=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 30-07-2025 18:00 − Donnerstag 31-07-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install ∗∗∗
---------------------------------------------
The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug. According to Wordfence, the shortcoming relates to an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been addressed in version 7.8.5 released on June 16, 2025.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-exploit-critical-wordpress.html
∗∗∗ N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto ∗∗∗
---------------------------------------------
The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram.
---------------------------------------------
https://thehackernews.com/2025/07/n-korean-hackers-used-job-lures-cloud.html
∗∗∗ Scammers Unleash Flood of Slick Online Gaming Sites ∗∗∗
---------------------------------------------
Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here’s a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites.
---------------------------------------------
https://krebsonsecurity.com/2025/07/scammers-unleash-flood-of-slick-online-…
∗∗∗ Vorsicht vor dieser iCloud Phishing-Mail ∗∗∗
---------------------------------------------
„Letzte Mitteilung: Ihre Fotos und Videos werden gelöscht – ergreifen Sie Maßnahmen!“ Mit diesem Betreff versenden Kriminelle aktuell Phishing-Mails, die scheinbar von iCloud stammen. Unter dem Vorwand, das Speicherabonnement müsse verlängert werden, versuchen sie, an Zahlungsdaten zu gelangen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-dieser-icloud-phishing-…
∗∗∗ Patents by Silk Typhoon-linked company shed light on Beijing’s offensive hacking capabilities ∗∗∗
---------------------------------------------
SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government.
---------------------------------------------
https://therecord.media/patents-silk-typhoon-company-beijing
∗∗∗ GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities ∗∗∗
---------------------------------------------
It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed? In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks.
---------------------------------------------
https://www.greynoise.io/blog/greynoise-uncovers-early-warning-signals-emer…
∗∗∗ In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network ∗∗∗
---------------------------------------------
Hackers planted a Raspberry Pi equipped with a 4G modem in the network of an unnamed bank in an attempt to siphon money out of the financial institution's ATM system, researchers reported Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, java-21-openjdk, kernel, thunderbird, and unbound), Debian (chromium and systemd), Fedora (libtiff), Oracle (java-21-openjdk, libtpms, nodejs:22, redis:7, thunderbird, and unbound), Red Hat (firefox, redis, and thunderbird), SUSE (apache2, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, java-11-openjdk, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestf, libarchive, nvidia-open-driver-G06-signed, redis, and rmt-server), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-hwe-6.14, linux-oem-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-fips, linux-intel-iot-realtime, linux-realtime, linux-oracle, linux-oracle-6.8, linux-realtime, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1032083/
∗∗∗ Schnell installieren: Apple fixt Zero-Day-Angriff in WebKit ∗∗∗
---------------------------------------------
Apples in der Nacht zum Mittwoch erschienene Updates für iOS, iPadOS und macOS sollten dringend schnell eingespielt werden: Wie nun erst bekannt wurde, wird damit auch ein WebKit-Bug gefixt, für den es bereits einen Exploit gibt. Dieser wird allerdings bislang nur verwendet, um Chrome-Nutzer anzugreifen, wie es in der zugehörigen NIST-Meldung heißt (CVE-2025-6558). Der Fehler wird mit "Severity: High" bewertet. Verwirrend: Apple warnt in seinen Sicherheitsunterlagen nicht vor bekannten aktiven Angriffen – offenbar, weil es für den Apple-Browser Safari noch keine entsprechenden Berichte gibt.
---------------------------------------------
https://heise.de/-10505297
∗∗∗ Sicherheitsupdate: Schwachstellen gefährden HCL BigFix Remote Control ∗∗∗
---------------------------------------------
Die Endpoint-Management-Plattform HCL BigFix ist verwundbar (CVE-2025-31965 "hoch"), und Angreifer können unbefugt Daten einsehen oder mit viel Aufwand und richtigem Timing sogar auf einen privaten Schlüssel zugreifen. Die Schwachstellen finden sich konkret in HCL BigFix Remote Control. Eine abgesicherte Version steht zum Download bereit.
---------------------------------------------
https://heise.de/-10505415
∗∗∗ CVE-2025-8292 - DSA-5968-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00132.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 29-07-2025 18:00 − Mittwoch 30-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Attackers Can Use Browser Extensions to Inject AI Prompts ∗∗∗
---------------------------------------------
A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/attackers-use-browser-e…
∗∗∗ PyPI Warns of Ongoing Phishing Campaign Using Fake Verification Emails and Lookalike Domain ∗∗∗
---------------------------------------------
The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack thats targeting users in an attempt to redirect them to fake PyPI sites. The attack involves sending email messages bearing the subject line "[PyPI] Email verification" that are sent from the email address noreply(a)pypj[.]org (note that the domain is not "pypi[.]org").
---------------------------------------------
https://thehackernews.com/2025/07/pypi-warns-of-ongoing-phishing-campaign.h…
∗∗∗ 2025 Unit 42 Global Incident Response Report: Social Engineering Edition ∗∗∗
---------------------------------------------
Social engineering thrives on trust and is now boosted by AI. Unit 42 incident response data explains why its surging. We detail eight critical countermeasures.
---------------------------------------------
https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-r…
∗∗∗ Google Project Zero to publicly announce bugs within a week of reporting them ∗∗∗
---------------------------------------------
The vulnerability hunters at Google Project Zero want to address what they call the "upstream patch gap," when a vendor has a fix available but the downstream product providers havent integrated it yet.
---------------------------------------------
https://therecord.media/google-project-zero-publicly-announce-vulnerabiliti…
∗∗∗ Decryptor released for FunkSec ransomware; Avast works with law enforcement to help victims ∗∗∗
---------------------------------------------
Cybersecurity company Avast released a decryptor for the short-lived FunkSec ransomware and said it is assisting dozens of the gangs targets with the process.
---------------------------------------------
https://therecord.media/funksec-ransomware-decryptor-avast
∗∗∗ New Choicejacking Attack Steals Data from Phones via Public Chargers ∗∗∗
---------------------------------------------
Choicejacking is a new USB attack that tricks phones into sharing data at public charging stations, bypassing security prompts in milliseconds.
---------------------------------------------
https://hackread.com/choicejacking-attack-steals-data-phones-public-charger…
∗∗∗ CISA Releases Part One of Zero Trust Microsegmentation Guidance ∗∗∗
---------------------------------------------
This guidance provides a high-level overview of microsegmentation, focusing on its key concepts, associated challenges and potential benefits, and includes recommended actions to modernize network security and advance zero trust principles.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/29/cisa-releases-part-one-z…
=====================
= Vulnerabilities =
=====================
∗∗∗ New Lenovo UEFI firmware updates fix Secure Boot bypass flaws ∗∗∗
---------------------------------------------
Lenovo is warning about high-severity BIOS flaws that could allow attackers to potentially bypass Secure Boot in all-in-one desktop PC models that use customized Insyde UEFI (Unified Extensible Firmware Interface).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-lenovo-uefi-firmware-upd…
∗∗∗ Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome ∗∗∗
---------------------------------------------
Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month. The vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), is an incorrect validation of untrusted input in the browser's ANGLE and GPU components that could result in a sandbox escape via a crafted HTML page.
---------------------------------------------
https://thehackernews.com/2025/07/apple-patches-safari-vulnerability-also.h…
∗∗∗ Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices.
---------------------------------------------
https://thehackernews.com/2025/07/critical-dahua-camera-flaws-enable.html
∗∗∗ Autodesk Security Advisory 29.07.2025 ∗∗∗
---------------------------------------------
Certain Autodesk products use a shared component that is affected by multiple vulnerabilities listed below. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0015
∗∗∗ Sicherheitsupdates: Angreifer können auf Dell ECS und ObjectScale zugreifen ∗∗∗
---------------------------------------------
Angreifer können mit vergleichsweise wenig Aufwand auf Dell Elastic Cloud Storage (ECS) und ObjectScale zugreifen. Damit setzten Firmen unter anderem Cloudspeicher auf. Liegen dort wichtige Daten, können unbefugte Zugriffe weitreichende Folgen haben. Sicherheitsupdates schließen die Schwachstelle.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Angreifer-koennen-auf-Dell-ECS…
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
The Stable channel has been updated to 138.0.7204.183/.184 for Windows, Mac and 138.0.7204.183 for Linux which will roll out over the coming days/weeks. This update includes 4 security fixes.
---------------------------------------------
http://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desk…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, icu, kernel-rt, libtpms, redis:6, redis:7, and sqlite), Fedora (chromium and cloud-init), Oracle (icu, java-1.8.0-openjdk, java-21-openjdk, kernel, nodejs:22, perl, and sqlite), SUSE (docker, java-1_8_0-openj9, libxml2, python-starlette, and thunderbird), and Ubuntu (cloud-init, linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4, and perl).
---------------------------------------------
https://lwn.net/Articles/1031919/
∗∗∗ Zahnarzt Praxis-Verwaltung-System (PVS): Sicherheitslücken beim CGM Z1 – Teil 1 ∗∗∗
---------------------------------------------
Von der Firma CompuGroup Medical (CGM) wird auch ein Praxis-Verwaltungssystem (PVS) für Zahnärzte vertrieben. Das System ist laut Firmenaussage bei über 7.000 Zahnärzten im Einsatz. Eine anonym bleiben wollende Quelle informierte mich Anfang des Jahres über potentielle Sicherheitsprobleme in dieser Software. Inzwischen hat es ein Software-Update gegeben, mit dem diese Probleme ausgeräumt sein sollten. Ich fasse mal den Sachverhalt in einigen Blog-Beiträgen zusammen.
---------------------------------------------
https://www.borncity.com/blog/2025/07/30/sicherheit-beim-zahnarzt-pvs-z1/
∗∗∗ Delta Electronics DTN Soft ∗∗∗
---------------------------------------------
According to Delta Electronics, if a version of DTN Soft prior to v2.1.0 is installed, it should be updated to v2.1.0 or later. If DTM Soft is also installed, it should be updated to v1.6.0.0 (released on March 25, 2025) or later. Successful exploitation of this vulnerability could allow an attacker to use a specially crafted project file to execute arbitrary code.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-03
∗∗∗ TP-Link Archer C50 router is vulnerable to configuration-file decryption ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/554637
∗∗∗ Security update for Tenable Patch Management Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-15
∗∗∗ CISA: Security update for National Instruments LabVIEW ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-01
∗∗∗ CISA: Security update for Samsung HVAC DMS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 28-07-2025 18:00 − Dienstag 29-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test ∗∗∗
---------------------------------------------
On Friday, OpenAI's new ChatGPT Agent, which can perform multistep tasks for users, proved it can pass through one of the Internet's most common security checkpoints by clicking Cloudflare's anti-bot verification—the same checkbox that's supposed to keep automated programs like itself at bay.
---------------------------------------------
https://arstechnica.com/information-technology/2025/07/openais-chatgpt-agen…
∗∗∗ Exploit available for critical Cisco ISE bug exploited in attacks ∗∗∗
---------------------------------------------
Security researcher Bobby Gould has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-available-for-critic…
∗∗∗ Endgame Gear mouse config tool infected users with malware ∗∗∗
---------------------------------------------
Gaming peripherals maker Endgame Gear is warning that malware was hidden in its configuration tool for the OP1w 4k v2 mouse hosted on the official website between June 26 and July 9, 2025. The infected file was hosted on 'endgamegear.com/gaming-mice/op1w-4k-v2,' so users downloading the tool from that page during this period were infected.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/endgame-gear-mouse-config-to…
∗∗∗ Critical Flaw in Vibe-Coding Platform Base44 Exposed Apps ∗∗∗
---------------------------------------------
The rise of "vibe coding" platforms that enable developers to build software with minimal traditional coding could create a slew of new security risks for organizations. A recent example is a now-patched vulnerability in the Base44 AI-powered development platform that allowed unauthorized users to gain complete access to private enterprise applications hosted on the service.
---------------------------------------------
https://www.darkreading.com/application-security/critical-flaw-vibe-coding-…
∗∗∗ Parasitic Sharepoint Exploits ∗∗∗
---------------------------------------------
Last week, newly exploited SharePoint vulnerabilities took a lot of our attention. It is fair to assume that last Monday (July 21st), all exposed vulnerable SharePoint installs were exploited. Of course, there is nothing to prevent multiple exploitation of the same instance, and a lot of that certainly happened. But why exploit it yourself if you can just take advantage of backdoors left behind by prior exploits? A number of these backdoors were widely publicised. The initial backdoor "spinstall0.aspx", was frequently observed and Microsoft listed various variations of this filename [1].
---------------------------------------------
https://isc.sans.edu/diary/rss/32148
∗∗∗ Windows auf veraltete libcurl-Bibliotheken in Programmen überprüfen ∗∗∗
---------------------------------------------
Microsoft liefert die cURL-Bibliothek häufiger mit veralteten Versionen, die Sicherheitslücken aufweisen, aus. Auch Software-Pakete kommen mit uralten libcurl-Dateien daher. Wie kann ich prüfen, ob da irgendwelche Altlasten auf meinen Systemen schlummern?
---------------------------------------------
https://www.borncity.com/blog/2025/07/29/software-und-die-veralteten-libcur…
∗∗∗ Gunra Ransomware Group Unveils Efficient Linux Variant ∗∗∗
---------------------------------------------
Gunra ransomware was first observed in April 2025 in a campaign that targeted Windows systems using techniques inspired by the infamous Conti ransomware. Our monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant, signaling a strategic move toward cross-platform targeting.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/gunra-ransomware-linux-varia…
∗∗∗ SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm ∗∗∗
---------------------------------------------
Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks.
---------------------------------------------
https://hackread.com/sap-netweaver-vulnerability-auto-color-malware-us-firm/
∗∗∗ Stack Overflows, Heap Overflows, and Existential Dread (SonicWall SMA100 CVE-2025-40596, CVE-2025-40597 and CVE-2025-40598) ∗∗∗
---------------------------------------------
Our initial journey started with analyzing SonicWall N-days that were receiving coveted attention from our friendly APT groups. But somewhere along the way - deep in a fog of malformed headers and reverse proxy schenanigans - we stumbled across vulnerabilities that feel like they were preserved in amber from a more naïve era of C programming.
---------------------------------------------
https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-d…
∗∗∗ Security: CERT@VDE wird erste deutsche Schaltzentrale für Sicherheitslücken ∗∗∗
---------------------------------------------
Das Sicherheits- und Computer-Notfallteam des Elektrotechnik- und IT-Verbands VDE spielt international seit wenigen Tagen eine wichtigere Rolle. Die Branchenvereinigung teilte am Freitag mit, dass das eigene Computer Emergency Response Team CERT@VDE zur zentralen Stelle im Kampf gegen IT-Sicherheitslücken im Bereich der Industrieautomation mit Fokus auf kleine und mittlere Unternehmen aufgestiegen sei. Dessen Arbeit zur Koordination von Security-Problemen in diesem Sektor erhält damit eine weltweite Bedeutung.
---------------------------------------------
https://heise.de/-10502241
∗∗∗ Attacking GenAI applications and LLMs – Sometimes all it takes is to ask nicely! ∗∗∗
---------------------------------------------
Generative AI and LLM technologies have shown great potential in recent years, and for this reason, an increasing number of applications are starting to integrate them for multiple purposes. These applications are becoming increasingly complex, adopting approaches that involve multiple specialized agents, each focused on one or more tasks, interacting with one another and using external tools to access information, perform operations, or carry out tasks that LLMs are not capable of handling directly (e.g., mathematical computations).
---------------------------------------------
https://security.humanativaspa.it/attacking-genai-applications-and-llms-som…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2025-26397 - ZDI-25-654: SolarWinds TFTP Server Deserialization of Untrusted Data Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds TFTP Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the internal TFTP communications endpoint, which listens on the localhost interface on TCP port 8099 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-654/
∗∗∗ Jetzt patchen! Attacken auf PaperCut NG/MF beobachtet ∗∗∗
---------------------------------------------
Aufgrund derzeit laufender Angriffe sollten Admins sicherstellen, dass sie eine aktuelle Ausgabe der Druckermanagementsoftware PaperCut NG/MF installiert haben. Sind Attacken erfolgreich, können Angreifer im schlimmsten Fall Schadcode auf Systeme schieben und ausführen. Sicherheitsupdates sind schon länger verfügbar.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-PaperCut-NG-MF-beobach…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (freerdp, git-lfs, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, icu, ipa, iputils, krb5, libvpx, nodejs:22, osbuild-composer, perl, python-tornado, qt6-qtbase, sqlite, unbound, valkey, wireshark, and yggdrasil), Debian (libfastjson and php8.2), Fedora (glibc), Oracle (firefox, icu, perl, and unbound), Red Hat (389-ds-base, glib2, icu, libtpms, redis:6, redis:7, and yelp), SUSE (boost, forgejo-longterm, java-11-openj9, java-17-openj9, java-1_8_0-openj9, kernel, nginx, and salt), and Ubuntu (linux-xilinx-zynqmp, openjdk-8, openjdk-lts, poppler, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1031812/
∗∗∗ Samsung Security Updates for Smart TV, Audio and Displays ∗∗∗
---------------------------------------------
https://security.samsungtv.com/securityUpdates
∗∗∗ CVE-2025-2179 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2025-2179
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 25-07-2025 18:00 − Montag 28-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Supply-chain attacks on open source software are getting out of hand ∗∗∗
---------------------------------------------
It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users.
---------------------------------------------
https://arstechnica.com/security/2025/07/open-source-repositories-are-seein…
∗∗∗ Amazon AI coding agent hacked to inject data wiping commands ∗∗∗
---------------------------------------------
As reported by 404 Media, on July 13, a hacker using the alias ‘lkmanka58’ added unapproved code on Amazon Q’s GitHub to inject a defective wiper that wouldn’t cause any harm, but rather sent a message about AI coding security.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-ai-coding-agent-hacke…
∗∗∗ Sophisticated Shuyal Stealer Targets 19 Browsers, Demonstrates Advanced Evasion ∗∗∗
---------------------------------------------
A new infostealing malware making the rounds can exfiltrate credentials and other system data even from browsing software considered more privacy-focused than mainstream options.
---------------------------------------------
https://www.darkreading.com/endpoint-security/shuyal-stealer-targets-19-bro…
∗∗∗ French submarine secrets surface after cyber attack ∗∗∗
---------------------------------------------
European defence giant Naval Group has confirmed that it is investigating an alleged cyber attack which has seen what purports to be sensitive internal data published on the internet by hackers.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/french-submarine-secr…
∗∗∗ The Homograph Illusion: Not Everything Is As It Seems ∗∗∗
---------------------------------------------
A subtle yet dangerous email attack vector: homograph attacks. Threat actors are using visually similar, non-Latin characters to bypass security filters.
---------------------------------------------
https://unit42.paloaltonetworks.com/homograph-attacks/
∗∗∗ ToxicPanda: The Android Banking Trojan Targeting Europe ∗∗∗
---------------------------------------------
What is ToxicPanda? Bitsight Trace dives into detail on the banking malware, from impact breadth, delivery, technical analysis, and more.
---------------------------------------------
https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study
∗∗∗ EU-Satelliteninternet: UK, Norwegen und Ukraine können sich IRIS2 anschließen ∗∗∗
---------------------------------------------
EU-Raumfahrtkommissar Kubiliius hat europäische Drittstaaten eingeladen, bei dem als Starlink-Alternative gedachten Satellitennetzwerk IRIS2 voll einzusteigen.
---------------------------------------------
https://www.heise.de/news/EU-Satelliteninternet-UK-Norwegen-und-Ukraine-koe…
∗∗∗ How I hacked my washing machine ∗∗∗
---------------------------------------------
If you've known me for some amount of time you knew this was something that was bound to happen eventually. Yesterday (and technically today), me and a friend went on an endeavor to hack our washing machine, partially for the fun of it, and partially because there's actually a practical use for it.
---------------------------------------------
https://nexy.blog/2025/07/27/how-i-hacked-my-washing-machine/
∗∗∗ Protecting the Evidence in Real-Time with KQL Queries ∗∗∗
---------------------------------------------
A few weeks ago, I published a post titled Detecting Ransomware Final Stage Activities with KQL Queries where I shared different phases and detections during the last phase of a ransomware attack. Every time I read it, I realize just how broad and complex this topic truly is.
---------------------------------------------
https://detect.fyi/protecting-the-evidence-in-real-time-with-kql-queries-ac…
∗∗∗ Lionishackers: Analyzing a corporate database seller ∗∗∗
---------------------------------------------
Outpost24’s threat intelligence researchers have been analyzing a corporate database seller known as "Lionishackers". They’re a financially motivated threat actor focused on exfiltrating and selling corporate databases. This post explores how they operate, where their attacks are taking place, and the current level of threat they pose.
---------------------------------------------
https://outpost24.com/blog/lionishackers-corporate-database-seller/
=====================
= Vulnerabilities =
=====================
∗∗∗ Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks ∗∗∗
---------------------------------------------
More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-expose…
∗∗∗ Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridiums Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances.
---------------------------------------------
https://thehackernews.com/2025/07/critical-flaws-in-niagara-framework.html
∗∗∗ Support ausgelaufen: Admin-Attacke auf LG Netzwerkkamera LNV5110R möglich ∗∗∗
---------------------------------------------
Die Netzwerkkamera LNV5110R von LG Innotek sollte nicht mehr benutzt werden: Die US-Sicherheitsbehörde CISA (Cybersecurity & Infrastructure Security Agency) warnt vor einer Sicherheitslücke, für die es kein Sicherheitsupdate mehr geben wird.
---------------------------------------------
https://www.heise.de/news/Support-ausgelaufen-Admin-Attacke-auf-LG-Netzwerk…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (audiofile, libcaca, libetpan, libxml2, php7.4, snapcast, and thunderbird), Fedora (glibc, iputils, mingw-binutils, and thunderbird), Red Hat (kernel, kernel-rt, mod_auth_openidc, and mod_auth_openidc:2.3), SUSE (afterburn, apache2, atop, chromedriver, chromium, cloud-init, deepin-feature-enable, firefox, firefox-esr, grafana, grype-db, gstreamer-plugins-bad, javamail, jupyter-jupyterlab-templates, jupyter-nbdime, konsole, libetebase, libxmp, minio-client-20250721T052808Z, MozillaFirefox, MozillaFirefox-branding-SLE, opera, pdns-recursor, perl-Authen-SASL, polkit, python-Django, python3-pycares, python311-starlette, rpi-imager, ruby3.4-rubygem-thor, spdlog, thunderbird, varnish, viewvc, and xtrabackup), and Ubuntu (openjdk-21-crac).
---------------------------------------------
https://lwn.net/Articles/1031667/
∗∗∗ Sicherheitsproblem: Hartkodierte Zugangsdaten gefährden PCs mit MyASUS ∗∗∗
---------------------------------------------
Die MyASUS-App kann zum Einfallstor für Angreifer werden. Schuld sind zwei Sicherheitslücken, die aber mittlerweile geschlossen sind. Wer das Tool nicht aktualisiert, riskiert unbefugte Zugriffe auf bestimmte Services.
---------------------------------------------
https://www.heise.de/news/Sicherheitsproblem-Hartkodierte-Zugangsdaten-gefa…
∗∗∗ SyStrack LsiAgent.exe contains an improper DLL search order, allowing an attacker to execute arbitrary code and priv esc ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/335798
∗∗∗ Mehrere Stored Cross-Site Scripting Schwachstellen im Optimizely Episerver Content Management System ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-stored-cross-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 24-07-2025 18:00 − Freitag 25-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hacker sneaks infostealer malware into early access Steam game ∗∗∗
---------------------------------------------
A threat actor called EncryptHub has compromised a game on Steam to distribute info-stealing malware to unsuspecting users downloading the title. A few days ago, the hacker (also tracked as Larva-208), injected malicious binaries into the Chemia game files hosted on Steam.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-sneaks-infostealer-ma…
∗∗∗ New Koske Linux malware hides in cute panda images ∗∗∗
---------------------------------------------
A new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory. Researchers from cybersecurity company AquaSec analyzed Koske and described it as "a sophhisticated Linux threat." Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-koske-linux-malware-hide…
∗∗∗ CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/07/castleloader-malware-infects-469.html
∗∗∗ Phishers Target Aviation Execs to Scam Customers ∗∗∗
---------------------------------------------
KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.
---------------------------------------------
https://krebsonsecurity.com/2025/07/phishers-target-aviation-execs-to-scam-…
∗∗∗ From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944 ∗∗∗
---------------------------------------------
In mid 2025, Google Threat Intelligence Group (GITG) identified a sophisticated and aggressive cyber campaign targeting multiple industries, including retail, airline, and insurance. This was the work of UNC3944, a financially motivated threat group that has exhibited overlaps with public reporting of "0ktapus," "Octo Tempest," and "Scattered Spider." Following public alerts from the Federal Bureau of Investigation (FBI), the group's targeting became clear. GTIG observed that the group was suspected of turning its ransomware and extortion operations to the U.S. retail sector. The campaign soon broadened further, with airline and transportation organizations in North America having also become targets.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (git, kernel, nginx:1.24, and sudo), Fedora (dpkg, java-21-openjdk, java-25-openjdk, java-latest-openjdk, and valkey), Oracle (apache-commons-vfs, sudo, tigervnc, and xorg-x11-server), Red Hat (kernel, krb5, and openssh), SUSE (gnutls, ImageMagick, iputils, kernel-livepatch-MICRO-6-0-RT_Update_10, kubernetes1.18, libarchive, ovmf, python, and salt), and Ubuntu (iputils, linux-aws-6.14, linux-raspi, openjdk-21, and openjdk-24).
---------------------------------------------
https://lwn.net/Articles/1031426/
∗∗∗ Angriffe gegen Citrix Netscaler CVE-2025-6543 ∗∗∗
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/7/angriffe-gegen-citrix-netscaler-cve…
∗∗∗ CVE-2025-38350 - ZDI-25-651: (Pwn2Own) Red Hat Enterprise Linux CBS Packet Scheduling Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-651/
∗∗∗ Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/24/cisa-releases-six-indust…
∗∗∗ Medtronic MyCareLink Patient Monitor ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 23-07-2025 18:00 − Donnerstag 24-07-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Microsoft: SharePoint servers also targeted in ransomware attacks ∗∗∗
---------------------------------------------
A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-servers…
∗∗∗ Hackers breach Toptal GitHub account, publish malicious npm packages ∗∗∗
---------------------------------------------
Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. The packages included data-stealing code that collected GitHub authentication tokens and then wiped the victims' systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-breach-toptal-github…
∗∗∗ Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware ∗∗∗
---------------------------------------------
The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners.
---------------------------------------------
https://thehackernews.com/2025/07/threat-actor-mimo-targets-magento-and.html
∗∗∗ Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-deploy-stealth-backdoor-in.html
∗∗∗ China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community ∗∗∗
---------------------------------------------
The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.
---------------------------------------------
https://thehackernews.com/2025/07/china-based-apts-deploy-fake-dalai-lama.h…
∗∗∗ Stealthy cyber spies linked to China compromising virtualization software globally ∗∗∗
---------------------------------------------
A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia.
---------------------------------------------
https://therecord.media/stealthy-china-spies-fire-ant-virtualization-softwa…
∗∗∗ Unmasking the new Chaos RaaS group attacks ∗∗∗
---------------------------------------------
Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.
---------------------------------------------
https://blog.talosintelligence.com/new-chaos-ransomware/
∗∗∗ Comeback von Lumma und NoName057(16): Cybercrime-Zerschlagung misslungen ∗∗∗
---------------------------------------------
Gelingt Strafverfolgungsbehörden ein größerer Schlag gegen Akteure und Infrastrukturen des Cybercrime, so ist der Rückgang der verbrecherischen Aktivitäten selten von Dauer: Nach ein paar internen Umbauten setzen sie ihre Angriffe häufig fort, als sei (fast) nichts geschehen.
---------------------------------------------
https://heise.de/-10498191
∗∗∗ Mitel warns of critical MiVoice MX-ONE authentication bypass flaw ∗∗∗
---------------------------------------------
Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mitel-warns-of-critical-mivo…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall urges admins to patch critical RCE flaw in SMA 100 devices ∗∗∗
---------------------------------------------
SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution. The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack).
---------------------------------------------
https://lwn.net/Articles/1031274/
∗∗∗ K000152680: BusyBox vulnerability CVE-2024-58251 ∗∗∗
---------------------------------------------
Attackers can launch network applications as local users leading to a denial-of-service (DoS). As attackers require local access to run netstat commands, the attack is limited to only the netstat command.
---------------------------------------------
https://my.f5.com/manage/s/article/K000152680
∗∗∗ K000152678: BusyBox vulnerability CVE-2025-46394 ∗∗∗
---------------------------------------------
An attacker could exploit this vulnerability by creating a TAR archive containing malicious files with names manipulated by escape sequences. When a user lists or extracts the contents of the archives, these malicious files might not be visible in the standard terminal output and may overwrite existing files.
---------------------------------------------
https://my.f5.com/manage/s/article/K000152678
∗∗∗ DSA-5964-1 firefox-esr - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00128.html
∗∗∗ DSA-5965-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00129.html
∗∗∗ CVE-2025-6983 - TP-Link Archer C1200 vulnerable to clickjacking ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN39913189/
∗∗∗ CVE-2025-8092 - COOKiES Consent Management - Moderately critical - Cross-site Scripting ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-092
∗∗∗ CVE-2025-7745 - 2025-07-24: Cyber Security Advisory -AC500 V2 Buffer overread on Modbus protocol ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011432&Language…
∗∗∗ CVE-2025-8069 - AWS Client VPN Windows Client Local Privilege Escalation ∗∗∗
---------------------------------------------
https://aws.amazon.com/de/security/security-bulletins/AWS-2025-014/
∗∗∗ CVE-2024-58256 - Security Advisory - OS Command Injection Vulnerability in Huawei EnzoH Products ∗∗∗
---------------------------------------------
http:www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-OCIViHEP-en.html
∗∗∗ [R1] Tenable Identity Exposure Version 3.77.12 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-14
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 22-07-2025 18:00 − Mittwoch 23-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Major European healthcare network discloses security breach ∗∗∗
---------------------------------------------
AMEOS Group, an operator of a massive healthcare network in Central Europe, has announced it has suffered a security breach that may have exposed customer, employee, and partner information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/major-european-healthcare-ne…
∗∗∗ CISA warns of hackers exploiting SysAid vulnerabilities in attacks ∗∗∗
---------------------------------------------
CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi…
∗∗∗ US nuclear weapons agency reportedly hacked in SharePoint attacks ∗∗∗
---------------------------------------------
Unknown threat actors have reportedly breached the National Nuclear Security Administrations (NNSA) network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-re…
∗∗∗ Mehr als 700 Modelle: Unzählige Drucker werden über Sicherheitslücken attackiert ∗∗∗
---------------------------------------------
Hunderte Druckermodelle von Brother, Fujifilm, Konica Minolta, Ricoh und Toshiba sind angreifbar. Angreifer nutzen die Sicherheitslücken nun aus.
---------------------------------------------
https://www.golem.de/news/mehr-als-700-modelle-unzaehlige-drucker-werden-ue…
∗∗∗ CCC und GFF: Verfassungsbeschwerde gegen Polizeisoftware von Palantir ∗∗∗
---------------------------------------------
Die bayerische Polizei ist begeistert von der Palantir-Software. Doch Bürgerrechtlern und Hackern geht der Einsatz zu weit.
---------------------------------------------
https://www.golem.de/news/ccc-und-gff-verfassungsbeschwerde-gegen-polizeiso…
∗∗∗ Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages ∗∗∗
---------------------------------------------
Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers" Matthew Suozzo, Google Open Source Security.
---------------------------------------------
https://thehackernews.com/2025/07/google-launches-oss-rebuild-to-expose.html
∗∗∗ Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.
---------------------------------------------
https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html
∗∗∗ New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials ∗∗∗
---------------------------------------------
The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information.
---------------------------------------------
https://thehackernews.com/2025/07/new-coyote-malware-variant-exploits.html
∗∗∗ Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine ∗∗∗
---------------------------------------------
Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations.
---------------------------------------------
https://hackread.com/suspected-xss-is-admin-cybercrime-forum-arrest-ukraine/
∗∗∗ Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload ∗∗∗
---------------------------------------------
Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404.
---------------------------------------------
https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fa…
∗∗∗ Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs ∗∗∗
---------------------------------------------
A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects. The vulnerability, classified as "Use of Insufficiently Random Values" affects multiple versions of the package and can lead to HTTP Parameter Pollution (HPP) attacks.
---------------------------------------------
https://socket.dev/blog/critical-vulnerability-in-popular-npm-form-data-pac…
=====================
= Vulnerabilities =
=====================
∗∗∗ Chrome, Firefox & Thunderbird: Neue Versionen beheben Schwachstellen ∗∗∗
---------------------------------------------
Frische Browser- und Mailclient-Releases von Google und Mozilla beseitigen Lücken mit teils hohem Schweregrad.
---------------------------------------------
https://www.heise.de/news/Chrome-Firefox-Thunderbird-Neue-Versionen-beheben…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound).
---------------------------------------------
https://lwn.net/Articles/1031104/
∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released nine Industrial Control Systems (ICS) advisories on July 22, 2025: DuraComm DP-10iN-100-MU, Lantronix Provisioning Manager, Schneider Electric EcoStruxure, Schneider Electric EcoStruxure Power Operation, Schneider Electric System Monitor Application, Schneider Electric EcoStruxture IT Data Center Expert, ICSA-25-175-03 Schneider Electric Modicon Controllers (Update A), ICSA-25-175-04 Schneider Electric EVLink WallBox (Update A), ICSA-25-014-02 Schneider Electric Vijeo Designer (Update A).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-releases-nine-indus…
∗∗∗ [CVE-2025-48932] Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability ∗∗∗
---------------------------------------------
https://www.reddit.com/r/netsec/comments/1m757kw/cve202548932_invision_comm…
∗∗∗ [CVE-2025-48933] Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://www.reddit.com/r/netsec/comments/1m7578r/cve202548933_invision_comm…
∗∗∗ ZDI-25-629: (0Day) Ashlar-Vellum Cobalt LI File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-629/
∗∗∗ ZDI-25-640: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-640/
∗∗∗ ZDI-25-639: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-639/
∗∗∗ ZDI-25-638: (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-638/
∗∗∗ Firefox 141.0 released ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1030971/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 21-07-2025 18:00 − Dienstag 22-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ring denies breach after users report suspicious logins ∗∗∗
---------------------------------------------
Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ring-denies-breach-after-use…
∗∗∗ Cisco: Maximum-severity ISE RCE flaws now exploited in attacks ∗∗∗
---------------------------------------------
Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-r…
∗∗∗ Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX.
---------------------------------------------
https://thehackernews.com/2025/07/iran-linked-dchspy-android-malware.html
∗∗∗ Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access ∗∗∗
---------------------------------------------
The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-exploit-sharepoint-zero-day.html
∗∗∗ Disrupting active exploitation of on-premises SharePoint vulnerabilities ∗∗∗
---------------------------------------------
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-…
∗∗∗ Back to Business: Lumma Stealer Returns with Stealthier Methods ∗∗∗
---------------------------------------------
Lumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears to be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Updates for Firefox ∗∗∗
---------------------------------------------
Firefox released Security Updates for Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1 and Firefox for iOS 141.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ ExpressVPN bug leaked user IPs in Remote Desktop sessions ∗∗∗
---------------------------------------------
ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users real IP addresses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-i…
∗∗∗ HPE Aruba Instant On Access Points: Update schließt teils kritische Lücken ∗∗∗
---------------------------------------------
HPE Aruba Networking hat eine Sicherheitswarnung für seine "Instant On" Access Points veröffentlicht. Das Unternehmen warnt darin vor zwei Schwachstellen, von denen eine als kritisch eingestuft wurde.
---------------------------------------------
https://www.heise.de/news/HPE-Aruba-Instant-On-Access-Points-Update-schlies…
∗∗∗ Sophos Firewall: Hotfixes beseitigen Remote-Angriffsgefahr ∗∗∗
---------------------------------------------
Frische Hotfixes für die Sophos Firewall schließen insgesamt fünf Sicherheitslücken, von denen zwei als "kritisch", zwei mit einem hohen und eine mit mittlerem Schweregrad bewertet wurden. Sie könnten unter bestimmten Bedingungen zur Codeausführung aus der Ferne missbraucht werden – in zwei Fällen ohne vorherige Authentifizierung.
---------------------------------------------
https://www.heise.de/news/Sophos-Firewall-Hotfixes-beseitigen-Remote-Angrif…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri).
---------------------------------------------
https://lwn.net/Articles/1030930/
∗∗∗ Synology-SA-25:08 BeeDrive for desktop ∗∗∗
---------------------------------------------
Synology has released a security update for the BeeDrive desktop tool on Windows to address multiple vulnerabilities. Please refer to the Affected Products table for the corresponding updates.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_08
∗∗∗ Vulnerability Summary for the Week of July 14, 2025 ∗∗∗
---------------------------------------------
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb25-202
∗∗∗ Vulnerability in Kubernetes: CVE-2025-7342, CVSS Rating High 8.1 ∗∗∗
---------------------------------------------
A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Nutanix or the OVA provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/133115
∗∗∗ VDE: MB connect line, Multiple vulnerabilities in mbNET.mini ∗∗∗
---------------------------------------------
https://certvde.com/en/advisories/VDE-2025-058/
∗∗∗ VDE: Helmholz, Multiple vulnerabilities in REX 100 ∗∗∗
---------------------------------------------
https://certvde.com/en/advisories/VDE-2025-059/
∗∗∗ TYPO3-EXT-SA-2025-010: Insecure Direct Object Reference in extension "femanager" (femanager) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-010
∗∗∗ TYPO3-EXT-SA-2025-009: Insecure Direct Object Reference in extension "powermail" (powermail) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-009
∗∗∗ F5: K000152658, Golang vulnerability CVE-2024-45341 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152658
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 18-07-2025 18:00 − Montag 21-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Threat actors downgrade FIDO2 MFA auth in PoisonSeed phishing attack ∗∗∗
---------------------------------------------
A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests from fake company portals.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido…
∗∗∗ The SOC files: APT41’s new target in Africa ∗∗∗
---------------------------------------------
Some time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African region. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a captive SharePoint server within the victim’s infrastructure.
---------------------------------------------
https://securelist.com/apt41-in-africa/116986/
∗∗∗ UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns ∗∗∗
---------------------------------------------
Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign.
---------------------------------------------
https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html
∗∗∗ Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.
---------------------------------------------
https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html
∗∗∗ EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware ∗∗∗
---------------------------------------------
The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware.
---------------------------------------------
https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html
∗∗∗ Neue Betrugsmasche mit manipulierten Rechnungen ∗∗∗
---------------------------------------------
Mir ist eine merkwürdige Information zu einer neuen Betrugsmasche zugegangen. Ein Verkäufer und ein Käufer vereinbaren einen Handel. Der Verkäufer schickt eine Rechnung, die der Käufer auch bezahlt. Das Geld landet aber auf einem fremden Konto, weil die Rechnung auf dem Versandweg manipuliert wurde.
---------------------------------------------
https://www.borncity.com/blog/2025/07/19/neue-betrugsmasche-mit-manipuliert…
∗∗∗ SquidLoader Malware Campaign Hits Hong Kong Financial Firms ∗∗∗
---------------------------------------------
Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia.
---------------------------------------------
https://hackread.com/squidloader-malware-hits-hong-kong-financial-firms/
∗∗∗ New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia ∗∗∗
---------------------------------------------
Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration.
---------------------------------------------
https://hackread.com/new-ghostcontainer-malware-ms-exchange-servers-asia/
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücke in Microsoft SharePoint - aktiv ausgenützt, Updates verfügbar ∗∗∗
---------------------------------------------
Microsoft hat außerhalb des regulären Patchzyklus Informationen zu, sowie Sicherheitsaktualisierungen für eine kritische Zero-Day-Schwachstelle in Microsoft SharePoint veröffentlicht. Die Sicherheitslücke CVE-2025-53770 wird seit zumindest 18.07.2025 durch Bedrohungsakteure ausgenutzt. Bei der Lücke handelt es sich um eine Variante eines bereits bekannten und behobenen Problems, CVE-2025-49706.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-in-micro…
∗∗∗ CrushFTP: Ältere Versionen können unbefugten Admin-Zugriff gewähren ∗∗∗
---------------------------------------------
CVE-2025-54309: Wer CrushFTP für den Datentransfer nutzt, sollte die verwendete Version auf Aktualität prüfen. Das Entwicklerteam hat am vergangenen Freitag Angriffe in freier Wildbahn auf ältere Ausgaben entdeckt, die schlimmstenfalls zu einer Übernahme des Admin-Accounts durch Angreifer führen könnten.
---------------------------------------------
https://www.heise.de/news/CrushFTP-Aeltere-Versionen-koennen-unbefugten-Adm…
∗∗∗ Admin-Zugriff für alle: Fest kodierte Zugangsdaten in HPE-Geräten entdeckt ∗∗∗
---------------------------------------------
Der US-amerikanische IT-Konzern Hewlett Packard Enterprise (HPE) hat zwei Sicherheitslücken in seinen Instant-On-Access-Points geschlossen. Eine davon basiert auf fest kodierten Zugangsdaten und verleiht Angreifern auf anfälligen Systemen einen Admin-Zugriff. Die zweite Lücke ermöglicht eine unrechtmäßige Befehlsausführung auf dem Betriebssystem der HPE-Geräte. Administratoren sollten dringend die verfügbaren Patches einspielen.
---------------------------------------------
https://www.golem.de/news/admin-zugriff-fuer-alle-fest-kodierte-zugangsdate…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (angular.js and batik), Fedora (chromium, pypy, screen, unbound, wine, and wine-mono), Mageia (djvulibre, quictls, and redis), Red Hat (avahi, gnome-remote-desktop, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-openjdk, kernel, kernel-rt, python-setuptools, redis, and valkey), SUSE (chromedriver, coreutils, cosign, docker, FastCGI, ffmpeg-4, fractal, gimp, glib2, ImageMagick, iputils, java-17-openjdk, java-24-openjdk, jq, kubelogin, kubernetes1.23, kubernetes1.24, kubernetes1.26, python-requests, python3, rmt-server, rustup, and thunderbird), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/1030774/
∗∗∗ Customer guidance for SharePoint vulnerability CVE-2025-53770 ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vu…
∗∗∗ Malicious packages uploaded to the Arch Linux AUR ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1030603/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 17-07-2025 18:00 − Freitag 18-07-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ GitHub abused to distribute payloads on behalf of malware-as-a-service ∗∗∗
---------------------------------------------
Researchers from Cisco’s Talos security team have uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets. The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that’s greenlit in many enterprise networks that rely on the code repository for the software they develop.
---------------------------------------------
https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-…
∗∗∗ Microsoft Teams voice calls abused to push Matanbuchus malware ∗∗∗
---------------------------------------------
The Matanbuchus malware loader has been seen being distributed through social engineering over Microsoft Teams calls impersonating IT helpdesk.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-…
∗∗∗ New Phobos ransomware decryptor lets victims recover files for free ∗∗∗
---------------------------------------------
The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryp…
∗∗∗ Unmasking Malicious APKs: Android Malware Blending Click Fraud and Credential Theft ∗∗∗
---------------------------------------------
Malicious APKs (Android Package Kit files) continue to serve as one of the most persistent and adaptable delivery mechanisms in mobile threat campaigns. Threat actors routinely exploit social engineering and off-market distribution to bypass conventional security controls and capitalize on user trust to steal a variety of data, such as log in credentials.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-m…
∗∗∗ WordPress Redirect Malware Hidden in Google Tag Manager Code ∗∗∗
---------------------------------------------
Last month, a customer contacted us after noticing their WordPress website was unexpectedly redirecting to a spam domain. The redirection occurred approximately 4-5 seconds after a user landed on the site. Upon closer inspection of the site’s source code we found a suspicious Google Tag Manager loading. This isn’t the first time we’ve seen GTM abused. Earlier this year, we analyzed a credit card skimming attack where attackers injected a payment skimmer via a GTM container. This blog post details our full investigation into this campaign, how it was injected, how it worked, and how we removed it.
---------------------------------------------
https://blog.sucuri.net/2025/07/wordpress-redirect-malware-hidden-in-google…
∗∗∗ LLMs in Applications – Understanding and Scoping Attack Surface ∗∗∗
---------------------------------------------
In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications.
---------------------------------------------
https://blog.includesecurity.com/2025/07/llms-in-applications-understanding…
∗∗∗ Scanception Exposed: New QR Code Attack Campaign Exploits Unmonitored Mobile Access ∗∗∗
---------------------------------------------
Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems. Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate PDF documents.
---------------------------------------------
https://thecyberexpress.com/scanception-qr-code-quishing-campaign/
=====================
= Vulnerabilities =
=====================
∗∗∗ Keycloak identity and access management system CVE-2025-7784 ∗∗∗
---------------------------------------------
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement.
---------------------------------------------
https://access.redhat.com/security/cve/CVE-2025-7784
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails).
---------------------------------------------
https://lwn.net/Articles/1030479/
∗∗∗ Trend Micro Worry Free Business 10.0 SP 1 – Patch 2518 veröffentlicht ∗∗∗
---------------------------------------------
Der Sicherheitsanbieter Trend Micro hat zum 15.7.2025 Trend Micro Worry Free Business (WFBS) 10.0 SP 1 – Patch 2518 veröffentlicht. Der Patch enthält diverse Sicherheitsfixes und soll auch verschiedene Bugs beheben. So wird OpenSSL 3.0.15 im Apache-Webserver aktualisiert, um die Produktsicherheit zu verbessern.
---------------------------------------------
https://www.borncity.com/blog/2025/07/18/trend-micro-worry-free-business-10…
∗∗∗ K000152614: Apache Commons vulnerability CVE-2025-48976 ∗∗∗
---------------------------------------------
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
---------------------------------------------
https://my.f5.com/manage/s/article/K000152614
∗∗∗ NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266) ∗∗∗
---------------------------------------------
New critical vulnerability with 9.0 CVSS presents systemic risk to the AI ecosystem, carries widespread implications for AI infrastructure.
---------------------------------------------
https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape
∗∗∗ SOLIDWORKS eDrawings: Use After Free vulnerability CVE-2025-7042 ∗∗∗
---------------------------------------------
https://www.3ds.com/trust-center/security/security-advisories/cve-2025-7042
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily