=====================
= End-of-Day report =
=====================
Timeframe: Montag 02-06-2025 18:00 − Dienstag 03-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Malicious RubyGems pose as Fastlane to steal Telegram API data ∗∗∗
---------------------------------------------
Two malicious RubyGems packages posing as popular Fastlane CI/CD plugins redirect Telegram API requests to attacker-controlled servers to intercept and steal data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-rubygems-pose-as-f…
∗∗∗ Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets ∗∗∗
---------------------------------------------
A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victims contacts list.
---------------------------------------------
https://thehackernews.com/2025/06/android-trojan-crocodilus-now-active-in.h…
∗∗∗ How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms ∗∗∗
---------------------------------------------
We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems. [..] A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms appeared first on Unit 42.
---------------------------------------------
https://unit42.paloaltonetworks.com/comparing-llm-guardrails-across-genai-p…
∗∗∗ Cyberattacks Hit Top Retailers: Cartier, North Face Among Latest Victims ∗∗∗
---------------------------------------------
North Face, Cartier, and Next Step Healthcare are the latest victims in a string of cyberattacks compromising customer data. Explore the methods used by attackers and the wider impact on retail security.
---------------------------------------------
https://hackread.com/cyberattacks-retailers-cartier-north-face-victims/
∗∗∗ Inside RansomHub: Tactics, Targets, and What It Means for You ∗∗∗
---------------------------------------------
What is RansomHub ransomware? We dive into the groups TTPs, latest attacks and news, & mitigation strategies you should know in 2025.
---------------------------------------------
https://www.bitsight.com/blog/guide-to-ransomhub-ransomware-2025
=====================
= Vulnerabilities =
=====================
∗∗∗ Google stopft attackierte Lücke in Chrome ∗∗∗
---------------------------------------------
In der Javascript-Engine V8 von Google Chrome ermöglicht eine Schwachstelle Angreifern, außerhalb vorgesehener Speichergrenzen zu lesen und zu schreiben. Für diese Schwachstelle ist ein Exploit in freier Wildbahn aufgetaucht, sie wird daher offenbar bereits attackiert.
---------------------------------------------
https://www.heise.de/news/Google-stopft-attackierte-Luecke-in-Chrome-104232…
∗∗∗ Sicherheitsupdate: Vielfältige Attacken auf HPE StoreOnce möglich ∗∗∗
---------------------------------------------
Acht Softwareschwachstellen in der Backuplösung StoreOnce von HPE machen Systeme attackierbar. Darunter findet sich eine "kritische" Lücke. Über weitere Angriffe kann Schadcode auf PCs gelangen. Eine gegen mögliche Attacken geschützte Version steht ab sofort zum Download bereit.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Vielfaeltige-Attacken-auf-HPE-S…
∗∗∗ Angreifer können Roundcube Webmail mit Schadcode attackieren ∗∗∗
---------------------------------------------
Webadmins sollten ihre Roundcube-Webmail-Instanzen zeitnah auf den aktuellen Stand bringen. In aktuellen Ausgaben haben die Entwickler eine Sicherheitslücke geschlossen, über die Schadcode auf Systeme gelangen kann.
---------------------------------------------
https://www.heise.de/news/Kritische-Schadcode-Luecke-bedroht-Roundcube-Webm…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (varnish), Debian (asterisk and roundcube), Fedora (systemd), Mageia (golang), Red Hat (ghostscript, perl-CPAN, python36:3.6, and rsync), SUSE (govulncheck-vulndb, libsoup-2_4-1, and postgresql, postgresql16, postgresql17), and Ubuntu (mariadb, open-vm-tools, php-twig, and python-tornado).
---------------------------------------------
https://lwn.net/Articles/1023625/
∗∗∗ SVD-2025-0604: Third-Party Package Updates in Splunk Universal Forwarder - June 2025 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-0604
∗∗∗ SVD-2025-0603: Third-Party Package Updates in Splunk Enterprise - June 2025 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-0603
∗∗∗ SVD-2025-0602: Incorrect permission assignment on Universal Forwarder for Windows during new installation or upgrade ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-0602
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 30-05-2025 18:00 − Montag 02-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Exploit details for max severity Cisco IOS XE flaw now public ∗∗∗
---------------------------------------------
Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-details-for-max-seve…
∗∗∗ Deutscher Rüstungskonzern: Cybergang leakt interne Daten von Rheinmetall ∗∗∗
---------------------------------------------
Der deutsche Rüstungskonzern Rheinmetall ist offenbar Ziel einer Cyberattacke geworden, bei der vertrauliche Daten in die Hände der Angreifer gelangt sind. Die Hackergruppe Babuk2 hatte Rheinmetall schon am 4. April auf ihre Datenleckseite aufgenommen. Jetzt berichtete Tagesschau.de, dass auch die Datenschutzbehörde NRW sowie das Bundesamt für Sicherheit in der Informationstechnik über den Vorfall informiert worden seien.
---------------------------------------------
https://www.golem.de/news/deutscher-ruestungskonzern-cybergang-leakt-intern…
∗∗∗ Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Across 6 Global Regions ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.
---------------------------------------------
https://thehackernews.com/2025/06/fake-recruiter-emails-target-cfos-using.h…
∗∗∗ Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump ∗∗∗
---------------------------------------------
A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names. The leaks include thousands of chat logs, personal videos, and ransom negotiations tied to some of the most notorious cyber-extortion gangs — believed to have raked in billions from companies, hospitals, and individuals worldwide.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/31/gangexposed_…
∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗
---------------------------------------------
We found four vulnerabilities by downloading and extracting Revolution Pi’s latest firmware version (01/2025). We didn’t even need to buy the device, although one would look great on our ICS demo rig! All were found with static code analysis but demonstrated by installing the firmware to a standard Raspberry Pi.
---------------------------------------------
https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g…
∗∗∗ The remote desktop puzzle. DFIR techniques for dealing with RDP Bitmap Cache ∗∗∗
---------------------------------------------
A lot of people are aware of RDP and what its functions are. It’s known for providing remote access and making life easier for administrators and users. With that comes insight for forensic investigators, regarding the ‘bitmap cache’. This is often overlooked, but when analysed correctly can provide some great understanding about what’s happened on a system.
