=====================
= End-of-Day report =
=====================
Timeframe: Montag 15-06-2026 18:00 − Dienstag 16-06-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ÖIAT-Studie: Über 600.000 betrügerische und problematische Werbeanzeigen auf Facebook und Instagram ∗∗∗
---------------------------------------------
Eine „Analyse des Betrugsökosystems Online-Werbung auf Meta-Plattformen“ hat erstaunliche Ergebnisse geliefert. Über einen Zeitraum von drei Monaten entdeckte die Forschungsabteilung des ÖIAT über 600.000 betrügerische bzw. problematische Werbeanzeigen auf Meta-Plattformen. EU-weit wurden diese über 1 Milliarde Mal ausgespielt, davon 123 Millionen Mal allein in Österreich.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-problematische-werbea…
∗∗∗ Mit Malware erbeutet: 124 Millionen neue Passwörter bei HaveIBeenPwned ∗∗∗
---------------------------------------------
Cyberkriminelle greifen mit Infostealer-Malware häufig Zugangsdaten ab. HaveIBeenPwned hat seine Datenbank um eine große Sammlung davon erweitert.
---------------------------------------------
https://www.golem.de/news/mit-malware-erbeutet-124-millionen-neue-passwoert…
∗∗∗ Windows version of SprySOCKS Linux malware used to attack govt orgs ∗∗∗
---------------------------------------------
Windows variants for the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks…
∗∗∗ Ransomware gang abuses Microsoft Teams relays to hide malicious traffic ∗∗∗
---------------------------------------------
DragonForce ransomware used a custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-micro…
∗∗∗ North Korean Hackers Are Turning Developer Tools Into Malware Delivery Channels ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged two malicious cyber campaigns that exhibit similarities with a persistent North Korean threat cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi). According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes to target nearly 100 organizations in finance, cryptocurrency, education, technology, and several other sectors. The activity has been codenamed UNK_DeadDrop.
---------------------------------------------
https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html
∗∗∗ EvilTokens: Neue Phishing-Kampagne verschafft sich Zugriff mit legitimen Mitteln ∗∗∗
---------------------------------------------
Was passiert, wenn bei einem Phishing-Angriff offizielle Infrastruktur genutzt wird, anstatt diese zu fälschen? EvilTokens markiert eine Weiterentwicklung des Phishing: Es werden nicht mehr Anmeldedaten gestohlen, sondern die Opfer dazu verleitet, legitime Sitzungen zu autorisieren.
---------------------------------------------
https://www.welivesecurity.com/de/cybercrime/eviltokens-neue-phishing-kampa…
∗∗∗ Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE ∗∗∗
---------------------------------------------
We discovered a vulnerability in the Google Cloud Vertex AI software development kit (SDK) for Python, and responsibly disclosed it to Google. Before Google’s fix, the vulnerability would have allowed an attacker operating entirely from their own Google Cloud project to hijack a victim's model upload and poison it. By exploiting this flaw in vulnerable versions of the SDK, an attacker can achieve remote code execution (RCE) within a target’s Vertex AI serving infrastructure, with zero initial access to the victim's project.
---------------------------------------------
https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
∗∗∗ Viel Geduld: Chinesische IT-Spione lauerten lange in Forschungseinrichtungen ∗∗∗
---------------------------------------------
Viel Geduld haben chinesische Angreifer bewiesen: Sie nisteten sich in Redcap-Servern ein, nutzten das aber erst mehr als ein Jahr später voll aus.
---------------------------------------------
https://heise.de/-11333355
∗∗∗ GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions ∗∗∗
---------------------------------------------
The trojanized extensions use TinyGo-compiled WebAssembly and Solana transaction memos to resolve command-and-control infrastructure.
---------------------------------------------
https://socket.dev/blog/glasswasm-malware-open-vsx-extensions?utm_medium=fe…
∗∗∗ A backdoor in a LinkedIn job offer ∗∗∗
---------------------------------------------
Last week, I got a LinkedIn message from a recruiter at a small crypto startup. We exchanged a few messages over a couple of days, she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to “check out the deprecated Node modules issue.” It’s not uncommon to ask for a review of an existing codebase, but something felt off and raised an alarm in my head, so I decided to get a bit extra paranoid.
---------------------------------------------
https://roman.pt/posts/linkedin-backdoor/
∗∗∗ Critical Fortinet FortiSandbox flaws now exploited in attacks ∗∗∗
---------------------------------------------
Attackers are now exploiting several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform, according to threat intelligence company Defused. Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandb…
=====================
= Vulnerabilities =
=====================
∗∗∗ Root-Attacken auf Cisco Catalyst SD-WAN Manager und cPanel-Plug-in LiteSpeed ∗∗∗
---------------------------------------------
Admins, die Cisco Catalyst SD-WAN Manager oder cPanel mit LiteSpeed-Plug-in verwalten, sollten aufgrund von laufenden Angriffen umgehend die verfügbaren Sicherheitsupdates installieren. Im schlimmsten Fall können Angreifer als root-Nutzer auf Systeme zugreifen. Damit das klappt, müssen sie aber zuerst einige Hürden überwinden.
---------------------------------------------
https://www.heise.de/news/Root-Attacken-auf-Cisco-Catalyst-SD-WAN-Manager-u…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1078158/
∗∗∗ Broken Access Control in syracom AG Secure Login (2FA) for Atlassian Jira / Confluence / Bitbucket ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/broken-access-control-in…
∗∗∗ Zyxel security advisory for stack-based buffer overflow vulnerability in GS1900 series switches ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 12-06-2026 18:00 − Montag 15-06-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ New attack turned Microsoft 365 Copilot into 1-click data theft tool ∗∗∗
---------------------------------------------
A critical vulnerability chain dubbed SearchLeak in Microsoft 365 Copilot Enterprise could allow attackers to steal sensitive data from a targets mailbox, OneDrive, or SharePoint account through a specially crafted URL.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-…
∗∗∗ Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites ∗∗∗
---------------------------------------------
An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage, OptinMonster, and TrustPulse, turning those files into a way to break into the sites.When a site administrator was logged in as the file loaded, the code created an admin account under the attackers control and installed a hidden plugin that opened a way back in.
---------------------------------------------
https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html
∗∗∗ „Sommer der Glückseligkeit“: curl nimmt einen Monat lang keine Bug-Reports an ∗∗∗
---------------------------------------------
Seit Wochen kämpft der Maintainer von curl mit der Arbeitslast durch die Flut an KI-generierten Bug-Reports. Im Juli soll deshalb keiner angenommen werden.
---------------------------------------------
https://www.heise.de/news/Sommer-der-Glueckseligkeit-curl-nimmt-einen-Monat…
∗∗∗ WKO-Phishing: Betrugsmail fordert Datenaktualisierung ∗∗∗
---------------------------------------------
Aktuell behauptet eine E-Mail im Namen der Wirtschaftskammer Österreich (WKO), dass Unternehmensdaten nicht aktualisiert wurden. Wer den enthaltenen Link nicht ausfüllt, dem werden umfassende Strafen angedroht. Tatsächlich haben es Kriminelle auf sensible Unternehmens- und Personendaten abgesehen.
