Daily

daily@lists.cert.at

1 participants
3166 discussions

Tageszusammenfassung - 14.05.2025
by Daily end-of-shift report 14 May '25

14 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-05-2025 18:00 − Mittwoch 14-05-2025 18:01 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt ∗∗∗ --------------------------------------------- A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads. --------------------------------------------- https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit… ∗∗∗ Intel: Ein weiterer Angriff umgeht alle bisherigen CPU-Schutzmaßnahmen ∗∗∗ --------------------------------------------- Intel hat einen Lauf: Eine weitere Sicherheitslücke öffnet viele Prozessoren erneut für Seitenkanalangriffe trotz bisheriger Schutzmaßnahmen. [..] Wie schon der Angriffstyp Training Solo erfordert BPI physischen Zugriff auf ein System. Daher sind die zugehörigen CVE-Nummern CVE-2024-43420, CVE-2025-20623 und CVE-2024-45332 nur mit dem Schweregrad Medium bewertet. --------------------------------------------- https://heise.de/-10383474 ∗∗∗ A Privacy Mechanism That Backfired ∗∗∗ --------------------------------------------- Some bugs are more interesting than others. Last time I mentioned how CVE-2025-24091 was one of my favorite iOS vulnerabilities so far. That was because I wasn’t yet allowed to disclose my actual favorite! This post is about CVE-2025-31212, the most ironic vulnerability I’ve ever found, and here's why... --------------------------------------------- https://rambo.codes/posts/2025-05-12-a-privacy-mechanism-that-backfired ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti EPMM: Remote Code Execution Schwachstellen (CVE-2025-4427, CVE-2025-4428) - Updates verfügbar ∗∗∗ --------------------------------------------- Ivanti veröffentlichte am 13. Mai Updates & Sicherheitsadvisories zu zwei Schwachstellen in Ivanti Endpoint Manager Mobile (EPMM). Die verkettete Ausnutzung der beiden Lücken kann zur unauthentifizierten Ausführung von Schadcode genutzt werden. Ivanti gibt an die Ausnutzung dieser Lücken auf einer limitierten Anzahl an Systemen, bereits vor der Veröffentlichtung des Advisories, beobachtet zu haben. CVE-Nummern: CVE-2025-4427, CVE-2025-4428 --------------------------------------------- https://www.cert.at/de/warnungen/2025/5/ivanti-epmm-rce ∗∗∗ Microsoft primes 71 fixes for May Patch Tuesday ∗∗∗ --------------------------------------------- Five issues actively exploited in the wild, but the real excitement may have been handled in advance. --------------------------------------------- https://news.sophos.com/en-us/2025/05/14/microsoft-primes-71-fixes-for-may-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools). --------------------------------------------- https://lwn.net/Articles/1021199/ ∗∗∗ Patchday Adobe: Schadcode-Attacken auf InDesign und Photoshop möglich ∗∗∗ --------------------------------------------- Adobe schließt Sicherheitslücken in mehreren Anwendungen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://heise.de/-10382767 ∗∗∗ VIdeokonferenzen: Hochriskante Rechteausweitungslücken in Zoom Workplace Apps ∗∗∗ --------------------------------------------- Zoom meldet mehrere Sicherheitslücken in den Workplace Apps der Videokonferenzsoftware. Eine verpasst den Status "kritisch" nur knapp. --------------------------------------------- https://heise.de/-10383108 ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ MISP 2.4.209 / 2.5.11 Release Notes Latest ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2025
by Daily end-of-shift report 13 May '25

13 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 12-05-2025 18:00 − Dienstag 13-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer ∗∗∗ --------------------------------------------- Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script, they were tricked into executing via a Google Drive document. --------------------------------------------- https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-St… ∗∗∗ Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq ∗∗∗ --------------------------------------------- Turkish spies exploited a zero-day bug in a messaging app to collect info on the Kurdish army in Iraq, according to Microsoft, which says the attacks began more than a year ago. Specifically, the snoops abused CVE-2025-27920, a directory traversal vulnerability in version 2.0.62 of messaging app Output Messenger, and the intrusions began in April 2024. The app's developer Srimax issued a software update in December to patch the hole, however not all users applied the fixes. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/turkish_spie… ∗∗∗ As US vuln-tracking falters, EU enters with its own security bug database ∗∗∗ --------------------------------------------- The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/eu_security_… ∗∗∗ SAP-Patchday: Kritische Netweaver-Lücke und viele mehr gestopft ∗∗∗ --------------------------------------------- SAP veröffentlicht im Mai 2025 insgesamt 16 neue Sicherheitsmeldungen. Sie behandeln teils kritische Sicherheitslücken in diversen Produkten aus dem Business-Softwarekatalog des Unternehmens. --------------------------------------------- https://heise.de/-10381863 ∗∗∗ Auditing Moodles core hunting for logical bugs ∗∗∗ --------------------------------------------- The following article explains how, during an audit, we examined Moodle (v4.4.3) and found ways of bypassing all the restrictions preventing SSRF vulnerabilities from being exploited. --------------------------------------------- http://blog.quarkslab.com/auditing-moodles-core-hunting-for-logical-bugs.ht… ∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗ --------------------------------------------- A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025. --------------------------------------------- http://blog.quarkslab.com/technical-dive-into-modern-phishing.html ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Updates Everything: May 2025 Edition, (Mon, May 12th) ∗∗∗ --------------------------------------------- Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem. --------------------------------------------- https://isc.sans.edu/diary/rss/31942 ∗∗∗ Perfekt implementierte Sicherungen ausgehebelt: Spectre-Angriffe sind zurück ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen schützen nicht immer gegen Spectre-artige Seitenkanalangriffe auf Prozessoren, selbst wenn sie perfekt implementiert sind und verschiedene Domains voneinander abschotten. Zu dem Ergebnis kommen Forscher der Systems and Network Security Group an der Vrije Universiteit Amsterdam (VUSec). --------------------------------------------- https://www.heise.de/news/Perfekt-implementierte-Sicherungen-ausgehebelt-Sp… ∗∗∗ 82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme ∗∗∗ --------------------------------------------- On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. --------------------------------------------- https://www.wordfence.com/blog/2025/05/82000-wordpress-sites-affected-by-ar… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/1020948/ ∗∗∗ Stack-based buffer overflow vulnerability in API ∗∗∗ --------------------------------------------- A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-25-254 ∗∗∗ EPMM Security Update ∗∗∗ --------------------------------------------- To this end, we are issuing an important security update addressing vulnerabilities associated with open-source libraries used in Ivanti Endpoint Manager Mobile (EPMM). At the time of disclosure, we are aware of a very limited number of customers whose solution has been exploited. The issue only affects the on-prem EPMM product. --------------------------------------------- https://www.ivanti.com/blog/epmm-security-update ∗∗∗ Xen Security Advisory CVE-2024-28956 / XSA-469 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-469.html ∗∗∗ Möglichkeit für Replay-Attacken im Tiiwee X1 Alarm System (SYSS-2025-006) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/moeglichkeit-fuer-replay-attacken-im-tiiwe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2025
by Daily end-of-shift report 12 May '25

12 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-05-2025 18:00 − Montag 12-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iClicker site hack targeted students with malware via fake CAPTCHA ∗∗∗ --------------------------------------------- The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-stude… ∗∗∗ Von AMD-Lücke inspiriert: Forscher warnt vor Ransomware im CPU-Microcode ∗∗∗ --------------------------------------------- Eine Ransomware-Infektion kann für Unternehmen weitreichende Folgen haben, die nicht selten auch in einer Insolvenz münden. Durch geeignete Maßnahmen lassen sich die Risiken für solche Sicherheitsvorfälle eindämmen. Der Sicherheitsforscher Christiaan Beek von Rapid7 warnt jedoch vor einer Bedrohung, der gängige Cybersicherheitslösungen wohl bisher wenig entgegenzusetzen haben: Ransomware im Microcode der CPU. --------------------------------------------- https://www.golem.de/news/von-amd-luecke-inspiriert-forscher-warnt-vor-rans… ∗∗∗ It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities, (Mon, May 12th) ∗∗∗ --------------------------------------------- Unipi Technologies is a company developing programmable logic controllers for a number of different applications like home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are based on the "Marvis" platform, a customized Linux distribution maintained by Unipi. --------------------------------------------- https://isc.sans.edu/diary/rss/31940 ∗∗∗ A Subtle Form of Siege: DDoS Smokescreens as a Cover for Quiet Data Breaches ∗∗∗ --------------------------------------------- DDoS attacks have long been dismissed as blunt instruments, favored by script kiddies and hacktivists for their ability to overwhelm and disrupt. But in todays fragmented, hybrid-cloud environments, theyve evolved into something far more cunning: a smokescreen. What looks like digital vandalism may actually be a coordinated diversion, engineered to distract defenders from deeper breaches in progress. --------------------------------------------- https://www.tripwire.com/state-of-security/subtle-form-siege-ddos-smokescre… ∗∗∗ Threat Brief: CVE-2025-31324 ∗∗∗ --------------------------------------------- On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-313… ∗∗∗ SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths ∗∗∗ --------------------------------------------- sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with elevated privileges. However, misconfigurations and certain vulnerabilities can be exploited to escalate privileges, potentially compromising system security. --------------------------------------------- https://www.darknet.org.uk/2025/05/sudo_killer-auditing-sudo-configurations… ∗∗∗ One-click RCE in ASUS’s preinstalled driver software ∗∗∗ --------------------------------------------- By trawling through the Javascript on the website, and about 700k lines of decompiled code that the exe produced, I managed to create a list of callable endpoints including some unused ones sitting in the exe. --------------------------------------------- https://mrbruh.com/asusdriverhub/ ∗∗∗ CVE-2024-26809: Critical nftables Vulnerability in Linux Kernel Could Lead to Root Access ∗∗∗ --------------------------------------------- A critical security flaw has been discovered in the Linux kernel’s nftables subsystem, which is responsible for packet filtering in modern Linux distributions. This flaw, a double-free vulnerability, allows local attackers to escalate their privileges and execute arbitrary code. --------------------------------------------- https://thecyberexpress.com/cve-2024-26809-nftables-vulnerability/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libbson-xs-perl, postgresql-13, redis, and simplesamlphp), Fedora (chromium, deluge, epiphany, golang-github-nats-io-nkeys, libxmp, nodejs22, perl-Compress-Raw-Lzma, php-adodb, python-h11, and xz), Gentoo (firefox, NVIDIA Drivers, Orc, PAM, and thunderbird), Mageia (libreoffice, python-django, and transfig), Red Hat (emacs, firefox, python39:3.9, and thunderbird), SUSE (bird3, freetype2, ldap-proxy, libmosquitto1, and ruby3.4-rubygem-rack), and Ubuntu (linux, linux-aws, linux-kvm, linux-aws, and linux-fips). --------------------------------------------- https://lwn.net/Articles/1020884 ∗∗∗ TuneUp und Dienste in Avast, AVG, Avira und Norton reißen Sicherheitslücken auf ∗∗∗ --------------------------------------------- Die Virenschutzsoftware der Marken Avast, AVG, Avira und Norton von Gen Digital bringt unter anderem System-Optimierungsdienste und weitere Komponenten mit, die Schwachstellen enthalten. Nutzerinnen und Nutzer der betroffenen Software sollten prüfen, ob sie neuere Versionen installiert haben als die bekannt verwundbaren. --------------------------------------------- https://heise.de/-10379900 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.05.2025
by Daily end-of-shift report 09 May '25

09 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-05-2025 18:00 − Freitag 09-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Nationale Policy für die koordinierte Offenlegung von Schwachstellen (CVD) ∗∗∗ --------------------------------------------- Der Umgang mit Schwachstellen in IT Produkten und Dienstleistungen ist eine der spannenden Themen in der IT-Sicherheit. Seitens der Hersteller stellt sich die Frage, wie man am besten selbst Probleme identifiziert, wie man mit Meldungen von Dritten am umgeht, wie der Prozess zur Entwicklung von korrigierten Versionen aussieht und wie man diese neue Version schnell und effizient an die Kunden verteilt. Seitens der Finder (Researcher) stellen sich Fragen nach den rechtlichen Rahmenbedingungen für die Schwachstellensuche: was darf ich, was sicher nicht, und wie kommuniziere ich das Ergebnis am sinnvollsten? --------------------------------------------- https://www.cert.at/de/spezielles/2025/5/nationale-cvd-policy ∗∗∗ Malicious PyPi package hides RAT malware, targets Discord devs since 2022 ∗∗∗ --------------------------------------------- A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.[..] Named "discordpydebug," the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides… ∗∗∗ FBI: End-of-life routers hacked for cybercrime proxy networks ∗∗∗ --------------------------------------------- The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hack… ∗∗∗ Operation PowerOFF Takes Down 9 DDoS-for-Hire Domains ∗∗∗ --------------------------------------------- Four different countries, including the United States and Germany, were included in the latest international operation alongside Europols support. --------------------------------------------- https://www.darkreading.com/threat-intelligence/operation-poweroff-takes-do… ∗∗∗ Lumma Stealer, coming and going ∗∗∗ --------------------------------------------- The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive. --------------------------------------------- https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/ ∗∗∗ Warnung: Gefälschtes Anwaltsschreiben könnte Schadsoftware enthalten! ∗∗∗ --------------------------------------------- Derzeit kursieren E-Mails einer angeblichen Anwaltskanzlei, in denen Unternehmen beschuldigt werden, Urheberrechte an Inhalten von Avident Entertainment verletzt zu haben. Über einen Download-Link kann eine Sammlung von Beweisen heruntergeladen werden. Aber Vorsicht: Der Link ist betrügerisch und enthält vermutlich Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/warnung-gefaelschtes-anwaltsschreibe… ∗∗∗ Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources ∗∗∗ --------------------------------------------- Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-… ∗∗∗ Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation ∗∗∗ --------------------------------------------- Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload generation and obfuscation. --------------------------------------------- https://www.darknet.org.uk/2025/05/bantam-advanced-php-backdoor-management-… ∗∗∗ Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser ∗∗∗ --------------------------------------------- Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials. --------------------------------------------- https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/ ∗∗∗ Remote-Access-Trojaner in npm-Paket mit 40.000 wöchentlichen Downloads gefunden ∗∗∗ --------------------------------------------- Angreifer hatten das Paket rand-user-agent, das unter anderem für automatische Tests und zum Web-Scraping dient, mit Schadcode versehen. --------------------------------------------- https://heise.de/-10377590 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django). --------------------------------------------- https://lwn.net/Articles/1020545/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11). --------------------------------------------- https://lwn.net/Articles/1020653/ ∗∗∗ Sicherheitslücken: F5 BIG-IP-Appliances sind an mehreren Stellen verwundbar ∗∗∗ --------------------------------------------- https://heise.de/-10377584 ∗∗∗ Joomla: [20250402] - Core - MFA Authentication Bypass ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/964-20250402-core-mfa-authenti… ∗∗∗ Pixmeo OsiriX MD ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01 ∗∗∗ Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01 ∗∗∗ Mitsubishi Electric CC-Link IE TSN ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2025
by Daily end-of-shift report 08 May '25

