, hunts for developer secrets ∗∗∗
---------------------------------------------
Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers
---------------------------------------------
https://www.theregister.com/security/2026/06/26/miasma-campaign-poisons-20-…
∗∗∗ Amazon Q flaw let booby-trapped Git repos execute code, swipe cloud creds ∗∗∗
---------------------------------------------
Researchers warn many AI coding assistants now execute commands from project configurations
---------------------------------------------
https://www.theregister.com/cyber-crime/2026/06/26/amazon-q-flaw-let-booby-…
∗∗∗ YouTube-Werbeblocker mit 11 Millionen Installationen mit möglicher Hintertür ∗∗∗
---------------------------------------------
Adblock for YouTube kommt auf mehr als 11 Millionen Installationen. Es kann jedoch unkontrolliert Script-Code in jede Seite injizieren.
---------------------------------------------
https://www.heise.de/news/YouTube-Werbeblocker-mit-11-Millionen-Installatio…
∗∗∗ Polymarket: Kriminelle sollen Kryptowerte in Millionenhöhe gestohlen haben ∗∗∗
---------------------------------------------
Bei Polymarket haben Angreifer über eingeschleusten Schadcode Geld von Nutzerkonten gestohlen. Das Wettportal will Betroffene entschädigen.
---------------------------------------------
https://www.heise.de/news/Polymarket-Kriminelle-entwenden-Kryptowerte-in-Mi…
∗∗∗ Malware steals Chrome session cookies to take over your accounts ∗∗∗
---------------------------------------------
A phishing campaign installs a malicious Chrome extension to hijack browser sessions and compromise Windows devices.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-sessio…
∗∗∗ The "Akrites" vulnerability-mitigation project launches ∗∗∗
---------------------------------------------
The Linux Foundation, in aletter co-signed by a large range of organizations and companies, hasannounced the launch of "Akrites", a project to fast-track vulnerabilityfixes into projects. As Akrites works upstream to fix projects at the source, we commit to support downstream efforts to secure critical infrastructure before it can be exploited. When patches are ..
---------------------------------------------
https://lwn.net/Articles/1079657/
∗∗∗ Russia used social engineering to breach prominent messaging accounts, Ukraine says ∗∗∗
---------------------------------------------
Ukraines SBU described a long-running Russian operation that used fake tech-support workers to persuade people to hand over credentials to their messaging apps.
---------------------------------------------
https://therecord.media/russia-ukraine-social-engineering-messaging-accounts
∗∗∗ DHS chief says president has met with likely CISA nominee; agency plans to hire 600 ∗∗∗
---------------------------------------------
Once a new CISA director is in place, the agency will ramp up hiring efforts, Homeland Security Secretary Markwayne Mullin told lawmakers. The White House has not yet announced a nominee.
---------------------------------------------
https://therecord.media/cisa-director-nominee-workforce-hires-mullin-house-…
∗∗∗ macOS Flaw Allowed Standard Users to Disable CrowdStrike and Kandji Security Tools ∗∗∗
---------------------------------------------
A macOS XPC flaw let regular users disable CrowdStrike and Kandji tools, exposing security gaps that vendors patched after XM Cyber reported the security issue.
---------------------------------------------
https://hackread.com/macos-flaw-users-disable-crowdstrike-kandji-security-t…
∗∗∗ Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem ∗∗∗
---------------------------------------------
Latest wave affects LeoPlatform/RStreams npm packages, three llxlr-published npm packages, the Verana Blockchain Go module, and GitHub Actions/developer-tool workflows.Socket Threat Research is tracking a new ..
---------------------------------------------
https://socket.dev/blog/miasma-mini-shai-hulud-hits-leoplatform-npm-package…
=====================
= Vulnerabilities =
=====================
∗∗∗ Synology-SA-26:11 Synology MailPlus Server ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_26_11
∗∗∗ [R2] Nessus Version 10.12.1 Fixes SQL Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-17
∗∗∗ [R3] Tenable Identity Exposure Version 3.93.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-16
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 24-06-2026 18:00 − Donnerstag 25-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Malicious Edge extension abuses Native Messaging as bridge to malware ∗∗∗
---------------------------------------------
A malicious Microsoft Edge extension dubbed Edgecution has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-edge-extension-abu…
∗∗∗ Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access ∗∗∗
---------------------------------------------
New details have been revealed on how hackers exploited a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create rogue root accounts on targeted devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-s…
∗∗∗ Inside the 2026 SMB threat landscape: From phishing and scams to fake AI tools ∗∗∗
---------------------------------------------
In the first four months of 2026, Kaspersky solutions detected over 33,300 cyberattacks on SMBs masquerading as popular artificial intelligence (AI) tools – almost five times more than in 2025 and 39% more than the number of attacks disguised as the office and collaboration tools that Kaspersky’s research focuses on.
---------------------------------------------
https://securelist.com/smb-threat-report-2026/120357/
∗∗∗ What do Ports Hear When Nobodys Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th) ∗∗∗
---------------------------------------------
For network defenders and analysts, it's important to understand the depth of the noise and how it should be treated. Observing patterns and structural shifts within the static is essential for keeping pace with an automated, multi-directional threat that never stops running. The infrastructure persists, campaigns evolve, payloads update, and the ports keep listening.
---------------------------------------------
https://isc.sans.edu/diary/rss/33104
∗∗∗ StealC Historical Bot Infection Special Report ∗∗∗
---------------------------------------------
On Wednesday 24th June 2026, international law enforcement partners announced additional successful cyber crime disruption actions as part of the ongoing Operation Endgame initiative. This time the StealC infostealer and Amadey malware-as-a-service families were targeted.
---------------------------------------------
https://www.shadowserver.org/news/stealc-historical-bot-infection-special-r…
∗∗∗ Verfassungsschutz zu Spionage: Unis sollen wachsamer sein ∗∗∗
---------------------------------------------
Sicherheitsbehörden warnen vor chinesischer Wissenschaftsspionage an deutschen Hochschulen. Sind die Forschungseinrichtungen wachsam genug?
---------------------------------------------
https://www.heise.de/news/Verfassungsschutz-zu-Spionage-Unis-sollen-wachsam…
∗∗∗ Raiffeisen Phishingmail fordert zur pushTAN-Aktivierung auf ∗∗∗
---------------------------------------------
Aktuell versenden Kriminelle betrügerische E-Mails im Namen der Raiffeisen Bank. Die Nachrichten fordern Kund:innen auf, über einen Link den pushTAN-Dienst zu aktivieren und führen dabei auf eine gefälschte Website, die Kontodaten abgreift.
---------------------------------------------
https://www.watchlist-internet.at/news/raiffeisen-phishingmail-fordert-push…
∗∗∗ Introduction to COM usage by Windows threats ∗∗∗
---------------------------------------------
Component Object Model (COM) is a fundamental Windows technology used by legitimate applications for object activation, inter-process communication, automation and language-independent component reuse. Those same qualities make it useful to threat actors.
---------------------------------------------
https://blog.talosintelligence.com/introduction-to-com-usage-by-windows-thr…
∗∗∗ Windows 10: Sicherheitsupdates für Privatkunden jetzt doch noch bis Oktober 2027 ∗∗∗
---------------------------------------------
Microsoft hat das ESU-Programm für Privatkunden ohne große Vorankündigung um ein weiteres Jahr verlängert.
---------------------------------------------
https://heise.de/-11344923
∗∗∗ Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond ∗∗∗
---------------------------------------------
Datadog Security Research investigates a June 2026 adversary-in-the-middle phishing campaign that cloned the AWS console login page to harvest victim credentials and multi-factor authentication codes.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phi…
∗∗∗ Ignore DNSSEC if you like MITM attacks ∗∗∗
---------------------------------------------
It really bothers me that almost all distributions and operating systems don’t validate DNSSEC by default. The above attacks are feasible on almost anyone, purely because of lousy defaults.
---------------------------------------------
https://whynothugo.nl/journal/2026/06/24/ignore-dnssec-if-you-like-mitm-att…
=====================
= Vulnerabilities =
=====================
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1079551/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 23-06-2026 18:00 − Mittwoch 24-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New macOS ClickFix attack silently mounts DMGs to push infostealer ∗∗∗
---------------------------------------------
A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-si…
∗∗∗ Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks ∗∗∗
---------------------------------------------
A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-unified-cm-sme-flaw-cv…
∗∗∗ Stealthy Mistic backdoor linked to ransomware access broker KongTuke ∗∗∗
---------------------------------------------
A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stealthy-mistic-backdoor-lin…
∗∗∗ Sicherheitslücke: Millionen von Samsung-Smartphones durch Kernel-Bug gefährdet ∗∗∗
---------------------------------------------
Forscher haben einen gefährlichen Bug im Android-Kernel von Samsung entdeckt, der unzählige Smartphones zwischen Galaxy S9 und S25 betrifft.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-acht-jahre-alter-kernel-bug-gef…
∗∗∗ Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root ∗∗∗
---------------------------------------------
Threat actors have begun to exploit a recently disclosed critical security flaw impacting Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME).The vulnerability, tracked as CVE-2026-20230 (CVSS score: 8.6), is a case of improper input validation for specific HTTP requests that could allow an unauthenticated, ..
---------------------------------------------
https://thehackernews.com/2026/06/cisco-unified-cm-flaw-exploited-after.html
∗∗∗ Home Assistant: Update stopft Informationsleck ∗∗∗
---------------------------------------------
Die jüngeren Home-Assistant-Updates stopfen unter anderem Informationslecks. Zudem gibt es das Home Assistant OS in neuer Version.
---------------------------------------------
https://www.heise.de/news/Home-Assistant-Update-stopft-Informationsleck-113…
∗∗∗ Ubiquiti UniFi OS-Sicherheitslücken werden angegriffen ∗∗∗
---------------------------------------------
Ende Mai wurden kritische Sicherheitslücken in Ubiquiti UniFi OS bekannt. Inzwischen haben Angreifer diese im Visier.
---------------------------------------------
https://www.heise.de/news/Ubiquiti-UniFi-OS-Sicherheitsluecken-werden-angeg…
∗∗∗ Cyberkriminelle: Die „Wirtschaftsprüfer“, die Sie nie beauftragt haben ∗∗∗
---------------------------------------------
Jede Organisation wird geprüft. Die Frage ist, wer die Prüfung durchführt.