---------------------------------------------
https://www.watchlist-internet.at/news/wko-phishing-betrugsmail-fordert-dat…
∗∗∗ FortiNet SSO Vulnerability CVE-2025-59718 and CVE-2025-59719 Leading to Full System Compromise ∗∗∗
---------------------------------------------
Earlier this year, Truesec CSIRT responded to multiple incidents related to the two FortiCloud single-sign-on (SSO) vulnerabilities from December 2025 (tracked as CVE-2025-59718 and CVE-2025-59719). In this blog post, we share our insights into threat actors’ activities and methods for compromising an environment.
---------------------------------------------
https://www.truesec.com/hub/blog/vulnerability-cve-2025-59718-and-cve-2025-…
∗∗∗ Routerhersteller fordern Kontrolle importierter Geräte ∗∗∗
---------------------------------------------
EU-Sicherheitsvorschriften für 5G-Mobilfunk sollen Spionage vorbeugen. Für Heimnetzwerke gibt es keine entsprechenden Regeln, kritisieren nun Hersteller.
---------------------------------------------
https://heise.de/-11331799
∗∗∗ 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic ∗∗∗
---------------------------------------------
Sockets Threat Research Team identified a family of 152 Chrome Web Store new-tab "live wallpaper" extensions, built from one shared codebase but distributed across 38 separate Chrome Web Store publisher accounts and three brand backends, carrying a combined total of approximately 105,000 reported installs.
---------------------------------------------
https://socket.dev/blog/152-chrome-live-wallpaper-extensions-hid-ad-tracking
∗∗∗ Präparierte PDF-Datei kann Avira Antivirus gefährlich werden ∗∗∗
---------------------------------------------
In einer Schwachstellendatenbank sind Lücken in Avira Antivirus aufgetaucht. Bislang listet der Softwarehersteller die Lücken nicht auf. Sie sind aber gepatcht.
---------------------------------------------
https://www.heise.de/news/Praeparierte-PDF-Datei-kann-Avira-Antivirus-gefae…
∗∗∗ LibreNMS Authenticated RCE (< 26.5.0) ∗∗∗
---------------------------------------------
When theres one, theres normally more. This is a part 2 to our previous post on LibreNMS. This vulnerability allows an admin user to inject commands that are passed to the exec function, which will then be executed as the user running the poller.
---------------------------------------------
https://projectblack.io/blog/librenms-authenticated-rce-26-5-0/
∗∗∗ Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE) ∗∗∗
---------------------------------------------
On June 10th, Splunk published this CVE-2026-20253 advisory [..] It has everything that we love: No authentication requirements, An almost full-mark CVSS score, Claims to be a security product, Vulnerability name longer than the average piece of spaghetti.
---------------------------------------------
https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Splunk: SVD-2026-0603: Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise ∗∗∗
---------------------------------------------
In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0603
∗∗∗ phpBB: Kritische Sicherheitslücke ermöglicht Kompromittierung ∗∗∗
---------------------------------------------
In der Forensoftware phpBB haben IT-Forscher eine kritische Sicherheitslücke entdeckt, die Zugang mit jedem angelegten Konto ermöglicht.
---------------------------------------------
https://www.heise.de/news/phpBB-Kritische-Sicherheitsluecke-ermoeglicht-Kom…
∗∗∗ LWN: Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1077945/
∗∗∗ Zahlreiche kritische Schwachstellen in Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-kritische-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 11-06-2026 18:00 − Freitag 12-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Pharma giant Novo Nordisk discloses breach of clinical trials data ∗∗∗
---------------------------------------------
Danish pharmaceutical giant Novo Nordisk, the worlds largest producer of insulin, disclosed a data breach affecting patient information from some clinical trials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pharmaceutical-giant-novo-no…
∗∗∗ 336 Millionen Euro in Bitcoin gewaschen: Geldwäschedienst AudiA6 zerschlagen ∗∗∗
---------------------------------------------
Ein AudiA6 genannter Geldwäschedienst ließ Hacker und Betrüger Bitcoin-Transaktionen in Millionenhöhe verschleiern. Doch damit ist jetzt Schluss.
---------------------------------------------
https://www.golem.de/news/336-millionen-euro-in-bitcoin-gewaschen-geldwaesc…
∗∗∗ Kernel-Bug: FreeBSD-Exploit "Bumsrakete" verleiht Root-Zugriff ∗∗∗
---------------------------------------------
Ein Exploit namens Bumsrakete gefährdet alle FreeBSD-Versionen der letzten fünf Jahre. Die Entdecker nehmen es mit reichlich Humor.
---------------------------------------------
https://www.golem.de/news/kernel-bug-freebsd-exploit-bumsrakete-verleiht-ro…
∗∗∗ LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution.LangGraph is an open-source framework created by LangChain to ..
---------------------------------------------
https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html
∗∗∗ INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator ∗∗∗
---------------------------------------------
An INTERPOL-led operation last month resulted in the disruption of Sniper Dz, a decade-long phishing-as-a-service (PhaaS) platform, Group-IB said Thursday.The effort, codenamed Operation Ramz, took place between October 2025 and February ..
---------------------------------------------
https://thehackernews.com/2026/06/interpol-takes-down-sniper-dz-phishing.ht…
∗∗∗ Drug Sites Hijacked Spotify’s Search Ranking Through Fake Podcasts ∗∗∗
---------------------------------------------
A joint congressional report describes a spam operation that turned tens of thousands of fake podcasts into search-engine bait for illegal pharmacy and scam sites.
---------------------------------------------
https://www.wired.com/story/drug-sites-hijacked-spotifys-search-ranking-thr…
∗∗∗ Ivanti Sentry: Verwirrung um Status von kritischem Befehlsschmuggel-Leck ∗∗∗
---------------------------------------------
Ivanti warnt aktuell vor kritischen Sicherheitslücken in Sentry. Die CISA warnt vor Angriffen, Ivanti wiegelt jedoch ab.
---------------------------------------------
https://www.heise.de/news/Ivanti-Sentry-Wirrwar-um-Missbrauch-kritischer-Be…
∗∗∗ Ubiquiti UniFi OS: Kritische Lücken erlauben Codeschmuggel ∗∗∗
---------------------------------------------
Ubiquiti warnt vor teils kritischen Sicherheitslücken in UniFi OS. Aktualisierte Software steht bereit, um sie zu schließen.
---------------------------------------------
https://www.heise.de/news/Ubiquiti-UniFi-OS-Kritische-Luecken-erlauben-Code…
∗∗∗ Fake verification pages are stealing Steam accounts from players ∗∗∗
---------------------------------------------
A convincing fake FACEIT verification page is stealing Steam accounts by using a fake login window that looks completely legitimate.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-verification-pa…
∗∗∗ Hundreds of AUR packages compromised ∗∗∗
---------------------------------------------
Hundreds of orphaned packages hosted by the Arch User Repository (AUR) have been compromised by an attacker who has added a malicious npm package (atomic-lockfile) that can exfiltrate sensitive data. The project is currently working on cleaning up the mess. There is a list of affected packages and post (possibly NSFW domain) by"sodiboo" with additional information ..
---------------------------------------------
https://lwn.net/Articles/1077718/
∗∗∗ Decade-Long SniperDz Phishing Network Disrupted in Operation Ramz ∗∗∗
---------------------------------------------
Group-IB, INTERPOL and Algerian Police dismantle decade-old SniperDZ phishing network used to steal credentials, with its alleged developer arrested.
---------------------------------------------
https://hackread.com/authorities-dismantle-sniperdz-phishing-network/
∗∗∗ Marking Your Own Homework (Check Point Remote Access VPN IKEv1 Authentication Bypass CVE-2026-50751) ∗∗∗
---------------------------------------------
It is yet another day in this parallel universe of security, where the devices we bolt onto the edge of our networks to keep the bad people out are, with remarkable consistency, the exact thing that let the bad ..
---------------------------------------------
https://labs.watchtowr.com/marking-your-own-homework-check-point-remote-acc…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2026-45257: LPE in FreeBSD via kTLS-RX ∗∗∗
---------------------------------------------
https://bumsrake.de
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 10-06-2026 18:00 − Donnerstag 11-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks ∗∗∗
---------------------------------------------
Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-ha…
∗∗∗ Neuer Bitlocker-Bypass: Chaotic Eclipse wirft weiter mit Windows-Exploits um sich ∗∗∗
---------------------------------------------
Chaotic Eclipse ist wohl doch nicht so erschöpft wie behauptet. Ein neuer Exploit zur Umgehung von Bitlocker auf Windows-Geräten ist noch drin.
---------------------------------------------
https://www.golem.de/news/neuer-bitlocker-bypass-chaotic-eclipse-wirft-weit…
∗∗∗ Chinese agents caught rebuilding botnets and stirring the pot on AI datacenter debate ∗∗∗
---------------------------------------------
PRC eyes are watching you
---------------------------------------------
https://www.theregister.com/security/2026/06/11/china-linked-operators-revi…
∗∗∗ Every employee’s password was stored in a single Excel file ∗∗∗
---------------------------------------------
The CEO thought this was the best way to deal with some email issues
---------------------------------------------
https://www.theregister.com/security/2026/06/11/every-employees-password-wa…
∗∗∗ CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats ∗∗∗
---------------------------------------------
“Defenders cannot afford to take weeks to patch,” one Cybersecurity and Infrastructure Security Agency official warned on Wednesday.
---------------------------------------------
https://www.wired.com/story/cisa-ai-vulnerability-directive/
∗∗∗ OpenSSL: Präparierte Signatur kann Weg für Schadcode ebnen ∗∗∗
---------------------------------------------
In aktuellen Versionen haben die OpenSSL-Entwickler insgesamt 18 Sicherheitslücken geschlossen.
---------------------------------------------
https://www.heise.de/news/OpenSSL-Praeparierte-Signatur-kann-Weg-fuer-Schad…
∗∗∗ Intel-Aus: So lange will Apple Sicherheitspatches liefern ∗∗∗
---------------------------------------------
Mit macOS 27 ist das x86-Zeitalter bei Apple vorbei. Immerhin soll es noch über einen längeren Zeitraum Patches geben. Wie vollständig die sind – unklar.
---------------------------------------------
https://www.heise.de/news/macOS-Apple-teilt-mit-wie-lange-es-Intel-Sicherhe…
∗∗∗ FreeBSD: Rechteausweitungslücke mit augenzwinkerndem Codenamen ∗∗∗
---------------------------------------------
Auch in FreeBSD haben IT-Forscher eine Sicherheitslücke gefunden, die die Rechteausweitung ermöglicht. Name: „Bumsrakete[tm]“.
---------------------------------------------
https://www.heise.de/news/FreeBSD-Rechteausweitungsluecke-mit-augenzwinkern…
∗∗∗ GenAI Is Both Hunter and Hunted at Pwn2Own Berlin 2026 ∗∗∗
---------------------------------------------
This year’s Pwn2Own competition in Berlin revealed just how much of the AI stack remains exposed -- and the gap between what these tools promise and what they can withstand point to the fragile security foundations underneath.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/f/pwn2own-genai.html
=====================
= Vulnerabilities =
=====================
∗∗∗ SVD-2026-0609: Improper Access Control in Splunk Enterprise ∗∗∗
---------------------------------------------
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability edit_saved_search_owner could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0609
∗∗∗ SVD-2026-0606: Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise ∗∗∗
---------------------------------------------
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.The vulnerability exists because the URL classifier in classic dashboards
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0606
∗∗∗ SVD-2026-0605: Improper Input Validation through Classic Dashboards in Splunk Enterprise ∗∗∗
---------------------------------------------
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server.The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0605
∗∗∗ SVD-2026-0601: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway ∗∗∗
---------------------------------------------
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.The Remote Code Execution is possible because of unsafe deserialization of App
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0601
∗∗∗ Oracle Security Alert Advisory - CVE-2026-35273 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
∗∗∗ Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-047
∗∗∗ Composer - Critical - Unsupported - SA-CONTRIB-2026-046 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-046
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 09-06-2026 18:00 − Mittwoch 10-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ OpenClaw AI agent found falling for phishing attacks, spills user data ∗∗∗
---------------------------------------------
Phishing simulation on an OpenClaw email agent with various configuration profiles showed that it was susceptible to tactics commonly used to compromise human users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/openclaw-ai-agent-found-fall…
∗∗∗ Wurm-Attacken möglich: Kernel-Lücke lässt Angreifer Windows-Systeme kapern ∗∗∗
---------------------------------------------
Microsofts Juni-Updates schließen über 500 Sicherheitslücken. Eine davon ermöglicht automatisierte Schadcode-Attacken auf Windows-Systeme.
---------------------------------------------
https://www.golem.de/news/wurm-attacken-moeglich-kernel-luecke-laesst-angre…
∗∗∗ Servicenow: Großer Cloudanbieter informiert Kunden über Datenpanne ∗∗∗
---------------------------------------------
Bei Servicenow konnten Angreifer ohne Authentifizierung über ein API Kundendaten ausleiten. Mindestens ein Cyberakteur hat das ausgenutzt.
---------------------------------------------
https://www.golem.de/news/servicenow-grosser-cloudanbieter-informiert-kunde…
∗∗∗ Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9 ∗∗∗
---------------------------------------------
Remote, unauthenticated RCE with root privileges is about as bad as it gets
---------------------------------------------
https://www.theregister.com/patches/2026/06/10/ivanti-urges-sentry-users-to…
∗∗∗ GitHub pulls pin on npms auto-run scripts ∗∗∗
---------------------------------------------
Shai-Hulud worm exploited exactly this. Better late than never, says everyone except the malware authors
---------------------------------------------
https://www.theregister.com/devops/2026/06/10/github-pulls-pin-on-npms-auto…
∗∗∗ Wait, binding.gyp Can Do What? Exploring npms Weirdest Build System ∗∗∗
---------------------------------------------
It has only been a couple of days since the Miasma attack hit 32 official Red Hat packages on npm. The worm added a malicious preinstall script to each compromised package, so that node index.js ran automatically the moment you installed the dependency, harvesting cloud credentials, CI tokens, SSH keys and more before you ever ran a single line of your ..
---------------------------------------------
https://www.aikido.dev/blog/exploring-binding-gyp-npm-build-system
∗∗∗ Bundesregierung will KI-Sicherheitsinstitut gründen ∗∗∗
---------------------------------------------
Mit einer neuen Einrichtung will die Bundesregierung ihre Analysefähigkeiten bei KI-Modellen stärken. Minister Wildberger verspricht „Experten auf Weltniveau“.