08 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-05-2025 18:00 − Donnerstag 08-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ WhatsApp provides no cryptographic management for group messages ∗∗∗ --------------------------------------------- The weakness creates the possibility of an insider or hacker adding rogue members. [..] “This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.” --------------------------------------------- https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic… ∗∗∗ Password crisis deepens in 2025: lazy, reused, and stolen ∗∗∗ --------------------------------------------- A new study of over 19 billion newly exposed passwords manifests a widespread weak password reuse crisis. Lazy keyboard patterns, such as 123456, still reign supreme, and 94% of passwords are reused or duplicated, data leaks from 2024-2025 reveal. Names like Ana rank as the second most popular component. --------------------------------------------- https://cybernews.com/security/password-leak-study-unveils-2025-trends-reus… ∗∗∗ Ransomware: Unbekannte Angreifer leaken LockBit-Datenbank – dank PHP-Exploit? ∗∗∗ --------------------------------------------- Tausende Bitcoin-Adressen, Chatnachrichten und weitere brisante Details des Ransomware-Anbieters kursieren nun im Web. Der LockBit-Support relativiert. --------------------------------------------- https://www.heise.de/news/Ransomware-Unbekannte-Angreifer-leaken-LockBit-Da… ∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗ --------------------------------------------- Four new vulnerabilities in the Revolution Pi industrial PLCs. Two give unauthenticated attackers RCE—potentially a direct impact on safety and operations. [..] Since the vulnerabilities affect ICS equipment, we coordinated disclosure with CISA and KUNBUS’ PSIRT team (security.txt). --------------------------------------------- https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g… ∗∗∗ 2,99 € Einfuhrzoll für die Post? Achtung, Phishing! ∗∗∗ --------------------------------------------- Ein Paket hängt im Zoll fest? Die Auslieferung ist nur gegen die Zahlung einer Gebühr möglich? Ein Szenario, das Kriminelle aktuell verstärkt als Betrugsmasche einsetzen. Sie versenden Phishing-Mails im Namen der Post AG und hoffen auf leichtgläubige Opfer. --------------------------------------------- https://www.watchlist-internet.at/news/einfuhrzoll-fuer-die-post/ ∗∗∗ Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads ∗∗∗ --------------------------------------------- Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a multi-stage attack to steal credentials. --------------------------------------------- https://hackread.com/fake-ai-tools-noodlophile-stealer-facebook-ads/ ∗∗∗ RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale ∗∗∗ --------------------------------------------- Learn how RedisRaider is targeting publicly accecesibly Redis servers to mine crypocurrency. --------------------------------------------- https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconf… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges admins to patch VPN flaw exploited in attacks ∗∗∗ --------------------------------------------- Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances. The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher. [..] SonicWall advised admins to check their SMA devices' logs for any signs of unauthorized logins and enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as a safety measure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-pa… ∗∗∗ CISCO Security Advisories 07. - 08.05.2025 ∗∗∗ --------------------------------------------- Cisco has released 29 new security Advisories. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. [..] Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default. CVE-2025-20188 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Catalyst Center Unauthenticated API Access Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings. CVE-2025-20210 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Drupal Security Advisories 07.05.2025 ∗∗∗ --------------------------------------------- Drupal has released 10 new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Ubiquiti UniFi Protect: Kritisches Leck ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In einer Sicherheitsmitteilung erörtert Ubiquiti die Schwachstellen. Bösartige Akteure mit Zugriff auf das Verwaltungsnetzwerk können einen Heap-basierten Pufferüberlauf in den Unifi-Protect-Kameras mit Firmware 4.75.43 und vorherigen provozieren und dadurch beliebigen Code einschleusen und ausführen (CVE-2025-23123, CVSS 10.0, Risiko "kritisch"). --------------------------------------------- https://www.heise.de/news/Ubiquity-UniFi-Protect-Einschleusen-von-Schadcode… ∗∗∗ Mitel SIP-Phones lassen sich beliebige Befehle unterjubeln ∗∗∗ --------------------------------------------- Laut der Sicherheitsmitteilung von Mitel gibt es eine Befehlsschmuggel-Lücke in den SIP-Phones der Baureihen 6800, 6900, 6900w sowie dem 6970-Konferenz-Modell. Angreifer aus dem Netz können dadurch ohne vorherige Authentifizierung Befehle einschleusen, da nicht näher genannte Parameter nicht ausreichend gefiltert werden. Damit können sie System- und Nutzer-Daten und Konfigurationen einsehen oder ändern (CVE-2025-47188, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-10376625 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2025
by Daily end-of-shift report 07 May '25

07 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-05-2025 18:00 − Mittwoch 07-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Samsung MagicINFO 9 Server RCE flaw now exploited in attacks ∗∗∗ --------------------------------------------- Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-magicinfo-9-server-r… ∗∗∗ Apache Parquet exploit tool detect servers vulnerable to critical flaw ∗∗∗ --------------------------------------------- A proof-of-concept exploit tool has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apache-parquet-exploit-tool-… ∗∗∗ Millionenstrafe für Firma nach WhatsApp-Hack ∗∗∗ --------------------------------------------- Die NSO Group aus Israel hatte einen Bug in WhatsApp genutzt, um Spyware zu installieren. Meta klagte und gewann. --------------------------------------------- https://futurezone.at/digital-life/meta-whatsapp-nso-group-spionagesoftware… ∗∗∗ Zero Day: Windows-Lücke von mindestens zwei Hackergruppen ausgenutzt ∗∗∗ --------------------------------------------- Mindestens zwei Cyberbanden haben sich einer Schwachstelle im CLFS-Treiber von Windows bedient, bevor Microsoft einen Patch ausliefern konnte. --------------------------------------------- https://www.golem.de/news/zero-day-windows-luecke-von-mindestens-zwei-hacke… ∗∗∗ State of ransomware in 2025 ∗∗∗ --------------------------------------------- Kaspersky researchers review ransomware trends for 2024, analyze the most active groups and forecast how this threat will evolve in 2025. --------------------------------------------- https://securelist.com/state-of-ransomware-in-2025/116475/ ∗∗∗ Lights Out and Stalled Factories: Using M.A.T.R.I.X to Learn About Modbus Vulnerabilities ∗∗∗ --------------------------------------------- Let’s explore the critical role of Modbus in energy and manufacturing systems, then demonstrate real-world exploitation techniques using Docker-based simulations and the custom-built Python tool M.A.T.R.I.X. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lights-out-… ∗∗∗ Backupsoftware Commvault: Weitere Lücke angegriffen, Patch offenbar unwirksam ∗∗∗ --------------------------------------------- Zum Wochenende wurden Angriffe auf eine weitere Commvault-Sicherheitslücke bekannt. Das Update zum Abdichten wirkt wohl nicht. --------------------------------------------- https://www.heise.de/news/Backupsoftware-Commvault-Weitere-Luecke-angegriff… ∗∗∗ Wegen Sicherheitslücken: LibreOffice rät von OpenOffice ab ∗∗∗ --------------------------------------------- Die Entwickler von LibreOffice raten vom Konkurrenten OpenOffice ab. Die Apache-Software enthalte Sicherheitslücken und werde nicht weiterentwickelt. --------------------------------------------- https://www.heise.de/news/Wegen-Sicherheitsluecken-LibreOffice-raet-von-Ope… ∗∗∗ NIS2 nicht umgesetzt: EU-Strafe für Deutschland rückt einen Schritt näher ∗∗∗ --------------------------------------------- Die EU-Kommission hat die zweite Stufe des Vertragsverletzungsverfahren gegen Deutschland eingeleitet, weil es die NIS2-Richtlinie noch nicht umgesetzt hat. --------------------------------------------- https://www.heise.de/news/NIS2-nicht-umgesetzt-EU-Strafe-fuer-Deutschland-r… ∗∗∗ Exploiting Copilot AI for SharePoint ∗∗∗ --------------------------------------------- TL;DR AI Assistants are becoming far more common Copilot for SharePoint is Microsoft’s answer to generative AI assistance on SharePoint Attackers will look to exploit anything they can get their .. --------------------------------------------- https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sha… ∗∗∗ Meta lässt sich sechs Wochen Zeit, bis Betrug entfernt wird ∗∗∗ --------------------------------------------- Postings über Kryptoscams oder betrügerische Influencer-Aktionen bleiben auf Facebook und Instagram am längsten von allen online --------------------------------------------- https://www.derstandard.at/story/3000000268532/meta-laesst-sich-sechs-woche… ∗∗∗ Ransomware Attackers Leveraged Privilege Escalation Zero-day ∗∗∗ --------------------------------------------- Exploit used by Play-linked attackers targets the CVE-2025-29824 zero-day vulnerability patched on April 8. --------------------------------------------- https://www.security.com/threat-intelligence/play-ransomware-zero-day ∗∗∗ Unsophisticated Cyber Actor(s) Targeting Operational Technology ∗∗∗ --------------------------------------------- CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-ac… ∗∗∗ Poland arrests four in global DDoS-for-hire takedown ∗∗∗ --------------------------------------------- The suspects allegedly operated six platforms that offered distributed denial-of-service attacks for as little as 10 euros. --------------------------------------------- https://therecord.media/poland-arrests-four-ddos-hire ∗∗∗ Achtung bei iVentoy, es werden obskure Zertifikate und Treiber installiert ∗∗∗ --------------------------------------------- Kurze Warnung an Leute aus der Blog-Leserschaft, die das Tool iVentoy zur Verteilung von Betriebssystem-Images über ein Netzwerk und einen PXE-Server einsetzen. Es gibt aktuell eine Diskussion, dass das Tool .. --------------------------------------------- https://www.borncity.com/blog/2025/05/07/achtung-bei-iventoy-es-werden-obsk… ∗∗∗ ClickFix Scam: How to Protect Your Business Against This Evolving Threat ∗∗∗ --------------------------------------------- Cybercriminals aren’t always loud and obvious. Sometimes, they play it quiet and smart. One of the tricks of .. --------------------------------------------- https://hackread.com/clickfix-scam-how-to-protect-business-againt-threat/ ∗∗∗ COLDRIVER Using New Malware To Steal Documents >From Western Targets and NGOs ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-do… ===================== = Vulnerabilities = ===================== ∗∗∗ Honeywell MB Secure Authenticated Command Injection ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-command… ∗∗∗ Langflow Missing Authentication Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6085 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2025
by Daily end-of-shift report 06 May '25