---------------------------------------------
https://www.welivesecurity.com/de/business-security/cyberkriminelle-die-wir…
∗∗∗ Hackergruppe will den Flughafen Wien angegriffen haben ∗∗∗
---------------------------------------------
Als Beweis wurden Frachtpapiere mit Waffenlieferungen veröffentlicht. Laut dem Flughafen Wien sind keine personenbezogenen Daten darunter
---------------------------------------------
https://www.derstandard.at/story/3000000328608/hackergruppe-will-den-flugha…
∗∗∗ Zoho Corp. ManageEngine: Kritische SSO-Lücke ermöglicht Kontenübernahme ∗∗∗
---------------------------------------------
Angreifer können eine kritische Sicherheitslücke in mehreren Zoho Corp. ManageEngine-Produkten missbrauchen, um Konten zu übernehmen.
---------------------------------------------
https://heise.de/-11342888
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (corosync, firefox, kernel, kernel-rt, libpq, memcached, postgresql, postgresql16, postgresql:13, postgresql:16, python-urllib3, python3.14-urllib3, redis:6, skopeo, and vim), Debian (beets, gst-plugins-bad1.0, imagemagick, libmatio, python-urllib3, and u-boot), Fedora (chromium, coturn, frr, grout, materialx, perl-Crypt-DSA, and yt-dlp), Mageia (opensc, perl-Archive-Tar, and podofo), Oracle (fence-agents, libpq, mysql:8.4, and postgresql:16), ..
---------------------------------------------
https://lwn.net/Articles/1079365/
∗∗∗ [R1] Tenable Identity Exposure Version 3.93.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-16
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 22-06-2026 18:00 − Dienstag 23-06-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Auswirkungen auf die Cybersicherheit von Organisationen durch die Entwicklung im Bereich Künstlicher Intelligenz ∗∗∗
---------------------------------------------
Künstliche Intelligenz verändert die Cybersicherheitslage grundlegend und erfordert neue Maßstäbe in der Reaktionsgeschwindigkeit. Während böswillige Akteure in der Vergangenheit bereits arbeitsteilig auf Künstliche Intelligenz gesetzt hatten – beispielsweise um Phishing-Mails zu verfassen – sind aktuelle KI-Systeme derart leistungsfähig, dass Schwachstellen in Software innerhalb kurzer Zeit sowohl umfassend als auch teilweise autonom erkannt, analysiert und in verwertbare Angriffspfade überführt können. Daraus kann eine Lage entstehen, die Organisationen mit einer erheblich steigenden Zahl neu entdeckter Schwachstellen, Exploits, Patches und Folgevorfällen konfrontiert.
---------------------------------------------
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2026/2026-2…
∗∗∗ WhatsApp phishing attack uses fake business docs to hack PCs ∗∗∗
---------------------------------------------
An ongoing malware campaign is targeting WhatsApp users in multiple countries with deceptive messages that push VBScript files, leading to remote system access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-use…
∗∗∗ Nearly Half of LG Smart TV Apps Are Laced with Proxies ∗∗∗
---------------------------------------------
Everyone worries about the apps on their phone. Almost no one looks at the ones on their TV. We scanned 6,038 of them across LG and Samsung; 2,058 were selling your IP address. On screen, its a relaxing fish tank. Or a clock. Or solitaire. Or puppies. Under the hood, it is a residential proxy: software that can send other peoples internet traffic out through your living room. And we found it everywhere.
---------------------------------------------
https://spur.us/blog/smart-tv-apps-residential-proxy-sdks
∗∗∗ Nach Protesten: AMD bringt RAM-Verschlüsselung TSME zurück ∗∗∗
---------------------------------------------
Ohne Ankündigung hat AMD das Sicherheitsmerkmal TSME bei bestimmten Ryzen-Prozessoren deaktiviert. Kunden protestierten, AMD reagiert.
---------------------------------------------
https://www.heise.de/news/Nach-Protesten-AMD-bringt-RAM-Verschluesselung-TS…
∗∗∗ Secure-Boot: Zertifikatablauf steht an, Microsoft gibt weitere Hilfestellung ∗∗∗
---------------------------------------------
Die ersten Secure-Boot-Zertifikate laufen in diesen Tagen ab. Microsoft legt noch mal Handreichungen nach, für Linux auf Azure-VMs.
---------------------------------------------
https://www.heise.de/news/Secure-Boot-Zertifikate-Ablauf-startet-weitere-Ha…
∗∗∗ The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration ∗∗∗
---------------------------------------------
We recently identified a bucket hijacking technique impacting multiple services across major cloud service providers (CSPs). The attack technique exploits a fundamental architectural flaw that is common across cloud providers and could potentially affect other cloud providers as well.
---------------------------------------------
https://unit42.paloaltonetworks.com/cloud-bucket-hijacking-risks/
∗∗∗ Detecting the Klue supply chain attack in Salesforce instances ∗∗∗
---------------------------------------------
We summarize the Klue supply chain attack and provide detection guidance for Salesforce environments monitored by Datadog Cloud SIEM.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/detecting-the-klue-supply-chain…
∗∗∗ Fake-Shops, Abo-Fallen, Phishing-Gewinnspiele: Wie Kriminelle das Fußball-Fieber nutzen ∗∗∗
---------------------------------------------
Die Weltmeisterschaft in den USA, Mexiko und Kanada ist in vollem Gange. Dass Betrüger:innen von diesem Hype profitieren möchten, überrascht nicht. Dieser Artikel zeigt, welche Strategien und Mechanismen sie für ihre Fallen nutzen.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-abofallen-fussball/
∗∗∗ Introducing Patch the Planet ∗∗∗
---------------------------------------------
What happens when you clear dozens of Trail of Bits engineers’ schedules, pair them with every open-source maintainer they can contact, and unleash the latest frontier models like GPT-5.5-Cyber on critical open-source targets? Thanks to our partnership with OpenAI and its Daybreak initiative, we can report that the impact is hundreds of discovered bugs, 64 pull requests, and 51 issues filed across 19 projects (with many more still undergoing coordinated disclosure). That was just the first week of Patch the Planet.
---------------------------------------------
https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/
=====================
= Vulnerabilities =
=====================
∗∗∗ Pixelsmash: Lücke in FFmpeg-Decoder gefährdet unzählige Systeme ∗∗∗
---------------------------------------------
Sicherheitsforscher von JFrog haben eine gefährliche Sicherheitslücke in dem weitverbreiteten freien Multimedia-Framework FFmpeg aufgedeckt. Wie die Forscher in einem Blogbeitrag schildern, können Angreifer damit zahlreiche auf FFmpeg angewiesene Softwarelösungen zum Absturz bringen. In einigen Fällen, etwa bei Jellyfin und Nextcloud, soll sogar eine Schadcodeausführung möglich sein.
---------------------------------------------
https://www.golem.de/news/pixelsmash-luecke-in-ffmpeg-decoder-gefaehrdet-un…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1079083/
∗∗∗ NCSC-2026-0209 [1.00] [M/H] Kwetsbaarheden verholpen in MongoDB Server ∗∗∗
---------------------------------------------
https://advisories.ncsc.nl/advisory?id=NCSC-2026-0209
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 19-06-2026 18:00 − Montag 22-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Angriffswelle gegen FortiGate Devices - "FortiBleed" ∗∗∗
---------------------------------------------
Fortinet hat letzten Freitag, am 19.5.2026, nun auch ein offizielles Statement zu "FortiBleed" veröffentlicht. Wir hatten zuvor in einem Blog-Artikel unseren aktuellen Wissensstand beschrieben. Bei dieser Angriffswelle handelt es sich nicht um die Ausnutzung einer neuen Schwachstelle. Die Angreifer:innen verwenden stattdessen Zugangsdaten, die bei früheren Sicherheitsvorfällen (u. a. im Zusammenhang mit CVE-2025-59718, CVE-2025-59719 und CVE-2026-24858) erlangt wurden, sowie Brute-Force-Methoden gegen Geräte mit schwacher Passworthygiene und ohne Multi-Faktor-Authentifizierung (MFA).
---------------------------------------------
https://www.cert.at/de/warnungen/2026/6/angriffswelle-gegen-fortigate-devic…
∗∗∗ New Prinz Eugen ransomware prioritizes recent files for encryption ∗∗∗
---------------------------------------------
A new ransomware operation named Prinz Eugen prioritizes recently modified files for encryption and leaves no ransom note on the system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-p…
∗∗∗ Squidbleed: 29 Jahre alte Lücke in populärer Proxy-Software entdeckt ∗∗∗
---------------------------------------------
Die zuletzt unter anderem durch die Entdeckung von HTTP/2 Bomb aufgefallenen Sicherheitsforscher von Calif haben mithilfe von Claude Mythos eine Sicherheitslücke in der weitverbreiteten freien Proxyserver-Software Squid entdeckt. Angreifer können damit Speicherinhalte leaken und Daten aus von Squid verarbeiteten HTTP-Requests abgreifen. Die Besonderheit dabei: Die Lücke wurde 1997 eingeführt und blieb damit fast drei Jahrzehnte unentdeckt.
---------------------------------------------
https://www.golem.de/news/squidbleed-29-jahre-alte-luecke-in-populaerer-pro…
∗∗∗ AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network ∗∗∗
---------------------------------------------
A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. [..] The campaign goes after routers built on Realtek's RTL819X chips, hardware that was current around 2012 to 2015. XLab first saw it on March 12, 2026, spreading from a single IP, 107.150.106.14. [..] The infected pool is mostly D-Link, with the DIR-850L alone making up about 75 percent.
---------------------------------------------
https://thehackernews.com/2026/06/arystinger-malware-infects-4300-legacy.ht…
∗∗∗ New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware.
---------------------------------------------
https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html
∗∗∗ Anlagebetrug mit Promi-Namen: Gefälschter oe24-Artikel lockt in die Falle ∗∗∗
---------------------------------------------
Angebliche Anlagetipps von Prominenten sind oft Teil einer Betrugsmasche. Aktuell missbrauchen Kriminelle den Namen von Armin Wolf und der Raiffeisen Bank für eine gefälschte Berichterstattung im Design von oe24. Das Ziel besteht darin, Leser:innen auf eine betrügerische Anlageplattform zu locken.
---------------------------------------------
https://www.watchlist-internet.at/news/anlagebetrug-mit-promi-namen-gefaels…
∗∗∗ Popa Botnetz kapert Smart TVs für Web-Scraping ∗∗∗
---------------------------------------------
icherheitsforscher haben ein Botnetz enttarnt, welches Millionen Smart TVs gekapert hat. Die Millionen Android Smart TV-Geräte, die Teil des Popa-Botnets sind, leiteten Webverkehr (Web-Scaping) an dessen Betreiber weiter.
---------------------------------------------
https://borncity.com/blog/2026/06/22/popa-botnetz-kapert-smart-tvs-fuer-web…
∗∗∗ Mark-of-the-web and pinning installers to sites ∗∗∗
---------------------------------------------
While MoTW is intended for the operating system and other origin-aware applications such as MSFT Office to make security decisions, an executable can also access its own MoTW. This is the basis for a proof-of-concept with a simple Win32 GUI application ...
---------------------------------------------
https://blog.randomoracle.io/2026/06/20/mark-of-the-web-and-pinning-install…
=====================
= Vulnerabilities =
=====================
∗∗∗ libssh2: Teils kritische Lücken in populärer SSH-Bibliothek ∗∗∗
---------------------------------------------
Angreifer können CVE-2026-55200 ausnutzen, indem sie speziell gestaltete SSH-Pakete mit übermäßig großen package_length-Werten übermitteln und dadurch Schreibvorgänge außerhalb vorgesehener Grenzen auslösen. Die Folge ist eine Korruption des Heap-Speichers, wodurch im schlimmsten Fall Schadcode eingeschleust und zur Ausführung gebracht werden kann. [..] Alle Versionen von libssh2 bis einschließlich der seit Oktober 2024 als aktuell geltenden Version 1.11.1 sollen anfällig für CVE-2026-55199 und CVE-2026-55200 sein. Korrekturen wurden mit den Commits 1762685 und 97acf3d bereitgestellt. Wann ein neues Release mit den beiden Patches erscheint, ist noch unklar.
---------------------------------------------
https://www.golem.de/news/libssh2-teils-kritische-luecken-in-populaerer-ssh…
∗∗∗ Bamboo, Confluence & Co.: Atlassian schließt 100 Sicherheitslücken ∗∗∗
---------------------------------------------
Wie aus dem Sicherheitsbereich der Atlassian-Website hervorgeht, haben die Entwickler in aktuellen Versionen insgesamt 100 Lücken geschlossen. Davon sind neben dem eigenen Code auch Abhängigkeiten zu etwa Apache Tomcat betroffen.
---------------------------------------------
https://www.heise.de/news/Bamboo-Confluence-Co-Atlassian-schliesst-100-Sich…
∗∗∗ LWN: Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1078922/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 18-06-2026 18:00 − Freitag 19-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ USB worm spreads crypto-stealing malware via Windows shortcut files ∗∗∗
---------------------------------------------
Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal communication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/usb-worm-spreads-crypto-stea…
∗∗∗ Jailbreak möglich: Wohl unpatchbarer Hardware-Bug gefährdet iPhones ∗∗∗
---------------------------------------------
Forscher haben einen offenbar unpatchbaren Bug entdeckt, der Jailbreaks für mehrere iPhone-, iPad- und Apple-Watch-Modelle ermöglichen könnte.
---------------------------------------------
https://www.golem.de/news/jailbreak-moeglich-wohl-unpatchbarer-hardware-bug…
∗∗∗ Warnung vor Fake-Rechnungen von Sixt Server ∗∗∗
---------------------------------------------
Derzeit melden sich zahlreiche Unternehmen bei uns, die Rechnungen für angebliche Cloud-Dienstleistungen erhalten haben. Tatsächlich handelt es sich dabei um einen Betrugsversuch: Die gefälschten Rechnungen sollen Unternehmen zu einer unberechtigten Zahlung verleiten.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-rechnungen-von-sixt-server/
∗∗∗ Killing me gently: Inside Gentlemen’s EDR killer framework ∗∗∗
---------------------------------------------
ESET Research shares the results of a months-long investigation into the suite of EDR killers maintained by the RaaS gang Gentlemen.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-ge…
∗∗∗ Brand der Floridsdorfer Brücke: Glasfaserausfälle in Wien ∗∗∗
---------------------------------------------
Heute hat es auf der Floridsdorfer Brücke gebrannt. Was der ORF nicht meldet ist, dass über diese Brücke auch Glasfasertrassen geführt werden, und dass durch den Brand einige dieser Leitungen ausgefallen sind. Wenn man die Standorte der relevanten Rechenzentren in Wien kennt, dann ist sofort klar, dass das sehr relevant ist. Bei uns ging bis jetzt eine formelle NIS Meldung ein, weiters haben wir informell von anderen Organisationen gehört, dass sie betroffen sind.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/6/brand-der-floridsdorfer-brucke-glas…
∗∗∗ Bulgaria allowed surveillance tech firm to sell products to repressive regimes, report says ∗∗∗
---------------------------------------------
The nonprofit Human Rights Watch obtained export licensing records covering 2018 through 2023, which show the Bulgarian government allowed the surveillance firm Circles to peddle the tech to law enforcement and intelligence agencies in several countries known for human rights abuses.
---------------------------------------------
https://therecord.media/bulgaria-allowed-surveillance-tech-firm-to-sell-to-…
∗∗∗ PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM ∗∗∗
---------------------------------------------
A pre-authentication remote code execution (RCE) chain in Oracle PeopleSoft PeopleTools reaches an internal-only management servlet through a server-side request forgery (SSRF) in the PSIGW gateway, then gains code execution through Java XMLDecoder deserialization. Oracle assigned CVE-2026-35273 (CVSS 9.8) and released an out-of-band patch on June 10, 2026. [..] Our researchers discovered new information about this vulnerability, which was responsibly disclosed to Oracle as part of our investigation.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/f/PeopleTools.html
∗∗∗ Anthropics KI Mythos: Unternehmen haben weiter Zugriff auf Preview-Version ∗∗∗
---------------------------------------------
Trotz US-Anordnung haben manche Unternehmen weiterhin Zugriff auf eine Preview-Version von Anthropics KI-Modell Mythos.
---------------------------------------------
https://heise.de/-11338742
∗∗∗ I discovered a large-scale malware distribution on GitHub ∗∗∗
---------------------------------------------
This is the story of how I found 10,000 repositories on GitHub that distribute Trojan malware. They are all from different contributors, have different names, and are not forks of other repositories. But they share a common pattern, which is what allowed me to write a script to find such repositories.
---------------------------------------------
https://orchidfiles.com/github-repositories-distributing-malware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Windows 10/11: Rechteausweitung in AMD-RAID-Treiber ∗∗∗
---------------------------------------------
Im AMD RAID-Treiber für Windows 10 und Windows 11 ist ein gravierender Bug bekannt geworden, der die Sicherheit des Systems gefährdet. Die Schwachstelle CVE-2024-21962, hat einen CVSS-Score von 8.6. AMD und auch der Hersteller HP haben Sicherheitshinweise sowie eine neue Treiberversion veröffentlicht.
---------------------------------------------
https://borncity.com/blog/2026/06/19/windows-10-11-rechteausweitung-in-amd-…
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1078662/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 17-06-2026 18:00 − Donnerstag 18-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Rogueplanet-Exploit: Microsoft verspricht ein "High-Quality-Sicherheitsupdate" ∗∗∗
---------------------------------------------
Microsoft will mit einem Update die Ausnutzung des Rogueplanet-Exploits auf Windows-Geräten unterbinden. Wann das passiert, bleibt aber ein Rätsel.
---------------------------------------------
https://www.golem.de/news/rogueplanet-exploit-microsoft-verspricht-ein-high…
∗∗∗ Jetzt patchen: Nginx-Webserver durch kritische Lücken angreifbar ∗∗∗
---------------------------------------------
Angreifer können aufgrund von Sicherheitslücken in drei Nginx-Modulen Webserver lahmlegen oder Schadcode einschleusen. Patches verhindern das.
---------------------------------------------
https://www.golem.de/news/jetzt-patchen-nginx-webserver-durch-kritische-lue…
∗∗∗ Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline ∗∗∗
---------------------------------------------
A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials.Ordinary stuff, until one move near the end.Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victims machine, building a way back in that did not run through the C2 at all. When the Havoc server went ..
---------------------------------------------
https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html
∗∗∗ Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments ∗∗∗
---------------------------------------------
An unknown threat actor has been observed leveraging paid or promoted posts on legitimate news websites to drum up buzz for their warez, according to new findings from Check Point Research.The threat actor also has at their disposal a dedicated WordPress ..
---------------------------------------------
https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html
∗∗∗ Operation Endgame: Ermittler säubern tausende Blogs von SocGholish ∗∗∗
---------------------------------------------
Strafverfolger aus vier Ländern zerschlugen ein Botnet und Wordpress-Blogs, die Kriminelle als Verteilstationen für Schadsoftware mißbrauchten.
---------------------------------------------
https://www.heise.de/news/Operation-Endgame-Ermittler-saeubern-tausende-Blo…
∗∗∗ Auslaufende Secure Boot-Zertifikate - was war, was ist, was kommt ∗∗∗
---------------------------------------------
Zwei völlig unterschiedliche Technologien, eine sehr ähnliche Problematik - DNS und Secure Boot sind beides Technologien die (idealerweise) problemfrei im Hintergrund laufen .. bis sie dann plötzlich zum Thema werden. Genau das könnte im Laufe dieses Jahres bei Secure Boot der Fall sein - die kryptographischen Vertrauensanker, auf denen UEFI Secure Boot beruht, stammen größtenteils aus dem Jahr 2011. Und das Ende fünfzehnjährigen ..
---------------------------------------------
https://www.cert.at/de/blog/2026/6/auslaufende-secure-boot-zertifikate-was-…
∗∗∗ Aktueller Stand rund um "FortiBleed" ∗∗∗
---------------------------------------------
Vergangenes Wochenende entdeckte ein Sicherheitsforscher im Rahmen seiner Arbeit eine ungewöhnlich strukturierte Sammlung gestohlener Daten, welche sich nach weiterer Analyse als kompromittierte Zugangsdaten für zehntausende Fortinet-Systeme weltweit herausstellten. Die Echtheit der Daten wurden in weiterer Folge sowohl durch unabhängige Sicherheitsexperten als auch das Sicherheitsunternehmen Hudson Rock bestätigt. Die rund 75.000 betroffenen Fortinet-Systeme ..
---------------------------------------------
https://www.cert.at/de/blog/2026/6/aktueller-stand-rund-um-fortibleed
∗∗∗ EU grants Ukraine access to cybersecurity reserve for major attacks ∗∗∗
---------------------------------------------
As Kyiv takes steps toward formal accession to the EU, the bloc is integrating Ukraine with its pool of pre-approved cybersecurity incident response companies.
---------------------------------------------
https://therecord.media/ukraine-access-eu-cybersecurity-reserve
∗∗∗ Von Blaster bis BlueHammer: Wiederholt sich die Geschichte bei Microsoft? ∗∗∗
---------------------------------------------
Seit einigen Wochen gibt es ja einen ziemlichen Disput zwischen einem Sicherheitsforscher mit dem Alias Nightmare Eclipse und dem Microsoft Security Response Center-Team (MSRC-Team). Es geht um die Art, wie Sicherheitslücken gemeldet, ..
---------------------------------------------
https://borncity.com/blog/2026/06/18/von-blaster-bis-bluehammer-wiederholt-…
∗∗∗ The Road to Post-Quantum Readiness Part 1 of 2: Understanding the Risk ∗∗∗
---------------------------------------------
Post-Quantum Cryptography is no longer a future-only concern. Standards are final, major providers have already deployed hybrid protection, and the real risk now is data captured today and decrypted later. Part 1 explains the fundamentals, the threat, and why organizations can no longer afford to wait.
---------------------------------------------
https://blog.nviso.eu/2026/06/18/the-road-to-post-quantum-readiness-part-1/
∗∗∗ Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign ∗∗∗
---------------------------------------------
Cybercriminals hijacked Google Ads searches for popular AI developer tools to funnel over 2,000 victims toward malicious download pages before quietly moving their operation onto claude.ais own platform, turning the trusted domain into a delivery mechanism for credential-stealing malware.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/f/claudeai-shared-chat-abused-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Critical - PHP object injection - SA-CORE-2026-005 ∗∗∗
---------------------------------------------
Project: Drupal coreDate: 2026-June-05Security risk: Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: PHP object injectionAffected versions: =10.6.0 =11.2.0 =11.3.0 CVE IDs: CVE-2026-55803Description: SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web ..
---------------------------------------------
https://www.drupal.org/sa-core-2026-005
∗∗∗ Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050 ∗∗∗
---------------------------------------------
Project: Plotly.js GraphingDate: 2026-June-17Security risk: Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: PHP object injectionAffected versions: CVE IDs: ..
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-050
∗∗∗ Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049 ∗∗∗
---------------------------------------------
Project: Flag attendance fieldDate: 2026-June-17Security risk: Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: PHP object injectionAffected versions: CVE IDs: CVE-2026-55809Description: The Flag attendance field module gives you the ability to add attendance by depending on Flag module.flag_attendance_field stores ..
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-049
∗∗∗ Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048 ∗∗∗
---------------------------------------------
Project: Formatter FieldDate: 2026-June-17Security risk: Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: PHP object injectionAffected versions: CVE IDs: CVE-2026-12535Description: The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a ..
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-048
∗∗∗ SVD-2026-0614: OS Command Injection in the btool Configuration Helper in Splunk AI Toolkit ∗∗∗
---------------------------------------------
In Splunk AI Toolkit versions below 5.7.4, a user who holds the “admin” Splunk role could execute arbitrary OS commands on the host running the Splunk Enterprise instance.The vulnerability is possible because of an unsafe shell execution pattern in the btool configuration helper, which constructs OS command strings from dynamic parameters without disabling shell interpretation.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0614
∗∗∗ Cisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Crosswork Network Controller Server-Side Template Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Webex App Open Redirect Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Umbrella Virtual Appliance Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Hardcoded Root Cloud Credentials in Application Binaries in Silver Leaf Technologies Worksnaps ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/hardcoded-root-cloud-cre…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 16-06-2026 18:00 − Mittwoch 17-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Kodak confirms data breach claimed by ShinyHunters extortion gang ∗∗∗
---------------------------------------------
Kodak has confirmed that its working with external cybersecurity experts to investigate a security breach after hackers gained access to some of the companys data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kodak-confirms-data-breach-c…
∗∗∗ Historischer Anstieg: KI lässt Anzahl gemeldeter Sicherheitslücken explodieren ∗∗∗
---------------------------------------------
Neuen Hochrechnungen zufolge könnten 2026 etwa 66.000 neue Sicherheitslücken registriert werden. Im Vorjahr waren es noch deutlich weniger.
---------------------------------------------
https://www.golem.de/news/historischer-anstieg-ki-laesst-anzahl-gemeldeter-…
∗∗∗ Fußball-WM: Offizielles Streamingportal der Fifa gehackt ∗∗∗
---------------------------------------------
Eine Forscherin hat eine unzureichende Sicherheitsprüfung bei Systemen der Fifa entdeckt. Angreifer hätten Streams der laufenden WM sabotieren können.
---------------------------------------------
https://www.golem.de/news/fussball-wm-offizielles-streamingportal-der-fifa-…
∗∗∗ France To Stop Certifying Products Without Quantum-Safe Encryption ∗∗∗
---------------------------------------------
Starting in 2027, Frances cybersecurity agency ANSSI will stop certifying security products that lack quantum-resistant encryption, effectively forcing government agencies and critical infrastructure operators to phase out older cryptographic systems. Reuters reports: Samih Souissi, ANSSIs chief of staff, said at the France Quantum conference that ..
---------------------------------------------
https://it.slashdot.org/story/26/06/16/181236/france-to-stop-certifying-pro…
∗∗∗ WordPress PBN Plugin Drops Dual Webshells via Database Injection ∗∗∗
---------------------------------------------
During a recent incident response engagement, our team uncovered a multi-stage WordPress infection that goes beyond the usual file-based malware. The attacker combined a fake plugin, a remote command-and-control server, and two PHP web shells stored directly inside the WordPress database.The campaign is operated by a Turkish-speaking threat actor ..
---------------------------------------------
https://blog.sucuri.net/2026/06/wordpress-pbn-plugin-drops-dual-webshells-v…
∗∗∗ CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
---------------------------------------------
https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.h…
∗∗∗ Three critical Fortinet sandbox bugs splattered by unknown attackers ∗∗∗
---------------------------------------------
All have patches, so make sure you upgrade to a fixed version
---------------------------------------------
https://www.theregister.com/security/2026/06/16/three-critical-fortinet-san…
∗∗∗ ‘Dangerous’ AI Models Are Coming No Matter What ∗∗∗
---------------------------------------------
The US government crackdown on Anthropic’s Claude Fable 5 and Mythos 5 hides a glaring truth: AI models with advanced hacking capabilities will soon be the norm.
---------------------------------------------
https://www.wired.com/story/dangerous-ai-models-are-coming-no-matter-what/
∗∗∗ Mehrere Plug-ins für JetBrains-IDEs stehlen API-Keys für OpenAI, DeepSeek & Co. ∗∗∗
---------------------------------------------
Mindestens 15 Plug-ins für JetBrains-IDEs übermitteln API-Keys an einen externen Server. Dabei bieten sie ansonsten die versprochenen Funktionen.
---------------------------------------------
https://www.heise.de/news/Mehrere-Plug-ins-fuer-JetBrains-IDEs-stehlen-API-…
∗∗∗ Android 17 hat direkt Sicherheitspatches mit an Bord ∗∗∗
---------------------------------------------
Googles Entwickler haben in der Launchversion von Android 17 diverse Sicherheitslücken geschlossen.
---------------------------------------------
https://www.heise.de/news/Android-17-hat-direkt-Sicherheitspatches-mit-an-B…
∗∗∗ Angriffe auf FortiSandbox-Schwachstellen ∗∗∗
---------------------------------------------
Schwachstellen in FortiSandbox sind derzeit Ziel von Angriffen im Internet. Patches zum Absichern stehen seit April bereit.
---------------------------------------------
https://www.heise.de/news/Angriffe-auf-FortiSandbox-Schwachstellen-11335667…
∗∗∗ NIS2-Mahnung: BSI setzt neue Frist zur Registrierung bis Ende Juli ∗∗∗
---------------------------------------------
Die Registrierungszahlen zum IT-Sicherheitsgesetz enttäuschen. Das BSI mahnt Firmen, NIS2-Vorgaben einzuhalten, und gibt eine neue Deadline vor.
---------------------------------------------
https://www.heise.de/news/NIS2-Mahnung-BSI-setzt-neue-Frist-zur-Registrieru…
∗∗∗ GitHub dismissed security reports on flaws now exploited by supply-chain worm, researchers say ∗∗∗
---------------------------------------------
GitHub rejected two formal vulnerability reports identifying design flaws that researchers say are enabling variants of the Shai-Hulud supply-chain worm to infect and compromise hundreds of software packages and developer accounts worldwide.
---------------------------------------------
https://therecord.media/github-dismissed-reports-shai-hulud-deep-specter
∗∗∗ Reducing Microsoft Sentinel Costs Without Compromising Detection – Part 1: The Summary Rules Quest ∗∗∗
---------------------------------------------
This blog is the first in a series exploring how Summary Rules, together with Auxiliary or Data Lake storage, can help organizations optimize SIEM costs without compromising core threat detection and monitoring capabilities.
---------------------------------------------
https://blog.nviso.eu/2026/06/17/reducing-microsoft-sentinel-costs-without-…
∗∗∗ FortiBleed — 75k Fortinet firewalls have admin passwords cracked ∗∗∗
---------------------------------------------
An interesting post popped up on LinkedIn at the weekend from Voldymyr Diachenko saying plain text passwords were found in the wild by Hunt Intelligence Inc for Fortinet firewalls ..
---------------------------------------------
https://doublepulsar.com/fortibleed-75k-fortinet-firewalls-have-admin-passw…
∗∗∗ Threat tactic spotlight: Subdomain takeover ∗∗∗
---------------------------------------------
In this blog post you’ll learn how to detect and prevent subdomain takeover – a tactic where threat actors exploit dangling DNS records to redirect traffic to attacker-controlled resources. We’ll explain the issue, how the situation arises, and how you can use various AWS features and services to help mitigate the impact of this tactic.
---------------------------------------------
https://aws.amazon.com/blogs/security/threat-tactic-spotlight-subdomain-tak…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Security Patch Update Advisory - June 2026 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cspujun2026.html
∗∗∗ Multiple Vulnerabilities in Quanos Content Solutions SCHEMA ST4 ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ A 27-Year-Old Authentication Bypass in OpenBSDs PPP Stack ∗∗∗
---------------------------------------------
https://blog.argus-systems.ai/blog/openbsd-pap-27-year-auth-bypass.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/