---------------------------------------------
https://www.heise.de/news/Bundesregierung-will-KI-Sicherheitsinstitut-gruen…
∗∗∗ Datenleck: Cyberangriff auf französischen Regierungs-Messenger Tchap ∗∗∗
---------------------------------------------
Frankreichs Digitalstelle DINUM räumt ein Datenleck beim Regierungs-Messenger Tchap ein. Angreifer konnten ein Konto kompromittieren.
---------------------------------------------
https://www.heise.de/news/Datenleck-Cyberangriff-auf-franzoesischen-Regieru…
∗∗∗ Fortinet schließt Befehlsschmuggel-Lücke in FortiSandbox und mehr ∗∗∗
---------------------------------------------
Fortinet warnt vor einer kritischen Sicherheitslücke in FortiSandbox und weiteren Lecks in FortiPortal und FortiOS/FortiProxy.
---------------------------------------------
https://www.heise.de/news/Fortinet-schliesst-Befehlsschmuggel-Luecke-in-For…
∗∗∗ Phishing: Banken nutzen halbseidene Domains ∗∗∗
---------------------------------------------
Namhafte Banken wie die Sparkassen warnen zwar vor Phishing, nutzen aber selbst Phishing-artige Domains. Es ginge sicher besser.
---------------------------------------------
https://www.heise.de/news/Phishing-Banken-nutzen-halbseidene-Domains-113274…
∗∗∗ E-Mail-Fälschung bei Exchange Online: Ghost-Sender betrifft viele Unternehmen ∗∗∗
---------------------------------------------
Nicht alle Unternehmenskunden von Microsofts Maildienst sind betroffen. Ein Prüfdienst schafft Klarheit und zeigt die möglichen Auswirkungen.
---------------------------------------------
https://www.heise.de/news/Ghost-Sender-Exchange-Online-laesst-gefaelschte-E…
∗∗∗ Who Runs the Ransomware Group ‘The Gentlemen?’ ∗∗∗
---------------------------------------------
A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group.
---------------------------------------------
https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentl…
∗∗∗ FinanzOnline-Phishing: "Neuer Bescheid" in der DataBox als Lockmittel ∗∗∗
---------------------------------------------
Aktuell rollt wieder einmal eine Phishing-Welle im Namen von FinanzOnline. Darin dreht sich alles um einen vermeintlichen Bescheid, der in der DataBox von FinanzOnline wartet und eine Gutschrift verspricht. Dieser existiert natürlich nicht. Konkret abgesehen haben es die Kriminellen auf Logindaten ihrer Opfer.
---------------------------------------------
https://www.watchlist-internet.at/news/finanzonline-phishing-bescheid-daten…
∗∗∗ Microsoft Patch Tuesday Juni 2026 & "RoguePlanet" ∗∗∗
---------------------------------------------
Im Rahmen des diesmonatigen Patchdays hat Microsoft Sicherheitsupdates für rund 200 Schwachstellen veröffentlicht. Damit übertrifft dieser Patchday den bisherigen Rekord von 167 Lücken aus dem Oktober 2025 deutlich. Über 30 der behobenen Sicherheitslücken sind als "Critical" eingestuft. Besonders im Blick behalten sollten Administrator:innen drei Probleme, die bereits vor Verfügbarkeit eines Patches öffentlich bekannt waren. Alle drei werden von ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/6/microsoft-patch-tuesday-juni-2026
∗∗∗ More Evidence That Words Dont Mean What We Thought They Meant (Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520) ∗∗∗
---------------------------------------------
Today, Ivanti published an advisory.“No way?” we hear you say. "Yes way!" a random dog screams back at you, across the street.Today’s rare advisory outlines two vulnerabilities in Ivanti’s Sentry product, appealing directly to our inner desire for sophisticated ..
---------------------------------------------
https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thoug…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 08-06-2026 18:00 − Dienstag 09-06-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ High-severity vulnerability in Linux caused by a single errant character ∗∗∗
---------------------------------------------
The presence of a single mis-issued exclamation point in code implementing nf_tables introduced a use-after-free, a class of vulnerability that corrupts memory by placing malicious code at memory addresses that haven’t been properly freed of their previous contents. [..] The vulnerability was fixed in the kernel in February. Security firm FuzzingLabs demonstrated a proof of concept exploit in April. Exodus Intelligence, which discovered the bug, included its own PoC exploit in Monday’s post. It worked on Debian and Ubuntu.
---------------------------------------------
https://arstechnica.com/security/2026/06/a-single-errant-character-in-the-l…
∗∗∗ WhatsApp says it disrupted new NSO spyware phishing attacks ∗∗∗
---------------------------------------------
WhatsApp has detected and stopped spear-phishing campaigns allegedly conducted by the NSO Group after investigating user reports of social engineering attacks. [..] The firm has been on the U.S. sanctioned entities list since November 2021, due to supplying to foreign governments software products that were used against people and organizations in the U.S.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/whatsapp-says-it-disrupted-n…
∗∗∗ „Bestätigen Sie Ihre Reservierung!“ – Betrugsklassiker im Namen von booking.com ∗∗∗
---------------------------------------------
Nachdem Kriminelle im April 2026 Kontakt- und Reservierungsdaten von booking.com erbeutet hatten, setzt nun die dazugehörige Betrugswelle ein. Über WhatsApp sollen die Opfer zur „erneuten Bestätigung einer Reservierung“ gedrängt werden. Reale Buchungsinfos wie Hotelname und An- bzw. Abreisedatum lassen die Nachricht vermeintlich seriös wirken. Abgesehen haben es die Betrüger:innen auf Geld und Zahlungsinformationen.
---------------------------------------------
https://www.watchlist-internet.at/news/reservierung-betrugsklassiker-bookin…
∗∗∗ When “Hi, This Is IT” Comes Through Microsoft Teams ∗∗∗
---------------------------------------------
Attackers are increasingly targeting collaboration platforms like Microsoft Teams. [..] If external chat is open, attackers will use it.
---------------------------------------------
https://unit42.paloaltonetworks.com/microsoft-teams-phishing/
∗∗∗ Microsoft benachrichtigt einige Kunden über Downloads infizierter GitHub-Pakete ∗∗∗
---------------------------------------------
Zum Wochenende hatte ich über eine Infektion von GitHub-Repositories mit Microsoft Tools berichtet. Diese waren mit einem Infostealer für AI-Tokens infiziert. Nun bestätigt, dass man eine kleine Anzahl Kunden benachrichtigt habe, die die kompromittierten Repositories mit den Tools heruntergeladen haben.
---------------------------------------------
https://borncity.com/blog/2026/06/09/microsoft-benachrichtigt-einige-kunden…
∗∗∗ Hidden in Plain Sight: PowerShell Visibility Most Defender XDR Analysts Miss ∗∗∗
---------------------------------------------
Discover how an often-overlooked telemetry source in Microsoft Defender XDR can reveal PowerShell script activity that traditional process hunting misses.
---------------------------------------------
https://detect.fyi/hidden-in-plain-sight-powershell-visibility-most-defende…
∗∗∗ Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels ∗∗∗
---------------------------------------------
Socket Threat Research team identified a newer PyPI wave connected to the broader Mini Shai-Hulud, Miasma, and Hades supply chain attacks. This wave expands beyond the 37 malicious PyPI wheels covered in our weekend report and shows that the threat actors are iterating quickly across delivery mechanisms, package themes, and runtime triggers.
---------------------------------------------
https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioin…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti: Security Advisory Ivanti Sentry (CVE-2026-10520, CVE-2026-10523) ∗∗∗
---------------------------------------------
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access ...
---------------------------------------------
https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-1…
∗∗∗ Ivanti: Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-6973 & CVE-2026-10727) ∗∗∗
---------------------------------------------
A configuration control vulnerability in the Ivanti Endpoint Manager Mobile before 12.9.0.1, 12.8.0.3 and 12.7.0.2 versions allows a remote authenticated attacker to inject arbitrary Apache directives, leading to remote code execution. ...
---------------------------------------------
https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-…
∗∗∗ TYPO3 Security Advisories 09.06.2026 ∗∗∗
---------------------------------------------
TYPO3 has published 14 new security advisories.
---------------------------------------------
https://typo3.org/security
∗∗∗ XEN Security Advisories 09.06.2026 ∗∗∗
---------------------------------------------
Xenbits has published 4 new security advisories.
---------------------------------------------
https://xenbits.xen.org/xsa/
∗∗∗ SAP-Patchday: Kritische Lücken in SAP NetWeaver und weitere Schwachstellen ∗∗∗
---------------------------------------------
Zum Juni-Patchday kümmert sich SAP um 15 neue Schwachstellen in mehreren Produkten. Gleich drei kritische betreffen NetWeaver.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-Kritische-Luecken-in-SAP-NetWeaver-u…
∗∗∗ Vulnerability Resolved in Veeam Backup & Replication 12.3.2.4854 ∗∗∗
---------------------------------------------
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. CVE-2026-44963
---------------------------------------------
https://www.veeam.com/kb4869
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1077163/
∗∗∗ Waves Central: Zahlreiche Local Privilege Escalation Schwachstellen in Waves Audio Waves Central ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-local-priv…
∗∗∗ Google: Jetzt updaten! Chrome-Update stopft attackierte Lücke und 73 weitere ∗∗∗
---------------------------------------------
https://heise.de/-11322503
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 05-06-2026 18:00 − Montag 08-06-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ C0XMO botnet spreads via DD-WRT router flaw, kills rival malware ∗∗∗
---------------------------------------------
A new variant of the Gafgyt botnet called C0XMO is targeting DD-WRT router firmware and can move to other device types with various CPU architectures.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-…
∗∗∗ Over 20,000 Instagram accounts stolen in Meta AI support hack ∗∗∗
---------------------------------------------
Meta has revealed that 20,225 Instagram users had their accounts hijacked in a recent incident where attackers used Meta's AI-powered support system to reset passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-…
∗∗∗ Angst vor Russland: Hacker entschuldigen sich bei attackierter Firma ∗∗∗
---------------------------------------------
Ein Cyberakteur entpuppt sich als "Ransomware-Trottel des Tages". Er hat ein Ziel attackiert, das ihm wirklich Probleme bereiten kann.
---------------------------------------------
https://www.golem.de/news/angst-vor-russland-hacker-entschuldigen-sich-bei-…
∗∗∗ VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances ∗∗∗
---------------------------------------------
A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.
---------------------------------------------
https://thehackernews.com/2026/06/verdantbamboo-deploys-bsd-variant-of.html
∗∗∗ Google warnt: Angreifer geben sich als IT-Techniker aus und betreten Büros ∗∗∗
---------------------------------------------
Die Google Threat Intelligence Group warnt vor der Gruppe UNC3753. Die Angreifer geben sich vor Ort als IT-Techniker aus, um Daten per USB-Stick zu stehlen.
---------------------------------------------
https://www.heise.de/news/Google-warnt-Angreifer-geben-sich-als-IT-Technike…
∗∗∗ Passwortmanager Dashlane: Angreifer kopieren fast 20 Passwort-Vaults ∗∗∗
---------------------------------------------
Dashlane informiert darüber, dass Angreifer nach massiven Brute-Force-Attacken rund 20 Passwort-Vaults kopiert haben.
---------------------------------------------
https://www.heise.de/news/Passwortmanager-Dashlane-Angreifer-kopieren-fast-…
∗∗∗ Schweizer Rüstungsunternehmen RUAG zahlt Lösegeld an Cybergang ∗∗∗
---------------------------------------------
Nachdem die Cybergang Akira bei der RUAG-Tochter Mecanex USA Daten abgezogen hat, hat RUAG ein Lösegeld gezahlt.
---------------------------------------------
https://www.heise.de/news/Schweizer-Ruestungsunternehmen-RUAG-zahlt-Loesege…
∗∗∗ Recovery Scam: Fake-Agenturen schädigen Opfer erneut ∗∗∗
---------------------------------------------
Sie versprechen Hilfe bei der Wiederbeschaffung von Vermögen, das durch eine Betrugsmasche gestohlen wurde. Die Website zur angeblichen Agentur sieht ansprechend aus, nutzt reale Impressumsdaten und übersteht damit erste Überprüfungen. Tatsächlich stecken hinter diesem Angebot Kriminelle, die frühere Opfer erneut bestehlen wollen. So funktioniert der Betrug nach dem Betrug.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-agenturen-schaedigen-opfer/
∗∗∗ Got a LinkedIn message from a recruiter? It might be Chinese intelligence, warn FBI and MI5 ∗∗∗
---------------------------------------------
If you've ever received an out-of-the-blue message via LinkedIn from a recruiter offering some well-paid consultancy work, intelligence agencies have a message for you: be very careful.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/linkedin-recruiter-ch…
∗∗∗ Israelische Firma Bright Data missbraucht mit Backdoor in Apps Millionen Smart-TV ∗∗∗
---------------------------------------------
Eine israelische Firma ist dabei aufgeflogen, dass sie Millionen Smart TV-Geräte in Zombi-Proxys verwandelt hat, um AI-Web-Scraping durchzuführen. Dazu wurden entsprechende Backdoors in Apps für Smart TV-Geräte eingebaut. Einige Anbieter wie Roku, Fire TV und Google TV haben diese Praxis untersagt. Aber Samsung- und LG-Smart TV-Geräte fungieren heimlich als Ausgangsknoten für KI-basiertes Web-Scraping, wie eine Untersuchung gezeigt hat.
---------------------------------------------
https://borncity.com/blog/2026/06/06/israelische-firma-bright-data-missbrau…
∗∗∗ New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning businesses about Pink Extortion Group, a threat actor that uses voice phishing to bypass multi-factor authentication and steal files from cloud environments.
---------------------------------------------
https://hackread.com/pink-extortion-microsoft-365-cloud-data-vishing-scams/
∗∗∗ Did Claude Increase Bugs in rsync? ∗∗∗
---------------------------------------------
A simple distributional analysis of every rsync release with bug data. Nothing complicated, answers only one question: are the Claude-assisted releases unusually buggy?
---------------------------------------------
https://alexispurslane.github.io/rsync-analysis/
∗∗∗ How a USB-connected speaker can infect a PC without ever being touched ∗∗∗
---------------------------------------------
Operating system makers take many steps to prevent their wares from accepting commands from remote devices. The safeguards, designed to thwart malicious attacks, typically require hackers to jump through all kinds of hoops to bypass the measures. But what if remote code execution were as simple as being within Bluetooth range of a speaker connected to the targeted device?
---------------------------------------------
https://arstechnica.com/security/2026/06/highly-reviewed-speaker-can-be-hac…
=====================
= Vulnerabilities =
=====================
∗∗∗ Angriffe gegen Checkpoint VPN Lösungen - Hotfix verfügbar ∗∗∗
---------------------------------------------
Checkpoint warnt vor beobachteten Angriffen gegen die Produkte Checkpoint Security Gateway und Checkpoint Spark Firewall. Auswirkungen Die zugrunde liegende Sicherheitslücke CVE-2026-50751 erlaubt unbefugten Zugriff auf das VPN.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/6/angriffe-gegen-checkpoint-vpn-losun…
∗∗∗ Critical UniFi OS bug lets hackers gain root without authentication ∗∗∗
---------------------------------------------
Attackers can chain three already fixed vulnerabilities in the Ubiquiti UniFi OS server to execute remote code with root privileges and without authentication. The security issues are tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. They have been addressed in May and impact UniFi OS Server versions 5.0.6 and earlier.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-unifi-os-bug-lets-h…
∗∗∗ SolarWinds Serv-U: Angreifer missbrauchen DoS-Lücke in FTP-Server ∗∗∗
---------------------------------------------
In SolarWinds-Serv-U-Servern können Angreifer eine Schwachstelle für Denial-of-Service-Angriffe missbrauchen. Laut CISA tun sie das bereits.
---------------------------------------------
https://www.heise.de/news/SolarWinds-Serv-U-Angreifer-missbrauchen-DoS-Luec…
∗∗∗ VMware: Mehrere Produkte mit Stored-Cross-Site-Scripting-Lücken ∗∗∗
---------------------------------------------
Broadcom warnt vor mehreren Stored-Cross-Site-Scripting-Lücken in VMware Cloud Foundation und weiteren Produkten. Updates helfen.
---------------------------------------------
https://www.heise.de/news/VMware-Mehrere-Produkte-mit-Stored-Cross-Site-Scr…
∗∗∗ Comodo Internet Security: DoS-Bug ohne Sicherheitsupdate ∗∗∗
---------------------------------------------
Wer sich eine Internet Security Suite installiert, möchte den Rechner absichern. Im Fall von Comodo kommt eine Sicherheitslücke mit.
---------------------------------------------
https://www.heise.de/news/Comodo-Internet-Security-DoS-Bug-ohne-Sicherheits…
∗∗∗ Critical Everest Forms Pro flaw exploited to take over WordPress sites ∗∗∗
---------------------------------------------
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website. The security issue affects versions 1.9.12 and earlier of the plugin and can be leveraged without authentication to execute arbitrary code on the server.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-f…
∗∗∗ Kein Patch verfügbar: Bitlocker-Exploit Bitskrieg veröffentlicht ∗∗∗
---------------------------------------------
Microsofts empfohlene Korrektur für den Bitlocker-Exploit Yellowkey ist offenbar unvollständig. Mit Bitskrieg soll sie sich umgehen lassen.
---------------------------------------------
https://www.golem.de/news/kein-patch-verfuegbar-bitlocker-exploit-bitskrieg…
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1076983/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 03-06-2026 18:00 − Freitag 05-06-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Unauthenticated RCE as QSECOFR via IBM i Management Central ∗∗∗
---------------------------------------------
Management Central is one of those services that has been running quietly on IBM i systems for over two decades. Many administrators don’t know it’s there, and its protocol security missed the scrutiny of researchers until now. The combination of a custom binary protocol, client-controlled authentication flags, and a derived usedForAuth field that can be trivially satisfied resulted in unauthenticated root-level command execution.
---------------------------------------------
https://blog.silentsignal.eu/2026/06/05/unauthenticated-rce-as-qsecofr-via-…
∗∗∗ New IronWorm malware hits 36 packages in npm supply-chain attack ∗∗∗
---------------------------------------------
A new supply-chain attack has infected 36 packages on the Node Package Manager (npm) index with infostealer malware called IronWorm. The malware targets 86 environment variables (key-value pairs) and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials, vault configuration files, SSH keys, and Exodus cryptocurrency wallet files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36…
∗∗∗ Software supply chain attacks: check your dependencies ∗∗∗
---------------------------------------------
This blog, aimed at cyber security professionals, exposes the insidious nature of recent attacks, underlining the growing threat from software supply chains, and how attackers are able to exploit them. We explain how organisations can check if they have been affected by such a supply chain attack, and recommend actions to take to mitigate compromise and prevent further spread.
---------------------------------------------
https://www.ncsc.gov.uk/blogs/software-supply-chain-attacks-check-your-depe…
∗∗∗ Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a new malspam campaign that makes use of Googles DoubleClick domain as a way to evade detection and ultimately deliver a remote access trojan (RAT) named DesckVB RAT. [..] The attack begins when an unsuspecting user opens an HTML file that's attached to a phishing email. The file triggers a meta-refresh browser redirect to a Google DoubleClick Campaign Manager click-tracking URL, from where the user is steered to another redirector, which decodes the Base64-encoded email address and leads the victim to a landing page containing a "Download PDF" button.
---------------------------------------------
https://thehackernews.com/2026/06/google-doubleclick-abused-in-new.html
∗∗∗ Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a large-scale operation that impersonates open-source and freeware projects to funnel unsuspecting users through a Traffic Distribution System (TDS) and deliver malware families like Remus Stealer, AnimateClipper, and the SessionGate framework. [..] Attack chains specifically target users looking for such tools on search engines like Google, causing the bogus sites to be surfaced on top of the search results.
---------------------------------------------
https://thehackernews.com/2026/06/fake-sites-mimicking-open-source-tools.ht…
∗∗∗ EU-Paket für digitale Souveränität: „Gefahr einer technologischen Entkopplung“ ∗∗∗
---------------------------------------------
Das neue Tech-Souveränitätspaket der EU erntet gemischte Reaktionen: Open-Source-Verfechter jubeln, doch US-Branchenverbände warnen vor schweren Marktstörungen.
---------------------------------------------
https://heise.de/-11318218
∗∗∗ Analyse zum Souveränitätspaket der EU: Krisenfest per Gesetz? ∗∗∗
---------------------------------------------
Die EU-Kommission hat ein großes Paket vorgestellt, das den Staatenbund technologisch souveräner machen soll. Immerhin ein Anfang, analysiert Falk Steiner.
---------------------------------------------
https://heise.de/-11318875
∗∗∗ Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog ∗∗∗
---------------------------------------------
A newly released federal audit now documents NIST’s long-running NVD backlog, with findings that are hard to square with two years of public assurances that the database was being brought back under control.
---------------------------------------------
https://socket.dev/blog/federal-audit-finds-nist-wasted-funds-with-no-plan-…
∗∗∗ A Post-Quantum Future for Lets Encrypt ∗∗∗
---------------------------------------------
Let’s Encrypt is committed to a post-quantum-safe Web PKI. The path we’re planning to take is Merkle Tree Certificates (“MTCs”), a new approach that adds post-quantum authentication to the web without sacrificing the speed and reliability that have made TLS universal. This post is about these plans and why we believe MTCs are worth pursuing as a key to a post-quantum future.
---------------------------------------------
https://letsencrypt.org/2026/06/03/pq-certs.html
∗∗∗ The Interesting Case of WSL for Payload Staging ∗∗∗
---------------------------------------------
Windows Subsystem for Linux (WSL) lets you run a Linux environment directly on Windows without a traditional virtual machine or dual-boot setup. [..] This is a case study in indirect command execution — a class of techniques where the process responsible for a malicious action is not the process that appears in telemetry.
---------------------------------------------
https://detect.fyi/the-interesting-case-of-wsl-for-payload-staging-bfaa0f69…
∗∗∗ IT-Forscher zeigen anpassungsfähigen KI-Wurm ∗∗∗
---------------------------------------------
IT-Forscher untersuchen, ob künstliche Intelligenz eine Bedrohung darstellt. Dabei haben sie eine neue Bedrohungsart entwickelt: Ein KI-Wurm, der maßgeschneiderte Angriffe auf jedes Ziel startet, dem er begegnet.
---------------------------------------------
https://www.heise.de/news/IT-Forscher-zeigen-anpassungsfaehigen-KI-Wurm-113…
∗∗∗ Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 ∗∗∗
---------------------------------------------
We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257.
---------------------------------------------
https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal: Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-042
∗∗∗ Drupal: Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-041
∗∗∗ Drupal: TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-040
∗∗∗ Drupal: LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-039
∗∗∗ Cisco Webex Meetings Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Finesse Remote File Inclusion Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1076364/
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1076605/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-06-2026 18:00 − Mittwoch 03-06-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Absicherung von Software: Anthropic öffnet „Project Glasswing“ für Europa ∗∗∗
---------------------------------------------
Anthropic will den Zugriff auf sein leistungsstärkstes KI-Modell Mythos deutlich ausweiten und Organisationen in mehr als 15 Staaten damit nach Sicherheitslücken in systemrelevanter Software suchen lassen. Das hat das KI-Unternehmen jetzt mitgeteilt, ohne das aber aufzuschlüsseln. [..] Anthropic hat Mythos Anfang April vorgestellt und erklärt, dass das Modell so gefährlich sei, dass es nur Firmen zur Verfügung gestellt wird, die an IT-Sicherheit arbeiten.
---------------------------------------------
https://heise.de/-11316440
∗∗∗ Trump gibt sich exklusiven Zugriff auf neue KI vor allen anderen ∗∗∗
---------------------------------------------
Geheimes Benchmarking von KI, Zugriff für die US-Regierung vor allen anderen, staatliche Suche nach Software-Bugs. Das und mehr ordnet der US-Präsident an.
---------------------------------------------
https://www.heise.de/news/Trump-gibt-sich-exklusiven-Zugriff-auf-neue-KI-vo…
∗∗∗ Android bekommt Anrufererkennung gegen Betrugsanrufe ∗∗∗
---------------------------------------------
Google baut einen neuen Mechanismus in Android ein, der betrügerische Anrufe mit gefälschten Kontakten unterbinden soll. Betrugsversuche mit gefälschten Caller-IDs (der übertragenen Anrufer-Rufnummer) soll das eindämmen.
---------------------------------------------
https://heise.de/-11316362
∗∗∗ Codex Discovered a Hidden HTTP/2 Bomb ∗∗∗
---------------------------------------------
We’re publishing HTTP/2 Bomb, a remote denial-of-service exploit against most major web servers, including: nginx, Apache httpd, Microsoft IIS, Envoy, Cloudflare Pingora [..] The vulnerable behavior exists in each server's default HTTP/2 configuration. [..] A curious search on Shodan revealed 880,000+ websites supporting HTTP/2 and running one of these servers, though many sit behind a CDN, which is much harder to bring down. [..] A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. [..] We disclosed the issue to nginx in April. They responded by importing the max_headers directive from freenginx, shipping it in 1.29.8 the next day. At this point, we consider the attack public.
---------------------------------------------
https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
∗∗∗ Over 116,000 Mincraft systems infected in WeedHack malware campaign ∗∗∗
---------------------------------------------
A large-scale malware campaign dubbed WeedHack is targeting Minecraft players and has infected more than 116,000 systems since January. The malware is distributed through Minecraft-related malicious mods, clients, cheats, and utilities that are promoted over YouTube and SEO (search engine optimization) poisoning.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-116-000-mincraft-system…
∗∗∗ Argamal: Malware hidden in hentai games ∗∗∗
---------------------------------------------
The DLLs were spawned by different games written using various game engines and programming languages, including RenPy (Python) and RPG Maker MV (JavaScript), among others. However, they all had one thing in common: they were all hentai games.
---------------------------------------------
https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/
∗∗∗ Espionage Campaign Targeted Stock Exchange Executive for Five Months ∗∗∗
---------------------------------------------
The attackers' focus throughout was on a single objective: long-term, incremental theft of the contents of a single Outlook mailbox, exfiltrated through Dropbox and OneDrive Personal in small batches over a period of five months to avoid raising suspicions or triggering alerts on the system. This was a tightly focused and highly targeted campaign, with five months being a significant dwell time for an attacker. It is notable to see the different techniques and approaches used by the attacker in order to stay under the radar and maintain persistent access. [..] The initial infection vector used by the attackers in this incident is unknown.
---------------------------------------------
https://www.security.com/threat-intelligence/stock-exchange-espionage
=====================
= Vulnerabilities =
=====================
∗∗∗ Acer working to patch max severity zero-days in Wave 7 routers ∗∗∗
---------------------------------------------
Acer is working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. [..] The first zero-day, a broken access control vulnerability tracked as CVE-2026-49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives. [..] The second one (CVE-2026-49201) stems from a hardcoded cryptographic key that lets remote attackers without privileges gain persistent backdoor access to the router. [..] While no security patches are available yet for these two flaws, Acer says it's working on fixes that should be released by the end of the month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/acer-warns-of-max-severity-z…
∗∗∗ Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of an unpatched issue that could be exploited to disclose a users NTLMv2 hash to the attacker. [..] As a result, a threat actor could leverage the captured hash to conduct relay attacks and gain deeper access into a network. Following responsible disclosure on April 15, 2026, Microsoft declined to address the issue, stating "only Important and Critical severity cases meet our bar for servicing."
---------------------------------------------
https://thehackernews.com/2026/06/unpatched-windows-search-uri.html
∗∗∗ GitHub-Drama 1: Sicherheitsforscher veröffentlicht 0-Day-Schwachstelle ∗∗∗
---------------------------------------------
Ein weiterer Sicherheitsforscher hat die koordinierte Offenlegung von Schwachstellen beim Microsoft Security Resource Center (MSRC) übersprungen und eine kritische 1-Klick-GitHub-Schwachstelle öffentlich gemacht. Mit der Schwachstelle in VSCode lassen sich GitHub-Tokens stehlen, und der Entdecker hatte keine Lust mit dem MSRC zu diskutieren. [..] Der Sicherheitsforscher hat einen funktionierenden Proof-of-Concept veröffentlicht. [..] Er empfiehlt, die Daten der Website http://github[.]dev zu löschen, um das Risiko zu mindern, solange das Problem öffentlich bekannt ist.
---------------------------------------------
https://borncity.com/blog/2026/06/03/github-drama-1-sicherheitsforscher-ver…
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1076117/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 151.0.3 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-54/
∗∗∗ Paloalto: CVE-2026-0249 GlobalProtect App: Certificate Validation Bypass Vulnerabilities (Severity: LOW) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2026-0249
∗∗∗ Solarwinds: WHD 2026.2 release notes ∗∗∗
---------------------------------------------
https://documentation.solarwinds.com/en/success_center/whd/content/release_…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 01-06-2026 18:00 − Dienstag 02-06-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Passwortmanager: Hacker erbeuten Passwort-Tresore von Dashlane-Nutzern ∗∗∗
---------------------------------------------
Infolge eines Brute-Force-Angriffs wurden einige Dashlane-Nutzer temporär gesperrt. Die Angreifer sollen zudem an Passwort-Tresore gelangt sein.
---------------------------------------------
https://www.golem.de/news/brute-force-attacke-angreifer-erbeuten-passwort-t…
∗∗∗ New Wave Of Phishing Emails with SVG Files, (Tue, Jun 2nd) ∗∗∗
---------------------------------------------
This time, the SVG files are really simple and even don’t contain any graphical element but a simple piece of JavaScript that will redirect the victim's browser to the phishing page.
---------------------------------------------
https://isc.sans.edu/diary/rss/33040
∗∗∗ CVSS: NIST schränkt Bewertung von IT-Sicherheitslücken ein ∗∗∗
---------------------------------------------
Das US-amerikanische National Institute of Standards and Technology (NIST) wird die Bewertung von IT-Sicherheitslücken mit den bekannten CVSS-Schweregraden weitgehend einstellen. Das ist eine der Maßnahmen, mit denen NIST den wachsenden Rückstau seiner National Vulnerability Database (NVD) bekämpfen möchte. Wie das vereinbar ist mit der rechtlichen Verpflichtung, CVSS (Common Vulnerability Scoring System) zu berechnen, bleibt offen – aber wo kein Kläger, da kein Richter.
---------------------------------------------
https://www.heise.de/news/CVSS-NIST-schraenkt-Bewertung-von-IT-Sicherheitsl…
∗∗∗ Red-Hat-Infostealer kommt auf mehr als 100.000 Downloads ∗∗∗
---------------------------------------------
Ende Mai haben Cyberkriminelle in einer Lieferkettenattacke, die mittels eines Mini-Shai-Hulud-Klons erfolgte, bösartige Versionen von npm-Paketen verbreitet. Ziel der Malware, die sich selbst Miasma nennt, waren die Managed Cloud Services von Red Hat. Mittlerweile sind keine bösartigen Paketversionen mehr im Umlauf. Sicherheitsexperten raten dennoch dazu, die Credentials zu rotieren.
---------------------------------------------
https://www.heise.de/news/Mini-Shai-Hulud-Klon-Miasma-nimmt-Red-Hat-ins-Vis…
∗∗∗ Fake virus alerts are invading mobile games ∗∗∗
---------------------------------------------
Sometimes it happens. You’re happily playing a game on your phone or laptop when suddenly alarms pop up out of nowhere: “Your device is infected!” [..] Unfortunately, cybercriminals sometimes manage to buy advertising space and use it to defraud gamers.
---------------------------------------------
https://www.malwarebytes.com/blog/mobile/2026/06/fake-virus-alerts-are-inva…
∗∗∗ Vorsicht, Phishing: Spar-Gewinnspiel zu Bier-Paketen ist ein Fake! ∗∗∗
---------------------------------------------
Der Sommer naht mit Riesenschritten und die thematisch passenden Betrugsmaschen schießen aus dem Boden wie Schwammerl. Eine Falle, die im Vorjahr für besonders viel Aufsehen gesorgt hat, feiert dabei ein Comeback: Es geht um ein Bier-Gewinnspiel! Die optische und inhaltliche Gestaltung hat sich im Vergleich zur 2025er-Variante zwar etwas geändert, die Abläufe sind allerdings dieselben geblieben. Ein kleines Update.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-spar-gewinnspiel-bier/
∗∗∗ ASFINAG-Phishing: Über eine Fake-Mail an die Kreditkartendaten ∗∗∗
---------------------------------------------
Erwischt beim Fahren ohne Vignette? Mit der Zahlung einer Ersatzmaut in Höhe von 12,36 Euro oder dem nachträglichen Kauf einer 10-Tages-Vignette ist die Angelegenheit aus der Welt geschafft? Was auf den ersten Blick aussieht wie eine echte Benachrichtigung der ASFINAG, ist in Wahrheit eine neue Phishing-Welle.
---------------------------------------------
https://www.watchlist-internet.at/news/asfinag-phishing-mail-kreditkartenda…
∗∗∗ Hacker stehlen Hunderte Instagram-Konten über Metas KI-Support ∗∗∗
---------------------------------------------
Die Schatten eines ausgelagerten Instagram-Supports an eine KI. Hackern ist es gelungen, langjährige, hochkarätige Instagram-Konten zu kapern. Dazu haben Sie die Funktion zum Passwort-Reset aufgerufen und den KI-Support-Chatbot von Meta einfach gebeten, die mit dem Konto verknüpfte E-Mail-Adresse zu ändern.
---------------------------------------------
https://borncity.com/blog/2026/06/02/hacker-stehlen-hunderte-instagram-kont…
∗∗∗ Ivanti EPMM ‘Sleeper Shells’ not so sleepy? ∗∗∗
---------------------------------------------
In late January 2026, an advisory covering two remote code execution vulnerabilities (CVE-2026-1281 & CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) was published. [..] In a recent incident that NVISO CSIRT handled, we came across a compromised Ivanti EPMM device, and the logs quickly revealed that the aforementioned vulnerabilities were used to compromise the device. From the log entries, we quickly identified what we believe is the same webshell Defused was reporting on.
---------------------------------------------
https://blog.nviso.eu/2026/03/13/ivanti-epmm-sleeper-shells-not-so-sleepy/
∗∗∗ New WordPress Malware Uses Steam Profile Comments to Hide C2 Instructions ∗∗∗
---------------------------------------------
GoDaddy researchers found WordPress malware using Steam Community profile comments to hide encoded command and control data, with nearly 1,980 sites affected.
---------------------------------------------
https://hackread.com/wordpress-malware-steam-profile-comments-instructions/
=====================
= Vulnerabilities =
=====================
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1075966/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2026-0003 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2026-0003.html
∗∗∗ Zyxel security advisory for buffer overflow vulnerabilities in the UPnP function of certain 4G LTE/5G NR CPE and DSL/Ethernet CPE ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Android: Patchday: 18 kritische Sicherheitslücken bedrohen Android 14, 15, 16 ∗∗∗
---------------------------------------------
https://heise.de/-11314546
∗∗∗ Samsung: Juni-Patchday bei Samsung: Zahlreiche Sicherheitslücken gestopft ∗∗∗
---------------------------------------------
https://heise.de/-11315093
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/