=====================
= End-of-Day report =
=====================
Timeframe: Freitag 03-07-2026 18:00 − Montag 06-07-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Sicherheitswarnungen: Node.js will KI-Flut mit KI bekämpfen ∗∗∗
---------------------------------------------
In der Node.js-Community ist eine Diskussion darüber entstanden, wie sie weiter mit der Vielzahl an LLM-generierten Sicherheitsmeldungen verfahren soll.
---------------------------------------------
https://www.heise.de/news/Sicherheitswarnungen-Node-js-will-KI-Flut-mit-KI-…
∗∗∗ WhatsApp-Benutzernamen wecken Befürchtungen an möglichem Identitätsdiebstahl ∗∗∗
---------------------------------------------
Betrüger könnten WhatsApp-Benutzernamen bekannter Personen zu kriminellen Zwecken missbrauchen, warnen Sicherheitsexperten. Reservierungen sind bereits möglich.
---------------------------------------------
https://heise.de/-11354304
∗∗∗ When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website ∗∗∗
---------------------------------------------
The OAuth 2.0 Device Authorization Grant specification was designed to streamline authentication for Smart TVs, IoT devices, and printers. Today, threat actors are weaponizing it.
---------------------------------------------
https://securelist.com/microsoft-device-code-phishing-attack/120350/
∗∗∗ SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing ∗∗∗
---------------------------------------------
Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology. Their strongest trick slipped past every scanner tested more than 90% of the time, and the same team built a runtime checker that catches most of the disguised skills the scanners miss.
---------------------------------------------
https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.h…
∗∗∗ Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages ∗∗∗
---------------------------------------------
Researchers found a flaw in Opera GX, the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits.In a proof of concept, they reconstructed a signed-in users full Gmail address from a single visit, with no click. [..] The fix shipped in Opera GX version 130.0.5847.89, so anyone on a current build is already covered; you can confirm yours at opera://about. There is no CVE.
---------------------------------------------
https://thehackernews.com/2026/07/opera-gx-flaw-let-malicious-sites-auto.ht…
∗∗∗ PDF-Abo-Falle: Wenn aus 99 Cent ein teures Abo wird ∗∗∗
---------------------------------------------
Wer eine PDF-Datei schnell online bearbeiten möchte, stößt auf zahlreiche Dienste, die kostenlos oder besonders günstig wirken. Nach der Bearbeitung wird häufig lediglich ein kleiner Betrag von 99 Cent für den Download verlangt. Was viele nicht bemerken: Im Hintergrund wird oft ein teures Abo abgeschlossen.
---------------------------------------------
https://www.watchlist-internet.at/news/pdf-abo-falle/
∗∗∗ AI Used in Ransomware Attack ∗∗∗
---------------------------------------------
Using AI to automate part or all of the attack chain is also more of an evolution than a revolution in ransomware. [..] Nevertheless, the attack shows how the use of AI can lead to faster, if still unsophisticated, attacks that give victims less time to react.
---------------------------------------------
https://www.truesec.com/hub/blog/ai-used-in-ransomware-attack
=====================
= Vulnerabilities =
=====================
∗∗∗ OPNsense-Update beseitigt kritische Rootlücke und weitere Sicherheitsrisiken ∗∗∗
---------------------------------------------
Die kürzlich erschienenen Versionen 26.1.11 und 26.4.1(p1) von OPNsense, einer quelloffenen Firewall- und Routing-Plattform auf FreeBSD-Basis, bringen Sicherheitsfixes mit. Unter den geschlossenen Lücken befindet sich auch eine kritische: CVE-2026-57155 (CVSS-Score 9.9 von 10.0) hätte unter bestimmten Voraussetzungen zur Rechteausweitung und letztlich zur kompletten Firewall-Übernahme missbraucht werden können.
---------------------------------------------
https://www.heise.de/news/OPNsense-Update-beseitigt-kritische-Rootluecke-un…
∗∗∗ HestiaCP Admin Takeover & RCE ∗∗∗
---------------------------------------------
A low privileged user in HestiaCP can exploit a Broken Authorisation flaw to takeover Admin accounts. [..] A patch can be found here. This currently needs to be applied manually until HestiaCP decide to create a release. CVE-2026-12196
---------------------------------------------
https://projectblack.io/blog/hestiacp-admin-takeover-rce/
∗∗∗ Dell: DSA-2026-278: Security Update for Dell PowerProtect Data Domain Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.dell.com/support/kbdoc/de-de/000481268/dsa-2026-278-security-up…
∗∗∗ Coolify: Authenticated RCE via SHELL_SAFE_COMMAND_PATTERN regression → host root ∗∗∗
---------------------------------------------
https://github.com/coollabsio/coolify/security/advisories/GHSA-chg4-63hm-xv…
∗∗∗ LWN: Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1081495/
∗∗∗ Roundcube: Security updates 1.6.17 and 1.7.2 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 02-07-2026 18:00 − Freitag 03-07-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices ∗∗∗
---------------------------------------------
Google has significantly degraded NetNut, one of the biggest networks that turns home devices into rented relays for other people's traffic.
---------------------------------------------
https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html
∗∗∗ Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials ∗∗∗
---------------------------------------------
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access.
---------------------------------------------
https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.ht…
∗∗∗ Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer ∗∗∗
---------------------------------------------
A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan.
---------------------------------------------
https://thehackernews.com/2026/07/armored-likho-targets-government.html
∗∗∗ Indirect Prompt Injection in Web Content Targets AI Agents ∗∗∗
---------------------------------------------
AI agents are increasingly changing how users interact with web content, making the content itself a growing attack surface for threat actors. Just as a human user can be socially engineered through phishing, AI agents are also susceptible to similar attacks. Indirect prompt injection (IPI) is an example of these types of attacks that embed malicious instructions in the content retrieved by an AI agent (websites, documents, email, etc.) to influence the agent’s reasoning during task execution. Zscaler ThreatLabz has observed malicious websites that impersonate legitimate services and use IPI to manipulate AI-driven workflows.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/indirect-prompt-injection-w…
∗∗∗ Fake Google and Cloudflare verification pages spread multiple malware families ∗∗∗
---------------------------------------------
ClickFix attacks, which trick people into running malicious commands themselves, continue to evolve. This latest campaign uses fake Google and Cloudflare verification pages to convince victims to infect their own devices.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-google-and-clou…
∗∗∗ The Gentlemen ransomware: what you need to know ∗∗∗
---------------------------------------------
Despite the impeccably polite name, there is nothing polite or refined about this particular gang of cybercriminals. In little more than a year, The Gentlemen has gone from relative obscurity to becoming one of the most active ransomware operations on the planet. First surfacing in mid-2025, The Gentlemen is a ransomware-as-a-service (RaaS) operation that appears to have splintered away from the notorious Qilin ransomware group.
---------------------------------------------
https://www.fortra.com/blog/gentlemen-ransomware-what-you-need-know
∗∗∗ It’s 37oC, And All We Can Think About Is ColdFusion (Adobe ColdFusion Security Bulletin APSB26-68 CVE Bonanza) ∗∗∗
---------------------------------------------
We’re back, melting - we’ve tried shouting, screaming, and throwing things at the Sun, and it is just not working.
---------------------------------------------
https://labs.watchtowr.com/its-37oc-and-all-we-can-think-about-is-coldfusio…
∗∗∗ Mitglied im Sonderausschuss zu Pegasus: EU-Abgeordneter mit Spyware attackiert ∗∗∗
---------------------------------------------
Vor Jahren hat das Europaparlament Angriffe mit der Pegasus-Spyware in der EU untersucht. Ein stellvertretendes Ausschussmitglied wurde da selbst angegriffen.
---------------------------------------------
https://heise.de/-11352514
∗∗∗ How GitHub used secret scanning to reach inbox zero ∗∗∗
---------------------------------------------
GitHub had 20,000+ secret scanning alerts across 15,000 repositories. Here’s how we separated signal from noise, built remediation workflows, and reached inbox zero in nine months.
---------------------------------------------
https://github.blog/security/application-security/how-github-used-secret-sc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Behörde warnt: Microsoft-Sharepoint-Server werden attackiert ∗∗∗
---------------------------------------------
Angreifer nutzen eine gefährliche Sicherheitslücke in Microsoft Sharepoint aus, um Schadcode einzuschleusen. Admins sollten handeln.
---------------------------------------------
https://www.golem.de/news/behoerde-warnt-microsoft-sharepoint-server-werden…
∗∗∗ Jetzt updaten: Kritische Lücken in Ubiquiti UniFi erlauben Remote-Angriffe ∗∗∗
---------------------------------------------
Mehrere Produkte aus Ubiquitis UniFi-Ökosystem sind von teils kritischen Lücken betroffen. Admins sollten die abgesicherten Versionen zügig einspielen.
---------------------------------------------
https://www.heise.de/news/Jetzt-updaten-Kritische-Luecken-in-Ubiquiti-UniFi…
∗∗∗ Angriff per USB-Stick: KI findet gefährliche Lücke in populärem FatFs-Treiber ∗∗∗
---------------------------------------------
Das bloße Anschließen eines USB-Sticks reicht aus, um auf vielen Embedded- und IoT-Geräten Schadcode einzuschleusen. Einen Patch gibt es bisher nicht. (Sicherheitslücke, Speichermedien)
---------------------------------------------
https://www.golem.de/news/angriff-per-usb-stick-ki-findet-gefaehrliche-luec…
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1081187/
∗∗∗ NCSC-2026-0219 [1.00] [M/H] Kwetsbaarheden verholpen in GitHub Enterprise Server ∗∗∗
---------------------------------------------
https://advisories.ncsc.nl/advisory?id=NCSC-2026-0219
∗∗∗ NCSC-2026-0220 [1.00] [M/H] Kwetsbaarheden verholpen in Rancher door Rancher Labs ∗∗∗
---------------------------------------------
https://advisories.ncsc.nl/advisory?id=NCSC-2026-0220
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 01-07-2026 18:00 − Donnerstag 02-07-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Cisco finally confirms attackers exploiting Unified CM flaw ∗∗∗
---------------------------------------------
Cisco confirmed that attackers are now exploiting a Unified Communications Manager (Unified CM) vulnerability patched in early June.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-finally-confirms-attac…
∗∗∗ 6 security settings every GitHub maintainer should enable this week ∗∗∗
---------------------------------------------
These six free settings will not make your project unhackable. Nothing will. What they will do is close the easy doors. Turn these on, and your project will be meaningfully harder to attack than it was before.
---------------------------------------------
https://github.blog/security/6-security-settings-every-github-maintainer-sh…
∗∗∗ Ransomware im Anmarsch: Hacker greifen mit fieser Interpol-Masche an ∗∗∗
---------------------------------------------
Angreifer geben sich bei Unternehmen als Personal von Interpol aus und ködern mit angeblichen Beweismitteln. Doch stattdessen gibt es Ransomware.
---------------------------------------------
https://www.golem.de/news/ransomware-im-anmarsch-hacker-greifen-mit-fieser-…
∗∗∗ Falsche Rechnungen und Chatpartner bei ZumDaten, MichVerlieben & Co. ∗∗∗
---------------------------------------------
Eine Rechnung über mehrere hundert Euro von einer Datingplattform, bei der Sie nie ein Konto angelegt haben? Genau das berichten derzeit zahlreiche Betroffene. Doch nicht nur Menschen, die sich nie angemeldet haben, geraten ins Visier: Auch Registrierte können durch fragwürdige Praktiken viel Geld verlieren. Was hinter den Maschen von michverlieben.com, zumdaten.com und Co. steckt – und wie Sie sich dagegen wehren können.
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-zahlungsaufforderungen-von-d…
∗∗∗ New ChocoPoC malware targets researchers via trojanized PoC exploits ∗∗∗
---------------------------------------------
Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering a Python-based remote access trojan (RAT) named ChocoPoC that can execute commands and steal sensitive data in a campaign believed to target cybersecurity researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-chocopoc-malware-targets…
∗∗∗ Medtronic notifies customers impacted by ShinyHunters data breach ∗∗∗
---------------------------------------------
Healthcare device firm Medtronic is notifying affected customers about a data breach that exposed their personal data to an unauthorized third party.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/medtronic-notifies-customers…
∗∗∗ Opera rolls out Paste Protect feature to fight ClickFix attacks ∗∗∗
---------------------------------------------
Opera has introduced Paste Protect, a security feature designed to block ClickFix-style attacks that trick users into executing malicious commands through social engineering.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/opera-rolls-out-paste-protec…
∗∗∗ VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs.
---------------------------------------------
https://thehackernews.com/2026/07/veildrop-malware-chain-uses-blogger.html
∗∗∗ Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters ∗∗∗
---------------------------------------------
Argo CD, a widely used tool for deploying software to Kubernetes, has an unpatched flaw in its repo-server component that lets an unauthenticated attacker run code, provided they can reach the component's internal network port. Synacktiv, which found the bug, says it can lead to a full cluster takeover. There is no fix and no CVE. The firm says it reported the flaw to Argo CD's maintainers in January 2025; roughly eighteen months later, it remains unpatched, so it published the details to warn users.
---------------------------------------------
https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html
∗∗∗ FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations ∗∗∗
---------------------------------------------
The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions.
---------------------------------------------
https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html
∗∗∗ Fehler in „E-Mail-Adresse verbergen“ von Apple weiter ohne Fix ∗∗∗
---------------------------------------------
„Hide my E-Mail“ oder „E-Mail-Adresse verbergen“ soll eigentlich User vor Spam und Co. schützen. Es gibt aber eine Lücke. Die Entdecker warten weiter auf Apple.
---------------------------------------------
https://heise.de/-11351055
∗∗∗ PamStealer: a Rust-based macOS infostealer that validates credentials through PAM ∗∗∗
---------------------------------------------
Jamf Threat Labs investigates PamStealer, a macOS infostealer disguised as the legitimate Maccy clipboard manager that uses a two-stage attack chain to silently harvest data and clipboard contents while evading detection.
---------------------------------------------
https://www.jamf.com/blog/pamstealer-macos-infostealer-applescript-rust/
=====================
= Vulnerabilities =
=====================
∗∗∗ WinRAR flaw could allow attackers to take control of your computer ∗∗∗
---------------------------------------------
A new WinRAR update fixes a serious security flaw, but without automatic updates many users could miss the patch.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/07/winrar-flaw-could-allow-atta…
∗∗∗ Schwachstellen in Synology MailPlus Server lassen Angreifer passieren ∗∗∗
---------------------------------------------
Netzwerkspeicher von Synology mit MailPlus Server sind attackierbar. Ein Sicherheitspatch schafft Abhilfe.
---------------------------------------------
https://heise.de/-11351331
∗∗∗ ClamAV Vulnerabilities Affecting Cisco Products: July 2026 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Catalyst Center Arbitrary File Read Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Drupal Security Advisories 2026-July-01 ∗∗∗
---------------------------------------------
https://www.drupal.org/security
∗∗∗ SVD-2026-0701: Third-Party Package Updates in Python for Scientific Computing - July 2026 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0701
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1080956/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 30-06-2026 18:00 − Mittwoch 01-07-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ CitrixBleed To Infinity And Beyond (Citrix NetScaler Pre-Auth Memory Overread CVE-2026-8451) ∗∗∗
---------------------------------------------
For those that don’t start violently wretching when the phrase “Citrix NetScaler” is uttered, we have another word to whisper: “CitrixBleed”. As many know, the term CitrixBleed now refers to not a single vulnerability, but an entire class of Memory Disclosure-esque vulnerabilities in Citrix NetScaler devices, many of which have played roles in breaches and incidents in recent memory. [..] We’ve given up counting the numbers, and so we’ve decided to call this vulnerability “CitrixBleed To Infinity And Beyond”.
---------------------------------------------
https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netsca…
∗∗∗ Over 900 Oracle E-Business instances exposed to ongoing attacks ∗∗∗
---------------------------------------------
Over 900 Oracle E-Business Suite (EBS) instances have been found exposed online amid ongoing attacks exploiting a critical security flaw.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-900-oracle-e-business-i…
∗∗∗ The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign ∗∗∗
---------------------------------------------
Kaspersky experts have uncovered a malicious network infrastructure for delivering AsyncRAT. The Trojan is dropped via compromised ScreenConnect software. In this post, we break down the infection chain and analyze the C2 infrastructure.
---------------------------------------------
https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncra…
∗∗∗ Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data ∗∗∗
---------------------------------------------
New Microsoft research shows how attackers can hijack AI agents that act on a users behalf, using nothing more than a poisoned tool description to make the agent quietly hand over company data to an outsider.The trick is that the agent never breaks a rule. Every step looks routine, so in a default setup no alarm may fire.
---------------------------------------------
https://thehackernews.com/2026/06/microsoft-warns-poisoned-mcp-tool.html
∗∗∗ RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS ∗∗∗
---------------------------------------------
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. [..] RustDuck does not lean on a single clever trick. It sprays a mix of old, well-known weaknesses and hopes one sticks. The first is the oldest in the book: devices left on the internet with weak or default passwords on their remote-login services (Telnet and SSH). Guess the password, walk in.
---------------------------------------------
https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html
∗∗∗ Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector ∗∗∗
---------------------------------------------
Unit 42 researchers found that large language models (LLMs) consistently hallucinate web domains for legitimate brands. Adversaries are actively weaponizing this vector by registering these nonexistent domains to intercept traffic generated by AI systems. We call this phenomenon phantom squatting, and it poses a significant risk to the software supply chain.
---------------------------------------------
https://unit42.paloaltonetworks.com/phantom-squatting-hallucinated-web-doma…
∗∗∗ ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365 ∗∗∗
---------------------------------------------
Cisco Talos identified a fully-featured phishing-as-a-service (PhaaS) operator panel, branded "ARToken," that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026.
---------------------------------------------
https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-p…
∗∗∗ Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique ∗∗∗
---------------------------------------------
In this research, DeepSeek connected unrealistic browser-malware concepts with a real browser capability, turning an AI-generated malware hallucination into a plausible browser-native ransomware technique. Although the generated sample was incomplete, it exposed a practical abuse path based on the File System Access API and access to photo directories.
---------------------------------------------
https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe patches seven max severity ColdFusion, Campaign flaws ∗∗∗
---------------------------------------------
Adobe has released security patches for seven maximum-severity vulnerabilities in the ColdFusion web app development platform and the Campaign Classic marketing automation platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-patches-seven-max-seve…
∗∗∗ Riesiges Update: 382 Sicherheitslücken in Google Chrome entdeckt ∗∗∗
---------------------------------------------
Die neueste Chrome-Version schließt fast 400 teils kritische Sicherheitslücken. Auch für Edge, Vivaldi und Brave dürften entsprechende Updates folgen.
---------------------------------------------
https://www.golem.de/news/riesiges-update-382-sicherheitsluecken-in-google-…
∗∗∗ Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service ∗∗∗
---------------------------------------------
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation vulnerability leading to memory overread when NetScaler ADC or NetScaler Gateway is configured as a SAML IDP.
---------------------------------------------
https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
∗∗∗ Root-Sicherheitslücken in alternativer Router-Firmware OpenWRT geschlossen ∗∗∗
---------------------------------------------
Die OpenWRT-Entwickler haben in einer aktuellen Version unter anderem mehrere kritische Sicherheitslücken geschlossen. [..] Am gefährlichsten gilt eine „kritische“ Lücke mit einem CVSSS Score 9.9 von 10 in LuCI. Eine CVE-Nummer wurde offensichtlich bislang nicht vergeben. Voraussetzung für eine Attacke ist, dass der VPN-Dienst Tailscale installiert ist.
---------------------------------------------
https://www.heise.de/news/Root-Sicherheitsluecken-in-alternativer-Router-Fi…
∗∗∗ HCL BigFix: PC-Fernverwaltung: Man-in-the-Middle-Attacken auf HCL BigFix möglich ∗∗∗
---------------------------------------------
https://www.heise.de/news/PC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-…
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1080689/
∗∗∗ mozilla: Security Vulnerabilities fixed in Thunderbird 140.12.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-64/
∗∗∗ mozilla: Security Vulnerabilities fixed in Thunderbird 152.0.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-63/
∗∗∗ Genucenter: Publish SBA-ADV-20260424-01: Genucenter Disclosure of SNMP Credentials ∗∗∗
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/d78bf80a4103af68e8c17ba027…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 29-06-2026 18:00 − Dienstag 30-06-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Parkstrafe per SMS? Kriminelle haben es auf Kreditkartendaten abgesehen! ∗∗∗
---------------------------------------------
Alles beginnt mit einer SMS-Nachricht zu einer angeblich offenen Parkstrafe. Am Ende hat das Opfer den Kriminellen sein Auto-Kennzeichen und die Kreditkartendaten übermittelt. Eine Phishing-Falle, die klassischer nicht sein könnte. Und so funktioniert sie.
---------------------------------------------
https://www.watchlist-internet.at/news/parkstrafe-per-sms-kreditkartendaten/
∗∗∗ Sicherheitslücken ohne Ende: Flut an KI-Bug-Reports überfordert Github ∗∗∗
---------------------------------------------
Github kommt bei der Bearbeitung von Sicherheitsmeldungen nicht mehr hinterher. Es gibt wohl einen Rückstau von mehreren Wochen.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-ohne-ende-flut-an-ki-bug-repor…
∗∗∗ Fernwartung SimpleHelp: Schwachstelle wird angegriffen ∗∗∗
---------------------------------------------
In der Fernwartungssoftware SimpleHelp klafft eine Sicherheitslücke, die die Höchstwertung beim Risiko erreicht. Sie wurde Mitte des Monats bekannt. Jetzt haben IT-Sicherheitsexperten Cyberangriffe auf das Sicherheitsleck beobachtet.
---------------------------------------------
https://heise.de/-11348620
∗∗∗ CISA: Windows BlueHammer flaw now exploited by ransomware gangs ∗∗∗
---------------------------------------------
CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-windows-bluehammer-flaw…
∗∗∗ Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input ∗∗∗
---------------------------------------------
Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results.
---------------------------------------------
https://thehackernews.com/2026/06/malicious-perplexity-chrome-extension.html
∗∗∗ Daktronics: Straßenschilder durch Controller-Lücken manipulierbar ∗∗∗
---------------------------------------------
Durch Sicherheitslücken in Daktronics-Controllern können Angreifer LED-Anzeigetafeln kompromittieren – unter anderem solche am Straßenrand.
---------------------------------------------
https://www.golem.de/news/daktronics-strassenschilder-durch-controller-luec…
∗∗∗ Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037) ∗∗∗
---------------------------------------------
This time, we're looking at Progress Kemp LoadMaster, a load balancer that sits at the edge of a lot of enterprise networks. Edge appliances have a habit of becoming the way in rather than the thing keeping people out, and CVE-2026-8037 keeps that streak alive: a pre-authentication Remote Code Execution vulnerability accessible to anyone who can access the API. So, in probably a predictable turn of events, we're back doing what we do best.
---------------------------------------------
https://labs.watchtowr.com/enterprise-tech-in-shell-out-progress-kemp-loadm…
∗∗∗ Bot-Schutz: Googles reCaptcha mit Handgesten fällt auf Fotos rein ∗∗∗
---------------------------------------------
Google hat vergangene Woche angekündigt, den reCaptcha-Bot-Schutz mit Handgesten auszustatten. Das lässt sich mit Fotos aushebeln.
---------------------------------------------
https://heise.de/-11348830
∗∗∗ Longinus: 2 Boundaries in One Bug, Piercing Chrome’s Renderer and V8 Sandbox with a Single Vulnerability, CVE-2026-6307 ∗∗∗
---------------------------------------------
To understand the bug, we first need a high-level overview of TurboFan, how it inlines JS-to-Wasm calls, and how its deoptimization metadata decides what kind of value should be reconstructed after a lazy deopt. Furthermore, we need to understand how V8 heap sandbox works and why this single vulnerability allows attackers to do two things at once: 1) gain arbitrary read/write primitives in the sandbox, and 2) escape the sandbox to write outside of it.
---------------------------------------------
https://nebusec.ai/research/v8-cve-2026-6307-writeup/
∗∗∗ Unprivileged root via a use-after-free in DRM GEM change_handle (CVE-2026-46215) ∗∗∗
---------------------------------------------
A use-after-free in the DRM GEM core ioctl DRM_IOCTL_GEM_CHANGE_HANDLE lets any local user with access to a render node escalate to root. drm_gem_change_handle_ioctl() moves a GEM object from one handle to another, but it never adjusts the object’s handle_count. For a short window the object has two IDR entries while its handle count still reads 1, and a concurrent DRM_IOCTL_GEM_CLOSE on the old handle drives that count to 0 and frees the object while the new handle is still pointing at it. The dangling handle is the use-after-free.
---------------------------------------------
https://cyberstan.co.uk/drm-lpe-linux/
∗∗∗ Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates ∗∗∗
---------------------------------------------
Malicious Chrome and Firefox extensions posed as free VPNs while stealing clipboard data through later extension updates.
---------------------------------------------
https://socket.dev/blog/chrome-and-firefox-extensions-free-vpns-add-clipboa…
=====================
= Vulnerabilities =
=====================
∗∗∗ iOS 26.5.2, iPadOS 26.5.2 und macOS 26.5.2: Wichtige Sicherheitsfixes wegen KI ∗∗∗
---------------------------------------------
Apple hat am Montagabend insgesamt drei Betriebssysteme aktualisiert sowie seinen Browser Safari für macOS 15 (Sequoia) und 14 (Sonoma) auf einen neuen Stand gebracht. Systeme und Browser enthalten keine bekannten Neuerungen, dafür stopfen sie diverse Sicherheitslöcher, die Apple laut eigenen Angaben auch aufgrund der neuen Gefahren durch KI flotter liefert.
---------------------------------------------
https://www.heise.de/news/iOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtig…
∗∗∗ ipv6_frag_escape: Linux LPE - Reliable Jail/Container Escape ∗∗∗
---------------------------------------------
A reliable unprivileged container / jail escape proof of concept for CentOS / RHEL 10.It rides a now fixed IPv6 fragmentation bug in __ip6_append_data() (closed upstream by 38becddc, no CVE), an in-slab linear overflow into the skb_shared_info at the tail of a packet's own head object. This README documents the exploitation chain only. It does not cover the trigger.
---------------------------------------------
https://github.com/sgkdev/ipv6_frag_escape
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1080439/
∗∗∗ DGM3103SCT vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN28979424/
∗∗∗ Security Vulnerabilities fixed in Firefox 152.0.4 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2026-62/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 26-06-2026 18:00 − Montag 29-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cybersecurity firms targeted by fraudulent OpenAI organization invites ∗∗∗
---------------------------------------------
Threat actors are creating OpenAI tenants that impersonate legitimate companies and inviting employees to join them, in what appears to be a ploy to trick targets into submitting sensitive company information in chats and projects.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybersecurity-firms-targeted…
∗∗∗ Polymarket customers lose $3 million in supply-chain attack ∗∗∗
---------------------------------------------
Polymarket says it will fully reimburse customers who lost an estimated $3 million after hackers injected a malicious script into the platforms frontend following a breach at a third-party vendor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-…
∗∗∗ Hackers now exploit critical Oracle E-Business flaw in attacks ∗∗∗
---------------------------------------------
Attackers have begun exploiting a critical vulnerability (CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-oracle-e-business-suite-…
∗∗∗ Root-Zugriff möglich: Exploits für gefährliche Lücke im Linux-Kernel geleakt ∗∗∗
---------------------------------------------
Admins sollten zügig ihre Linux-Systeme absichern. Auf Github sind Exploits für eine Root-Lücke in Debian, Ubuntu und RHEL aufgetaucht.
---------------------------------------------
https://www.golem.de/news/root-zugriff-moeglich-exploits-fuer-gefaehrliche-…
∗∗∗ The Gentlemen are knocking: сustom backdoors and evolving tactics ∗∗∗
---------------------------------------------
Kaspersky researchers analyze incidents related to The Gentlemen RaaS group, disclose their tools and TTPs, and find a new ransomware variant.
---------------------------------------------
https://securelist.com/the-gentlemen-raas/120447/
∗∗∗ Microsoft Adds Another Year To Windows 10 Extended Update Program ∗∗∗
---------------------------------------------
Microsoft has quietly extended free Windows 10 security updates for consumers by another year, pushing the Extended Security Updates (ESU) programs end date from October 12, 2026, to October 12, 2027. "The ESU support page was updated with that date, and Microsofts blog post on the program has a new editors note confirming the change," reports Ars Technica. From the report: The prevalence of Windows across so many devices and form factors has given Microsoft a ..
---------------------------------------------
https://tech.slashdot.org/story/26/06/26/0029235/microsoft-adds-another-yea…
∗∗∗ New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks ∗∗∗
---------------------------------------------
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.Kaspersky, which is tracking the activity under the moniker StrikeShark, said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, ..
---------------------------------------------
https://thehackernews.com/2026/06/new-sharkloader-malware-deploys-cobalt.ht…
∗∗∗ Microsoft keeps Windows Server 2022 hotpatching alive into 2027 ∗∗∗
---------------------------------------------
In the Azure Edition, of course
---------------------------------------------
https://www.theregister.com/security/2026/06/29/microsoft-keeps-windows-ser…
∗∗∗ Critical Unauthenticated Remote Code Execution in Splunk Enterprise (CVE-2026-20253) ∗∗∗
---------------------------------------------
Splunk disclosed a critical unauthenticated remote code execution (RCE) vulnerability in Splunk Enterprise tracked as CVE-2026-20253 on June 10, 2026. The vulnerability has a CVSS score of 9.8 and stems from missing authentication on a PostgreSQL sidecar service recovery endpoint that can be reached through the Splunk Web interface, which proxies requests to the internal PostgreSQL sidecar service without enforcing authentication. A successful attacker can create or truncate ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/critical-unauthenticated-re…
∗∗∗ Taiwan: Cybersicherheitsbehörde warnt vor Überwachung durch billige eSIMs ∗∗∗
---------------------------------------------
Günstig für den Urlaub erworbene eSIMs könnten Datenverkehr durch China leiten, warnt Taiwans Digitalministerium. Dabei könnten Daten abgegriffen werden.
---------------------------------------------
https://www.heise.de/news/Taiwanische-Cybersicherheitsbehoerde-warnt-vor-Ue…
∗∗∗ FBI-Warnung: Russischer Geheimdienst sieht es auf Messenger-Backup-Keys ab ∗∗∗
---------------------------------------------
Russische Angreifer geben sich inzwischen als Messenger-Support aus, der Zugriff auf die Backup-Wiederherstellungsschlüssel braucht.
---------------------------------------------
https://www.heise.de/news/FBI-Warnung-Russischer-Geheimdienst-sieht-es-auf-…
∗∗∗ Cyberangriffe auf Hotel- und Gastgewerbe: Täter nisten sich ein ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence beobachtet eine mehrstufige Angriffswelle auf das Hotel- und Gastgewerbe in Asien und Europa.
---------------------------------------------
https://www.heise.de/news/Cyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-ni…
∗∗∗ Kritische libssh2-Lücke: Proof-of-Concept-Exploit veröffentlicht ∗∗∗
---------------------------------------------
Vergangene Woche wurde eine Sicherheitslücke in libssh2 bekannt. Jetzt ist Exploit-Code aufgetaucht, der sie missbrauchen kann.
---------------------------------------------
https://www.heise.de/news/Kritische-libssh2-Luecke-Proof-of-Concept-Exploit…
∗∗∗ Hacking-Fähigkeiten von Chinas KI Z.ai angeblich so gut wie die von Claude ∗∗∗
---------------------------------------------
Zhipu AIs offenes Modell GLM-5.2 erreicht laut Sicherheitsexperten die Fähigkeiten von Anthropics Mythos bei der Bug-Erkennung.
---------------------------------------------
https://www.heise.de/news/Hacking-Faehigkeiten-von-Chinas-KI-Z-ai-angeblich…
∗∗∗ Harnessing Harnesses - Climbing the LLM Hills ∗∗∗
---------------------------------------------
Trying to coerce useful work out of LLMs without the harness is like supervising a room full of drunk toddlers, each convinced theyre helping, none of them checking with each other and falling over the next.
---------------------------------------------
https://blog.zsec.uk/harnessing-harnesses/
∗∗∗ From Perimeter to Proof: The New Architecture of Email Security ∗∗∗
---------------------------------------------
How identity, investigation, browser security, and AI are reshaping the future of email defense.
---------------------------------------------
https://softwareanalyst.substack.com/p/from-perimeter-to-proof-the-new-arch…
∗∗∗ Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages ∗∗∗
---------------------------------------------
Latest wave affects legitimate @immobiliarelabs Backstage packages, with malicious npm releases published across GitLab and LDAP authentication plugin families on June 26, 2026.Socket Threat Research is tracking a fresh compromise in the ongoing Miasma Mini Shai-Hulud supply chain campaign. The latest activity affects legitimate npm packages published under the @immobiliarelabs scope, including Backstage plugins used for GitLab integration and LDAP authentication ..
---------------------------------------------
https://socket.dev/blog/miasma-mini-shai-hulud-hits-immobiliarelabs-npm-pac…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 25-06-2026 18:00 − Freitag 26-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New macOS malware embeds fake errors to confuse AI analysis tools ∗∗∗
---------------------------------------------
A newly discovered macOS malware dubbed "Gaslight" is designed to confuse AI-assisted malware analysis tools by hiding prompt injection strings and fake debugging data within the executable.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macos-malware-embeds-fak…
∗∗∗ Order-tracking app Shop abused to push callback phishing attacks ∗∗∗
---------------------------------------------
Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts in users order histories to trick them into providing sensitive data or installing remote access software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/order-tracking-app-shop-abus…
∗∗∗ Security boss thought MFA would be too much security ∗∗∗
---------------------------------------------
One rule for the workers, another for execs
---------------------------------------------
https://www.theregister.com/security/2026/06/26/security-boss-thought-mfa-w…
∗∗∗ Miasma campaign poisons 20-plus npm packages, hunts for developer secrets ∗∗∗
---------------------------------------------
Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers
---------------------------------------------
https://www.theregister.com/security/2026/06/26/miasma-campaign-poisons-20-…
∗∗∗ Amazon Q flaw let booby-trapped Git repos execute code, swipe cloud creds ∗∗∗
---------------------------------------------
Researchers warn many AI coding assistants now execute commands from project configurations
---------------------------------------------
https://www.theregister.com/cyber-crime/2026/06/26/amazon-q-flaw-let-booby-…
∗∗∗ YouTube-Werbeblocker mit 11 Millionen Installationen mit möglicher Hintertür ∗∗∗
---------------------------------------------
Adblock for YouTube kommt auf mehr als 11 Millionen Installationen. Es kann jedoch unkontrolliert Script-Code in jede Seite injizieren.
---------------------------------------------
https://www.heise.de/news/YouTube-Werbeblocker-mit-11-Millionen-Installatio…
∗∗∗ Polymarket: Kriminelle sollen Kryptowerte in Millionenhöhe gestohlen haben ∗∗∗
---------------------------------------------
Bei Polymarket haben Angreifer über eingeschleusten Schadcode Geld von Nutzerkonten gestohlen. Das Wettportal will Betroffene entschädigen.
---------------------------------------------
https://www.heise.de/news/Polymarket-Kriminelle-entwenden-Kryptowerte-in-Mi…
∗∗∗ Malware steals Chrome session cookies to take over your accounts ∗∗∗
---------------------------------------------
A phishing campaign installs a malicious Chrome extension to hijack browser sessions and compromise Windows devices.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-sessio…
∗∗∗ The "Akrites" vulnerability-mitigation project launches ∗∗∗
---------------------------------------------
The Linux Foundation, in aletter co-signed by a large range of organizations and companies, hasannounced the launch of "Akrites", a project to fast-track vulnerabilityfixes into projects. As Akrites works upstream to fix projects at the source, we commit to support downstream efforts to secure critical infrastructure before it can be exploited. When patches are ..
---------------------------------------------
https://lwn.net/Articles/1079657/
∗∗∗ Russia used social engineering to breach prominent messaging accounts, Ukraine says ∗∗∗
---------------------------------------------
Ukraines SBU described a long-running Russian operation that used fake tech-support workers to persuade people to hand over credentials to their messaging apps.
---------------------------------------------
https://therecord.media/russia-ukraine-social-engineering-messaging-accounts
∗∗∗ DHS chief says president has met with likely CISA nominee; agency plans to hire 600 ∗∗∗
---------------------------------------------
Once a new CISA director is in place, the agency will ramp up hiring efforts, Homeland Security Secretary Markwayne Mullin told lawmakers. The White House has not yet announced a nominee.
---------------------------------------------
https://therecord.media/cisa-director-nominee-workforce-hires-mullin-house-…
∗∗∗ macOS Flaw Allowed Standard Users to Disable CrowdStrike and Kandji Security Tools ∗∗∗
---------------------------------------------
A macOS XPC flaw let regular users disable CrowdStrike and Kandji tools, exposing security gaps that vendors patched after XM Cyber reported the security issue.
---------------------------------------------
https://hackread.com/macos-flaw-users-disable-crowdstrike-kandji-security-t…
∗∗∗ Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem ∗∗∗
---------------------------------------------
Latest wave affects LeoPlatform/RStreams npm packages, three llxlr-published npm packages, the Verana Blockchain Go module, and GitHub Actions/developer-tool workflows.Socket Threat Research is tracking a new ..
---------------------------------------------
https://socket.dev/blog/miasma-mini-shai-hulud-hits-leoplatform-npm-package…
=====================
= Vulnerabilities =
=====================
∗∗∗ Synology-SA-26:11 Synology MailPlus Server ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_26_11
∗∗∗ [R2] Nessus Version 10.12.1 Fixes SQL Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-17
∗∗∗ [R3] Tenable Identity Exposure Version 3.93.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-16
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 24-06-2026 18:00 − Donnerstag 25-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Malicious Edge extension abuses Native Messaging as bridge to malware ∗∗∗
---------------------------------------------
A malicious Microsoft Edge extension dubbed Edgecution has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-edge-extension-abu…
∗∗∗ Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access ∗∗∗
---------------------------------------------
New details have been revealed on how hackers exploited a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create rogue root accounts on targeted devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-s…
∗∗∗ Inside the 2026 SMB threat landscape: From phishing and scams to fake AI tools ∗∗∗
---------------------------------------------
In the first four months of 2026, Kaspersky solutions detected over 33,300 cyberattacks on SMBs masquerading as popular artificial intelligence (AI) tools – almost five times more than in 2025 and 39% more than the number of attacks disguised as the office and collaboration tools that Kaspersky’s research focuses on.
---------------------------------------------
https://securelist.com/smb-threat-report-2026/120357/
∗∗∗ What do Ports Hear When Nobodys Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th) ∗∗∗
---------------------------------------------
For network defenders and analysts, it's important to understand the depth of the noise and how it should be treated. Observing patterns and structural shifts within the static is essential for keeping pace with an automated, multi-directional threat that never stops running. The infrastructure persists, campaigns evolve, payloads update, and the ports keep listening.
---------------------------------------------
https://isc.sans.edu/diary/rss/33104
∗∗∗ StealC Historical Bot Infection Special Report ∗∗∗
---------------------------------------------
On Wednesday 24th June 2026, international law enforcement partners announced additional successful cyber crime disruption actions as part of the ongoing Operation Endgame initiative. This time the StealC infostealer and Amadey malware-as-a-service families were targeted.
---------------------------------------------
https://www.shadowserver.org/news/stealc-historical-bot-infection-special-r…
∗∗∗ Verfassungsschutz zu Spionage: Unis sollen wachsamer sein ∗∗∗
---------------------------------------------
Sicherheitsbehörden warnen vor chinesischer Wissenschaftsspionage an deutschen Hochschulen. Sind die Forschungseinrichtungen wachsam genug?
---------------------------------------------
https://www.heise.de/news/Verfassungsschutz-zu-Spionage-Unis-sollen-wachsam…
∗∗∗ Raiffeisen Phishingmail fordert zur pushTAN-Aktivierung auf ∗∗∗
---------------------------------------------
Aktuell versenden Kriminelle betrügerische E-Mails im Namen der Raiffeisen Bank. Die Nachrichten fordern Kund:innen auf, über einen Link den pushTAN-Dienst zu aktivieren und führen dabei auf eine gefälschte Website, die Kontodaten abgreift.
---------------------------------------------
https://www.watchlist-internet.at/news/raiffeisen-phishingmail-fordert-push…
∗∗∗ Introduction to COM usage by Windows threats ∗∗∗
---------------------------------------------
Component Object Model (COM) is a fundamental Windows technology used by legitimate applications for object activation, inter-process communication, automation and language-independent component reuse. Those same qualities make it useful to threat actors.
---------------------------------------------
https://blog.talosintelligence.com/introduction-to-com-usage-by-windows-thr…
∗∗∗ Windows 10: Sicherheitsupdates für Privatkunden jetzt doch noch bis Oktober 2027 ∗∗∗
---------------------------------------------
Microsoft hat das ESU-Programm für Privatkunden ohne große Vorankündigung um ein weiteres Jahr verlängert.
---------------------------------------------
https://heise.de/-11344923
∗∗∗ Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond ∗∗∗
---------------------------------------------
Datadog Security Research investigates a June 2026 adversary-in-the-middle phishing campaign that cloned the AWS console login page to harvest victim credentials and multi-factor authentication codes.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phi…
∗∗∗ Ignore DNSSEC if you like MITM attacks ∗∗∗
---------------------------------------------
It really bothers me that almost all distributions and operating systems don’t validate DNSSEC by default. The above attacks are feasible on almost anyone, purely because of lousy defaults.
---------------------------------------------
https://whynothugo.nl/journal/2026/06/24/ignore-dnssec-if-you-like-mitm-att…
=====================
= Vulnerabilities =
=====================
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1079551/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 23-06-2026 18:00 − Mittwoch 24-06-2026 18:00
Handler: Alexander Riepl
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New macOS ClickFix attack silently mounts DMGs to push infostealer ∗∗∗
---------------------------------------------
A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-si…
∗∗∗ Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks ∗∗∗
---------------------------------------------
A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-unified-cm-sme-flaw-cv…
∗∗∗ Stealthy Mistic backdoor linked to ransomware access broker KongTuke ∗∗∗
---------------------------------------------
A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stealthy-mistic-backdoor-lin…
∗∗∗ Sicherheitslücke: Millionen von Samsung-Smartphones durch Kernel-Bug gefährdet ∗∗∗
---------------------------------------------
Forscher haben einen gefährlichen Bug im Android-Kernel von Samsung entdeckt, der unzählige Smartphones zwischen Galaxy S9 und S25 betrifft.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-acht-jahre-alter-kernel-bug-gef…
∗∗∗ Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root ∗∗∗
---------------------------------------------
Threat actors have begun to exploit a recently disclosed critical security flaw impacting Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME).The vulnerability, tracked as CVE-2026-20230 (CVSS score: 8.6), is a case of improper input validation for specific HTTP requests that could allow an unauthenticated, ..
---------------------------------------------
https://thehackernews.com/2026/06/cisco-unified-cm-flaw-exploited-after.html
∗∗∗ Home Assistant: Update stopft Informationsleck ∗∗∗
---------------------------------------------
Die jüngeren Home-Assistant-Updates stopfen unter anderem Informationslecks. Zudem gibt es das Home Assistant OS in neuer Version.
---------------------------------------------
https://www.heise.de/news/Home-Assistant-Update-stopft-Informationsleck-113…
∗∗∗ Ubiquiti UniFi OS-Sicherheitslücken werden angegriffen ∗∗∗
---------------------------------------------
Ende Mai wurden kritische Sicherheitslücken in Ubiquiti UniFi OS bekannt. Inzwischen haben Angreifer diese im Visier.
---------------------------------------------
https://www.heise.de/news/Ubiquiti-UniFi-OS-Sicherheitsluecken-werden-angeg…
∗∗∗ Cyberkriminelle: Die „Wirtschaftsprüfer“, die Sie nie beauftragt haben ∗∗∗
---------------------------------------------
Jede Organisation wird geprüft. Die Frage ist, wer die Prüfung durchführt.
---------------------------------------------
https://www.welivesecurity.com/de/business-security/cyberkriminelle-die-wir…
∗∗∗ Hackergruppe will den Flughafen Wien angegriffen haben ∗∗∗
---------------------------------------------
Als Beweis wurden Frachtpapiere mit Waffenlieferungen veröffentlicht. Laut dem Flughafen Wien sind keine personenbezogenen Daten darunter
---------------------------------------------
https://www.derstandard.at/story/3000000328608/hackergruppe-will-den-flugha…
∗∗∗ Zoho Corp. ManageEngine: Kritische SSO-Lücke ermöglicht Kontenübernahme ∗∗∗
---------------------------------------------
Angreifer können eine kritische Sicherheitslücke in mehreren Zoho Corp. ManageEngine-Produkten missbrauchen, um Konten zu übernehmen.
---------------------------------------------
https://heise.de/-11342888
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (corosync, firefox, kernel, kernel-rt, libpq, memcached, postgresql, postgresql16, postgresql:13, postgresql:16, python-urllib3, python3.14-urllib3, redis:6, skopeo, and vim), Debian (beets, gst-plugins-bad1.0, imagemagick, libmatio, python-urllib3, and u-boot), Fedora (chromium, coturn, frr, grout, materialx, perl-Crypt-DSA, and yt-dlp), Mageia (opensc, perl-Archive-Tar, and podofo), Oracle (fence-agents, libpq, mysql:8.4, and postgresql:16), ..
---------------------------------------------
https://lwn.net/Articles/1079365/
∗∗∗ [R1] Tenable Identity Exposure Version 3.93.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-16
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 22-06-2026 18:00 − Dienstag 23-06-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Auswirkungen auf die Cybersicherheit von Organisationen durch die Entwicklung im Bereich Künstlicher Intelligenz ∗∗∗
---------------------------------------------
Künstliche Intelligenz verändert die Cybersicherheitslage grundlegend und erfordert neue Maßstäbe in der Reaktionsgeschwindigkeit. Während böswillige Akteure in der Vergangenheit bereits arbeitsteilig auf Künstliche Intelligenz gesetzt hatten – beispielsweise um Phishing-Mails zu verfassen – sind aktuelle KI-Systeme derart leistungsfähig, dass Schwachstellen in Software innerhalb kurzer Zeit sowohl umfassend als auch teilweise autonom erkannt, analysiert und in verwertbare Angriffspfade überführt können. Daraus kann eine Lage entstehen, die Organisationen mit einer erheblich steigenden Zahl neu entdeckter Schwachstellen, Exploits, Patches und Folgevorfällen konfrontiert.
---------------------------------------------
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2026/2026-2…
∗∗∗ WhatsApp phishing attack uses fake business docs to hack PCs ∗∗∗
---------------------------------------------
An ongoing malware campaign is targeting WhatsApp users in multiple countries with deceptive messages that push VBScript files, leading to remote system access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-use…
∗∗∗ Nearly Half of LG Smart TV Apps Are Laced with Proxies ∗∗∗
---------------------------------------------
Everyone worries about the apps on their phone. Almost no one looks at the ones on their TV. We scanned 6,038 of them across LG and Samsung; 2,058 were selling your IP address. On screen, its a relaxing fish tank. Or a clock. Or solitaire. Or puppies. Under the hood, it is a residential proxy: software that can send other peoples internet traffic out through your living room. And we found it everywhere.
---------------------------------------------
https://spur.us/blog/smart-tv-apps-residential-proxy-sdks
∗∗∗ Nach Protesten: AMD bringt RAM-Verschlüsselung TSME zurück ∗∗∗
---------------------------------------------
Ohne Ankündigung hat AMD das Sicherheitsmerkmal TSME bei bestimmten Ryzen-Prozessoren deaktiviert. Kunden protestierten, AMD reagiert.
---------------------------------------------
https://www.heise.de/news/Nach-Protesten-AMD-bringt-RAM-Verschluesselung-TS…
∗∗∗ Secure-Boot: Zertifikatablauf steht an, Microsoft gibt weitere Hilfestellung ∗∗∗
---------------------------------------------
Die ersten Secure-Boot-Zertifikate laufen in diesen Tagen ab. Microsoft legt noch mal Handreichungen nach, für Linux auf Azure-VMs.
---------------------------------------------
https://www.heise.de/news/Secure-Boot-Zertifikate-Ablauf-startet-weitere-Ha…
∗∗∗ The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration ∗∗∗
---------------------------------------------
We recently identified a bucket hijacking technique impacting multiple services across major cloud service providers (CSPs). The attack technique exploits a fundamental architectural flaw that is common across cloud providers and could potentially affect other cloud providers as well.
---------------------------------------------
https://unit42.paloaltonetworks.com/cloud-bucket-hijacking-risks/
∗∗∗ Detecting the Klue supply chain attack in Salesforce instances ∗∗∗
---------------------------------------------
We summarize the Klue supply chain attack and provide detection guidance for Salesforce environments monitored by Datadog Cloud SIEM.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/detecting-the-klue-supply-chain…
∗∗∗ Fake-Shops, Abo-Fallen, Phishing-Gewinnspiele: Wie Kriminelle das Fußball-Fieber nutzen ∗∗∗
---------------------------------------------
Die Weltmeisterschaft in den USA, Mexiko und Kanada ist in vollem Gange. Dass Betrüger:innen von diesem Hype profitieren möchten, überrascht nicht. Dieser Artikel zeigt, welche Strategien und Mechanismen sie für ihre Fallen nutzen.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-abofallen-fussball/
∗∗∗ Introducing Patch the Planet ∗∗∗
---------------------------------------------
What happens when you clear dozens of Trail of Bits engineers’ schedules, pair them with every open-source maintainer they can contact, and unleash the latest frontier models like GPT-5.5-Cyber on critical open-source targets? Thanks to our partnership with OpenAI and its Daybreak initiative, we can report that the impact is hundreds of discovered bugs, 64 pull requests, and 51 issues filed across 19 projects (with many more still undergoing coordinated disclosure). That was just the first week of Patch the Planet.
---------------------------------------------
https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/
=====================
= Vulnerabilities =
=====================
∗∗∗ Pixelsmash: Lücke in FFmpeg-Decoder gefährdet unzählige Systeme ∗∗∗
---------------------------------------------
Sicherheitsforscher von JFrog haben eine gefährliche Sicherheitslücke in dem weitverbreiteten freien Multimedia-Framework FFmpeg aufgedeckt. Wie die Forscher in einem Blogbeitrag schildern, können Angreifer damit zahlreiche auf FFmpeg angewiesene Softwarelösungen zum Absturz bringen. In einigen Fällen, etwa bei Jellyfin und Nextcloud, soll sogar eine Schadcodeausführung möglich sein.
---------------------------------------------
https://www.golem.de/news/pixelsmash-luecke-in-ffmpeg-decoder-gefaehrdet-un…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1079083/
∗∗∗ NCSC-2026-0209 [1.00] [M/H] Kwetsbaarheden verholpen in MongoDB Server ∗∗∗
---------------------------------------------
https://advisories.ncsc.nl/advisory?id=NCSC-2026-0209
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/