---------------------------------------------
https://www.pentestpartners.com/security-blog/the-remote-desktop-puzzle-dfi…
∗∗∗ LOLCLOUD - Azure Arc - C2aaS ∗∗∗
---------------------------------------------
Exploring Azure Arc’s overlooked C2aaS potential. Attacking and Defending against its usage and exploring usecases.
---------------------------------------------
https://blog.zsec.uk/azure-arc-c2aas/
=====================
= Vulnerabilities =
=====================
∗∗∗ New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora ∗∗∗
---------------------------------------------
Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems.
---------------------------------------------
https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html
∗∗∗ 2025-06-02: Cyber Security Advisory - ELSB/Home Solutions Outdated SW Components in ABB Welcome IP-Gateway ∗∗∗
---------------------------------------------
An attacker who successfully exploits these vulnerabilities could potentially gain unauthorized access
and potentially compromise the system's - and log-file - confidentiality, integrity and availability.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A8948&Lan…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (espeak-ng, kitty, kmail-account-wizard, krb5, libreoffice, libvpx, net-tools, python-flask-cors, symfony, tcpdf, thunderbird, and twitter-bootstrap3), Fedora (chromium, dropbear, firefox, gstreamer1-plugins-bad-free, python-tornado, systemd, and thunderbird), Mageia (coreutils, deluge, glib2.0, and redis), Oracle (firefox, kernel, and systemd), Red Hat (firefox, kernel, kernel-rt, varnish, varnish:6, and zlib), SUSE (bind, curl, dnsdist, docker, ffmpeg-7, firefox, glibc, golang-github-prometheus-alertmanager, govulncheck-vulndb, icinga2, iputils, java-11-openjdk, java-1_8_0-ibm, kea, kernel, libopenssl-3-devel, libsoup, libxml2, nodejs-electron, open-vm-tools, openbao, perl-Net-Dropbox-API, pluto, poppler, postgresql14, postgresql15, postgresql16, postgresql17, python312-setuptools, runc, s390-tools, skopeo, sqlite3, thunderbird, and unbound), and Ubuntu (apport and libphp-adodb).
---------------------------------------------
https://lwn.net/Articles/1023501/
∗∗∗ Multiple vulnerabilities in wivia 5 ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN51394666/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 28-05-2025 18:00 − Freitag 30-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Interlock ransomware gang deploys new NodeSnake RAT on universities ∗∗∗
---------------------------------------------
The Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutes for persistent access to corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-de…
∗∗∗ APT41 malware abuses Google Calendar for stealthy C2 communication ∗∗∗
---------------------------------------------
The Chinese APT41 hacking group uses a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-…
∗∗∗ Threat actors abuse Google Apps Script in evasive phishing attacks ∗∗∗
---------------------------------------------
Threat actors are abusing the ‘Google Apps Script’ development platform to host phishing pages that appear legitimate and steal login credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a…
∗∗∗ ConnectWise breached in cyberattack linked to nation-state hackers ∗∗∗
---------------------------------------------
IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cybe…
∗∗∗ Everest Group Extorts Global Orgs via SAPs HR Tool ∗∗∗
---------------------------------------------
Extortionist-cum-information broker "Everest Group" has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/everest-group-extort…
∗∗∗ Sicherheitslücke: Warum ChatGPT oft den gesamten Onedrive-Ordner lesen kann ∗∗∗
---------------------------------------------
Forscher warnen vor einer Sicherheitslücke in Microsofts File Picker für Onedrive. Apps wie ChatGPT können weitaus mehr lesen, als Anwender erwarten.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-warum-chatgpt-oft-den-gesamten-…
∗∗∗ Exploits and vulnerabilities in Q1 2025 ∗∗∗
---------------------------------------------
This report contains statistics on vulnerabilities and published exploits, along with an analysis of the most noteworthy vulnerabilities we observed in the first quarter of 2025.
---------------------------------------------
https://securelist.com/vulnerabilities-and-exploits-in-q1-2025/116624/
∗∗∗ New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers ∗∗∗
---------------------------------------------
Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet.
---------------------------------------------
https://thehackernews.com/2025/05/new-windows-rat-evades-detection-for.html
∗∗∗ Attack on LexisNexis Risk Solutions exposes data on 300k + ∗∗∗
---------------------------------------------
LexisNexis Risk Solutions (LNRS) is the latest big-name organization to disclose a serious cyberattack leading to data theft, with the number of affected individuals pegged at 364,333.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/28/attack_on_le…
∗∗∗ Billions of cookies up for grabs as experts warn over session security ∗∗∗
---------------------------------------------
A VPN vendor says billions of stolen cookies currently on sale either on dark web or Telegram-based marketplaces remain active and exploitable. More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/29/billions_of_…
∗∗∗ U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams ∗∗∗
---------------------------------------------
The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.
---------------------------------------------
https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as…
∗∗∗ Fake Bitdefender website used to spread infostealer malware ∗∗∗
---------------------------------------------
The attackers created a website that closely mimics Bitdefender’s legitimate Windows download page. Victims are infected after clicking a seemingly authentic “Download for Windows” button, which delivers a malicious archive. The archive contains executable files configured to deploy VenomRAT, which is used for remote access, keylogging and data exfiltration.
---------------------------------------------
https://therecord.media/fake-bitdefender-website-venomrat-infostealer
∗∗∗ Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say ∗∗∗
---------------------------------------------
Cybersecurity researchers at BeyondTrust are warning about a little-known but dangerous issue within Microsoft’s Entra identity platform. The issue isn’t some hidden bug or overlooked vulnerability; it’s a feature, built into the system by design, that attackers can exploit.
---------------------------------------------
https://hackread.com/microsoft-entra-design-guest-users-gain-azure-control/
∗∗∗ Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale ∗∗∗
---------------------------------------------
A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”
---------------------------------------------
https://hackread.com/threat-actor-tiktok-breach-428-million-records-sale/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (firefox-esr, libvpx, net-tools, php-twig, python-tornado, setuptools, varnish, webpy, yelp, and yelp-xsl), Fedora (xen), Mageia (cimg and ghostscript), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, thunderbird, and unbound), Red Hat (firefox, mingw-freetype and spice-client-win, pcs, and varnish:6), Slackware (curl and mozilla), SUSE (apparmor, containerd, dnsdist, go1.23-openssl, go1.24, gstreamer-plugins-bad, ImageMagick, jetty-minimal, python-tornado, python313-setuptools, s390-tools, thunderbird, tomcat10, ucode-intel, and wxWidgets-3_2), and Ubuntu (ffmpeg, krb5, libsoup3, libsoup2.4, linux-aws-5.4, linux-aws-fips, linux-fips, linux-oracle-6.8, net-tools, and python-setuptools, setuptools).
---------------------------------------------
https://lwn.net/Articles/1023072/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, firefox, ghostscript, gstreamer1-plugins-bad-free, libsoup3, mingw-freetype, perl, ruby, sqlite, thunderbird, unbound, valkey, and xz), Debian (chromium, firefox-esr, libavif, linux-6.1, modsecurity-apache, mydumper, systemd, and thunderbird), Fedora (coreutils, dnsdist, docker-buildx, maturin, mingw-python-flask, mingw-python-flit-core, ruff, rust-hashlink, rust-rusqlite, and thunderbird), Red Hat (pcs), SUSE (augeas, brltty, brotli, ca-certificates-mozilla, dnsdist, glibc, grub2, kernel, libsoup, libsoup2, libxml2, open-vm-tools, perl, postgresql13, postgresql15, postgresql16, postgresql17, python-cryptography, python-httpcore, python-h11, python311, runc, s390-tools, slurm, slurm_20_11, slurm_22_05, slurm_23_02, slurm_24_11, tomcat, and webkit2gtk3), and Ubuntu (linux-aws).
---------------------------------------------
https://lwn.net/Articles/1023259/
∗∗∗ On Demand JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 27-05-2025 18:00 − Mittwoch 28-05-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers ∗∗∗
---------------------------------------------
GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
---------------------------------------------
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-rou…
∗∗∗ DragonForce Ransomware Strikes MSP in Supply Chain Attack ∗∗∗
---------------------------------------------
DragonForce, a ransomware "cartel" that has gained significant popularity since its debut in 2023, attacked an MSP as part of a recent supply chain attack, via known SimpleHelp bugs.
---------------------------------------------
https://www.darkreading.com/application-security/dragonforce-ransomware-msp…
∗∗∗ Zanubis in motion: Tracing the active evolution of the Android banking malware ∗∗∗
---------------------------------------------
A comprehensive historical breakdown of Zanubis changes, including RC4 and AES encryption, credentials stealing and new targets in Peru, provided by Kaspersky GReAT experts.
---------------------------------------------
https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/1165…
∗∗∗ Fake Java Update Popup Found in Malicious WordPress Plugin ∗∗∗
---------------------------------------------
We recently assisted a customer who reported a persistent and concerning "Java Update" pop-up appearing on their WordPress website. This type of deceptive notification is a common tactic used by attackers to compromise website visitors. Our investigation revealed a malicious plugin operating stealthily within their WordPress environment.
---------------------------------------------
https://blog.sucuri.net/2025/05/fake-java-update-popup-found-in-malicious-w…
∗∗∗ OneDrive File Picker Flaw Provides ChatGPT and Other Web Apps Full Read Access to Users’ Entire OneDrive ∗∗∗
---------------------------------------------
Oasis Securitys research team uncovered a flaw in Microsofts OneDrive File Picker that allows websites to access a user’s entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp – meaning millions of users may have already granted these apps access to their OneDrive.
---------------------------------------------
https://www.oasis.security/resources/blog/onedrive-file-picker-security-fla…
∗∗∗ Chinese spies blamed for attempted hack on Czech government network ∗∗∗
---------------------------------------------
Czech authorities said they assessed with “a high degree of certainty” that a Chinese cyber-espionage group known as APT31, Judgment Panda, Bronze Vinewood or RedBravo tried to hack into a government network.
---------------------------------------------
https://therecord.media/czechia-accuses-china-cyber-espionage-apt31
∗∗∗ New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know ∗∗∗
---------------------------------------------
ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.
---------------------------------------------
https://hackread.com/new-phishing-campaign-dbatloader-drop-remcos-rat/
∗∗∗ Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users ∗∗∗
---------------------------------------------
ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users.
---------------------------------------------
https://hackread.com/malware-ai-models-pypi-targets-alibaba-ai-labs-users/
∗∗∗ Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day ∗∗∗
---------------------------------------------
On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. The infrastructure and execution suggest centralized planning.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-ta…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitslücken: IBM Guardium Data Protection als Einfallstor für Angreifer ∗∗∗
---------------------------------------------
Aufgrund von mehreren Schwachstellen kann es zu Datenlecks im Kontext von IBM Guardium Data Protection kommen. Updates schaffen Abhilfe.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-IBM-Guardium-Data-Protection-a…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools).
---------------------------------------------
https://lwn.net/Articles/1022853/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 139 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/
∗∗∗ F5: K000151516, Python urllib vulnerability CVE-2019-9947 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151516
∗∗∗ F5: K000151520, Python vulnerabilities CVE-2018-20852, CVE-2014-4616, and CVE-2013-7040 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151520
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 26-05-2025 18:00 − Dienstag 27-05-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MATLAB dev confirms ransomware attack behind service outage ∗∗∗
---------------------------------------------
MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mathworks-blames-ransomware-…
∗∗∗ Not Every CVE Deserves a Fire Drill: Focus on What’s Exploitable ∗∗∗
---------------------------------------------
Not every "critical" vulnerability is a critical risk. Picus Exposure Validation cuts through the noise by testing whats actually exploitable in your environment — so you can patch what matters.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/not-every-cve-deserves-a-fir…
∗∗∗ Chinese-Owned VPNs ∗∗∗
---------------------------------------------
One one my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain. A new study found that many commercials VPNS are (often surreptitiously) owned by Chinese companies. It would be hard for U.S. users to avoid the Chinese VPNs. The ownership of many appeared deliberately opaque, with several concealing their structure behind layers of offshore shell companies.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/05/chinese-owned-vpns.html
∗∗∗ Cyber Security Operations Center: ESA will mehr IT-Sicherheit ∗∗∗
---------------------------------------------
Die Raumfahrtagentur ESA verstärkt ihre IT-Sicherheitsbemühungen. Dazu eröffnete sie nun das Cyber Security Operations Center.
