=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-08-2025 18:00 − Thursday 21-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iPhone, iPad and Mac: Actively exploited security vulnerability endangers Apple users ∗∗∗
---------------------------------------------
Emergency updates close an actively exploited security vulnerability in iOS, iPadOS and macOS. Users should patch urgently.
---------------------------------------------
https://www.golem.de/news/iphone-ipad-und-mac-aktiv-ausgenutzte-sicherheits…
∗∗∗ Airtell Router Scans, and Mislabeled usernames ∗∗∗
---------------------------------------------
Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The result ..
---------------------------------------------
https://isc.sans.edu/forums/diary/Airtell+Router+Scans+and+Mislabeled+usern…
∗∗∗ New tricks with QR codes ∗∗∗
---------------------------------------------
Criminals like to use QR codes as a vehicle for smuggling hyperlinks past security systems and onto their victims. Their ingenuity is considerable.
---------------------------------------------
https://www.heise.de/news/Neue-Tricks-mit-QR-Codes-10559942.html
∗∗∗ Docker Desktop: Critical security vulnerability allows host access ∗∗∗
---------------------------------------------
In Docker Desktop, malicious containers can reach through to the host system; the protective measures do not take effect. An update helps.
---------------------------------------------
https://www.heise.de/news/Docker-Desktop-Kritische-Sicherheitsluecke-erlaub…
∗∗∗ Modern Solution: Convicted IT expert files constitutional complaint ∗∗∗
---------------------------------------------
The verdict against a security researcher convicted under the German "hacker paragraph" is final. The convicted researcher is now taking the case to Karlsruhe.
---------------------------------------------
https://www.heise.de/news/Modern-Solution-Verurteilter-IT-Experte-reicht-Ve…
∗∗∗ SIM-Swapper, Scattered Spider Hacker Gets 10 Years ∗∗∗
---------------------------------------------
A 21-year-old Florida man at the center of a prolific cybercrime group known as "Scattered Spider" was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims. Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban ..
---------------------------------------------
https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-get…
∗∗∗ Beware, phishing trap: FinanzOnline does not want to collect information about crypto holdings! ∗∗∗
---------------------------------------------
Citing a new "tax regulation for cryptocurrencies", "FinanzOnline" is currently, supposedly, requesting by e-mail the submission of comprehensive information about crypto assets. Of course, it is not the real tax portal making contact. Rather, criminals are using this scheme to try to get hold of the login credentials for their victims' crypto wallets.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-falle-finanzonline-krypto/
∗∗∗ Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth ∗∗∗
---------------------------------------------
A campaign leverages CVE-2024-36401 to stealthily monetize victims' bandwidth where legitimate software development kits (SDKs) are deployed for passive income.
---------------------------------------------
https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdk…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-08-2025 18:00 − Wednesday 20-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ PyPI now blocks domain resurrection attacks used for hijacking accounts ∗∗∗
---------------------------------------------
The Python Package Index (PyPI) has introduced new protections against domain resurrection attacks that enable hijacking accounts through password resets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pypi-now-blocks-domain-resur…
∗∗∗ Hackers steal Microsoft logins using legitimate ADFS redirects ∗∗∗
---------------------------------------------
Hackers are using a novel technique that combines legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 logins.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-microsoft-logi…
∗∗∗ Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts ∗∗∗
---------------------------------------------
Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a ..
---------------------------------------------
https://thehackernews.com/2025/08/experts-find-ai-browsers-can-be-tricked.h…
∗∗∗ Like burglars closing a door, Apache ActiveMQ attackers patch critical vuln after breaking in ∗∗∗
---------------------------------------------
Intruders hoped no one would notice their presence. Criminals exploiting a critical vulnerability in open source Apache ActiveMQ middleware are fixing the flaw that allowed them access, after establishing persistence on Linux servers.
---------------------------------------------
https://www.theregister.com/2025/08/19/apache_activemq_patch_malware/
∗∗∗ Commvault: High-risk vulnerability enables injection of malicious code ∗∗∗
---------------------------------------------
In the Commvault backup software, attackers can abuse security vulnerabilities to, for example, inject malicious code. Updates are available.
---------------------------------------------
https://www.heise.de/news/Commvault-Hochriskante-Luecke-ermoeglicht-Einschl…
∗∗∗ Infoniqa IT incident: Cyber gang claims to have copied extensive data ∗∗∗
---------------------------------------------
Last week an IT incident at HR software provider Infoniqa became known. Now a cyber gang claims to have copied data.
---------------------------------------------
https://www.heise.de/news/Infoniqa-IT-Vorfall-Cyberbande-will-umfangreich-D…
∗∗∗ Stolen legal notices and working links: Beware of particularly sophisticated fake shops! ∗∗∗
---------------------------------------------
The more effort criminals put into imitating an online shop, the harder it is to recognise the fraud. In a current case they not only use real legal-notice (Impressum) data but additionally link from their fake shops to the real website and to the company's real social media profiles. How the trap can nevertheless be recognised relatively easily.
---------------------------------------------
https://www.watchlist-internet.at/news/besonders-ausgekluegelte-fake-shops/
∗∗∗ Major Belgian telecom firm says cyberattack compromised data on 850,000 accounts ∗∗∗
---------------------------------------------
The company said no critical data was accessed, but the hacker "gained access to one of our IT systems that contains the following data: name, first name, telephone number, SIM card number, PUK code, tariff plan.”
---------------------------------------------
https://therecord.media/belgian-telecom-says-cyberattack-compromised-data-o…
∗∗∗ Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet ∗∗∗
---------------------------------------------
A 22-year-old Oregon man has been charged with running a powerful botnet-for-hire service used to launch hundreds of thousands of cyberattacks worldwide, the U.S. Justice Department said.
---------------------------------------------
https://therecord.media/feds-charge-botnet-admin
∗∗∗ Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices ∗∗∗
---------------------------------------------
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.
---------------------------------------------
https://blog.talosintelligence.com/static-tundra/
∗∗∗ Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware ∗∗∗
---------------------------------------------
Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal credentials, move laterally, and deploy ransomware with data exfiltration across enterprise environments.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html
∗∗∗ A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor ∗∗∗
---------------------------------------------
Straight from Mandiant Threat Defense, the "Frontline Bulletin" series brings you the latest on the most intriguing compromises we are seeing in the wild right now, equipping our community to understand and respond to the most compelling threats we observe. This edition dissects an infection involving two threat groups, UNC5518 and UNC5774, leading to the deployment of ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflak…
∗∗∗ Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault ∗∗∗
---------------------------------------------
We’re back, and we’ve finished telling everyone that our name was on the back of Phrack!!!!1111 Whatever, nerds. Today, we're back to scheduled content. Like our friendly neighbourhood ransomware gangs and APT groups, we've continued to spend ..
---------------------------------------------
https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same…
∗∗∗ Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers ∗∗∗
---------------------------------------------
At DEF CON 33, Czech Republic-based security researcher Marek Tóth unveiled a series of unpatched zero-day clickjacking security vulnerabilities impacting the browser-based plugins for a wide range of password managers including: 1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, and ..
---------------------------------------------
https://socket.dev/blog/password-manager-clickjacking
∗∗∗ Marshal madness: A brief history of Ruby deserialization exploits ∗∗∗
---------------------------------------------
This post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches.
---------------------------------------------
https://blog.trailofbits.com/2025/08/20/marshal-madness-a-brief-history-of-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (firefox and libarchive), Red Hat (python3.11-setuptools and python3.12-setuptools), Slackware (mozilla), SUSE (apache2-mod_security2, cairo-devel, cflow, docker, glibc, go1.25, govulncheck-vulndb, gstreamer-0_10-plugins-base, jq, kernel, libarchive, libssh, libxslt, openbao, python-urllib3, systemd, and xz), and Ubuntu (apache2, libssh, libxml2, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, ..
---------------------------------------------
https://lwn.net/Articles/1034546/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-08-2025 18:00 − Tuesday 19-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ In multiple web portals: Numerous hard-coded credentials discovered at Intel ∗∗∗
---------------------------------------------
A researcher has found serious security vulnerabilities in Intel web portals. In some cases, passwords were present client-side in the code.
---------------------------------------------
https://www.golem.de/news/in-mehreren-webportalen-reihenweise-fest-kodierte…
∗∗∗ GodRAT – New RAT targeting financial institutions ∗∗∗
---------------------------------------------
Kaspersky experts analyze GodRAT, a new Gh0st RAT-based tool attacking financial firms. It is likely a successor of the AwesomePuppet RAT connected to the Winnti group.
---------------------------------------------
https://securelist.com/godrat/117119/
∗∗∗ The State of Ransomware in Retail 2025 ∗∗∗
---------------------------------------------
361 IT and cybersecurity leaders reveal the ransomware realities for retail businesses today.
---------------------------------------------
https://news.sophos.com/en-us/2025/08/19/the-state-of-ransomware-in-retail-…
∗∗∗ 493 Cases of Sextortion Against Children Linked to Notorious Scam Compounds ∗∗∗
---------------------------------------------
Scam compounds in Cambodia, Myanmar, and Laos have conned people out of billions. New research shows they may be linked to child sextortion crimes too.
---------------------------------------------
https://www.wired.com/story/child-sextorition-scam-compounds-southeast-asia/
∗∗∗ Morocco drags German newspapers before the BGH over spyware reports ∗∗∗
---------------------------------------------
Morocco is suspected of having used the Pegasus spyware against lawyers, journalists and politicians. German media reported on it; Morocco is angry.
---------------------------------------------
https://www.heise.de/news/Marokko-zieht-gegen-deutsche-Spyware-Berichtersta…
∗∗∗ Attacks on N-able N-central are under way, more than 1000 systems unpatched ∗∗∗
---------------------------------------------
More than a thousand instances of the RMM N-able N-central are still vulnerable to critical flaws. These are already being attacked.
---------------------------------------------
https://www.heise.de/news/Angriffe-auf-N-able-N-central-laufen-mehr-als-100…
∗∗∗ Get 10,000,000 Robux for free? Beware, fake offer! ∗∗∗
---------------------------------------------
The online gaming platform "Roblox" is particularly popular with children and teenagers, and is basically free. To unlock certain features and content, however, an in-game currency called "Robux" is needed. And that, in turn, is only available for real money. Criminals therefore try to lure users into the trap with the promise of free "Robux".
---------------------------------------------
https://www.watchlist-internet.at/news/robux-fake-angebot/
∗∗∗ Fashionable Phishing Bait: GenAI on the Hook ∗∗∗
---------------------------------------------
GenAI-created phishing campaigns misuse tools ranging from website builders to text generators in order to create more convincing and scalable attacks.
---------------------------------------------
https://unit42.paloaltonetworks.com/genai-phishing-bait/
∗∗∗ Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app: Microsoft ∗∗∗
---------------------------------------------
Hackers are disguising a powerful strain of malware as a ChatGPT desktop application in preparation for ransomware attacks, Microsoft said.
---------------------------------------------
https://therecord.media/ransomware-gang-masking-pipemagic-backdoor
∗∗∗ UK ‘agrees to drop’ demand over Apple iCloud encryption, US intelligence head claims ∗∗∗
---------------------------------------------
The United Kingdom is backing down from a controversial legal demand targeting Apple, U.S. Director of National Intelligence Tulsi Gabbard claimed on social media.
---------------------------------------------
https://therecord.media/uk-agrees-drop-apple-encryption
∗∗∗ Trend Micro Unmasks Global "Task Scam" Industry ∗∗∗
---------------------------------------------
Trend Micro today released new research revealing the mechanics and scale of a rapidly growing fraud model known as "task scams": sophisticated online job scams that lure victims into repetitive digital tasks and systematically strip them of funds through escalating deposit demands.
---------------------------------------------
https://newsroom.trendmicro.com/2025-08-19-Trend-Micro-Unmasks-Global-Task-…
∗∗∗ Fake Copyright Notices Drop New Noodlophile Stealer Variant ∗∗∗
---------------------------------------------
Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links ..
---------------------------------------------
https://hackread.com/phishing-scam-fake-copyright-notice-noodlophile-steale…
∗∗∗ How Indirect Prompt Injections Exploit Context, Format, and Salience ∗∗∗
---------------------------------------------
A breakdown of indirect prompt injection attacks using real-world cases (emails, code comments, diagrams). Introduces the CFS model (Context, Format, Salience) to explain what makes some payloads more likely to succeed.
---------------------------------------------
https://www.fogel.dev/prompt_injection_cfs_framework
∗∗∗ Trivial C# Random Exploitation ∗∗∗
---------------------------------------------
Exploiting random number generators requires math, right? Thanks to C#’s Random, that is not necessarily the case! I ran into an HTTP 2.0 web service issuing password reset tokens from a custom encoding of (new Random()).Next(min, max) output. This led to a critical account takeover. Exploitation did not require scripting, math or libraries. Just several clicks in Burp. While I ..
---------------------------------------------
https://blog.doyensec.com/2025/08/19/trivial-exploit-on-C-random.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Vulnerabilities fixed in Firefox 142 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-64/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 14-08-2025 18:00 − Monday 18-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Patch now! Attacks on Fortinet IT security solutions may be imminent ∗∗∗
---------------------------------------------
Fortinet's developers closed both vulnerabilities (FortiSIEM CVE-2025-25256 "critical", FortiWeb CVE-2025-52970 "high") on the last patch day. Shortly afterwards they warned that exploit code for the FortiSIEM flaw is in circulation.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Fortinet-IT-Sicherheit…
∗∗∗ Should Security Solutions Be Secure? Maybe We're All Wrong - Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256) ∗∗∗
---------------------------------------------
Today we’re looking at CVE-2025-25256 - a pre-authentication command injection in FortiSIEM that lets an attacker compromise an organization’s SIEM (!!!). [..] It’s the kind of “one platform to rule your SOC” solution that we believe (suspect, hope, imagine, guess, pray) might feel impressively safety-first. Except, obviously, this time it didn't because the bar remains so incredibly low.
---------------------------------------------
https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-a…
∗∗∗ Fake prize draw for Wiener Linien annual pass in circulation ∗∗∗
---------------------------------------------
Fake postings are currently circulating on Facebook that advertise, in the name of Wiener Linien, a prize draw for a half-year pass. On participating, it is suggested that one has automatically won. Beware: this is a fraud attempt aimed at obtaining bank details!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-wiener…
∗∗∗ Improvement of only 1.7 percent: Phishing training almost always ineffective ∗∗∗
---------------------------------------------
A large study at a US healthcare company shows that common phishing training hardly reduces the risk, no matter how intensive or interactive it is.
---------------------------------------------
https://www.heise.de/news/Verbesserung-von-nur-1-7-Prozent-Phishing-Trainin…
∗∗∗ MadeYouReset: New DDoS attack technique paralyses web servers ∗∗∗
---------------------------------------------
Researchers have discovered a new security vulnerability affecting many common HTTP/2 implementations. Servers can be overloaded with little effort. [..] Several widely used HTTP/2 server implementations such as Netty, Apache Tomcat, H2O, SwiftNIO and F5 BIG-IP are considered vulnerable. Further affected implementations and any vendor responses can be found in an advisory from Carnegie Mellon University's CERT Coordination Center.
---------------------------------------------
https://www.golem.de/news/madeyoureset-neue-ddos-angriffstechnik-legt-webse…
∗∗∗ Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824 ∗∗∗
---------------------------------------------
We examine the evolution of the PipeMagic backdoor and the TTPs of its operators – from the RansomExx incident in 2022 to attacks in Brazil and Saudi Arabia, and the exploitation of CVE-2025-29824 in 2025.
---------------------------------------------
https://securelist.com/pipemagic/117270/
∗∗∗ How Researchers Collect Indicators of Compromise ∗∗∗
---------------------------------------------
Today, we'll demonstrate a simple workflow showing how researchers use various tools to collect indicators of compromise (IOCs) and develop appropriate signatures from detonated malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/how-researc…
∗∗∗ ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure ∗∗∗
---------------------------------------------
"The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report.
---------------------------------------------
https://thehackernews.com/2025/08/ermac-v30-banking-trojan-source-code.html
∗∗∗ Mobile Phishers Target Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme ∗∗∗
---------------------------------------------
Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.
---------------------------------------------
https://krebsonsecurity.com/2025/08/mobile-phishers-target-brokerage-accoun…
∗∗∗ Scammers turn to ‘ghost-tapping’ retail fraud to launder funds ∗∗∗
---------------------------------------------
In a report released Thursday, researchers at Recorded Future’s Insikt Group detailed what they call “ghost-tapping” — when stolen payment card details are uploaded onto a burner phone and used in-person to purchase goods.
---------------------------------------------
https://therecord.media/scammers-ghost-tapping-retail-fraud-launder-cash
∗∗∗ Cyberattack on Dutch prosecution service is keeping speed cameras offline ∗∗∗
---------------------------------------------
Who knew zero-days could be so useful to highway speedsters? The lingering effects of a cyberattack on the Public Prosecution Service of the Netherlands are preventing it from reactivating speed cameras across the country.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/15/cyberattack_…
∗∗∗ AI-supported cyberattacks: Experts observe increasing use of LLMs ∗∗∗
---------------------------------------------
Security researchers are currently seeing an increase in AI-assisted attacks and thus a turning point in the cyber arms race. [..] Ukrainian authorities and several cybersecurity companies first detected the malware in July. [..] With the increasing use of AI agents, experts see a new risk for the future.
---------------------------------------------
https://www.heise.de/news/KI-gestuetzte-Cyberangriffe-Experten-beobachten-z…
∗∗∗ Terraform Cloud token abuse turns speculative plan into remote code execution ∗∗∗
---------------------------------------------
Platforms like Terraform are great for making cloud management easier, but that same convenience can work in an attacker’s favour. Increasingly, we’re seeing Terraform used as a pivot point, letting attackers sidestep the usual security roadblocks of MFA and conditional access via token abuse, which remains one of the weaker links in the chain.
---------------------------------------------
https://www.pentestpartners.com/security-blog/terraform-token-abuse-specula…
∗∗∗ libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden ∗∗∗
---------------------------------------------
The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support.
---------------------------------------------
https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-rep…
∗∗∗ Technical Analysis of SAP Exploit Script (Visual Composer “Metadata Uploader” Exploit)… ∗∗∗
---------------------------------------------
This script targets a critical zero-day vulnerability (now identified as CVE-2025–31324) in SAP NetWeaver’s Visual Composer Metadata Uploader component. The vulnerability is a missing authorization check on the HTTP endpoint /developmentserver/metadatauploader, allowing unauthenticated file uploads to the server’s filesystem. [..] The blog contains further pseudo code for detection and examples for another way to exploit the vulnerability.
---------------------------------------------
https://detect.fyi/technical-analysis-of-sap-exploit-script-visual-composer…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and webkit2gtk3), Debian (aide and postgresql-13), Fedora (libtiff, mupdf, and pandoc), SUSE (cairo, chromium, gstreamer-plugins-base, ImageMagick, iputils, kubernetes1.23, kubernetes1.26, matrix-synapse, Mesa, pgadmin4, python3, qemu, and rz-pm), and Ubuntu (aide).
---------------------------------------------
https://lwn.net/Articles/1033901/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (go-toolset:rhel8, kernel, and kernel-rt), Fedora (chromium), Oracle (libxml2), Red Hat (go-toolset:rhel8, golang, kernel, kernel-rt, openjpeg2, rsync, and tigervnc), and SUSE (apache-commons-lang3, chromedriver, fractal, framework_tool, go1.23-openssl, go1.24-openssl, grub2, gstreamer-devtools, gstreamer-plugins-rs, jasper, libavif, lighttpd, nginx, podman, postgresql13, postgresql14, postgresql15, postgresql16, python311-pypdf, ruby2.5, rust-keylime, tiff, tomcat, tomcat10, and tomcat11).
---------------------------------------------
https://lwn.net/Articles/1034267/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 13-08-2025 18:00 − Thursday 14-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Spike in Fortinet VPN brute-force attacks raises zero-day concerns ∗∗∗
---------------------------------------------
A massive spike in brute-force attacks targeted Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager, marked a deliberate shift in targeting that has historically preceded new vulnerability disclosures.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spike-in-fortinet-vpn-brute-…
∗∗∗ New downgrade attack can bypass FIDO auth in Microsoft Entra ID ∗∗∗
---------------------------------------------
Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-byp…
∗∗∗ When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub’s Expanding Arsenal ∗∗∗
---------------------------------------------
Trustwave SpiderLabs researchers have recently identified an EncryptHub campaign that combines social engineering with abuse of the Brave Support platform to deliver malicious payloads via the CVE-2025-26633 vulnerability. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-hacker…
∗∗∗ A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode ∗∗∗
---------------------------------------------
The motivation behind writing this post is that we want to provide the kind of resource that we would've liked to have seen more of when starting our own careers in malware research.
---------------------------------------------
https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Info…
∗∗∗ Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks ∗∗∗
---------------------------------------------
Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/h/crypto24-ransomware-stealth-…
=====================
= Vulnerabilities =
=====================
∗∗∗ N-central 2025.3.1 ∗∗∗
---------------------------------------------
This release includes a critical security fix for CVE-2025-8875 and CVE-2025-8876. These vulnerabilities require authentication to exploit.
---------------------------------------------
https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, python3.11-setuptools, thunderbird, and toolbox), Debian (chromium), Fedora (open62541 and perl-Authen-SASL), Oracle (git, kernel, konsole, and webkit2gtk3), SUSE (framework-inputmodule-control and poppler), and Ubuntu (apache2, mysql-8.0, mysql-8.4, node-qs, request-tracker5, and ruby-sidekiq).
---------------------------------------------
https://lwn.net/Articles/1033737/
∗∗∗ Rockwell Automation Security Advisories 14.08.2025 ∗∗∗
---------------------------------------------
Rockwell Automation has released 6 new security advisories (3x Critical, 3x High).
---------------------------------------------
https://www.rockwellautomation.com/en-us/trust-center/security-advisories.h…
∗∗∗ Security patches: Attackers can plant malicious code on GitLab servers ∗∗∗
---------------------------------------------
The GitLab developers have closed a total of twelve security vulnerabilities. Attackers can compromise systems. [..] In a security advisory, those responsible assure that GitLab.com has already been secured. They recommend that admins of on-premise instances install the fixed releases 18.0.6, 18.1.4 or 18.2.2 promptly. There is no information yet on whether attacks are already underway.
---------------------------------------------
https://heise.de/-10523017
∗∗∗ Nvidia patches security vulnerabilities in AI software ∗∗∗
---------------------------------------------
The developers have found security vulnerabilities in various Nvidia AI software. Some of them pose a high risk. [..] The affected Nvidia projects are Apex, Isaac-GR00T, Megatron LM, Merlin Transformers4Rec, NeMo Framework and WebDataset.
---------------------------------------------
https://heise.de/-10524310
∗∗∗ Foxit PDF Reader: Crafted PDFs can smuggle malicious code onto PCs ∗∗∗
---------------------------------------------
Security updates for Foxit PDF Reader and Editor close several security vulnerabilities. [..] In the worst case, malicious code can reach systems and fully compromise them. This can happen, for example, via PDFs prepared with JavaScript (e.g. CVE-2025-55313, "high"). However, it must be assumed that victims have to cooperate and open such a file before an attack can be initiated.
---------------------------------------------
https://heise.de/-10524778
∗∗∗ Drupal: Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-097
∗∗∗ Drupal: Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-096
∗∗∗ ABB: 2025-08-12: Cyber Security Advisory - ABB Ability™ zenon Remote Transport Vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA002743&Language…
∗∗∗ ABB: 2025-08-11: Cyber Security Advisory - ELSB/BLBA ASPECT advisory several CVEs ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A4462&Lan…
∗∗∗ TYPO3-PSA-2025-001: Sanitization bypass in SVG Sanitizer ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-psa-2025-001
∗∗∗ Siemens: SSA-395458 V1.0: Account Hijacking Vulnerability in Mendix SAML Module ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-395458.html
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 4, 2025 to August 10, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/08/wordfence-intelligence-weekly-wordpr…
∗∗∗ Bosch: Vulnerabilities in ctrlX OS - Setup ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-129652.html
∗∗∗ Bosch: Denial of Service on Rexroth Fieldbus Couplers ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-757244.html
∗∗∗ Kubernetes: CVE-2025-5187 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/133471
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-08-2025 18:00 − Wednesday 13-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Docker Hub still hosts dozens of Linux images with the XZ backdoor ∗∗∗
---------------------------------------------
The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/docker-hub-still-hosts-dozen…
∗∗∗ New trends in phishing and scams: how AI and social media are changing the game ∗∗∗
---------------------------------------------
Common tactics in phishing and scams in 2025: learn about the use of AI and deepfakes, phishing via Telegram, Google Translate and Blob URLs, biometric data theft, and more.
---------------------------------------------
https://securelist.com/new-phishing-and-scam-trends-in-2025/117217/
∗∗∗ Money back after crypto fraud? Beware of recovery scams! ∗∗∗
---------------------------------------------
What worked once can work again. Criminals count on this and contact the people they have harmed in the past through crypto or investment fraud. They pose as an agency, authority, etc. that can help recover the lost money.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-recovery-scam/
∗∗∗ The MedusaLocker ransomware gang is hiring penetration testers ∗∗∗
---------------------------------------------
MedusaLocker, the ransomware-as-a-service group that has been active since 2019, is openly recruiting penetration testers to help it compromise more businesses.
---------------------------------------------
https://www.fortra.com/blog/medusalocker-ransomware-gang-hiring-penetration…
∗∗∗ Malvertising campaign leads to PS1Bot, a multi-stage malware framework ∗∗∗
---------------------------------------------
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”
---------------------------------------------
https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
∗∗∗ Microsoft Patch Day August 2025: Security assessments from Tenable ∗∗∗
---------------------------------------------
On 12 August 2025, Microsoft released security updates for the products still in support as part of Patch Day and closed vulnerabilities. [..] In the meantime, I have received an assessment from Tenable regarding the impact of the vulnerabilities, which I am simply posting here on the blog for information.
---------------------------------------------
https://www.borncity.com/blog/2025/08/13/microsoft-patchday-august-2025-sic…
=====================
= Vulnerabilities =
=====================
∗∗∗ Exchange Server security updates August 2025 ∗∗∗
---------------------------------------------
On 12 August 2025, Microsoft released the "August 2025" security update for Exchange Server. The security update applies to Exchange Server 2016, Exchange Server 2019 and, for the first time, Exchange Server Subscription Edition (SE).
---------------------------------------------
https://www.borncity.com/blog/2025/08/12/exchange-server-sicherheitsupdates…
∗∗∗ Microsoft Security Update Summary (12 August 2025) ∗∗∗
---------------------------------------------
On 12 August 2025, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates fix 107 vulnerabilities (CVEs), one of which was classified as a 0-day and was publicly known.
---------------------------------------------
https://www.borncity.com/blog/2025/08/12/microsoft-security-update-summary-…
∗∗∗ Attack via websites: Critical graphics vulnerabilities endanger Windows users ∗∗∗
---------------------------------------------
While CVE-2025-50165 only affects Windows 11 24H2 and Windows Server 2025, the number of vulnerable systems is considerably higher in the case of CVE-2025-53766. [..] According to the report, both can be exploited over the network and require no prior authentication or user interaction. According to Microsoft, the attack complexity is low in each case.
---------------------------------------------
https://www.golem.de/news/angriff-ueber-websites-kritische-grafik-schwachst…
∗∗∗ AMD and Intel patch numerous security vulnerabilities ∗∗∗
---------------------------------------------
In August, AMD and Intel released updates that close numerous security vulnerabilities in VGA and network drivers as well as in processors.
---------------------------------------------
https://heise.de/-10520732
∗∗∗ Patch day: Several Fortinet products are vulnerable ∗∗∗
---------------------------------------------
According to a security advisory, the most dangerous is a "critical" vulnerability (CVE-2025-25256) in the IT security solution FortiSIEM. Here, attackers can use crafted CLI requests without authentication to execute malicious code. [..] As a security researcher writes in a post, attackers can bypass the authentication of FortiWeb firewalls.
---------------------------------------------
https://heise.de/-10519770
∗∗∗ Zoom: Windows clients allow attacks from the network ∗∗∗
---------------------------------------------
Zoom reports two security vulnerabilities in its Windows clients. They allow attackers from the network to escalate their privileges without prior login. [..] However, Zoom does not provide details on what attacks might look like.
---------------------------------------------
https://heise.de/-10520206
∗∗∗ Adobe Patch Tuesday Fixes Over 60 Vulnerabilities Across 13 Products ∗∗∗
---------------------------------------------
Adobe has issued a new set of security patches addressing more than 60 vulnerabilities across 13 of its widely used software products. This update, part of the company’s routine Adobe Patch Tuesday cycle, includes critical fixes for applications ranging from Adobe Commerce and Illustrator to its Substance 3D suite.
---------------------------------------------
https://thecyberexpress.com/adobe-security-update-2/
∗∗∗ VU#767506: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames ∗∗∗
---------------------------------------------
Overview: A vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. [..] Various vendors have provided patches and statements to address the vulnerability. Please review their statements below.
---------------------------------------------
https://kb.cert.org/vuls/id/767506
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2, kernel, linux-6.1, openjdk-17, and pgpool2), Fedora (glib2, matrix-synapse, openjpeg, python3-docs, and python3.13), Oracle (gdk-pixbuf2, glibc, java-1.8.0-openjdk, kernel, libxml2, python-requests, python3.11-setuptools, and thunderbird), SUSE (amber-cli, apache-commons-lang3, eclipse-jgit, go1.23, go1.24, govulncheck-vulndb, grub2, icinga2, kubernetes1.23, libgcrypt, python3, python313, sccache, slurm, tiff, and webkit2gtk3), and Ubuntu (linux-oracle).
---------------------------------------------
https://lwn.net/Articles/1033588/
∗∗∗ Palo Alto Networks Security Advisories 2025-08-13 ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/
∗∗∗ f5: K000152635: Quarterly Security Notification (August 2025) ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152635
∗∗∗ Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-02
∗∗∗ Santesoft Sante PACS Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-224-01
∗∗∗ AVEVA PI Integrator ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-04
∗∗∗ Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-01
∗∗∗ Schneider Electric EcoStruxure Power Monitoring Expert ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-03
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-08-2025 18:00 − Tuesday 12-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs ∗∗∗
---------------------------------------------
The Netherlands National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach "critical organizations" in the country.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler…
∗∗∗ Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug ∗∗∗
---------------------------------------------
Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-3-000-netscaler-devices…
∗∗∗ Scam hunter scammed by tax office impersonators ∗∗∗
---------------------------------------------
Scam hunter Julie-Anne Kearns, who helps scam victims online, opened up about a tax scam she fell for herself.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/08/scam-hunter-scammed-by-tax-o…
∗∗∗ Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe ∗∗∗
---------------------------------------------
A new report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with a new backdoor called MucorAgent. Learn how they’re using advanced tactics to steal data.
---------------------------------------------
https://hackread.com/russian-curly-comrades-mucoragent-malware-europe/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (Multiple CVEs) ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Connect Secure which address medium, high, and critical vulnerabilities. At the time of disclosure, there have been no reports of customers being exploited by these vulnerabilities.
---------------------------------------------
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect…
∗∗∗ August Security Advisory Ivanti Virtual Application Delivery Controller (vADC previously vTM) (CVE-2025-8310) ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Virtual Application Delivery Controller (vADC), previously Virtual Traffic Manager (vTM), which address one medium severity vulnerability. Successful exploitation could lead to account takeover. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability.
---------------------------------------------
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Virtual…
∗∗∗ 40,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in UiCore Elements WordPress Plugin ∗∗∗
---------------------------------------------
On June 13th, 2025, we received a submission for an Arbitrary File Read vulnerability in UiCore Elements, a WordPress plugin with more than 40,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on the server, which can contain sensitive information. During the disclosure process, our investigation revealed that the vulnerability leveraged an underlying issue in Elementor’s import functionality.
---------------------------------------------
https://www.wordfence.com/blog/2025/08/40000-wordpress-sites-affected-by-ar…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and python-requests), Debian (ca-certificates-java), Fedora (chromium, clash-meta, mingw-python3, openjpeg, php-adodb, and toolbox), Mageia (kernel and kernel-linus), SUSE (chromium, ImageMagick, libgcrypt, libssh, libxml2, opensc, postgresql14, and postgresql16), and Ubuntu (dnsmasq, linux-gcp-6.8, linux-raspi, linux-oracle-6.14, and openjdk-17).
---------------------------------------------
https://lwn.net/Articles/1033445/
∗∗∗ Vtenext 25.02: A three-way path to RCE ∗∗∗
---------------------------------------------
Multiple vulnerabilities in vtenext 25.02 and prior versions allow unauthenticated attackers to bypass authentication through three separate vectors, ultimately leading to remote code execution on the underlying server.
---------------------------------------------
https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/
∗∗∗ OMSA-2025-0004: Omnissa Workspace ONE UEM addresses multiple vulnerabilities (CVE-2025-25229, CVE-2025-25231) ∗∗∗
---------------------------------------------
https://www.omnissa.com/omsa-2025-0004/
∗∗∗ OMSA-2025-0003: Omnissa Secure Email Gateway (SEG) updates address Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-25235) ∗∗∗
---------------------------------------------
https://www.omnissa.com/omsa-2025-0003/
∗∗∗ Matrix protocol vulnerabilities fixed in room version 12 ∗∗∗
---------------------------------------------
https://matrix.org/blog/2025/08/security-release/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-08-2025 18:00 − Monday 11-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ WinRAR zero-day flaw exploited by RomCom hackers in phishing attacks ∗∗∗
---------------------------------------------
A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware. [..] The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploit…
∗∗∗ Command Injection in Jenkins via Git Parameter (CVE-2025-53652) ∗∗∗
---------------------------------------------
On July 9, Jenkins disclosed CVE-2025-53652 (aka SECURITY-34191), one of 31 plugin vulnerabilities announced that day. [..] was disclosed as medium severity, but it enables command injection via the Jenkins Git Parameter plugin. [..] Around 15,000 Jenkins servers appear to allow unauthenticated access, making RCE viable in the wild. [..] The patch can be disabled, so detection remains important even after upgrading.
---------------------------------------------
https://www.vulncheck.com/blog/git-parameter-rce
∗∗∗ EU law to protect journalists from spyware takes effect ∗∗∗
---------------------------------------------
Critics from press freedom groups say member states have not taken steps to give the law any teeth.
---------------------------------------------
https://therecord.media/eu-law-to-protect-journalists-from-spyware-takes-ef…
∗∗∗ Security vulnerabilities: Hacker cracks car via manufacturer's web portal ∗∗∗
---------------------------------------------
Not only was he able to remotely locate, unlock and start countless other people's cars, he could also query the owner data at will. [..] Zveare presented his findings last Sunday at Def Con in Las Vegas. According to the report, he was able to create a "national administrator account" in the dealer portal in question, which gave him extensive access that is "reserved for only a few selected corporate users" and enabled "a variety of fun exploits".
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-hacker-knackt-auto-ueber-webpo…
∗∗∗ Espionage: Smoke detectors turned into listening bugs ∗∗∗
---------------------------------------------
Two young security researchers have uncovered security vulnerabilities in Halo 3C smart smoke detectors at Def Con in Las Vegas. [..] The manufacturer of the Halo 3C detectors goes by the name IPVideo and, according to its website, has been part of Motorola Solutions since 2023. According to the Wired report, the company has already provided a firmware update to close the vulnerabilities discovered by Garcia and his colleague. Cloud-connected devices are expected to receive the update automatically.
---------------------------------------------
https://www.golem.de/news/spionage-smarte-rauchwarnmelder-in-abhoerwanzen-v…
∗∗∗ Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered multiple security flaws in Dell's ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware. [..] Attackers can chain the vulnerabilities, which were presented at the Black Hat USA security conference, to escalate their privileges after initial access, bypass authentication controls, and maintain persistence on compromised systems that survives operating system updates or reinstallations.
---------------------------------------------
https://thehackernews.com/2025/08/researchers-reveal-revault-attack.html
∗∗∗ DEF CON hackers plug security holes in US water systems amid tsunami of threats ∗∗∗
---------------------------------------------
A DEF CON hacker walks into a small-town water facility … no, this is not the setup for a joke or a (super-geeky) odd-couple rom-com. It's a true story that happened at five utilities across four states.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/10/def_con_hack…
∗∗∗ libarchive: Security vulnerability turns out to be critical ∗∗∗
---------------------------------------------
The open-source compression library libarchive has a security vulnerability that was initially classified as only low risk. [..] Tobias Stöckmann originally reported the vulnerability to the libarchive project, together with a proof-of-concept exploit, on 10 May of this year. On 20 May, the developers released libarchive version 3.8.0. The public vulnerability report followed on 9 June, also on GitHub. There the CVE number CVE-2025-5914 was also assigned, but initially with a CVSS severity of 3.9, risk "low", as Red Hat classified the vulnerability.
---------------------------------------------
https://www.heise.de/news/libarchive-Sicherheitsluecke-entpuppt-sich-als-kr…
∗∗∗ Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild ∗∗∗
---------------------------------------------
CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings.
---------------------------------------------
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
∗∗∗ BadCam Attack Turns Trusted Linux Webcams into Stealthy USB Weapons ∗∗∗
---------------------------------------------
A new class of USB-based attacks has come to light. [..] Attackers can now exploit vulnerabilities in commonly used USB webcams running embedded Linux, transforming them into BadUSB devices capable of injecting keystrokes and executing covert operations independently of the host operating system.
---------------------------------------------
https://thecyberexpress.com/badcam-linux-webcam/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Debian (distro-info-data, gnutls28, modsecurity-crs, and node-tmp), Fedora (chromium, incus, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, varnish, and xen), Red Hat (kernel, kernel-rt, and rhc), and SUSE (chromedriver, ffmpeg-4, go1.23, go1.24, go1.25, govulncheck-vulndb, himmelblau, iperf, keylime-ima-policy, net-tools, sqlite3, texmaker, tomcat, and zabbix).
---------------------------------------------
https://lwn.net/Articles/1033328/
∗∗∗ SQUID-2025:1 Buffer Overflow in URN Handling ∗∗∗
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3
∗∗∗ Xerox® FreeFlow® Core v8.0.5 ∗∗∗
---------------------------------------------
https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Se…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-08-2025 18:00 − Friday 08-08-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New EDR killer tool used by eight different ransomware groups ∗∗∗
---------------------------------------------
A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, has been observed in attacks by eight different ransomware gangs. Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-edr-killer-tool-used-by-…
∗∗∗ Why blow up satellites when you can just hack them? ∗∗∗
---------------------------------------------
Four countries have now tested anti-satellite missiles (the US, China, Russia, and India), but it's much easier and cheaper just to hack them. In a briefing at the Black Hat conference in Las Vegas, Milenko Starcik and Andrzej Olchawa from German biz VisionSpace Technologies demonstrated how easy it is by exploiting software vulnerabilities in the software used in the satellites themselves, as well as the ground stations that control them.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/07/balck_hat_sa…
∗∗∗ US confirms takedown of BlackSuit ransomware gang that racked up $370 million in ransoms ∗∗∗
---------------------------------------------
U.S. law enforcement agencies provided new details on an operation that dismantled critical infrastructure used by the BlackSuit ransomware gang after the organization’s leak site was replaced with a takedown banner nearly two weeks ago. The group — which rebranded from its Royal name after a devastating 2023 attack that shut down the city of Dallas — successfully attacked more than 450 entities in the U.S. Since emerging in 2022, the gang secured more than $370 million in ransom payments, according to U.S. investigators.
---------------------------------------------
https://therecord.media/us-confirms-blacksuit-takedown
∗∗∗ Abusing Ubuntu 24.04 features for root privilege escalation ∗∗∗
---------------------------------------------
With the recent release of Ubuntu 24.04, we at Snyk Security Labs thought it would be interesting to examine the latest version of this Linux distribution to see if we could find any interesting privilege escalation vulnerabilities. In this post, we have seen that it only takes the leveraging of one small vulnerability, combined with a number of features, to achieve a chain of exploitation resulting in a full privilege escalation. Even where security controls are in place preventing the direct exploitation of a small vulnerability it may still be possible to finesse limited exploitation potential into a much greater impact.
---------------------------------------------
https://labs.snyk.io/resources/abusing-ubuntu-root-privilege-escalation/
∗∗∗ Oops Safari, I think You Spilled Something ∗∗∗
---------------------------------------------
In February 2023, researchers at Exodus Intelligence discovered a bug in the Data Flow Graph (DFG) compiler of WebKit, the browser engine used by Safari. This bug, CVE-2024-44308, was patched by Apple in November 2024. While it was alive, its exploit was chained with PAC and APRR bypasses on Apple Silicon to yield renderer remote code execution capabilities on macOS and iOS. Such capabilities, and many others including LPEs and RCEs on Windows and Linux, are available to Exodus’ customers.
---------------------------------------------
https://blog.exodusintel.com/2025/08/04/oops-safari-i-think-you-spilled-som…
∗∗∗ 60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign ∗∗∗
---------------------------------------------
Socket’s Threat Research Team has uncovered a long-running supply chain attack in the RubyGems ecosystem. Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver. These gems deliver their advertised functionality, such as bulk posting or engagement, but covertly exfiltrate credentials (usernames and passwords) to threat actor-controlled infrastructure, which classifies them as infostealer malware.
---------------------------------------------
https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gdk-pixbuf2, glibc, kernel, kernel-rt, libxml2, and opentelemetry-collector), Fedora (firefox, mingw-opencv, moby-engine, varnish, webkitgtk, xen, and yarnpkg), Oracle (firefox, gdk-pixbuf2, glibc, kernel, libblockdev, libxml2, python-requests, python3.12-setuptools, and qt5-qt3d), Red Hat (libxml2, pcs, and sudo), and SUSE (agama, chromium, dpkg, ghostscript, iperf, kubo, libIex-3_3-32, libpoppler-cpp2, libsoup, libtiff-devel-32bit, nginx, python-urllib3, ruby2.5, tgt, traefik, and traefik2).
---------------------------------------------
https://lwn.net/Articles/1033009/
∗∗∗ CISA Issues ED 25-02: Mitigate Microsoft Exchange Vulnerability ∗∗∗
---------------------------------------------
Today, CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE-2025-53786, a vulnerability in Microsoft Exchange server hybrid deployments. ED 25-02 directs all Federal Civilian Executive Branch (FCEB) agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9:00 AM EDT on Monday, August 11, 2025. This vulnerability presents significant risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet implemented the April 2025 patch guidance.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-issues-ed-25-02-mit…
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-releases-ten-indust…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-08-2025 18:00 − Thursday 07-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations ∗∗∗
---------------------------------------------
A new post-exploitation command-and-control (C2) evasion method called Ghost Calls abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ghost-calls-tactic-abuse…
∗∗∗ Wave of 150 crypto-draining extensions hits Firefox add-on store ∗∗∗
---------------------------------------------
A malicious campaign dubbed GreedyBear has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-…
∗∗∗ Critical Zero-Day Bugs Crack Open CyberArk, HashiCorp Password Vaults ∗∗∗
---------------------------------------------
Secrets managers hold all the keys to an enterprise's kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/critical-zero-day-bugs…
∗∗∗ Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft ∗∗∗
---------------------------------------------
Cybersecurity researchers have demonstrated an "end-to-end privilege escalation chain" in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment.
---------------------------------------------
https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html
∗∗∗ How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes ∗∗∗
---------------------------------------------
SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before it's used in a SQL query. So why does this well-understood vulnerability type continue to exist?
---------------------------------------------
https://www.wordfence.com/blog/2025/08/how-to-find-sql-injection-vulnerabil…
∗∗∗ New Promptware Attack Hijacks User’s Gemini AI Via Google Calendar Invite ∗∗∗
---------------------------------------------
Cybersecurity researchers demonstrate a new attack on Google Gemini AI for Workspace. Discover how a simple calendar invite can be used to perform phishing, steal emails, and even control home appliances.
---------------------------------------------
https://hackread.com/promptware-attack-hijack-gemini-ai-google-calendar-inv…
∗∗∗ Unveiling a New Variant of the DarkCloud Campaign ∗∗∗
---------------------------------------------
In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis.
---------------------------------------------
https://feeds.fortinet.com/~/922857380/0/fortinet/blogs~Unveiling-a-New-Var…
∗∗∗ HTTP/1.1 must die: the desync endgame ∗∗∗
---------------------------------------------
Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This paper introduces several novel classes of HTTP desync attack capable of mass compromise of user credentials.
---------------------------------------------
https://portswigger.net/research/http1-must-die
∗∗∗ Malicious npm Packages Target WhatsApp Developers with Remote Kill Switch ∗∗∗
---------------------------------------------
Two npm packages masquerading as WhatsApp developer libraries include a kill switch that deletes all files if the phone number isn’t whitelisted.
---------------------------------------------
https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-w…
=====================
= Vulnerabilities =
=====================
∗∗∗ 6,500 Axis Servers Expose Remoting Protocol, 4,000 in U.S. Vulnerable to Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks.
---------------------------------------------
https://thehackernews.com/2025/08/6500-axis-servers-expose-remoting.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (glibc, kernel, libxml2, python-requests, and python-setuptools), Debian (chromium), Fedora (chromium, firefox, gdk-pixbuf2, iputils, libsoup3, libssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, and poppler), Gentoo (Composer and Spreadsheet-ParseExcel), Oracle (glibc, kernel, libxml2, python-setuptools, sqlite, and virt:rhel and virt-devel:rhel), Red Hat (libxml2), SUSE (grub2, libarchive, libgcrypt, and python311), and Ubuntu (cifs-utils and poppler).
---------------------------------------------
https://lwn.net/Articles/1032861/
∗∗∗ Increased threat activity against SonicWall Gen 7 firewalls with SSLVPN - immediate measures recommended ∗∗∗
---------------------------------------------
Update: 7 August 2025: Added technical indicators for a forensic investigation of possibly affected devices, as well as information on the allegedly relevant vulnerability.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s…
∗∗∗ Security vulnerabilities: Attackers can crash IBM Tivoli Monitoring ∗∗∗
---------------------------------------------
IBM's IT management software Tivoli Monitoring is vulnerable, and attackers can exploit two security vulnerabilities. An update that closes the vulnerabilities is available for download.
---------------------------------------------
https://heise.de/-10513072
∗∗∗ EG4 Electronics EG4 Inverters ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07
∗∗∗ Dreame Technology iOS and Android Mobile Applications ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06
∗∗∗ Packet Power EMX and EG ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-05
∗∗∗ Rockwell Automation Arena ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-04
∗∗∗ Burk Technology ARC Solo ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-03
∗∗∗ Johnson Controls FX80 and FX90 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-02
∗∗∗ Delta Electronics DIAView ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-01