06 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 05-05-2025 18:00 − Dienstag 06-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Man pleads guilty to using malicious AI software to hack Disney employee ∗∗∗ --------------------------------------------- Fake image-generating app allowed man to download 1.1TB of Disney-owned data. --------------------------------------------- https://arstechnica.com/ai/2025/05/man-pleads-guilty-to-using-malicious-ai-… ∗∗∗ Luna Moth extortion hackers pose as IT help desks to breach US firms ∗∗∗ --------------------------------------------- The data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States. --------------------------------------------- https://www.bleepingcomputer.com/news/security/luna-moth-extortion-hackers-… ∗∗∗ "Mirai" Now Exploits Samsung MagicINFO CMS (CVE-2024-7399), (Mon, May 5th) ∗∗∗ --------------------------------------------- Last August, Samsung patched an arbitrary file upload vulnerability that could lead to remote code execution [1]. The announcement was very sparse and did not even include affected .. --------------------------------------------- https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE2024… ∗∗∗ CISA slammed for role in censorship industrial complex as budget faces possible $500M cut ∗∗∗ --------------------------------------------- Because who needs cybersecurity when there’s culture wars to win President Trumps dream 2026 budget would gut the US govts Cybersecurity and Infrastructure Security Agency, aka CISA, by $491 million - about 17 percent – and accuses the organization of abandoning its core mission in favor of policing online speech. --------------------------------------------- https://www.theregister.com/2025/05/06/cisa_budget_cuts/ ∗∗∗ Signal-Affäre: Modifizierter Messenger stellt nach zweitem Einbruch Betrieb ein ∗∗∗ --------------------------------------------- In der US-Regierung wird eine modifizierte App benutzt, um per Signal zu kommunizieren. Die heißt TeleMessage, wurde zweimal geknackt und vorerst dicht gemacht. --------------------------------------------- https://www.heise.de/news/Signal-Affaere-Modifizierter-Messenger-stellt-nac… ∗∗∗ Peru denies it was hit by ransomware attack following Rhysida claims ∗∗∗ --------------------------------------------- The prolific ransomware gang claimed to have taken over the Peruvian governments domain. --------------------------------------------- https://therecord.media/peru-rhysida-ransomware-claims-denied ∗∗∗ NSA to cut up to 2,000 civilian roles as part of intel community downsizing ∗∗∗ --------------------------------------------- The agency is expected to make the cuts by the end of year, however that deadline could change as it is tied to the Defense Department’s broader push to reduce its budget by 8 percent in each of the next five years. --------------------------------------------- https://therecord.media/nsa-to-cut-up-to-2000-roles-downsizing ∗∗∗ Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches ∗∗∗ --------------------------------------------- Edge vulnerabilities are a critical and growing threat. The 2025 DBIR reveals an eightfold surge in exploitation, yet many remain unpatched despite immediate risk. --------------------------------------------- https://www.greynoise.io/blog/verizon-dbir-2025-edge-kevs-increasingly-left… ∗∗∗ Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines ∗∗∗ --------------------------------------------- UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-… ∗∗∗ A Timely Reminder: Russia’s Enduring Cyber Threat to Critical Infrastructure ∗∗∗ --------------------------------------------- Russia’s cyber operations — ranging from power-grid disruptions to global ransomware — continue to be among the world’s most prolific and destructive, underscoring the continued .. --------------------------------------------- https://detect.fyi/a-timely-reminder-russias-enduring-cyber-threat-to-criti… ∗∗∗ How to Harden GitHub Actions: The Unofficial Guide ∗∗∗ --------------------------------------------- Build resilient GitHub Actions workflows with lessons from recent attacks. --------------------------------------------- https://www.wiz.io/blog/github-actions-security-guide ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/1020222/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2025
by Daily end-of-shift report 05 May '25

05 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-05-2025 18:00 − Montag 05-05-2025 18:00 Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Magento supply chain attack compromises hundreds of e-stores ∗∗∗ --------------------------------------------- A supply chain attack involving 21 backdoored Magento extensions has compromised between 500 and 1,000 e-commerce stores, including one belonging to a $40 billion multinational. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-… ∗∗∗ StealC malware enhanced with stealth upgrades and data theft tools ∗∗∗ --------------------------------------------- The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with… ∗∗∗ Shuffling the Greatest Hits: How DragonForce Ransomware Samples LockBit and Conti Into a Ransomware Jukebox ∗∗∗ --------------------------------------------- DragonForce ransomware has been assessed as a sophisticated threat that tactically deploys payloads derived from leaked source code of both the notorious LockBit 3.0 and Conti ransomware families. While the samples share some similar core functionality, DragonForce distinguishes itself in several .. --------------------------------------------- https://hybrid-analysis.blogspot.com/2025/05/shuffling-greatest-hits-how-dr… ∗∗∗ Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware ∗∗∗ --------------------------------------------- An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.The activity, which lasted from at least May 2023 to February 2025, .. --------------------------------------------- https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.ht… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-expl… ∗∗∗ CVE-2025-31324: Critical SAP NetWeaver Vulnerability Actively Exploited ∗∗∗ --------------------------------------------- SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, has recently been patched with the release of SAP Security Note 3594142. --------------------------------------------- https://www.truesec.com/hub/blog/cve-2025-31324-critical-sap-netweaver-vuln… ∗∗∗ DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door ∗∗∗ --------------------------------------------- The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening. --------------------------------------------- https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-s… ∗∗∗ NPM targeted by malware campaign mimicking familiar library names ∗∗∗ --------------------------------------------- Developers looking for familiar packages from other programming languages are increasingly falling victim to malicious attacks. Summary #The Socket threat research team uncovered a coordinated malware operation across the NPM ecosystem. The actor behind the campaign published dozens of malicious NPM packages that mimic well-known Python, Java, C++, .NET, .. --------------------------------------------- https://socket.dev/blog/npm-targeted-by-malware-campaign-mimicking-familiar… ∗∗∗ Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks ∗∗∗ --------------------------------------------- A vulnerability has been identified in Apache Parquet Java, which could leave systems exposed to remote code execution (RCE) attacks. Apache Parquet contributor Gang Wu discovered, this flaw, tracked as CVE-2025-46762, .. --------------------------------------------- https://thecyberexpress.com/apache-parquet-java-flaw-cve-2025-46762/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, .. --------------------------------------------- https://lwn.net/Articles/1020130/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2025
by Daily end-of-shift report 02 May '25

02 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-04-2025 18:00 − Freitag 02-05-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Angreifer setzen erneut an älteren Sonicwall-Lücken an ∗∗∗ --------------------------------------------- Aufgrund von laufenden Attacken sollten Admins ihre Fernwartungslösungen der SMA-Serie von Sonicwall umgehend auf den aktuellen Stand bringen. [..] Beide Schwachstellen betreffen die SMA-Reihen SMA 200, 210, 400, 410 und 500v. Die Entwickler versichern, die Lücken ab der Firmware 10.2.1.14-75sv geschlossen zu haben. [..] Sind Attacken erfolgreich, können Angreifer Schadcode ausführen. Die "kritische" Lücke (CVE-2024-38475) betrifft die SMA-Komponente Apache HTTP Server. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-setzen-erneut-an-aelteren… ∗∗∗ SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475) ∗∗∗ --------------------------------------------- Another day, another edge device being targeted - it’s a typical Thursday! In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. [..] Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a seperate CVE will not be assigned for SonicWall's [..] As always, we’ve produced a Detection Artefact Generator to demonstrate and achieve pre-auth RCE. --------------------------------------------- https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-so… ∗∗∗ Why MFA is getting easer to bypass and what to do about it ∗∗∗ --------------------------------------------- As detailed on Thursday by Cisco Talos, an entire ecosystem has cropped up to help criminals defeat these forms of MFA. --------------------------------------------- https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-a… ∗∗∗ Windows: Anmeldung mit alten Passwörtern durch RDP möglich ∗∗∗ --------------------------------------------- Laut Microsoft handelt es sich um eine "Design-Entscheidung, die sicherstellt, dass mindestens ein Nutzerkonto dazu in der Lage ist, sich anzumelden, ganz gleich, wie lange das System offline war". Daher treffe dieses Verhalten die Definition einer Schwachstelle nicht. Microsoft habe keine Pläne, etwas daran zu ändern. --------------------------------------------- https://www.heise.de/news/Windows-Log-in-ueber-RDP-mit-widerrufenen-Passwoe… ∗∗∗ Prolific RansomHub Operation Goes Dark ∗∗∗ --------------------------------------------- The chat infrastructure and data-leak site of the notorious ransomware-as-a-service group has been inactive since March 31, according to security vendors. --------------------------------------------- https://www.darkreading.com/cyber-risk/prolific-ransomhub-operation-goes-da… ∗∗∗ Softwareupdates manipuliert: Hacker missbrauchen IPv6-Feature für Cyberattacken ∗∗∗ --------------------------------------------- Spellbinder nutzt den Angaben nach einen Angriffsvektor, der schon mindestens seit 2008 bekannt ist und schon 2011 in einem Blogbeitrag unter der Bezeichnung "SLAAC-Attack" ausführlich beschrieben wurde. [..] Mit Spellbinder lassen sich demnach IPv6-Konfigurationen spoofen, die normalerweise automatisch über eine Methode namens SLAAC (Stateless Address Autoconfiguration) zugewiesen werden. --------------------------------------------- https://www.golem.de/news/softwareupdates-manipuliert-hacker-missbrauchen-i… ∗∗∗ MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks ∗∗∗ --------------------------------------------- The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Futures Insikt Group said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/05/mintsloader-drops-ghostweaver-via.html ∗∗∗ I StealC You: Tracking the Rapid Changes To StealC ∗∗∗ --------------------------------------------- StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. --------------------------------------------- https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid… ∗∗∗ Using Trusted Protocols Against You: Gmail as a C2 Mechanism ∗∗∗ --------------------------------------------- Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. --------------------------------------------- https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-m… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, fig2dev, firefox-esr, golang-github-gorilla-csrf, jinja2, libxml2, nagvis, qemu, request-tracker4, request-tracker5, u-boot, and vips), Fedora (firefox, giflib, and thunderbird), Mageia (imagemagick), Red Hat (thunderbird), SUSE (amber-cli, libjxl, and redis), and Ubuntu (h2o, poppler, and postgresql-10). --------------------------------------------- https://lwn.net/Articles/1019645/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython). --------------------------------------------- https://lwn.net/Articles/1019869/ ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-121-01 KUNBUS GmbH Revolution Pi, ICSMA-25-121-01 MicroDicom DICOM Viewer --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-releases-two-indust… ∗∗∗ ZDI-25-267: GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-267/ ∗∗∗ IBM Cognos Analytics: Angreifer können Schadcode hochladen ∗∗∗ --------------------------------------------- https://www.heise.de/news/IBM-Cognos-Analytics-Angreifer-koennen-Schadcode-… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… ∗∗∗ Tenable: [R1] Sensor Proxy Version 1.2.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-08 ∗∗∗ f5: K000151130: GnuTLS vulnerability CVE-2024-12243 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151130 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2025
by Daily end-of-shift report 30 Apr '25

30 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-04-2025 18:00 − Mittwoch 30-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ AirBorne: Wormable Zero-Click RCE in Apple AirPlay ∗∗∗ --------------------------------------------- Oligo Security Research has discovered a new set of vulnerabilities in Apple’s AirPlay Protocol and the AirPlay Software Development Kit (SDK), which is used by third-party vendors to integrate AirPlay into third-party devices. --------------------------------------------- https://www.oligo.security/blog/airborne ∗∗∗ Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th) ∗∗∗ --------------------------------------------- The activity occured on the 23 April 2025 between 18:00 - 19:00 UTC but since then based on activity reported to DShield (see graphs below) has been happening almost daily. --------------------------------------------- https://isc.sans.edu/diary/rss/31906 ∗∗∗ Yet Another NodeJS Backdoor (YaNB): A Modern Challenge ∗∗∗ --------------------------------------------- During an Advanced Continual Threat Hunt (ACTH) investigation conducted in early March 2025, Trustwave SpiderLabs identified a notable resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications. These campaigns trick users into executing NodeJS-based backdoors, subsequently deploying sophisticated NodeJS Remote Access Trojans (RATs) similar to traditional PE structured legacy RATs. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another… ∗∗∗ Understanding the Deep Web, Dark Web, and Darknet (2025 Guide) ∗∗∗ --------------------------------------------- Understand the difference between Deep Web, Dark Web, and Darknet. Learn how they work, how to access them safely, and why they matter in 2025. --------------------------------------------- https://www.darknet.org.uk/2025/04/understanding-the-deep-web-dark-web-and-… ∗∗∗ The MCP Authorization Spec Is... a Mess for Enterprise ∗∗∗ --------------------------------------------- The Model Context Protocol has created quite the buzz in the AI ecosystem at the moment, but as enterprise organizations look to adopt it, they are confronted with a hard truth: it lacks important security functionality. Up until now, as people experiment with Agentic AI and tool support, they’ve mostly adopted the MCP stdio transport, which means you end up with a 1:1 deployment of MCP server and MCP client. What organizations need is a way to deploy MCP servers remotely and leverage authorization to give resource owner’s access to their data safely. --------------------------------------------- https://blog.christianposta.com/the-updated-mcp-oauth-spec-is-a-mess/ ∗∗∗ Practical Cyber Deception — Introduction to “Chaotic Good” ∗∗∗ --------------------------------------------- Cyber deception isn’t about building expensive honeynets or deploying complex traps — it’s about instilling doubt and confusion in the attacker. By layering practical, tactical deception into your environment, you shift the balance of power: slowing them down, forcing mistakes, and gaining early warning long before real damage is done. From fake servers and canary tokens to ransomware drive traps, deception turns defense from a reactive grind into a strategic, active game. --------------------------------------------- https://detect.fyi/practical-cyber-deception-introduction-to-chaotic-good-2… ∗∗∗ Phishers Take Advantage of Iberian Blackout Before Its Even Over ∗∗∗ --------------------------------------------- Opportunistic threat actors targeted Portuguese and Spanish speakers by spoofing Portugals national airline in a campaign offering compensation for delayed or disrupted flights. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/phishers-take-advant… ===================== = Vulnerabilities = ===================== ∗∗∗ Dell schützt PowerProtect Data Manager und Laptops vor möglichen Attacken ∗∗∗ --------------------------------------------- In einer Warnmeldung führen die Entwickler aus, dass PowerProtect Data Manager über mehrere Lücken in Komponenten von Drittanbietern wie Golang und Spring Framework, aber auch über Lücken in der Anwendung selbst angreifbar ist. Sind Attacken erfolgreich, können sich Angreifer etwa mit lokalem Zugriff und niedrigen Rechten höhere Nutzerrechte verschaffen (CVE-2025-23375 "hoch"). Die Entwickler versichern, die Lücken in PowerProtect Data Manager 19.19.0-15 geschlossen zu haben. --------------------------------------------- https://www.heise.de/news/Dell-schuetzt-PowerProtect-Data-Manager-und-Lapto… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc and libraw), Fedora (digikam, icecat, mingw-LibRaw, perl, perl-Devel-Cover, and perl-PAR-Packer), Red Hat (ghostscript, kernel, and kernel-rt), Slackware (mozilla), SUSE (augeas, firefox, and java-11-openjdk), and Ubuntu (binutils, libxml2, and nodejs). --------------------------------------------- https://lwn.net/Articles/1019457/ ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-119-01 Rockwell Automation ThinManager, ICSA-25-119-02 Delta Electronics ISPSoft, ICSA-25-105-05 Lantronix XPort (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-releases-three-indu… ∗∗∗ Mehrere Schwachstellen in Sematell ReplyOne (SYSS-2024-081/-082/-083) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sematell-replyon… ∗∗∗ f5: K000151082: PostgreSQL vulnerability CVE-2021-32027 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151082 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily