=====================
= End-of-Day report =
=====================
Timeframe: Monday 23-06-2025 18:00 - Tuesday 24-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Effects of the military conflict between Israel and Iran on Austria ∗∗∗
---------------------------------------------
Available analyses by international authorities and security companies have recorded increased activity by threat actors on all sides of the conflict since the start of the current military confrontation between Israel and Iran. [..] According to our observations so far, there have been no direct attacks on, or effects for, local companies or organisations.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/6/auswirkungen
∗∗∗ FileFix attack weaponizes Windows File Explorer for stealthy commands ∗∗∗
---------------------------------------------
A cybersecurity researcher has developed FileFix, a variant of the ClickFix social engineering attack that tricks users into executing malicious commands via the File Explorer address bar in Windows.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-wi…
∗∗∗ Police mobile phones unusable since cyberattack ∗∗∗
---------------------------------------------
An attack on the service mobile phones of the police in Mecklenburg-Vorpommern could have greater consequences than assumed. The phones are currently out of service.
---------------------------------------------
https://heise.de/-10456563
∗∗∗ BSI warns: fewer and fewer people use 2FA and secure passwords ∗∗∗
---------------------------------------------
A new study by the BSI shows a worrying trend. Despite the high threat level, people are behaving ever more carelessly online.
---------------------------------------------
https://www.golem.de/news/bsi-warnt-immer-weniger-menschen-nutzen-2fa-und-s…
∗∗∗ Remote code execution in CentOS Web Panel - CVE-2025-48703 ∗∗∗
---------------------------------------------
This exploitation scenario has been tested on versions 0.9.8.1204 and 0.9.8.1188 on Centos7 and reported to CWP developers the 13th of May 2025 as CVE-2025-48703. It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server. The vulnerability has been patched on latest version 0.9.8.1205 during June 2025.
---------------------------------------------
https://fenrisk.com/rce-centos-webpanel
∗∗∗ The State of Ransomware 2025 ∗∗∗
---------------------------------------------
Explore the causes and consequences of ransomware in 2025 based on findings from a vendor-agnostic survey of 3,400 organizations hit by ransomware in the last year.
---------------------------------------------
https://news.sophos.com/en-us/2025/06/24/the-state-of-ransomware-2025/
∗∗∗ Echo Chamber Jailbreak Tricks LLMs Like OpenAI and Google into Generating Harmful Content ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new jailbreaking method called Echo Chamber that could be leveraged to trick popular large language models (LLMs) into generating undesirable responses, irrespective of the safeguards put in place.
---------------------------------------------
https://thehackernews.com/2025/06/echo-chamber-jailbreak-tricks-llms-like.h…
∗∗∗ Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network ∗∗∗
---------------------------------------------
Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments.
---------------------------------------------
https://thehackernews.com/2025/06/hackers-exploit-misconfigured-docker.html
∗∗∗ A Deep Dive into a Modular Malware Family ∗∗∗
---------------------------------------------
In today’s blog post we highlighted an interesting malware family targeting various systems with diverse capabilities, including stealing credit card information and WordPress credentials. Additionally, we detailed a novel bundle of credit card skimmers and malicious WordPress plugins which combines malicious actions with features developed for the attacker’s convenience.
---------------------------------------------
https://www.wordfence.com/blog/2025/06/a-deep-dive-into-a-modular-malware-f…
=====================
= Vulnerabilities =
=====================
∗∗∗ Splunk Security Advisories 2025-06-23 ∗∗∗
---------------------------------------------
Splunk released 4 security advisories (1x critical).
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dns-root-data and xorg-server), Fedora (glibc, mingw-glib2, and optipng), Red Hat (iputils, kernel, kernel-rt, krb5, libarchive, mod_auth_openidc, mod_proxy_cluster, and xorg-x11-server-Xwayland), SUSE (python313), and Ubuntu (fig2dev, gnuplot, gss-ntlmssp, linux, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-aws-5.15, linux-gcp-5.15, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-aws-fips, linux-fips, linux-gcp-fips, linux-hwe-5.15, and linux-intel-iot-realtime, linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1026646/
∗∗∗ Kanboard: security vulnerability enables account takeover ∗∗∗
---------------------------------------------
In the open-source Kanban tool Kanboard, attackers can forge links that lead to account takeover. [..] The Kanboard developers provide updated sources and also Docker containers; they link to them in the release notes and discuss the Docker update.
---------------------------------------------
https://heise.de/-10457116
∗∗∗ Mozilla Firefox June 24, 2025 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ f5: K000151924: runc vulnerability CVE-2024-45310 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151924
∗∗∗ Case update: DIVD-2025-00032 - Unauthenticated Arbitrary Remote Code Execution in Pterodactyl ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2025-00032/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 20-06-2025 18:00 - Monday 23-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WordPress Motors theme flaw mass-exploited to hijack admin accounts ∗∗∗
---------------------------------------------
Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-motors-theme-flaw-…
∗∗∗ Canada says Salt Typhoon hacked telecom firm via Cisco flaw ∗∗∗
---------------------------------------------
The Canadian Centre for Cyber Security and the FBI confirm that the Chinese state-sponsored Salt Typhoon hacking group is also targeting Canadian telecommunication firms, breaching a telecom provider in February.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/canada-says-salt-typhoon-hac…
∗∗∗ ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware ∗∗∗
---------------------------------------------
Since March 2025 there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them.
---------------------------------------------
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
∗∗∗ SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play ∗∗∗
---------------------------------------------
SparkKitty, a new Trojan spy for iOS and Android, spreads through untrusted websites, the App Store, and Google Play, stealing images from users' galleries.
---------------------------------------------
https://securelist.com/sparkkitty-ios-android-malware/116793/
∗∗∗ Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms ∗∗∗
---------------------------------------------
The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals. The new feature takes the form of a "Call Lawyer" feature on the affiliate panel, per Israeli cybersecurity company Cybereason.
---------------------------------------------
https://thehackernews.com/2025/06/qilin-ransomware-adds-call-lawyer.html
∗∗∗ Google Adds Multi-Layered Defenses to Secure GenAI from Prompt Injection Attacks ∗∗∗
---------------------------------------------
Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems.
---------------------------------------------
https://thehackernews.com/2025/06/google-adds-multi-layered-defenses-to.html
∗∗∗ XDigo Malware Exploits Windows LNK Flaw in Eastern European Government Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut (LNK) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said.
---------------------------------------------
https://thehackernews.com/2025/06/xdigo-malware-exploits-windows-lnk-flaw.h…
∗∗∗ Record DDoS attack at 7.3 Tbit/s ∗∗∗
---------------------------------------------
In mid-May, Cloudflare blocked the "largest ever recorded" denial-of-service attack (DDoS), at a previously scarcely imaginable 7.3 terabits per second (Tbit/s). The US provider of IT security and internet performance solutions announced this on Friday.
---------------------------------------------
https://www.heise.de/news/Junk-Traffic-Flut-Rekord-DDoS-Angriff-auf-Provide…
∗∗∗ Fake reminder SMS in the name of the Ministry of Finance! ∗∗∗
---------------------------------------------
There is currently a phishing wave with alleged SMS messages from the Federal Ministry of Finance (BMF). They claim that a seizure is imminent because several payment reminders were supposedly ignored. Caution: do not pay this demand! The message does not come from the Ministry of Finance and your money ends up with criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-mahn-sms-im-namen-des-fi…
∗∗∗ New Detection Method Uses Hackers’ Own Jitter Patterns Against Them ∗∗∗
---------------------------------------------
A new detection method from Varonis Threat Labs turns hackers' sneaky random patterns into a way to catch hidden cyberattacks. Learn about Jitter-Trap and how it boosts cybersecurity defenses.
---------------------------------------------
https://hackread.com/cyber-detection-hackers-jitter-patterns-against-them/
∗∗∗ Report Warns of Sophisticated DDoS Campaigns Crippling Global Banks ∗∗∗
---------------------------------------------
A new FS-ISAC and Akamai report warns that sophisticated DDoS attacks are severely impacting the global financial sector, leading to multi-day outages. Learn about these evolving threats and how institutions can strengthen defences.
---------------------------------------------
https://hackread.com/sophisticated-ddos-campaigns-crippling-global-banks/
∗∗∗ More security, less manual work: AWS brings AI security ∗∗∗
---------------------------------------------
Security Hub, Shield and GuardDuty XTD receive new functions: with a specially trained AI, AWS wants to accelerate important security measures.
---------------------------------------------
https://heise.de/-10455859
∗∗∗ Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs ∗∗∗
---------------------------------------------
Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems.
---------------------------------------------
https://thecyberexpress.com/ukrainian-government-systems-targeted/
=====================
= Vulnerabilities =
=====================
∗∗∗ Opening is enough: WinRAR flaw lets attackers execute malicious code ∗∗∗
---------------------------------------------
The developer of WinRAR has closed a dangerous security vulnerability in its widely used archiving program that allows attackers to execute their own code on other people's systems. So far the patch only appears to be included in the beta version WinRAR 7.12 Beta 1, released on 10 June.
---------------------------------------------
https://www.golem.de/news/packprogramm-winrar-schwachstelle-ermoeglicht-aus…
∗∗∗ IBM QRadar SIEM: auto-update files can be contaminated with malicious code ∗∗∗
---------------------------------------------
Attackers can exploit several security vulnerabilities in IBM QRadar SIEM and, in the worst case, execute malicious code. A security patch closes several holes.
---------------------------------------------
https://www.heise.de/news/IBM-QRadar-SIEM-Autoupdate-Dateien-mit-Schadcode-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libblockdev and open-vm-tools), Debian (debian-security-support, gdk-pixbuf, konsole, and node-send), Fedora (apache-commons-beanutils, chromium, clamav, dotnet9.0, libblockdev, mediawiki, mingw-python-setuptools, pam, perl-File-Find-Rule, python-pycares, python-setuptools, spdlog, udisks2, and xorg-x11-server-Xwayland), Mageia (chromium-browser-stable), Oracle (apache-commons-beanutils, container-tools:ol8, gimp:2.8, idm:DL1, perl-FCGI:0.78, and postgresql), Red Hat (container-tools:rhel8, delve, git-lfs, go-toolset:rhel8, grafana, kernel, mod_auth_openidc, and spice-client-win), SUSE (apache-commons-beanutils, apache2-mod_security2, distribution, gstreamer-plugins-good, icu, ignition, perl, python310, python311, python312, and python39), and Ubuntu (apache-log4j1.2 and botan).
---------------------------------------------
https://lwn.net/Articles/1026498/
∗∗∗ Fortinet: Buffer overflow in fgfmd ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-036
∗∗∗ F5: K000151740, Ruby vulnerability CVE-2024-47220 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151740
∗∗∗ Fortinet: Teleport Remote Authentication Bypass ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6132
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 18-06-2025 18:00 - Friday 20-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Telecom giant Viasat breached by China's Salt Typhoon hackers ∗∗∗
---------------------------------------------
Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber-espionage group, which has previously hacked into the networks of multiple other telecom providers in the United States and worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telecom-giant-viasat-breache…
∗∗∗ Grok and Mixtral without limits: new AI tools generate phishing emails and malware ∗∗∗
---------------------------------------------
WormGPT was one of the first large language models intended specifically for cybercriminal activities and able to generate extremely convincing phishing emails. While the original disappeared again after only a few weeks, new LLMs have taken its place under the same name.
---------------------------------------------
https://www.golem.de/news/wormgpt-ist-zurueck-neue-ki-modelle-unterstuetzen…
∗∗∗ Cyberattacks: North Korean hackers fake superiors in video conferences ∗∗∗
---------------------------------------------
According to Bleeping Computer, the North Korean hacker group Bluenoroff has for some time been using a perfidious method to smuggle malware into companies. The aim is apparently to siphon off cryptocurrency, which the Bluenoroff group, said to be a subgroup of Lazarus, is known for.
---------------------------------------------
https://www.golem.de/news/cyberangriffe-nordkoreanische-hacker-faken-vorges…
∗∗∗ Cybersecurity: Iran said to have hacked Israeli security cameras ∗∗∗
---------------------------------------------
Iranian hackers are said to have accessed private surveillance cameras in Israel to gather information. As Bloomberg reports, citing a piece on Israeli broadcast, a former Israeli cybersecurity official has urged the public to switch off private surveillance cameras or change their passwords.
---------------------------------------------
https://www.golem.de/news/cybersicherheit-iran-soll-israelische-sicherheits…
∗∗∗ Analysis of a Malicious WordPress Plugin: The Covert Redirector ∗∗∗
---------------------------------------------
A few weeks ago, we received a support request from a website owner who was experiencing unexpected redirects. Visitors landed on the website normally, but after about 4–5 seconds, the site redirected them to unrelated and suspicious websites. During the investigation, we discovered a malicious plugin that was responsible for this behavior, continuing the trend of attackers using fake WordPress plugins.
---------------------------------------------
https://blog.sucuri.net/2025/06/analysis-of-a-malicious-wordpress-plugin-th…
∗∗∗ New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains ∗∗∗
---------------------------------------------
A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails. The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix.
---------------------------------------------
https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html
∗∗∗ Proxy: bypass of restrictions possible in Apache Traffic Server ∗∗∗
---------------------------------------------
Two security vulnerabilities have been discovered in Apache Traffic Server (ATS), an open-source proxy server. Attackers can abuse them to bypass access restrictions or to carry out denial-of-service attacks. Updated sources are available to fix the vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Proxy-Umgehung-von-Beschraenkungen-in-Apache-Traf…
∗∗∗ Resurgence of the Prometei Botnet ∗∗∗
---------------------------------------------
In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant.
---------------------------------------------
https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/
∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗
---------------------------------------------
Since November 2024, AhnLab has been working with the NCSC to analyze the malicious IRC server and related malware to classify the unidentified threat actor as Larva-24013 and trace their activities, and has confirmed their association with the Shadow Force group. AhnLab manages malicious activities in four stages through the “Threat Actor Naming and Taxonomy,” classifying threat actors as “Larva” (unidentified threat actors) and “Arthropod” (identified threat actors). Following AhnLab’s threat actor taxonomy and naming convention, the threat actor has been identified and named TA-ShadowCricket.
---------------------------------------------
https://asec.ahnlab.com/en/88137/
∗∗∗ Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages ∗∗∗
---------------------------------------------
Cybercriminals are finding clever new ways to trick people, even on the official websites of major companies. Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands.
---------------------------------------------
https://hackread.com/scammers-fake-support-numbers-real-apple-netflix-paypa…
∗∗∗ Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories ∗∗∗
---------------------------------------------
ReversingLabs researchers recently uncovered a new and worrying attack method led by a group called Banana Squad. This group, first identified by Checkmarx researchers in October 2023, is known for their sneaky methods, with their name coming from an early harmful internet address, bananasquadru.
---------------------------------------------
https://hackread.com/banana-squad-data-stealing-malware-github-repositories/
∗∗∗ New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack ∗∗∗
---------------------------------------------
A new and concerning cyber threat, dubbed Mocha Manakin, has been identified by cybersecurity research firm Red Canary. First tracked in January 2025, this threat uniquely combines social engineering (tricking people) with specially built malicious software.
---------------------------------------------
https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack/
∗∗∗ What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia ∗∗∗
---------------------------------------------
In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high risk users.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-…
∗∗∗ Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords ∗∗∗
---------------------------------------------
In recent years, users’ familiarity with common phishing tactics, increasingly advanced detection and blocking by platforms, and the rise in use of Multi-Factor Authentication (MFA), have all contributed to changes in the ways that attackers phish accounts. The introduction of more secure forms of MFA, such as hardware security keys, has also closed off certain avenues of social engineering.
---------------------------------------------
https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-…
∗∗∗ Fraudsters use postal mail to rip off Ledger wallet owners ∗∗∗
---------------------------------------------
Anyone who deals with cryptocurrencies and assets has surely at least toyed with hardware wallets such as Ledger's. A reader has now received an insufficiently stamped letter. With it, criminals attempt to take over and empty the Ledger crypto wallet.
---------------------------------------------
https://heise.de/-10453136
∗∗∗ Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion ∗∗∗
---------------------------------------------
On June 11, 2025, Huntress received contact from a partner saying that an end user had downloaded, potentially, a malicious Zoom extension. The depth of the intrusion became immediately apparent upon installing the Huntress EDR agent, and after some analysis, it was discovered that the lure used to gain access was received by the victim several weeks prior. This post aims to provide a detailed analysis from beginning to end of the intrusion, including a full breakdown of several new pieces of malware used by the threat actors.
---------------------------------------------
https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
∗∗∗ Israel-Iran Conflict Sparks Wider Cyber Conflict, New Malware ∗∗∗
---------------------------------------------
The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a wider cyber conflict in the region, including the launch of new malware campaigns.
---------------------------------------------
https://thecyberexpress.com/israel-iran-conflict-hacktivism/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gvisor-tap-vsock), Debian (activemq and chromium), Fedora (kea, python-django4.2, python-django5, python-setuptools, and rust-git-interactive-rebase-tool), Oracle (ipa and kernel), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, gvisor-tap-vsock, podman, and skopeo), Slackware (libblockdev and xorg), SUSE (gdm, gstreamer-plugins-base, ignition, kernel, pam, redis, s390-tools, screen, systemd, and xorg-x11-server), and Ubuntu (godot, golang-1.22, libblockdev, node-express, pam, samba, and udisks2).
---------------------------------------------
https://lwn.net/Articles/1026007/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by SUSE (apache2-mod_security2, augeas, ghc-pandoc, gstreamer, ignition, kernel, libblockdev, libxml2, nodejs20, openssl-3, pam_pkcs11, perl, python3, systemd, ucode-intel, webkit2gtk3, and xen) and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-gcp-fips, python3.13, python3.12, and roundcube).
---------------------------------------------
https://lwn.net/Articles/1026281/
∗∗∗ Critical vulnerabilities CVE-2025-6018 and CVE-2025-6019 in Linux systems ∗∗∗
---------------------------------------------
Security researchers at Qualys TRU have uncovered two linked, critical vulnerabilities in Linux. Starting from SUSE 15, the LPE chain leads directly to root access in the default configurations of many Linux distributions.
---------------------------------------------
https://www.borncity.com/blog/2025/06/19/kritische-schwachstellen-in-linux-…
∗∗∗ Cisco Meraki MX and Z: attackers can interrupt VPN connections ∗∗∗
---------------------------------------------
The Cisco AnyConnect VPN server of Cisco Meraki MX and Z is vulnerable. In addition, attackers can exploit a vulnerability in ClamAV. Security patches are available for download. So far there are no reports of attacks.
---------------------------------------------
https://heise.de/-10452498
∗∗∗ ZDI-25-408: PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-408/
∗∗∗ ZDI-25-410: Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-410/
∗∗∗ ZDI-25-409: RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-409/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 9, 2025 to June 15, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/06/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 17-06-2025 18:00 - Wednesday 18-06-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Cybersecurity takes a big hit in new Trump executive order ∗∗∗
---------------------------------------------
Cybersecurity practitioners are voicing concerns over a recent executive order issued by the White House that guts requirements for: securing software the government uses, punishing people who compromise sensitive networks, preparing new encryption schemes that will withstand attacks from quantum computers, and other existing controls.
---------------------------------------------
https://arstechnica.com/security/2025/06/cybersecurity-take-a-big-hit-in-ne…
∗∗∗ Instagram BMO ads use AI deepfakes to scam banking customers ∗∗∗
---------------------------------------------
Instagram ads impersonating financial institutions like Bank of Montreal (BMO) and EQ Bank (Equitable Bank) are being used to target Canadian consumers with phishing scams and investment fraud. Some ads use AI-powered deepfake videos in an attempt to collect your personal information, while others use official branding to drive traffic outside of the platform to lookalike illicit domains that are not affiliated with banks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/instagram-bmo-ads-use-ai-dee…
∗∗∗ Protection against cyberattacks: Iran takes itself off the net ∗∗∗
---------------------------------------------
Iran is apparently deliberately restricting its connection to the global internet in order to protect itself from possible cyberattacks from Israel as a result of the Israeli-Iranian war that has been ongoing since 13 June. Initially only the speed was throttled. According to an X post by Netblocks, Iran's traffic dropped by 75 percent within a very short time.
---------------------------------------------
https://www.golem.de/news/schutz-vor-cyberangriffen-der-iran-nimmt-sich-sel…
∗∗∗ LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a now-patched security flaw in LangChain's LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts.
---------------------------------------------
https://thehackernews.com/2025/06/langchain-langsmith-bug-let-hackers.html
∗∗∗ Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor ∗∗∗
---------------------------------------------
A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor codenamed Trinper. The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3).
---------------------------------------------
https://thehackernews.com/2025/06/google-chrome-zero-day-cve-2025-2783.html
∗∗∗ Exploring Netstalking – Mapping the Hidden Corners of the Internet ∗∗∗
---------------------------------------------
Netstalking is the art of exploring little-known, rarely visited parts of the internet—ranging from forgotten photo archives and open surveillance cameras to defunct servers and prototype systems—using techniques like IP scanning, deep web search, and network archaeology. The activity originated in 2009 among Russian internet subcultures and draws its name from the “S.T.A.L.K.E.R.” mythos.
---------------------------------------------
https://www.darknet.org.uk/2025/06/exploring-netstalking-mapping-the-hidden…
∗∗∗ Minecraft Players Targeted in Sophisticated Malware Campaign ∗∗∗
---------------------------------------------
This campaign reminds us that even the most familiar digital spaces can become a playground for cyber criminals. By disguising malware as Minecraft mods, attackers were able to quietly target an engaged and unsuspecting user base with a multistage, Java-based infection chain. Because these files often appear harmless and can slip past traditional defenses, any Minecraft player is at risk.
---------------------------------------------
https://blog.checkpoint.com/research/minecraft-players-targeted-in-sophisti…
∗∗∗ Scattered Spider hackers targeting insurance industry following retail hits, Google warns ∗∗∗
---------------------------------------------
A group of hackers behind a recent string of attacks on retail stores in the U.K. and U.S. has shifted its focus to insurance firms in recent days, according to cybersecurity researchers.
---------------------------------------------
https://therecord.media/scattered-spider-targeting-insurance-sector-followi…
∗∗∗ When legitimate tools go rogue ∗∗∗
---------------------------------------------
Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders.
---------------------------------------------
https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/
∗∗∗ CVE Trends to Watch: Real-World Risks to Telecom and Professional Services ∗∗∗
---------------------------------------------
Between 2023 and 2025, there was a 38% increase in CVEs. Learn which industry sectors have seen the highest levels of CVEs, and which CVEs had the highest impact.
---------------------------------------------
https://www.bitsight.com/blog/cve-trends-by-sector
∗∗∗ Eight-character passwords insufficient: data protection fine for genetics company 23andme ∗∗∗
---------------------------------------------
In 2023, almost 7 million records of 23andme customers were offered for sale on the darknet. The United Kingdom is imposing a multi-million fine.
---------------------------------------------
https://heise.de/-10450679
∗∗∗ AMD plugs security holes in crypto coprocessor and TPM ∗∗∗
---------------------------------------------
In June, AMD released updated firmware that closes security vulnerabilities in its processors, some of them high-risk. Affected are, among others, the crypto coprocessors and the firmware TPM of modern Ryzen CPUs and, in part, of the stripped-down Athlon CPUs.
---------------------------------------------
https://heise.de/-10451026
∗∗∗ Malvertising: malicious ads plant fake phone numbers on vendor pages ∗∗∗
---------------------------------------------
Fraudsters are using advertising links in search results to plant fake phone numbers on genuine vendor pages, IT security researchers warn.
---------------------------------------------
https://heise.de/-10451518
∗∗∗ 2025 Blockchain and Cryptocurrency Threat Report: Malware in the Open Source Supply Chain ∗∗∗
---------------------------------------------
An in-depth analysis of credential stealers, crypto drainers, cryptojackers, and clipboard hijackers abusing open source package registries to compromise Web3 development environments.
---------------------------------------------
https://socket.dev/blog/2025-blockchain-and-cryptocurrency-threat-report?ut…
∗∗∗ libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden ∗∗∗
---------------------------------------------
Libxml2’s solo maintainer drops embargoed security fixes, highlighting the burden on unpaid volunteers who keep critical open source software secure.
---------------------------------------------
https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-rep…
=====================
= Vulnerabilities =
=====================
∗∗∗ BeyondTrust warns of pre-auth RCE in Remote Support software ∗∗∗
---------------------------------------------
BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let unauthenticated attackers gain remote code execution on vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-pre-aut…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-bad1.0, konsole, and libblockdev), Oracle (buildah, containernetworking-plugins, gimp, git-lfs, gvisor-tap-vsock, kernel, libvpx, podman, and skopeo), Red Hat (apache-commons-beanutils and thunderbird), Slackware (xorg), SUSE (gdm, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, kernel, Multi-Linux Manager, Multi-Linux Manager Client Tools, openssl-3, pam, python-cryptography, python-requests, python-setuptools, python3-requests, SUSE Manager Server, systemd, ucode-intel, xorg-x11-server, and xwayland), and Ubuntu (dwarfutils, mujs, node-katex, xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/1025862/
∗∗∗ Citrix NetScaler ADC: fix critical vulnerabilities urgently ∗∗∗
---------------------------------------------
The vulnerabilities affect NetScaler ADC and Gateway versions 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, as well as various FIPS variants. Important: older versions (12.1 and 13.0) are end-of-life (EOL) and no longer receive security updates. Citrix's recommended action is an immediate update to the patched versions (e.g. 14.1-43.56, 13.1-58.32). After the update, all active ICA and PCoIP sessions on all NetScaler appliances should be terminated to ensure complete protection.
---------------------------------------------
https://www.borncity.com/blog/2025/06/18/citrix-netscaler-adc-kritische-sic…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released five Industrial Control Systems (ICS) advisories on June 17, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/06/17/cisa-releases-five-indus…
∗∗∗ CISA Flags CVE-2023-0386 as Actively Exploited Linux Kernel Privilege Escalation Threat ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the active exploitation of a critical Linux kernel vulnerability, officially listed as CVE-2023-0386. The vulnerability, which carries a CVSS score of 7.8, is categorized as a Linux Kernel Privilege Escalation flaw. It stems from improper ownership management within the Linux kernel’s OverlayFS subsystem. If exploited successfully, attackers can escalate privileges on affected systems, gain unauthorized access, and potentially execute arbitrary code with elevated rights.
---------------------------------------------
https://thecyberexpress.com/cisa-warns-cve-2023-0386-linux-vulnerability/
∗∗∗ Windows 11: out-of-band update KB5063060 with error 0x800f0818 / 0x80070306 ∗∗∗
---------------------------------------------
A brief addendum to the security updates released in June 2025 for Windows 10 and Windows 11. These are causing various problems for some users. For instance, the out-of-band update KB5063060, pushed out on 11 June 2025, throws installation error 0x800f0818 or 0x80070306 for some users.
---------------------------------------------
https://www.borncity.com/blog/2025/06/18/windows-11-out-of-band-update-kb50…
∗∗∗ Chrome for Android Update ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/06/chrome-for-android-update_17.h…
∗∗∗ LS Electric GMWin 4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-02
∗∗∗ Dover Fueling Solutions ProGauge MagLink LX Consoles ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-05
∗∗∗ Fuji Electric Smart Editor ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-04
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 16-06-2025 18:00 − Tuesday 17-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Apple: vulnerability in various operating systems under attack ∗∗∗
---------------------------------------------
According to Apple, the newly attacked vulnerability affects Messages. "A logic error can occur when processing maliciously crafted photos or videos shared via an iCloud link," the developers write (CVE-2025-43200 / EUVD-2025-18428, CVSS still pending, risk rating currently missing). They go on to explain: "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals." The vulnerability entry dates from Monday of this week. Apple had, however, already updated or newly published security advisories for the various operating systems and versions on Thursday of last week.
---------------------------------------------
https://heise.de/-10449241
∗∗∗ Cross-Site Scripting (XSS) vulnerability CVE-2025-4123 in Grafana ∗∗∗
---------------------------------------------
In recent days, a cross-site scripting (XSS) vulnerability, CVE-2025-4123, in the open-source software Grafana became public. It is a critical open redirect flaw in Grafana that could lead to account takeover. [..] SonicWall had already made this public on 5 June 2025 in the post "High-Severity Open Redirect Vulnerability in Grafana Leads to Account Takeover: CVE-2025-4123". According to the Grafana security advisory "Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin" of 21 May 2025, CVE-2025-4123 is fixed in versions v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01 and v12.0.0+security-01.
---------------------------------------------
https://www.borncity.com/blog/2025/06/17/cross-site-scripting-xss-schwachst…
∗∗∗ Water Curse Targets Infosec Pros via Poisoned GitHub Repositories ∗∗∗
---------------------------------------------
The emerging threat group attacks the supply chain via weaponized repositories posing as legitimate pen-testing suites and other tools that are poisoned with malware.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/water-curse-targets-…
∗∗∗ How Long Until the Phishing Starts? About Two Weeks, (Tue, Jun 17th) ∗∗∗
---------------------------------------------
I recently added an account to my Google Workspace domain (montance[dot]com). Friday, May 16th, 10:10 am, to be exact. Something interesting to note about the domain configuration is there’s a catchall account in place, so all email addresses are valid. Starting May 28th the new account started receiving targeted phishing email messages. [..] Nothing especially surprising, but a reminder that they’re watching for opportunities. Someone new at the company and eager to appear responsive seems like a good phishing target!
---------------------------------------------
https://isc.sans.edu/diary/rss/32052
∗∗∗ TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request.
---------------------------------------------
https://thehackernews.com/2025/06/tp-link-router-flaw-cve-2023-33538.html
∗∗∗ New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have called attention to a new campaign that's actively exploiting a recently disclosed critical security flaw in Langflow to deliver the Flodrix botnet malware.
---------------------------------------------
https://thehackernews.com/2025/06/new-flodrix-botnet-variant-exploits.html
∗∗∗ A cooler full of Stiegl beer? Beware of the fake prize draw! ∗∗∗
---------------------------------------------
A phishing wave is currently sweeping through Austrian WhatsApp accounts. The Stiegl brewery is allegedly giving away a cooler full of beer. Behind it, however, is nothing but a well-known combination of subscription trap and phishing attack, with a clever new twist.
---------------------------------------------
https://www.watchlist-internet.at/news/stiegl-bier-fake-phishing/
∗∗∗ Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation ∗∗∗
---------------------------------------------
We analyze two new KimJongRAT stealer variants, combining new research with existing knowledge. One uses a Portable Executable (PE) file and the other PowerShell.
---------------------------------------------
https://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/
=====================
= Vulnerabilities =
=====================
∗∗∗ Hard-Coded 'b' Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution. Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports. [..] This also means that the exploit chain only works if users have installed Sitecore using installers for versions ≥ 10.1. Users are likely not impacted if they were previously running a version prior to 10.1 and then upgraded to a newer vulnerable version, assuming the old database is being migrated, and not the database embedded within the installation package. WT-2025-0024 (CVE-2025-XXXXX), WT-2025-0032 (CVE-2025-XXXXX), WT-2025-0025 (CVE-2025-XXXXX)
---------------------------------------------
https://thehackernews.com/2025/06/hard-coded-b-password-in-sitecore-xp.html
∗∗∗ Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2 ∗∗∗
---------------------------------------------
CVE-2025-23121: A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. Severity: Critical
---------------------------------------------
https://www.veeam.com/kb4743
∗∗∗ ASUS Armoury Crate bug lets attackers get Windows admin privileges ∗∗∗
---------------------------------------------
Armoury Crate is the official system control software for Windows from ASUS, providing a centralized interface to control RGB lighting (Aura Sync), adjust fan curves, manage performance profiles and ASUS peripherals, as well as download drivers and firmware updates. [..] Cisco Talos validated that CVE-2025-3464 impacts Armoury Crate version 5.9.13.0, but ASUS' bulletin notes that the flaw impacts all versions between 5.9.9.0 and 6.1.18.0. [..] A high-severity vulnerability in ASUS Armoury Crate software could allow threat actors to escalate their privileges to SYSTEM level on Windows machines. The security issue is tracked as CVE-2025-3464 and received a severity score of 8.8 out of 10.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/asus-armoury-crate-bug-lets-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, buildah, containernetworking-plugins, firefox, gstreamer1-plugins-bad-free, libsoup3, podman, skopeo, sqlite, thunderbird, unbound, valkey, varnish, and xz), Debian (webkit2gtk), Fedora (fido-device-onboard, python-django4.2, rust-git-interactive-rebase-tool, and thunderbird), Red Hat (libsoup), Slackware (libxml2), SUSE (java-11-openjdk, kernel, and wireshark), and Ubuntu (c3p0, dojo, python-django, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, and requests).
---------------------------------------------
https://lwn.net/Articles/1025734/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 13-06-2025 18:00 − Monday 16-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Washington Post's email system hacked, journalists' accounts compromised ∗∗∗
---------------------------------------------
Email accounts of several Washington Post journalists were compromised in a cyberattack believed to have been carried out by a foreign government.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/washington-posts-email-syste…
∗∗∗ Kali Linux 2025.2 released with 13 new tools, car hacking updates ∗∗∗
---------------------------------------------
Kali Linux 2025.2, the second release of the year, is now available for download with 13 new tools and an expanded car hacking toolkit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kali-linux-20252-released-wi…
∗∗∗ BKA shuts down darknet marketplace "Archetyp Market" ∗∗∗
---------------------------------------------
The BKA arrested the suspected operator of the online drug marketplace "Archetyp Market" in Barcelona on Wednesday of last week.
---------------------------------------------
https://www.heise.de/news/BKA-schaltet-Darknet-Marktplatz-Archetyp-Market-a…
∗∗∗ The makers of state trojans are adversaries, not allies ∗∗∗
---------------------------------------------
The head of Google's threat intelligence department makes clear why she regards such companies as adversaries. In the interview she also explains the growing relevance of AI for attackers and the threat from North Korea.
---------------------------------------------
https://www.derstandard.at/story/3000000273949/die-hersteller-von-staatstro…
∗∗∗ Hackers Leak Data of 10,000 VirtualMacOSX Customers in Alleged Breach ∗∗∗
---------------------------------------------
Hackers leak data of 10,000 VirtualMacOSX customers in alleged breach, exposing names, emails, passwords, and financial details on a hacking forum.
---------------------------------------------
https://hackread.com/hackers-leak-virtualmacosx-customers-data-breach/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM AIX/VIOS and DataPower Gateway vulnerable to malicious code attacks ∗∗∗
---------------------------------------------
If attackers successfully exploit vulnerabilities in IBM AIX/VIOS and DataPower Gateway, malicious code can reach systems and compromise them. Updates close the vulnerabilities.
---------------------------------------------
https://www.heise.de/news/IBM-AIX-VIOS-und-DataPower-Gateway-fuer-Schadcode…
∗∗∗ Attackers can attack servers via vulnerability in Dell iDRAC Tools ∗∗∗
---------------------------------------------
Attackers can exploit a vulnerability in Dell iDRAC Tools to attack servers. The developers have since closed the vulnerability.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecke-in-Dell-iDRAC-Tools-gefaehrdet-…
∗∗∗ Dell ControlVault: attackers can fully compromise systems ∗∗∗
---------------------------------------------
Dell's ControlVault has security vulnerabilities in its drivers and firmware that allow attackers to inject and execute malicious code and thereby take over systems. Dell is providing updated software to close the security holes.
---------------------------------------------
https://www.heise.de/news/Dell-ControlVault-Angreifer-koennen-Systeme-volls…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0 and .NET 9.0), Arch Linux (curl, ghostscript, go, konsole, python-django, roundcubemail, and samba), Fedora (aerc, chromium, golang-x-perf, libkrun, python3.11, python3.12, rust-kbs-types, rust-sev, rust-sevctl, valkey, and wireshark), Gentoo (Konsole and sysstat), Oracle (.NET 9.0), Red Hat (bootc, grub2, keylime-agent-rust, python3.12-cryptography, rpm-ostree, rust-bootupd, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (apache2-mod_auth_openidc, docker, grub2, java-1_8_0-openj9, kernel, less, python-Django, screen, and sqlite3), and Ubuntu (cifs-utils and modsecurity-apache).
---------------------------------------------
https://lwn.net/Articles/1025618/
∗∗∗ Tenable: Nessus Agent Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-11
∗∗∗ Chromium: CVE-2025-5959 Type Confusion in V8 ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-5959
∗∗∗ Chromium: CVE-2025-5958 Use after free in Media ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-5958
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 12-06-2025 18:00 − Friday 13-06-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Trend Micro fixes critical vulnerabilities in multiple products ∗∗∗
---------------------------------------------
Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trend-micro-fixes-six-critic…
∗∗∗ After more than 100 years: cyberattack pushes German company into insolvency ∗∗∗
---------------------------------------------
Napkin manufacturer Fasana, based in Euskirchen, has payment problems following a cyberattack. Hackers brought operations to a complete standstill.
---------------------------------------------
https://www.golem.de/news/nach-ueber-100-jahren-cyberangriff-draengt-deutsc…
∗∗∗ [Guest Diary] Anatomy of a Linux SSH Honeypot Attack: Detailed Analysis of Captured Malware, (Fri, Jun 13th) ∗∗∗
---------------------------------------------
This is a Guest Diary by Michal Ambrozkiewicz, an ISC intern as part of the SANS.edu Bachelor ..
---------------------------------------------
https://isc.sans.edu/diary/Guest+Diary+Anatomy+of+a+Linux+SSH+Honeypot+Atta…
∗∗∗ WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network ∗∗∗
---------------------------------------------
The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own ..
---------------------------------------------
https://thehackernews.com/2025/06/wordpress-sites-turned-weapon-how.html
∗∗∗ "Login from unrecognized device": phishing attack in the name of PayPal ∗∗∗
---------------------------------------------
An alleged login to an existing PayPal profile brings the equally alleged security department of the company onto the scene. Behind the alarming emails and SMS messages, however, is nothing more than a classic phishing scam.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-attacke-paypal/
∗∗∗ Bert ransomware: what you need to know ∗∗∗
---------------------------------------------
Bert is a recently discovered strain of ransomware that encrypts victims' files and demands a payment for the decryption key. Read more in my article on the Fortra blog.
---------------------------------------------
https://www.fortra.com/blog/bert-ransomware-what-you-need-know
∗∗∗ Serverless Tokens in the Cloud: Exploitation and Detections ∗∗∗
---------------------------------------------
Understand the mechanics of serverless authentication: three simulated attacks across major CSPs offer effective approaches for application developers.
---------------------------------------------
https://unit42.paloaltonetworks.com/serverless-authentication-cloud/
∗∗∗ Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors ..
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a
∗∗∗ Email security: increased attacks using SVG ∗∗∗
---------------------------------------------
More and more phishing campaigns are using the little-known vector graphics format SVG. It can contain scripts that are executed when the file is opened.
---------------------------------------------
https://heise.de/-10444330
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, glibc, kernel, and mod_security), Fedora (chromium, gh, mingw-icu, nginx-mod-modsecurity, python3.10, python3.9, thunderbird, valkey, and yarnpkg), Oracle (.NET 8.0, .NET 9.0, glibc, grafana-pcp, kernel, libxml2, mod_security, nodejs:20, and thunderbird), SUSE (audiofile, helm, kubernetes-old, kubernetes1.23, kubernetes1.24, libcryptopp, postgresql15, thunderbird, and valkey), and Ubuntu (linux-nvidia-tegra-igx).
---------------------------------------------
https://lwn.net/Articles/1025354/
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released ten Industrial Control Systems (ICS) advisories on June 12, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-162-01 Siemens Tecnomatix Plant Simulation
ICSA-25-162-02 Siemens RUGGEDCOM APE1808
ICSA-25-162-03 Siemens SCALANCE and RUGGEDCOM
ICSA-25-162-04 ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-ten-indust…
∗∗∗ [R1] Nessus Agent Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-11
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-06-2025 18:00 − Thursday 12-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CRA Vulnerability Reports: why would we not share them with other CSIRTs? ∗∗∗
---------------------------------------------
The Cyber Resilience Act (Regulation (EU) 2024/2847) defines security requirements for products with digital elements and requires vendors to report to national CSIRTs if a vulnerability in one of their products is actively exploited.
---------------------------------------------
https://www.cert.at/en/blog/2025/6/cra-vulnerability-reports-why-would-we-n…
∗∗∗ Fog ransomware attack uses unusual mix of legitimate and open-source tools ∗∗∗
---------------------------------------------
Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fog-ransomware-attack-uses-u…
∗∗∗ Password-spraying attacks target 80,000 Microsoft Entra ID accounts ∗∗∗
---------------------------------------------
Hackers have been using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/password-spraying-attacks-ta…
∗∗∗ Google Bug Allowed Brute-Forcing of Any User Phone Number ∗∗∗
---------------------------------------------
Google has fixed a security vulnerability in its page for recovering account details that allowed anyone to access the page and brute-force the private phone number of any user. The flaw posed a significant risk to Google users by exposing them to risk of phishing and other attacks.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/google-bug-brute-forcin…
∗∗∗ Air-gapped systems: malware exfiltrates data via high-frequency sound ∗∗∗
---------------------------------------------
Well-known security researcher Mordechai Guri has presented a new attack technique that allows data to be exfiltrated via a smartwatch from air-gapped systems that have no network connection of their own. The attack, called Smartattack, is based on transmitting data by sound waves in such a high frequency range that, depending on hearing ability, they are barely or not at all perceptible to humans.
---------------------------------------------
https://www.golem.de/news/air-gapped-systeme-malware-leitet-daten-ueber-hoc…
∗∗∗ Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks ∗∗∗
---------------------------------------------
Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks.
---------------------------------------------
https://thehackernews.com/2025/06/former-black-basta-members-use.html
∗∗∗ Critical security vulnerability in Microsoft 365 Copilot shows the risk of AI agents ∗∗∗
---------------------------------------------
The M365 AI agent could be tricked into disclosing sensitive information via e-mail and without a single mouse click. Microsoft has now closed the gap.
---------------------------------------------
https://www.heise.de/news/Kritische-Sicherheitsluecke-in-Microsoft-365-Copi…
∗∗∗ Brand counterfeiting online: a growing threat to Austrian e-commerce ∗∗∗
---------------------------------------------
Hardly any brand is safe from counterfeiting on the internet: criminals use stolen logos and product images of popular retailers to create deceptively genuine fake shops. Besides well-known brands, small and medium-sized enterprises (SMEs) are increasingly affected. A study by the Austrian Institute for Applied Telecommunications (ÖIAT) examined the extent of brand counterfeiting on the internet and developed concrete recommendations for action for SMEs.
---------------------------------------------
https://www.watchlist-internet.at/news/markenfaelschungen-im-netz-eine-wach…
∗∗∗ JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique ∗∗∗
---------------------------------------------
We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. Threat actors commonly use this type of campaign to invisibly redirect victims from legitimate websites to malicious pages that serve malware, exploits and spam.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-…
∗∗∗ Fortinet: attackers can redirect VPN connections ∗∗∗
---------------------------------------------
Several Fortinet products are vulnerable. Attackers can exploit security vulnerabilities in FortiADC, FortiAnalyzer, FortiClientEMS, FortiClientWindows, FortiManager, FortiManager Cloud, FortiOS, FortiPAM, FortiProxy, FortiSASE and FortiWeb. In the worst case, this can lead to the execution of malicious code.
---------------------------------------------
https://heise.de/-10441108
=====================
= Vulnerabilities =
=====================
∗∗∗ Phishing attacks with manipulated SVG files - caution advised ∗∗∗
---------------------------------------------
CERT.at warns of sharply increasing phishing campaigns in which manipulated SVG files (Scalable Vector Graphics) are used as e-mail attachments. This attack method has been observed with increasing frequency for several months and poses a serious threat, since SVG files are not sufficiently inspected by many security solutions.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/6/phishing-angriffe-mit-manipulierten…
∗∗∗ GitLab patches high severity account takeover, missing auth issues ∗∗∗
---------------------------------------------
GitLab has released security updates to address multiple vulnerabilities in the company's DevSecOps platform, including ones enabling attackers to take over accounts and inject malicious jobs in future pipelines. The company released GitLab Community and Enterprise versions 18.0.2, 17.11.4, and 17.10.8 to address these security flaws and urged all admins to upgrade immediately.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity…
∗∗∗ Thunderbird: HTML mails can leak credentials, update available ∗∗∗
---------------------------------------------
Mozilla has released updates for Thunderbird. They plug a security hole in the display of HTML e-mails.
---------------------------------------------
https://www.heise.de/news/Thunderbird-HTML-Mails-koennen-Zugangsdaten-verra…
∗∗∗ Palo Alto patches high-risk vulnerabilities in PAN-OS and GlobalProtect ∗∗∗
---------------------------------------------
Palo Alto Networks has issued security advisories on vulnerabilities in several products such as the PAN-OS operating system and the GlobalProtect app. Attackers can abuse the vulnerabilities to inject commands and execute them with elevated privileges, to inject and execute malicious code, or to view traffic without authorization.
---------------------------------------------
https://www.heise.de/news/Palo-Alto-stopft-hochriskante-Luecken-in-PAN-OS-u…
∗∗∗ Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) ∗∗∗
---------------------------------------------
ONLYOFFICE Docs was affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which were reflected in the server's HTML response.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel), Debian (chromium, gst-plugins-bad1.0, node-tar-fs, and ublock-origin), Gentoo (Emacs, File-Find-Rule, GStreamer, GStreamer Plugins, GTK+ 3, LibreOffice, Node.js, OpenImageIO, Python, PyPy, Qt, X.Org X server, XWayland, and YAML-LibYAML), Mageia (mariadb and roundcubemail), Red Hat (go-toolset:rhel8, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, libxml2, libxslt, mod_security, nodejs:20, and perl-FCGI:0.78), Slackware (mozilla), SUSE (docker, docker-compose, iputils, kernel, libsoup, open-vm-tools, rabbitmq-server, rabbitmq-server313, wget, and yelp), and Ubuntu (libsoup2.4 and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1025208/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-06-2025 18:00 − Wednesday 11-06-2025 18:00
Handler: Alexander Riepl
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Microsoft Outlook to block more risky attachments used in attacks ∗∗∗
---------------------------------------------
Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-outlook-to-block-m…
∗∗∗ ConnectWise rotating code signing certificates over security concerns ∗∗∗
---------------------------------------------
ConnectWise is warning customers that it is rotating the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables over security concerns.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-si…
∗∗∗ Tens of thousands of surveillance cameras stream unprotected onto the internet ∗∗∗
---------------------------------------------
Surveillance cameras are everywhere: in subways, on doorbells and in elevators. Often you don't even notice them, because there are now such small and inconspicuous models. American security researchers are now warning how easy it is for third parties to gain access to the feeds of such surveillance cameras. In a test, the experts at Bitsight were able to retrieve live feeds from a total of 40,000 cameras connected to the internet.
---------------------------------------------
https://futurezone.at/digital-life/zehntausende-ueberwachungskameras-stream…
∗∗∗ Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th) ∗∗∗
---------------------------------------------
RATs are popular malware. There are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated.
---------------------------------------------
https://isc.sans.edu/diary/rss/32036
∗∗∗ Trump Quietly Throws Out Biden's Cyber Policies ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from Axios: President Trump quietly took a red pen to much of the Biden administration's cyber legacy in a little-noticed move late Friday. Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Biden's cyber policy legacy - while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber
---------------------------------------------
https://it.slashdot.org/story/25/06/10/2044217/trump-quietly-throws-out-bid…
∗∗∗ Unexplained phishing incidents around Booking.com ∗∗∗
---------------------------------------------
Hotels in South Tyrol are increasingly dealing with compromised Booking.com extranet accounts, through which they communicate with guests. It is still unclear why.
---------------------------------------------
https://www.heise.de/news/Ungeklaerte-Phishing-Vorfaelle-rund-um-Booking-co…
∗∗∗ UEFI BIOS vulnerabilities: SecureBoot bypass and firmware replacement possible ∗∗∗
---------------------------------------------
Two different security vulnerabilities in various UEFI BIOS versions from several vendors allow the SecureBoot mechanism to be bypassed. In UEFI BIOSes from Insyde, attackers can even replace the firmware. Vulnerable systems can thus be fully compromised. Proof-of-concept code for this is publicly available. System manufacturers are working on BIOS updates to close the gaps.
---------------------------------------------
https://www.heise.de/news/UEFI-BIOS-Luecken-SecureBoot-Umgehung-und-Firmwar…
∗∗∗ Reflective Kerberos Relay Attack Against Domain-Joined Windows Clients and Servers ∗∗∗
---------------------------------------------
RedTeam Pentesting has developed the Reflective Kerberos Relay Attack which remotely allows low-privileged Active Directory domain users to obtain NT AUTHORITY\SYSTEM privileges on domain-joined Windows computers. This vulnerability affects all domain-joined Windows hosts that do not require SMB signing of incoming connections. In their default configurations, this includes all Windows 10 and 11 versions up to 23H2 and all Windows Server versions including 2025 24H2 and excluding domain controllers.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-002/
∗∗∗ Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day ∗∗∗
---------------------------------------------
---------------------------------------------
https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campa…
∗∗∗ UK cyber agency pushes for strategic policy agenda as government efforts stall ∗∗∗
---------------------------------------------
Following years-long delays in the United Kingdom bringing forward new cybersecurity legislation, what seems to be an increasingly exasperated National Cyber Security Centre (NCSC) called on Monday for the country to adopt a strategic policy agenda to tackle the growing risks.
---------------------------------------------
https://therecord.media/ncsc-pushes-uk-government-create-strategic-cyber-po…
∗∗∗ Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested ∗∗∗
---------------------------------------------
An international cybercrime operation coordinated by INTERPOL has led to the takedown of more than 20,000 malicious IPs and domains used to deploy infostealer malware across the Asia-Pacific region.
---------------------------------------------
https://hackread.com/operation-secure-interpol-disrupts-infostealer-domains/
∗∗∗ Hydroph0bia (CVE-2025-4275) - a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O, part 1 ∗∗∗
---------------------------------------------
This post will be about a vulnerability I dubbed Hydroph0bia (as a pun on Insyde H2O) aka CVE-2025-4275 or INSYDE-SA-2025002.
---------------------------------------------
https://coderush.me/hydroph0bia-part1/
∗∗∗ NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073 ∗∗∗
---------------------------------------------
For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The vulnerability discovery, the complete analysis of the root cause as well as the patch by Microsoft will be detailed in this blogpost.
---------------------------------------------
https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live…
∗∗∗ Influencing LLM Output using logprobs and Token Distribution ∗∗∗
---------------------------------------------
What if you could influence an LLM's output not by breaking its rules, but by bending its probabilities? In this deep-dive, we explore how small changes in user input (down to a single token) can shift the balance between “true” and “false”, triggering radically different completions.
---------------------------------------------
https://blog.sicuranext.com/infuencing-llm-output-using-logprobs-and-token-…
∗∗∗ Software Supply Chain Attacks Have Surged in Recent Months ∗∗∗
---------------------------------------------
IT and software supply chain attacks have surged in recent months, as threat actors have gotten better at exploiting supply chain vulnerabilities, Cyble threat intelligence researchers reported this week. In a June 9 blog post, Cyble researchers said software supply chain attacks have grown from just under 13 a month during February-September 2024 to just over 16 a month from October 2024 to May 2025, an increase of 25%. However, the last two months have seen an average of nearly 25 cyberattacks with supply chain impact, a near-doubling of supply chain attacks from the year-ago period.
---------------------------------------------
https://thecyberexpress.com/software-supply-chain-attacks-have-surged/
∗∗∗ Undocumented root shell access in SIMCom modem ∗∗∗
---------------------------------------------
The SIMCom SIM7600G modem supports an undocumented AT command that allows a local/physical attacker to execute system commands with root privileges on the modem. The status of the removal of the backdoor command is unclear, as the vendor has not responded after numerous contact attempts.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/undocumented-root-she…
=====================
= Vulnerabilities =
=====================
∗∗∗ New Secure Boot flaw lets attackers install bootkit malware, patch now ∗∗∗
---------------------------------------------
Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-at…
∗∗∗ Patch Tuesday, June 2025 Edition ∗∗∗
---------------------------------------------
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
---------------------------------------------
https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/
∗∗∗ Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities ∗∗∗
---------------------------------------------
Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.”
---------------------------------------------
https://blog.talosintelligence.com/microsoft-patch-tuesday-june-2025/
∗∗∗ Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw ∗∗∗
---------------------------------------------
Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in the Wazuh security software, an open-source XDR and SIEM solution, to spread the Mirai malware. This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh's API, thereby allowing them to take control of affected servers remotely.
---------------------------------------------
https://hackread.com/two-mirai-botnets-lzrd-resgod-exploiting-wazuh-flaw/
∗∗∗ TBK DVRs Botnet Attack ∗∗∗
---------------------------------------------
Threat Actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices (Digital Video Recorders). This flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the endpoint. The compromised devices are being conscripted into a botnet capable of conducting DDoS attacks. If successfully exploited, there is a potential for significant disruption from DDoS attacks, lateral movement, or further malware delivery.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6127
∗∗∗ Patch day: code-execution vulnerabilities in Adobe Acrobat, InDesign & co. closed ∗∗∗
---------------------------------------------
Attackers can exploit security vulnerabilities (CVE-2025-43573 / EUVD-2025-17828) in Adobe Acrobat, Commerce, Experience Manager, InCopy, InDesign, Substance 3D Painter and Substance 3D Sampler. As part of the June patch day, Adobe is providing updates for download.
---------------------------------------------
https://heise.de/-10439601
∗∗∗ The June 2025 Security Update Review ∗∗∗
---------------------------------------------
https://www.thezdi.com/blog/2025/6/10/the-june-2025-security-update-review
∗∗∗ Security Vulnerabilities fixed in Thunderbird 139.0.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-50/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-06-2025 18:00 − Tuesday 10-06-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Over 84,000 Roundcube instances vulnerable to actively exploited flaw ∗∗∗
---------------------------------------------
Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-84-000-roundcube-instan…
∗∗∗ FIN6 hackers pose as job seekers to backdoor recruiters’ devices ∗∗∗
---------------------------------------------
In a twist on typical hiring-related social engineering attacks, the FIN6 hacking group impersonates job seekers to target recruiters, using convincing resumes and phishing sites to deliver malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-see…
∗∗∗ Windows: design problem allows group policies to be bypassed ∗∗∗
---------------------------------------------
Windows harbours a design problem that allows normal users and malware to override group policies set by admins. A report by ..
---------------------------------------------
https://www.golem.de/news/windows-designproblem-erlaubt-aushebeln-von-grupp…
∗∗∗ Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs ∗∗∗
---------------------------------------------
SentinelOne discovered the campaign when the attackers tried to hit the security vendor's own servers. An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out.
---------------------------------------------
https://www.theregister.com/2025/06/09/china_malware_flip_switch_sentinelon…
∗∗∗ DanaBleed: DanaBot C2 Server Memory Leak Bug ∗∗∗
---------------------------------------------
DanaBot is a Malware-as-a-Service (MaaS) platform that has been active since 2018. DanaBot operates on an affiliate model, where the malware developer sells access to customers who then distribute and use the malware for activities like credential theft and banking fraud. The developer is responsible for creating the malware, maintaining the ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server…
∗∗∗ Microsoft: remedy for security vulnerability caused by deleted "inetpub" folders ∗∗∗
---------------------------------------------
A Windows update created an "inetpub" folder. If it is deleted, this may block further updates. A script helps.
---------------------------------------------
https://www.heise.de/news/Microsoft-Abhilfe-fuer-Sicherheitsluecke-durch-ge…
∗∗∗ SAP patch day: another critical security vulnerability in NetWeaver ∗∗∗
---------------------------------------------
On its June patch day, SAP addresses partly critical security vulnerabilities in its products from Walldorf in 14 new security notes.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-Erneut-kritische-Sicherheitsluecke-i…
∗∗∗ Malvertising: searching for standard Mac commands delivers infostealers ∗∗∗
---------------------------------------------
A perfidious scheme: when searching for standard macOS commands, pages appear that display commands for installing malware.
---------------------------------------------
https://www.heise.de/news/Malvertising-Suche-nach-Standardbefehlen-fuer-Mac…
∗∗∗ Phishing alert: ex-employee is not giving away discount codes! ∗∗∗
---------------------------------------------
Videos and posts on social media platforms give the impression that a dismissed employee of a large retail company is giving away discount codes, as revenge against her former employer. In fact, behind it is nothing more than a simple phishing trap.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-rabattcodes/
∗∗∗ Fake e-mails in the name of the WKO in circulation! ∗∗∗
---------------------------------------------
Fraudulent e-mails are currently in circulation that claim to come from the Austrian Federal Economic Chamber (WKO). In these fake messages, business owners are asked to pay the 2025 chamber levy (Kammerumlage) and at the same time are induced to disclose their WKO login credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-e-mails-im-namen-der-wko-im-…
∗∗∗ The Evolution of Linux Binaries in Targeted Cloud Operations ∗∗∗
---------------------------------------------
Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files.
---------------------------------------------
https://unit42.paloaltonetworks.com/elf-based-malware-targets-cloud/
∗∗∗ New hacker group uses LockBit ransomware variant to target Russian companies ∗∗∗
---------------------------------------------
In its latest campaign this spring, DarkGaboon was observed deploying LockBit 3.0 ransomware against victims in Russia, Positive Technologies said in a report last week.
---------------------------------------------
https://therecord.media/new-hacker-group-lockbit-target-russia
∗∗∗ Spyware maker cuts ties with Italy after government refused audit into hack of journalist’s phone ∗∗∗
---------------------------------------------
Israel-based spyware maker Paragon and Italy's government had a falling out over the company's offer to help investigate what happened on journalist Francesco Cancellato's phone.
---------------------------------------------
https://therecord.media/paragon-spyware-maker-cuts-ties-italy-government
∗∗∗ Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats ∗∗∗
---------------------------------------------
GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-brute-force-activity-targeting-ap…
∗∗∗ Bitsight Identifies Thousands of Security Cameras Openly Accessible on the Internet ∗∗∗
---------------------------------------------
In our latest research at Bitsight TRACE, we found over 40,000 exposed cameras streaming live on the internet. No passwords. No protections. Just out there. We first raised the alarm in 2023, and based on this latest study, the situation hasn’t gotten any better.
---------------------------------------------
https://www.bitsight.com/blog/bitsight-identifies-thousands-of-compromised-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (golang, nodejs22, thunderbird, and varnish), Debian (gimp, modsecurity-apache, python-tornado, and roundcube), Fedora (chromium, coreutils, fcgi, ghostscript, krb5, libvpx, mingw-gstreamer1-plugins-bad-free, mingw-libsoup, mod_security, and samba), Mageia (php-adodb, systemd, and tomcat), Red Hat (buildah, firefox, glibc, grafana, kernel, libsoup, libxslt, mod_security, perl-FCGI, podman, python-tornado, and skopeo), Slackware (libvpx), and SUSE ..
---------------------------------------------
https://lwn.net/Articles/1024625/
∗∗∗ Security Vulnerabilities fixed in Firefox 139.0.4 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-47/
∗∗∗ June Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/june-security-update