---------------------------------------------
https://www.heise.de/news/Cyber-Security-Operations-Center-ESA-will-mehr-IT…
∗∗∗ Dutch intelligence unmasks previously unknown Russian hacking group Laundry Bear ∗∗∗
---------------------------------------------
Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
---------------------------------------------
https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlan…
∗∗∗ Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites ∗∗∗
---------------------------------------------
Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-wea…
=====================
= Vulnerabilities =
=====================
∗∗∗ GitHub MCP Exploited: Accessing private repositories via MCP ∗∗∗
---------------------------------------------
We showcase a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data. The vulnerability is among the first discovered by Invariants security analyzer for detecting toxic agent flows.
---------------------------------------------
https://invariantlabs.ai/blog/mcp-github-vulnerability
∗∗∗ Update für ManageEngine ADAudit Plus stopft hochriskante Sicherheitslücken ∗∗∗
---------------------------------------------
In ManageEngine ADAudit Plus hat Hersteller Zoho zwei als hohes Risiko eingestufte Schwachstellen ausgebessert.
---------------------------------------------
https://www.heise.de/news/Update-fuer-ManageEngine-ADAudit-Plus-stopft-hoch…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free, libsoup, and python-tornado), Debian (libavif and pgbouncer), Red Hat (gstreamer1-plugins-bad-free, mingw-freetype and spice-client-win, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, and python310-setuptools), and Ubuntu (flask, intel-microcode, openjdk-17-crac, tika, and Tomcat).
---------------------------------------------
https://lwn.net/Articles/1022703/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.11 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.24 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
∗∗∗ Security Vulnerabilities fixed in Firefox 139 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 23-05-2025 18:00 − Montag 26-05-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying ∗∗∗
---------------------------------------------
An example of how a single malware operation can enable both criminal and state-sponsored hacking.
---------------------------------------------
https://arstechnica.com/security/2025/05/feds-charge-16-russians-allegedly-…
∗∗∗ Gitlab Duo: Versteckter Kommentar lässt KI-Tool privaten Code leaken ∗∗∗
---------------------------------------------
Gitlab Duo hatte zuletzt ernste Sicherheitsprobleme. Angreifer konnten privaten Quellcode abgreifen oder Schadcode in fremde Softwareprojekte einschleusen.
---------------------------------------------
https://www.golem.de/news/gitlab-duo-versteckter-kommentar-laesst-ki-tool-p…
∗∗∗ Fake Google Meet Page Tricks Users into Running PowerShell Malware ∗∗∗
---------------------------------------------
Last month, a customer reached out to us after noticing suspicious URLs on their WordPress site. Visitors reported being prompted to perform unusual actions.We began our investigation, scanning the site for common ..
---------------------------------------------
https://blog.sucuri.net/2025/05/fake-google-meet-page-tricks-users-into-run…
∗∗∗ Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique ∗∗∗
---------------------------------------------
The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector."The ClickFix technique is particularly risky because it allows the malware to execute in memory ..
---------------------------------------------
https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.h…
∗∗∗ Operation Endgame 2: 15 Millionen E-Mail-Adressen und 43 Millionen Passwörter ∗∗∗
---------------------------------------------
Bei "Operation Endgame 2.0" kamen viele Millionen Adressen und Passwörter von Opfern ans Licht. Have I Been Pwned hat sie aufgenommen.
---------------------------------------------
https://www.heise.de/news/Operation-Endgame-2-15-Millionen-E-Mail-Adressen-…
∗∗∗ Neuer Lieferkettenangriff mit bösartigen Skripten in npm-Paketen ∗∗∗
---------------------------------------------
Ein neuer Angriff auf die Lieferkette bedroht Workstations und CI-Umgebungen. Das bösartige Skript spioniert interne Daten für weitere Attacken aus.
---------------------------------------------
https://www.heise.de/news/Neuer-Lieferkettenangriff-mit-boesartigen-Skripte…
∗∗∗ Kriminelle Gruppe "Careto" angeblich von spanischer Regierung gelenkt ∗∗∗
---------------------------------------------
Nicht nur China und Russland steuern Cybergangs. Ehemalige Kaspersky-Mitarbeiter behaupten, die Bande "Careto" werde von Spanien gelenkt.
---------------------------------------------
https://www.heise.de/news/Kriminelle-Gruppe-Careto-angeblich-von-spanischer…
∗∗∗ Hacker bietet 1,2 Milliarden Facebook-Nutzerdaten im Darknet – ist es ein Fake? ∗∗∗
---------------------------------------------
Gab es ein neues Datenleck bei Meta-Tochter Facebook? Ein Hacker behauptet 1,2 Milliarden Facebook-Nutzerdaten über eine API abgezogen zu haben und bietet diese im Darknet zum Kauf an. Es gibt aber Zweifel, ob diese Daten neu sind.
---------------------------------------------
https://www.borncity.com/blog/2025/05/23/hacker-bietet-12-milliarden-facebo…
∗∗∗ Offensive Threat Intelligence ∗∗∗
---------------------------------------------
CTI isn’t just for blue teams. Used properly, it sharpens red team tradecraft, aligns ops to real-world threats, and exposes blind spots defenders often miss. It’s not about knowing threats, it’s about becoming them long enough to help others beat them.
---------------------------------------------
https://blog.zsec.uk/offensive-cti/
∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗
---------------------------------------------
AhnLab and the National Cyber Security Center (NCSC) have released a report that details the activities of the TA-ShadowCricket group from 2023 to the present.
---------------------------------------------
https://asec.ahnlab.com/en/88137/
∗∗∗ ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks ∗∗∗
---------------------------------------------
Cofense Intelligences May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.
---------------------------------------------
https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/
∗∗∗ BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover ∗∗∗
---------------------------------------------
Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any…
---------------------------------------------
https://hackread.com/badsuccessor-exploits-windows-server-2025-takeover/
∗∗∗ How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation ∗∗∗
---------------------------------------------
In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API – no scaffolding, no agentic frameworks, no tool use.
---------------------------------------------
https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-re…
∗∗∗ Bypassing MTE with CVE-2025-0072 ∗∗∗
---------------------------------------------
In this post, I’ll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
---------------------------------------------
https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-…
∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗
---------------------------------------------
In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally ..
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5924-1 intel-microcode - security update ∗∗∗
---------------------------------------------
This update ships updated CPU microcode for some types of Intel CPUs. Inparticular it provides mitigations for the Indirect Target Selection(ITS) vulnerability (CVE-2024-28956) and the Branch Privilege Injectionvulnerability (CVE-2024-45332).For CPUs affected to ITS (Indirect Target Selection), to fully mitigatethe vulnerability it is also necessary to ..
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00087.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 22-05-2025 18:00 − Freitag 23-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ TikTok videos now push infostealer malware in ClickFix attacks ∗∗∗
---------------------------------------------
As Trend Micro recently discovered, the threat actors behind this TikTok social engineering campaign are using videos likely generated using AI that ask viewers to run commands claiming to activate Windows and Microsoft Office, as well as premium features in various legitimate software like CapCut and Spotify.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infos…
∗∗∗ FBI warns of Luna Moth extortion attacks targeting law firms ∗∗∗
---------------------------------------------
The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks. Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022 and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-luna-moth-extor…
∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗
---------------------------------------------
In this blog post, we get to the heart of the matter, the actual security of the Windows Registry. I'd like to talk about what made a feature that was initially meant to be just a quick test of my fuzzing infrastructure draw me into manual research for the next 1.5 ~ 2 years, and result in Microsoft fixing (so far) 53 CVEs. I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate, and some considerations on effective fuzzing and where more bugs might still be lurking.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu…
∗∗∗ GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites.
---------------------------------------------
https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html
∗∗∗ ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network.
---------------------------------------------
https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html
∗∗∗ Oops: DanaBot Malware Devs Infected Their Own PCs ∗∗∗
---------------------------------------------
The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.
---------------------------------------------
https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-thei…
∗∗∗ Fake-Geburtstagsgeschenk: Abofalle im Namen von Rituals im Umlauf ∗∗∗
---------------------------------------------
Derzeit sind betrügerische E-Mails im Umlauf, die angeblich von Rituals stammen. Sie versprechen eine luxuriöse Geburtstags-Geschenkbox zum Sonderpreis von nur zwei Euro. Doch Vorsicht: Hinter dem scheinbar großzügigen Angebot verbirgt sich keine echte Überraschung, sondern eine teure Abofalle!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-geburtstagsgeschenk-abofalle-im…
∗∗∗ Sicherheitsrisiko AD-Verwaltung und Gruppe Authenticated Users ∗∗∗
---------------------------------------------
Ein Blog-Leser hat mich die Tage auf ein möglicherweise bei einigen Active Directory-Systemen bestehende Sicherheitsrisiko hingewiesen. Sind in der Active-Directory-Gruppe Authenticated Users externe Konten enthalten, könnten Freigaben interner Dienste (Drucker etc.) ungewollt externen Nutzern offen stehen.
---------------------------------------------
https://www.borncity.com/blog/2025/05/22/sicherheitsrisiko-ad-verwaltung-un…
∗∗∗ Information Leakage Caused by DB Client Tool ∗∗∗
---------------------------------------------
In recent breach incidents, threat actors have been observed not only accessing systems, but also directly querying internal databases and stealing sensitive information. Particularly, more threat actors are installing DB client tools directly on targeted systems to exfiltrate data, and legitimate tools such as DBeaver, Navicat, and sqlcmd are being used in this process.
---------------------------------------------
https://asec.ahnlab.com/en/88134/
∗∗∗ Scarcity signals: Are rare activities red flags? ∗∗∗
---------------------------------------------
Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.
---------------------------------------------
https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red…
∗∗∗ Operation Endgame 2.0: 20 Haftbefehle, Hunderte Server außer Gefecht gesetzt ∗∗∗
---------------------------------------------
Internationale Strafverfolger gehen weiter gegen Malware-Autoren vor. Im Rahmen der "Operation Endgame 2.0" haben die Sicherheitsbehörden aus Deutschland – das BKA und die Generalstaatsanwaltschaft Frankfurt am Main – die Cyberkriminellen nun empfindlich getroffen. Allein in Deutschland nahmen die Behörden 50 Server vom Netz, 650 Domains sind nicht mehr unter der Kontrolle der Cybergangster.
---------------------------------------------
https://heise.de/-10394215
∗∗∗ Fault Injection-Angriffe auf die Mikrocontroller nRF54L15 und STM32L051 (SYSS-2025-022/-033) ∗∗∗
---------------------------------------------
Der Begriff "Fault Injection" bezeichnet eine Klasse von Schwachstellen, bei denen Angreifende gezielt versuchen, Fehlerzustände in Systemen zu erzeugen. Diese Fehlerzustände führen dabei zu abnormalem Verhalten der Systeme und können ausgenutzt werden, um Sicherheitsbeschränkungen zu umgehen. So ist es beispielsweise möglich, kryptografische Schlüssel zu extrahieren oder Lesebeschränkungen von internen Datenspeichern zu umgehen.
---------------------------------------------
https://www.syss.de/pentest-blog/fault-injection-angriffe-auf-die-mikrocont…
=====================
= Vulnerabilities =
=====================
∗∗∗ 2025-05-22: Cyber Security Advisory - ASPECT advisory several CVEs ∗∗∗
---------------------------------------------
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&Lan…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (dotnet9.0, dropbear, ghostscript, nbdkit, openssh, python-watchfiles, rpm-ostree, yelp, yelp-xsl, and zsync), Oracle (firefox and kernel), Red Hat (osbuild-composer), Slackware (aaa_glibc and mozilla), SUSE (chromedriver, open-vm-tools, postgresql14, python-cryptography, and thunderbird), and Ubuntu (linux-aws, linux-hwe-5.4, python, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1022352/
∗∗∗ Infoblox NetMRI is vulnerable to CVE-2024-54188 ∗∗∗
---------------------------------------------
https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE…
∗∗∗ [R1] Tenable Network Monitor Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-10
∗∗∗ Lantronix Device Installer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01
∗∗∗ Rockwell Automation FactoryTalk Historian ThingWorx ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 21-05-2025 18:00 − Donnerstag 22-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Strafverfolger beschlagnahmen Lumma Stealer-Infrastruktur (Mai 2025) ∗∗∗
---------------------------------------------
In einer koordinierten Aktion haben US-Strafverfolger die Infrastruktur (C & C-Server) des Lumma-Infostealers beschlagnahmt und die Funktion lahm gelegt. Die Malware ist für zahlreiche Cyberangriffe auf Nutzer mit Abgreifen von Informationen verantwortlich und es waren fast 400.000 PC infiziert. [..] Microsoft bezeichnet den Akteur, der Lumma als Malware-as-a-service (MaaS) anbietet, als Storm-2477. [..] Das Ganze erfolgte in Zusammenarbeit mit Strafverfolgungsbehörden (FBI, Europol, JC3) und Industriepartnern (ESET, Bitsight, Lumen, Cloudflare, CleanDNS und GMO Registry).
---------------------------------------------
https://www.borncity.com/blog/2025/05/22/strafverfolger-beschlagen-lumma-st…
∗∗∗ 3AM ransomware uses spoofed IT calls, email bombing to breach networks ∗∗∗
---------------------------------------------
A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-spoofed-…
∗∗∗ Signal now blocks Microsoft Recall screenshots on Windows 11 ∗∗∗
---------------------------------------------
Signal has updated its Windows app to protect users privacy by blocking Microsofts AI-powered Recall feature from taking screenshots of their conversations. [..] This new privacy feature, dubbed "screen security," is now enabled by default on all Windows 11 devices, where Recall continuously takes screenshots of all active windows every few seconds and analyzes them to build a database that can be searched using natural language. When enabled, screen security will set a Digital Rights Management (DRM) flag on Signal's app windows, blocking their content from being captured by Recall or other Windows apps and features.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/signal-now-blocks-microsoft-…
∗∗∗ Storm-0558 and the Dangers of Cross-Tenant Token Forgery ∗∗∗
---------------------------------------------
Modern cloud ecosystems often place a single identity provider in charge of handling logins and tokens for a wide range of customers. This approach certainly streamlines single sign-on (SSO) for end users, but it also places enormous trust in a single set of signing keys. If those private keys are compromised, attackers can create tokens that appear valid to any service that relies on them.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/storm-0558-…
∗∗∗ Another Fake Cloudflare Verification Targets WordPress Sites ∗∗∗
---------------------------------------------
A new Cloudflare infection has once again been targeting WordPress sites. This new iteration of malware mimics a legitimate-looking Cloudflare verification page, which then tricks victims into following various commands and downloading malware. This style of malware is not new – our researcher Ben Martin wrote about a similar campaign targeting WordPress sites back in March. The difference between this new infection and previous ones is the location of where the malware is located – spread out among multiple themes and fake plugins. Additionally, this variant is delivered in three stages, which helps the attacker avoid detection and maintain control over what is delivered at each step.
---------------------------------------------
https://blog.sucuri.net/2025/05/another-fake-cloudflare-verification-target…
∗∗∗ Datenleck bei Coinbase: Massive Phishing-Welle rollt ∗∗∗
---------------------------------------------
Nachdem Hacker zahlreiche Kund:innendaten der Krypto-Plattform gestohlen und weiterverkauft haben, werden aktuell vermehrt Phishing-Versuche im Namen von Coinbase gemeldet. Die Kriminellen kontaktieren Ihre Opfer entweder per E-Mail oder via Telefon mit dem Ziel, an sensible Informationen zu kommen oder Überweisungen zu veranlassen.
---------------------------------------------
https://www.watchlist-internet.at/news/datenleck-bei-coinbase-phishing/
∗∗∗ BadSuccessor: dMSA zur Privilegien-Erhöhung in Active Directory missbrauchen ∗∗∗
---------------------------------------------
In Windows Server 2025 wurden delegated Managed Service Accounts (dMSAs) neu eingeführt. Das sind Service-Konten für das Active Directory (AD), die neue Funktionen ermöglichen sollen. Sicherheitsforscher sind nun darauf gestoßen, dass durch den Missbrauch von dMSAs Angreifer jeden Principal in der Domäne übernehmen können. [..] Derzeit will Microsoft das Problem aus obigen Gründen nicht fixen – sondern das Problem irgendwann in Zukunft beheben (es gibt also keinen Patch).
---------------------------------------------
https://www.borncity.com/blog/2025/05/22/badsuccessor-dmsa-zur-privilegien-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances. It's worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues following the end of the 90-day deadline.
---------------------------------------------
https://thehackernews.com/2025/05/unpatched-versa-concerto-flaws-let.html
∗∗∗ Cisco Security Advisories 2025-05-21 ∗∗∗
---------------------------------------------
Cisco hat 10 neue Security Advisories veröffentlicht. Zwei der neuen Advisories sind als “High” eingestuft und 8 als “Medium”. Die als "High" eingestuften Advisories betreffen Schwachstellen in Cisco Identity Services Engine RADIUS und Cisco Unified Intelligence Center.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Mozilla Security Advisories 2025-05-20 ∗∗∗
---------------------------------------------
Thunderbird (critical) and Firefox (low)
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (mozilla-ublock-origin and sudo-rs), Oracle (.NET 8.0, compat-openssl10, grafana, osbuild-composer, redis:6, ruby:2.5, and webkit2gtk3), SUSE (dante, firefox-esr, gnuplot, govulncheck-vulndb, grype, postgresql13, postgresql14, postgresql15, postgresql16, postgresql17, python-tornado6, python314, thunderbird, ucode-intel, and xen), and Ubuntu (bind9, libfcgi-perl, linux-ibm-5.4, linux-oracle-5.4, postgresql-17, and Tomcat).
---------------------------------------------
https://lwn.net/Articles/1022189/
∗∗∗ Authentifizierung: Kritische Lücke in Samlify macht Angreifer zu Admins ∗∗∗
---------------------------------------------
Admins, die Single-Sign-On-Anmeldungen (SSO) über die weitverbreitete Node.js-Bibliothek Samlify realisieren, sollten den verfügbaren Sicherheitspatch zeitnah installieren. Geschieht das nicht, können Angreifer die Authentifizierung umgehen und mit weitreichenden Rechten auf Systeme zugreifen. [..] Auf die "kritische" Sicherheitslücke (CVE-2025-47949) sind Sicherheitsforscher von Endor Labs gestoßen.
---------------------------------------------
https://heise.de/-10392315
∗∗∗ Angreifer können mit VMware erstellte virtuelle Maschinen crashen ∗∗∗
---------------------------------------------
Aus der Warnmeldung geht hervor, dass die am gefährlichsten eingestufte Schwachstelle (CVE-2025-41225 "hoch") vCenter Server betrifft. An dieser Stelle kann ein authentifizierter Angreifer eigene Befehle ausführen. Verfügt ein Angreifer über Gast-VM-Rechte, kann er für eine Gast-VM einen DoS-Zustand erzeugen (CVE-2025-41226 "mittel"). So etwas führt in der Regel zu Abstürzen. Weiterhin sind noch weitere DoS-Attacken (CVE-2025-41227 "mittel") und XSS-Angriffe (CVE-2025-41228 "mittel") möglich.
---------------------------------------------
https://heise.de/-10392911
∗∗∗ Drupal Security Advisories 2025-05-21 ∗∗∗
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 12, 2025 to May 18, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 20-05-2025 18:00 − Mittwoch 21-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows 11’s most important new feature is post-quantum cryptography. Here’s why. ∗∗∗
---------------------------------------------
For the first time, new quantum-safe algorithms can be invoked using standard Windows APIs.
---------------------------------------------
https://arstechnica.com/security/2025/05/heres-how-windows-11-aims-to-make-…
∗∗∗ VanHelsing ransomware builder leaked on hacking forum ∗∗∗
---------------------------------------------
The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vanhelsing-ransomware-builde…
∗∗∗ Dero miner zombies biting through Docker APIs to build a cryptojacking horde ∗∗∗
---------------------------------------------
Kaspersky experts break down an updated cryptojacking campaign targeting containerized environments: a Dero crypto miner abuses the Docker API. [..] The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner.
---------------------------------------------
https://securelist.com/dero-miner-infects-containers-through-docker-api/116…
∗∗∗ Chrome kann unsichere Passwörter künftig komplett selbst ändern ∗∗∗
---------------------------------------------
Googles Chrome-Browser soll bald automatisch Passwörter ändern können, wenn bei der Anmeldung damit erkannt wird, dass es kompromittiert wurde. [..] Im Idealfall bekommen Nutzer und Nutzerinnen in Chrome dann künftig einen Hinweis, wenn ein gespeichertes Passwort in einem Datenleck gefunden wurde und können den Browser dazu bringen, das Passwort durch ein sicheres zu ersetzen. Das wird dann im Passwortmanager von Chrome abgespeichert, das unsichere wird ersetzt. Die automatische Passwortänderung benötigt dafür insgesamt nur einen Klick.
---------------------------------------------
https://heise.de/-10391298
∗∗∗ Sicherheitsbehörden warnen vor russischer Spionage mit IP-Kameras ∗∗∗
---------------------------------------------
Mutmaßliche Mitarbeiter des russischen Militärgeheimdienstes GRU haben sich Zugriff auf Netzwerke und IP-Kameras von Betreibern kritischer Infrastrukturen (KRITIS) verschafft. Das melden unter anderem NSA, FBI, der Bundesnachrichtendienst (BND) und die Bundesämter für Verfassungsschutz (BfV) sowie Sicherheit in der Informationstechnik (BSI).[..] Betroffen sind laut einer Mitteilung der Behörden vor allem Unternehmen aus der Logistikbranche.
---------------------------------------------
https://heise.de/-10391927
∗∗∗ CISA, NIST Researchers Develop Metric to Determine Likelihood of Vulnerability Exploitation ∗∗∗
---------------------------------------------
Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have developed a new security metric to determine the likelihood that a vulnerability has been exploited. In a paper published this week, Peter Mell, formerly of NIST, and CISA’s Jonathan Spring outlined their vulnerability exploit metric that augments the work of the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.
---------------------------------------------
https://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/
=====================
= Vulnerabilities =
=====================
∗∗∗ Lücke in OpenPGP.js gefährdet verschlüsselten E-Mail-Verkehr ∗∗∗
---------------------------------------------
In OpenPGP.js, einer weitverbreiteten Javascript-Implementierung von OpenPGP, klafft eine gefährliche Sicherheitslücke, durch die sich das Ergebnis der Signaturprüfung fälschen lässt. Laut einer Sicherheitsmeldung auf Github kann ein Angreifer speziell manipulierte Daten an die Funktionen openpgp.verify oder openpgp.decrypt übergeben, um verschlüsselte und/oder signierte Nachrichten zu spoofen. CVE-2025-47934
---------------------------------------------
https://www.golem.de/news/manipulationsgefahr-luecke-in-openpgp-js-gefaehrd…
∗∗∗ Mehrere Schwachstellen bei eCharge Hardy Barth cPH2 und cPP2 Ladestationen ∗∗∗
---------------------------------------------
Hardy Barth EV charging station products are affected by critical vulnerabilities that can be exploited through both physical access and unauthenticated network access. These vulnerabilities pose significant risks, including system compromise, data breaches, and operational disruptions within EV charging infrastructures. [..] The vendor has not provided a fix for any of the reported vulnerabilities.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle…
∗∗∗ Mehrere Sicherheitslücken bedrohen VMware Cloud Foundation ∗∗∗
---------------------------------------------
Wie aus einer Warnmeldung hervorgeht, sind die Lücken (CVE-2025-41229, CVE-2025-41230, CVE-2025-41231) mit dem Bedrohungsgrad "hoch" eingestuft. Nutzen Angreifer die Schwachstellen erfolgreich aus, können sie etwa im Netzwerk über den Port 443 auf sensitive Informationen oder interne Services zugreifen.
---------------------------------------------
https://heise.de/-10390932
∗∗∗ Millions of Node.js Apps at Risk Due to Critical Multer Vulnerabilities ∗∗∗
---------------------------------------------
Two high-severity security flaws have been identified in Multer, a popular middleware used in Node.js applications for handling file uploads. The Multer vulnerabilities, tracked as CVE-2025-47944 and CVE-2025-47935, affect all versions from 1.4.4-lts.1 up to but not including 2.0.0. According to the GitHub post, the two vulnerabilities “allow an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request.
---------------------------------------------
https://thecyberexpress.com/multer-vulnerabilities-expose-node-js/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, avahi, buildah, compat-openssl10, compat-openssl11, expat, firefox, gimp, git, grafana, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:22, osbuild-composer, php, redis, redis:7, skopeo, thunderbird, vim, webkit2gtk3, xterm, and yelp), Arch Linux (dropbear, freetype2, go, nodejs, nodejs-lts-iron, nodejs-lts-jod, python-django, webkit2gtk, webkit2gtk-4.1, webkitgtk-6.0, and wpewebkit), Debian (mongo-c-driver), Fedora (openssh, perl-Mojolicious, thunderbird, yelp, and yelp-xsl), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-ibm-semeru-certified-jdk, java-21-openjdk, kernel, libxslt, ruby, ruby:3.1, ruby:3.3, unbound, and webkit2gtk3), SUSE (glib2, grub2, kernel, libwebp, openssh, and s390-tools), and Ubuntu (linux, linux-azure, linux-azure-6.11, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oem-6.11, linux-raspi, linux-realtime, linux-azure, linux-azure-5.15, linux-nvidia-tegra, linux-azure, linux-azure-6.8, linux-oem-6.8, linux-azure, linux-kvm, linux-azure-fips, linux-azure-nvidia, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, mariadb-10.6, and postgresql-12, postgresql-14, postgresql-16).
---------------------------------------------
https://lwn.net/Articles/1022030/
∗∗∗ Assured Telematics Inc (ATI) Fleet Management System with Geotab Integration ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-11
∗∗∗ Vertiv Liebert RDU101 and UNITY ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-10
∗∗∗ AutomationDirect MB-Gateway ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-09
∗∗∗ Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-04
∗∗∗ f5: K000151431: Intel Ethernet Controller and Adapter vulnerability CVE-2024-24983 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151431
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 19-05-2025 18:00 − Dienstag 20-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains ∗∗∗
---------------------------------------------
A threat actor named Hazy Hawk has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-…
∗∗∗ 100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads ∗∗∗
---------------------------------------------
An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.
---------------------------------------------
https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html
∗∗∗ Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more… ∗∗∗
---------------------------------------------
Overall, we’ve proven that although a fair amount of effort has been put into enforcing the restrictions of Restricted View there are plenty of ways to circumvent them. Therefore, it is important for administrators and users to understand that it can not be relied on to secure data against motivated attackers.
---------------------------------------------
https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-…
∗∗∗ Duping Cloud Functions: An emerging serverless attack vector ∗∗∗
---------------------------------------------
Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure.
---------------------------------------------
https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serve…
∗∗∗ Compromised RVTools Installer Spreading Bumblebee Malware ∗∗∗
---------------------------------------------
RVTools installer on its official site was found delivering malware. Research shows it spread Bumblebee loader. Users urged to verify downloads.
---------------------------------------------
https://hackread.com/compromised-rvtools-installer-drop-bumblebee-malware/
∗∗∗ Gehärtete Images von Docker verbessern die Sicherheit und entlasten Entwickler ∗∗∗
---------------------------------------------
Mit den Hardened Images (DHI) bietet Docker sichere, schlanke und Compliance-konforme Images. Mit dabei sind unter anderem Microsoft, Neo4J oder GitLab.
---------------------------------------------
https://heise.de/-10388766
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3 Security Advisories Tue. 20th May, 2025 ∗∗∗
---------------------------------------------
TYPO3 has released 11 new security advisories.
---------------------------------------------
https://typo3.org/help/security-advisories
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, python311-cramjam, python311-httptools, python311-jwcrypto, python311-loguru, python311-mechanize, python311-nltk, python311-oauthlib, python311-py7zr, python311-pycapnp, python311-pyspnego, python311-pywayland, python311-suds, python311-treq, python311-ujson, python311-waitress, ruby3.4-rubygem-actionmailer, ruby3.4-rubygem-actiontext, ruby3.4-rubygem-activerecord, ruby3.4-rubygem-activestorage, ruby3.4-rubygem-fluentd, ruby3.4-rubygem-globalid, ruby3.4-rubygem-jquery-rails, ruby3.4-rubygem-kramdown, ruby3.4-rubygem-loofah, ruby3.4-rubygem-multi_xml, ruby3.4-rubygem-puma, ruby3.4-rubygem-rails, ruby3.4-rubygem-rails-html-sanitizer, ruby3.4-rubygem-sprockets, ruby3.4-rubygem-web-console, ruby3.4-rubygem-websocket-extensions, ucode-intel-20250512, and valkey), and Ubuntu (dotnet8, dotnet9, linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-oracle, linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, and linux-xilinx-zynqmp).
---------------------------------------------
https://lwn.net/Articles/1021740/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips).
---------------------------------------------
https://lwn.net/Articles/1021812/
∗∗∗ 22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/22000-wordpress-sites-affected-by-pr…
∗∗∗ Danfoss AK-SM 8xxA Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-03
∗∗∗ National Instruments Circuit Design Suite ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-02
∗∗∗ ABUP IoT Cloud Platform ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily