=====================
= End-of-Day report =
=====================
Timeframe: Monday 29-09-2025 18:00 - Tuesday 30-09-2025 18:00
Handler: n/a
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Ransomware gang sought BBC reporter’s help in hacking media giant ∗∗∗
---------------------------------------------
Threat actors claiming to represent the Medusa ransomware gang tempted a BBC correspondent to become an insider threat by offering a significant amount of money.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-sought-bbc-r…
∗∗∗ AI-Powered Voice Cloning Raises Vishing Risks ∗∗∗
---------------------------------------------
A researcher-developed framework could enable attackers to conduct real-time conversations using simulated audio to compromise organizations and extract sensitive information.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/ai-voice-cloning-vis…
∗∗∗ Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google's Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft.
---------------------------------------------
https://thehackernews.com/2025/09/researchers-disclose-google-gemini-ai.html
∗∗∗ Google’s Latest AI Ransomware Defense Only Goes So Far ∗∗∗
---------------------------------------------
Google has launched a new AI-based protection in Drive for desktop that can shut down an attack before it spreads—but its benefits have their limits.
---------------------------------------------
https://www.wired.com/story/googles-latest-ai-ransomware-defense-only-goes-…
∗∗∗ On GitHub: Numerous fakes of well-known Mac apps in circulation ∗∗∗
---------------------------------------------
In an apparently concerted campaign, scammers are trying to distribute fake apps to Mac users. What the goal is remains unclear.
---------------------------------------------
https://www.heise.de/news/Auf-GitHub-Zahlreiche-Fakes-bekannter-Mac-Apps-ku…
∗∗∗ Beware of landline spoofing: Criminals use (partly) real phone numbers! ∗∗∗
---------------------------------------------
Anyone currently receiving calls from supposed bank advisers should be especially suspicious and careful! Criminals are increasingly succeeding in using real, existing service landline numbers as cover for their scams. The goal of the "spoofing" is access to the victim's account.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsich-festnetz-spoofing/
∗∗∗ Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite ∗∗∗
---------------------------------------------
Phantom Taurus is a previously undocumented Chinese threat group. Explore how this group's distinctive toolset led to uncovering its existence.
---------------------------------------------
https://unit42.paloaltonetworks.com/phantom-taurus/
∗∗∗ XiebroC2 Identified in MS-SQL Server Attack Cases ∗∗∗
---------------------------------------------
AhnLab Security Intelligence Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and recently confirmed a case involving the use of XiebroC2. XiebroC2 is an open-source C2 framework that supports various features such as information collection, remote control, and defense evasion, similar to Cobalt Strike.
---------------------------------------------
https://asec.ahnlab.com/en/90369/
∗∗∗ Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations ∗∗∗
---------------------------------------------
Protecting software-as-a-service (SaaS) platforms and applications requires a comprehensive security strategy. Drawing from analysis of UNC6040’s specific attack methodologies, this guide presents a structured defensive framework encompassing proactive hardening measures, comprehensive logging protocols, and advanced detection capabilities.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-…
∗∗∗ When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise ∗∗∗
---------------------------------------------
In early 2025, we encountered a mission-critical software component called TRUfusion Enterprise on the perimeter of one of our customers that is used to transfer highly sensitive data. Since Rocket Software claims that they are undergoing regular audits and also follow secure coding guidelines, we didn't expect to find much, but to our surprise, it took us just two minutes to discover the first totally unsophisticated, but critical pre-auth path traversal vulnerability that already gave us admin rights.
---------------------------------------------
https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth…
=====================
= Vulnerabilities =
=====================
∗∗∗ Broadcom fixes high-severity VMware NSX bugs reported by NSA ∗∗∗
---------------------------------------------
Broadcom has released security updates to patch two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/broadcom-fixes-high-severity…
∗∗∗ IBM App Connect Enterprise Toolkit can leak data ∗∗∗
---------------------------------------------
Important security updates have been released for IBM App Connect Enterprise Toolkit, InfoSphere and WebSphere.
---------------------------------------------
https://www.heise.de/news/IBM-App-Connect-Enterprise-Toolkit-kann-Daten-lea…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-internetarchive and tiff), Fedora (nextcloud), Oracle (kernel, openssh, and squid), Red Hat (kernel, kernel-rt, and ncurses), SUSE (afterburn and chromium), and Ubuntu (open-vm-tools, ruby-rack, and tiff).
---------------------------------------------
https://lwn.net/Articles/1040152/
∗∗∗ Security Vulnerabilities fixed in Firefox 143.0.3 ∗∗∗
---------------------------------------------
Mozilla has fixed three vulnerabilities labeled as high.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-80/
∗∗∗ Critical Vulnerability Alert: CVE-2025-10035 in GoAnywhere MFT ∗∗∗
---------------------------------------------
A critical security vulnerability (CVE-2025-10035) has been identified in GoAnywhere MFT, a widely used file transfer solution developed by Fortra.
---------------------------------------------
https://www.bitsight.com/blog/critical-vulnerability-alert-cve-2025-10035-g…
∗∗∗ Apple Security Update Addresses Critical Font Parser Vulnerability Across Multiple Platforms ∗∗∗
---------------------------------------------
Apple has rolled out a series of important security updates across multiple platforms, addressing a vulnerability affecting the system font parser. These Apple security updates cover iOS, iPadOS, macOS, visionOS, watchOS, and tvOS.
---------------------------------------------
https://thecyberexpress.com/apple-security-updates/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-09-2025 18:00 - Monday 29-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails ∗∗∗
---------------------------------------------
This is the world’s first sighting of a real world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface.
---------------------------------------------
https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-the…
∗∗∗ Akira ransomware breaching MFA-protected SonicWall VPN accounts ∗∗∗
---------------------------------------------
Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds, although the exact method remains unconfirmed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-m…
∗∗∗ Pointer leaks through pointer-keyed data structures ∗∗∗
---------------------------------------------
Some time in 2024, during a Project Zero team discussion, we were talking about how remote ASLR leaks would be helpful or necessary for exploiting some types of memory corruption bugs, specifically in the context of Apple devices.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointe…
∗∗∗ Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security ∗∗∗
---------------------------------------------
Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses. "Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent," the Microsoft Threat Intelligence team said in an analysis published last week.
---------------------------------------------
https://thehackernews.com/2025/09/microsoft-flags-ai-driven-phishing-llm.ht…
∗∗∗ Cyber threat-sharing law set to shut down, along with US government ∗∗∗
---------------------------------------------
Barring a last-minute deal, the US federal government would shut down on Wednesday, October 1, and the 2015 Cybersecurity Information Sharing Act would lapse at the same time, threatening what many consider a critical plank of US cybersecurity policy.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/26/government_s…
∗∗∗ Sex offenders, terrorists, drug dealers, exposed in spyware breach ∗∗∗
---------------------------------------------
RemoteCOM's monitoring software leaked the personal details of suspects, offenders, and the law enforcement officers tracking them.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/sex-offenders-terrorists-dru…
∗∗∗ From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion ∗∗∗
---------------------------------------------
The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has previously been reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which deployed a Brute Ratel DLL file using rundll32.
---------------------------------------------
https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-e…
∗∗∗ Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M ∗∗∗
---------------------------------------------
Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings.
---------------------------------------------
https://hackread.com/medusa-ransomware-comcast-data-breach/
∗∗∗ CISA and UK NCSC Release Joint Guidance for Securing OT Systems ∗∗∗
---------------------------------------------
CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom’s National Cyber Security Centre, and other international partners has released new joint cybersecurity guidance: [Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture].
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/29/cisa-and-uk-ncsc-release…
∗∗∗ Supply chain security for the 0.001% (and why it won’t catch on) ∗∗∗
---------------------------------------------
After yet another supply chain issue (npm this time, but it doesn’t really matter that much), Shai-hulud, 500 packages affected and millions of downloads later, I finally wrapped up the protection system for my dev environment. I really don’t want to be the next one exploited.
---------------------------------------------
https://blog.viraptor.info/post/supply-chain-security-for-the-0001-and-why-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (avahi, cups, firefox, gnutls, golang, httpd, kernel, libtpms, mysql, opentelemetry-collector, php:8.2, podman, postgresql:13, postgresql:15, python3, python3.11, python3.12, python3.9, thunderbird, and udisks2), Debian (firefox-esr, gimp, nncp, node-tar-fs, and squid), Fedora (chromium, firebird, python-azure-keyvault-securitydomain, python-azure-mgmt-security, and python-microsoft-security-utilities-secret-masker), Red Hat (httpd:2.4, kernel, kernel-rt, and mod_http2), SUSE (aide, apache2-mod_security2, chromedriver, cloud-init, docker, gdk-pixbuf, git, google-osconfig-agent, govulncheck-vulndb, gstreamer-plugins-base, iperf, kernel, krb5, krita, luajit, net-tools, nvidia-open-driver-G06-signed, pam, postgresql17, python311, rust-keylime, sevctl, tor, tree-sitter-ruby, and udisks2), and Ubuntu (curl, ghostscript, inetutils, python2.7, and qtbase-opensource-src).
---------------------------------------------
https://lwn.net/Articles/1040058/
∗∗∗ REDCap: Multiple Cross-Site Scripting (XSS) Vulnerabilities ∗∗∗
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/redcap-mult…
∗∗∗ DataSpider Servista improper restriction of XML external entity references ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN23423519/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-09-2025 18:00 - Friday 26-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Severe vulnerabilities in Cisco Adaptive Security Appliance - actively exploited - updates available ∗∗∗
---------------------------------------------
Cisco has published information about an attack campaign that has presumably been running for several months. As part of this campaign, attackers who were already attributed a wide-ranging campaign against edge devices last year compromised Cisco Adaptive Security Appliance (ASA) systems of the 5500-X series with "VPN web services", in order to subsequently place malware on the taken-over devices and steal data.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/9/schwerwiegende-sicherheitslucken-in…
∗∗∗ Unofficial Postmark MCP npm silently stole users' emails ∗∗∗
---------------------------------------------
An npm package copying the official postmark-mcp project on GitHub turned bad with the latest update, which added a single line of code to exfiltrate all of its users' email communication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unofficial-postmark-mcp-npm-…
∗∗∗ Salesforce AI Agents Forced to Leak Sensitive Data ∗∗∗
---------------------------------------------
Yet again researchers have uncovered an opportunity (dubbed "ForcedLeak") for indirect prompt injection against autonomous agents lacking sufficient security controls — but this time the risk involves PII, corporate secrets, physical location data, and so much more.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/salesforce-ai-agents-le…
∗∗∗ HeartCrypt’s wholesale impersonation effort ∗∗∗
---------------------------------------------
How the notorious Packer-as-a-Service operation built itself into a hydra.
---------------------------------------------
https://news.sophos.com/en-us/2025/09/26/heartcrypts-wholesale-impersonatio…
∗∗∗ New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks ∗∗∗
---------------------------------------------
The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX.
---------------------------------------------
https://thehackernews.com/2025/09/new-coldriver-malware-campaign-joins-bo.h…
∗∗∗ North Korea's Lazarus Group shares its malware with IT work scammers ∗∗∗
---------------------------------------------
North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang's infamous Lazarus Group deploys.
---------------------------------------------
https://theregister.com/2025/09/25/lazarus_group_shares_malware_with_it_sca…
∗∗∗ LockBit's new variant is most dangerous yet, hitting Windows, Linux and VMware ESXi ∗∗∗
---------------------------------------------
Trend Micro has sounded the alarm over the new LockBit 5.0 ransomware strain, which it warns is "significantly more dangerous" than past versions due to its newfound ability to simultaneously target Windows, Linux, and VMware ESXi environments.
---------------------------------------------
https://theregister.com/2025/09/26/lockbits_new_variant_is_most/
∗∗∗ Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer ∗∗∗
---------------------------------------------
New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam.
---------------------------------------------
https://hackread.com/vietnamese-hackers-fake-copyright-notice-lone-none-ste…
∗∗∗ It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2 ∗∗∗
---------------------------------------------
We’re back, just over 24 hours later, to share our evolving understanding of CVE-2025-10035.
---------------------------------------------
https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-…
∗∗∗ SVG Phishing hits Ukraine with Amatera Stealer, PureMiner ∗∗∗
---------------------------------------------
Phishing emails disguised as official notices from Ukraine’s police deliver Amatera Stealer and PureMiner in a fileless attack chain.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-wit…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, kernel, and thunderbird), Debian (ceph and thunderbird), Fedora (chromium, mingw-expat, python-deepdiff, python-orderly-set, python-pip, rust-az-cvm-vtpm, rust-az-snp-vtpm, rust-az-tdx-vtpm, and trustee-guest-components), Oracle (aide, kernel, and thunderbird), Red Hat (firefox, kernel, openssh, perl-YAML-LibYAML, and thunderbird), Slackware (expat), SUSE (jasper, libssh, openjpeg2, and python-pycares), and Ubuntu (linux-aws-6.14, linux-hwe-6.14, linux-azure, linux-hwe-6.8, linux-realtime-6.8, node-sha.js, and pcre2).
---------------------------------------------
https://lwn.net/Articles/1039749/
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0: SC-202509.1 ∗∗∗
---------------------------------------------
Security Center leverages third-party software to help provide underlying functionality. One of the third-party components (PostgreSQL) was found to contain vulnerabilities, and an updated version has been made available by the provider.
---------------------------------------------
https://www.tenable.com/security/tns-2025-18
∗∗∗ Security Update Dingtian DT-R002 ∗∗∗
---------------------------------------------
All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-09-2025 18:00 - Thursday 25-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft will offer free Windows 10 security updates in Europe ∗∗∗
---------------------------------------------
Microsoft will offer free extended security updates for Windows 10 users in the European Economic Area (EEA), which includes Iceland, Liechtenstein, Norway, and all 27 European Union member states.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-will-offer-free-w…
∗∗∗ Malicious Rust packages on Crates.io steal crypto wallet keys ∗∗∗
---------------------------------------------
Two malicious packages with nearly 8,500 downloads in Rust's official crate repository scanned developers' systems to steal cryptocurrency private keys and other secrets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-rust-packages-on-c…
∗∗∗ Supermicro: Countless server mainboards vulnerable to firmware backdoors ∗∗∗
---------------------------------------------
Attackers can inject malware into the BMC firmware of numerous Supermicro mainboards and thereby take permanent control.
---------------------------------------------
https://www.golem.de/news/supermicro-unzaehlige-server-mainboards-anfaellig…
∗∗∗ XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/09/25/xcsset-evolves-aga…
∗∗∗ OnePlus leaves researchers on read over Android bug that exposes texts ∗∗∗
---------------------------------------------
Rapid7 warns the flaw could let any app peek at your SMS, but the smartphone vendor won't pick up. Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and ..
---------------------------------------------
https://www.theregister.com/2025/09/23/rapid7_oneplus_android_bug/
∗∗∗ Patch now! Root attacks on Cisco network devices possible ∗∗∗
---------------------------------------------
Network equipment vendor Cisco warns of attacks on, among others, routers and switches. Admins should install the current security updates.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Netzwerkgerae…
∗∗∗ Too insecure: IT service provider NTT Data reportedly parting ways with Ivanti products ∗∗∗
---------------------------------------------
Not only the internal network but also resale to customers is affected. The security of the products is said to be an unjustifiable risk.
---------------------------------------------
https://www.heise.de/news/Zu-unsicher-IT-Dienstleister-NTT-Data-trennt-sich…
∗∗∗ Criminals announce bank call in advance via SMS or WhatsApp ∗∗∗
---------------------------------------------
That criminals pose as bank employees on the phone has long been known. New, however, is a particularly sophisticated variant currently in circulation: the criminals deliberately build trust by announcing the call in advance via SMS or WhatsApp message.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-kuendigen-bankanruf-per-s…
∗∗∗ International anti-fraud crackdown recovers more than $400 million, Interpol says ∗∗∗
---------------------------------------------
Authorities from more than 40 countries and territories blocked 68,000 bank accounts and froze about 400 cryptocurrency wallets as part of the operation from April through August, Interpol said.
---------------------------------------------
https://therecord.media/anti-fraud-interpol-crackdown-recovers-over-400-mil…
∗∗∗ Securing Microsoft Entra ID: Lessons from the Field – Part 1 ∗∗∗
---------------------------------------------
This multipart blog series is focused on the real-world lessons learned while securing Microsoft Entra ID. Based on hands-on experience across various environments and organizations, we’ll explore the practical, high-impact strategies that work and more importantly, the common misconfigurations, overlooked settings, and pitfalls that can ..
---------------------------------------------
https://blog.nviso.eu/2025/09/25/securing-microsoft-entra-id-lessons-from-t…
∗∗∗ This Is How Your LLM Gets Compromised ∗∗∗
---------------------------------------------
Poisoned data. Malicious LoRAs. Trojan model files. AI attacks are stealthier than ever—often invisible until it’s too late. Here’s how to catch them before they catch you.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/prevent-llm-compromise.html
∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona…
∗∗∗ 180,000 ICS/OT Devices and Counting: The Unforgivable Exposure ∗∗∗
---------------------------------------------
A new Bitsight TRACE threat research report shows that Industrial Control System and Operational Technology (ICS/OT) exposure is climbing again.
---------------------------------------------
https://www.bitsight.com/blog/the-growing-exposure-of-ics-ot-devices
∗∗∗ Yet Another Random Story: VBScript's Randomize Internals ∗∗∗
---------------------------------------------
In one of our recent posts, Dennis shared an interesting case study of C# exploitation that rode on Random-based password-reset tokens. He demonstrated how to use the single-packet attack, or a bit of old-school math, to beat the game. Recently, I performed a security test on a target which had a dependency written in VBScript. This blog post focuses ..
---------------------------------------------
https://blog.doyensec.com/2025/09/25/yet-another-random-story.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Numerous vulnerabilities in iMonitorSoft EAM ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-09-2025 18:00 - Wednesday 24-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Supermicro server motherboards can be infected with unremovable malware ∗∗∗
---------------------------------------------
One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. [..] The two new vulnerabilities—tracked as CVE-2025-7937 and CVE-2025-6198—reside inside silicon soldered onto Supermicro motherboards that run servers inside data centers. [..] Supermicro said it has updated the BMC firmware to mitigate the vulnerabilities. The company is currently testing and validating affected products.
---------------------------------------------
https://arstechnica.com/security/2025/09/supermicro-server-motherboards-can…
∗∗∗ PyPI urges users to reset credentials after new phishing attacks ∗∗∗
---------------------------------------------
The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pypi-urges-users-to-reset-cr…
∗∗∗ YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. The malware is particularly interesting because it contains significant code overlaps with IcedID and Latrodectus. Similar to Zloader and Qakbot, IcedID was originally designed for facilitating banking and wire fraud.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-fami…
∗∗∗ Fake Malwarebytes, LastPass, and others on GitHub serve malware ∗∗∗
---------------------------------------------
Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-a…
∗∗∗ Scam website with fake investment project in the style of orf.at ∗∗∗
---------------------------------------------
Plus a fake video of Federal President Van der Bellen. The perpetrators want to harvest personal data and collect 250 euros.
---------------------------------------------
https://www.derstandard.at/story/3000000289130/betrugs-website-mit-fake-inv…
∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. [..] The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona…
∗∗∗ Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) ∗∗∗
---------------------------------------------
On Thursday, September 18, Fortra published a security advisory fi-2025-012 titled: Deserialization Vulnerability in GoAnywhere MFT's License Servlet. The title in itself is reason for alarm, with the description going further to explain how we likely got to a CVSS 10.0 [..] No mystery is complete without a few unanswered questions. Despite our usual routine of reverse engineering and creative detours, we’ve ended this one with more questions than usual.
---------------------------------------------
https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-1…
∗∗∗ Mobile network servers with 100,000 SIM cards seized in New York ∗∗∗
---------------------------------------------
Around the UN headquarters in New York, 300 SIM card servers and 100,000 SIM cards were discovered. Their purpose is unclear.
---------------------------------------------
https://heise.de/-10668021
∗∗∗ Cyberattack on airports: continued problems at BER and one arrest ∗∗∗
---------------------------------------------
Even days after the cyberattack, disruptions at BER airport continue. Meanwhile, a suspect has been arrested in the United Kingdom.
---------------------------------------------
https://heise.de/-10669658
∗∗∗ How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More ∗∗∗
---------------------------------------------
During our security testing, we discovered that connecting to a malicious MCP server via common coding tools like Claude Code and Gemini CLI could give attackers instant control over user computers.
---------------------------------------------
https://verialabs.com/blog/from-mcp-to-shell/
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched flaw in OnePlus phones lets rogue apps text messages ∗∗∗
---------------------------------------------
A vulnerability in multiple OnePlus OxygenOS versions allows any installed app to access SMS data and metadata without requiring permission or user interaction. [..] The flaw, tracked as CVE-2025-10184, and discovered by Rapid7 researchers, is currently unpatched and exploitable.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-flaw-in-oneplus-ph…
∗∗∗ Two Critical Flaws Uncovered in Wondershare RepairIt Exposing User Data and AI Models ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. [..] Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers' endpoints. [..] The cybersecurity company said it responsibly disclosed the two issues through its Zero Day Initiative (ZDI) in April 2025, but noted that it has yet to receive a response from the vendor despite repeated attempts. In the absence of a fix, users are recommended to "restrict interaction with the product." CVE-2025-10643, CVE-2025-10644
---------------------------------------------
https://thehackernews.com/2025/09/two-critical-flaws-uncovered-in.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Fedora (expat), Red Hat (kernel and multiple packages), SUSE (avahi, busybox, busybox-links, kernel, sevctl, tcpreplay, thunderbird, and tor), and Ubuntu (isc-kea, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-aws-6.8, linux-gcp-6.8, linux-aws-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, python-pip, and rabbitmq-server).
---------------------------------------------
https://lwn.net/Articles/1039311/
∗∗∗ Libraesva ESG Security advisory: command injection vulnerability (CVE-2025-59689) ∗∗∗
---------------------------------------------
https://docs.libraesva.com/knowledgebase/security-advisory-command-injectio…
∗∗∗ ZDI-25-907: Autodesk Revit RFA File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-907/
∗∗∗ Google Chrome: Chrome for Android Update ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/chrome-for-android-update_23.h…
∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk…
∗∗∗ AutomationDirect CLICK PLUS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01
∗∗∗ Mitsubishi Electric MELSEC-Q Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-02
∗∗∗ Viessmann Vitogate 300 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-04
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-09-2025 18:00 − Tuesday 23-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SonicWall releases SMA100 firmware update to wipe rootkit malware ∗∗∗
---------------------------------------------
SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-releases-sma100-fi…
∗∗∗ GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security ∗∗∗
---------------------------------------------
GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA), granular tokens that will have a limited lifetime of seven days, and trusted publishing, which enables the ability to securely publish npm packages directly from CI/CD workflows using OpenID Connect (OIDC).
---------------------------------------------
https://thehackernews.com/2025/09/github-mandates-2fa-and-short-lived.html
∗∗∗ Four years of back and forth between a security researcher and Vasion Print ∗∗∗
---------------------------------------------
Vasion Print was, or possibly still is, vulnerable. Whether all vulnerabilities have already been closed is not apparent at first glance.
---------------------------------------------
https://www.heise.de/news/Vier-Jahre-langes-Hin-und-Her-zwischen-Sicherheit…
∗∗∗ [Guest Diary] Distracting the Analyst for Fun and Profit, (Tue, Sep 23rd) ∗∗∗
---------------------------------------------
Distributed denial of service (DDoS) attacks are a type of cyber-attack where the threat actor attempts to disrupt a service by flooding the target with a ton of requests to overload system resources and prevent legitimate traffic from reaching it. [..] We can draw a few conclusions from analyzing each wave of this attack.
---------------------------------------------
https://isc.sans.edu/diary/rss/32308
∗∗∗ Technical Analysis of Zloader Updates ∗∗∗
---------------------------------------------
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a Zeus-based modular trojan that emerged in 2015. Zloader was originally designed to facilitate banking, but has since been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-zloader-…
∗∗∗ CISA Shares Lessons Learned from an Incident Response Engagement ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to highlight lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency. CISA is publicizing this advisory to reinforce the importance of prompt patching, as well as preparing for incidents by practicing incident response plans and by implementing logging and aggregating logs in a centralized out-of-band location.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds releases third patch to fix Web Help Desk RCE bug ∗∗∗
---------------------------------------------
SolarWinds has released a hotfix for a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication. Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-pa…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (corosync and kernel), Fedora (checkpointctl, chromium, curl, and perl-Catalyst-Authentication-Credential-HTTP), SUSE (firefox, frr, kernel, rustup, vim, and wireshark), and Ubuntu (glibc and pam).
---------------------------------------------
https://lwn.net/Articles/1039124/
∗∗∗ Missing certificate validation leads to RCE in CleverControl employee monitoring software ∗∗∗
---------------------------------------------
Missing validation of the TLS server certificate in the installer of the "CleverControl" employee monitoring software allows attackers who can position themselves in the network connection between client and server to execute arbitrary code with administrator privileges. CVE-2025-10548
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/fehlende-validierung-…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0006 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0006.html
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-09-2025 18:00 − Monday 22-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Cyberattack on service provider disrupts airports in Europe ∗∗∗
---------------------------------------------
A service provider for passenger handling systems was attacked on Friday evening, Berlin airport announced. [..] The system provider is used at airports across Europe. [..] Passengers must now expect longer waiting times at check-in and boarding, as well as delays.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-behindert-europaeische-Flughaefen-au…
∗∗∗ LastPass: Fake password managers infect Mac users with malware ∗∗∗
---------------------------------------------
LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories. [..] The attackers created a large number of deceptive GitHub repositories from multiple accounts to evade takedown and optimize them to rank high in search results.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lastpass-fake-password-manag…
∗∗∗ BlockBlasters: Infected Steam game downloads malware disguised as patch ∗∗∗
---------------------------------------------
A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information are lifted from the PC the game is running on - including crypto wallet data. Hundreds of users are potentially affected.
---------------------------------------------
https://feeds.feedblitz.com/~/925181471/0/gdatasecurityblog-en~BlockBlaster…
∗∗∗ Understanding Spamhaus and Its Role in Email Security ∗∗∗
---------------------------------------------
One of the often “behind‐the‐scenes” organizations helping to defend email systems is Spamhaus. In this post, we’ll explain what Spamhaus is, how it works, why it matters, and what best practices companies should follow to stay out of blacklists and protect deliverability.
---------------------------------------------
https://blog.sucuri.net/2025/09/understanding-spamhaus-and-its-role-in-emai…
∗∗∗ Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered what they say is the earliest known example to date of malware that bakes in Large Language Model (LLM) capabilities. The malware has been codenamed MalTerminal by SentinelOne's SentinelLABS research team.
---------------------------------------------
https://thehackernews.com/2025/09/researchers-uncover-gpt-4-powered.html
∗∗∗ Beware of WKO phishing emails about alleged outstanding levies! ∗∗∗
---------------------------------------------
Many companies are currently receiving a fake email that claims to come from the Austrian Federal Economic Chamber (WKO). It claims there are outstanding levies of 482.00 euros that are to be paid via a link. Caution: do not pay, this is a scam attempt!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-wko-phishing-mails-zu-an…
∗∗∗ Fake shops: criminals use the Finnish cult brand "Marimekko" as a cover ∗∗∗
---------------------------------------------
Ads promising unusually high discounts in Marimekko online shops are currently appearing more and more often on social media platforms. Of course, none of it is true. The special prices are meant to lure fans of the Finnish design brand into impulse purchases. The ordered products are never delivered and the money is gone.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-marimekko/
∗∗∗ Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures ∗∗∗
---------------------------------------------
In this blog, we highlight the evolution of Minibike into a new variant dubbed MiniJunk, the use of fake recruiting portals for malware delivery, victimology across the Middle East and Western Europe, and the broader implications for defense, telecom, and aviation sectors.
---------------------------------------------
https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-…
∗∗∗ Hacking with AI SASTs: An overview of ‘AI Security Engineers’ / ‘LLM Security Scanners’ for Penetration Testers and Security Teams ∗∗∗
---------------------------------------------
For the past few months, I have been trialing various AI-native security scanners, with a main focus on finding a product on the market today that is able to analyze the source code of a project in order to find vulnerabilities. This post will detail that journey, the successes and failures I’ve come across, my thoughts, and offer a general review of new on-the-market products that fit the category.
---------------------------------------------
https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters
∗∗∗ Kernel Security in the Wild: Side-Channel-Assisted Exploit Techniques, Kernel-Level Defenses, and Real-World Analysis ∗∗∗
---------------------------------------------
In this thesis, we address all three challenges to advance the state of kernel security. [..] We introduce three novel side channels: SLUBStick, a timing side channel on the kernel’s memory allocator to infer heap memory reuse; KernelSnitch, a software-induced side channel that leaks the location of kernel heap objects via data structure access timing; and a hardware-induced TLB side channel that leaks fine-grained memory layout information.
---------------------------------------------
https://tugraz.elsevierpure.com/ws/portalfiles/portal/98775241/main.pdf
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#780141: Cross-site scripting vulnerability in Lectora course navigation ∗∗∗
---------------------------------------------
Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. CVE-2025-9125
---------------------------------------------
https://kb.cert.org/vuls/id/780141
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2).
---------------------------------------------
https://lwn.net/Articles/1039053/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-09-2025 18:00 − Friday 19-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Backup theft: attackers stole firewall configurations at Sonicwall ∗∗∗
---------------------------------------------
Firewall vendor Sonicwall reports a break-in into cloud accounts of its customers. Unknown actors copied and exfiltrated backup copies of firewall configuration files without authorization. However, this is not a cyberattack on Sonicwall itself, but apparently mass trial of access credentials. [..] The stolen configuration files can contain sensitive information and make attacks easier. Apparently only a few customers are affected.
---------------------------------------------
https://heise.de/-10662565
∗∗∗ CISA exposes malware kits deployed in Ivanti EPMM attacks ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). The flaws are an authentication bypass in EPMM’s API component (CVE-2025-4427) and a code injection vulnerability (CVE-2025-4428) that allows execution of arbitrary code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-exposes-malware-kits-de…
∗∗∗ New attack on ChatGPT research agent pilfers secrets from Gmail inboxes ∗∗∗
---------------------------------------------
Today’s installment hits OpenAI’s Deep Research agent. Researchers recently devised an attack that plucked confidential information out of a user’s Gmail inbox and sent it to an attacker-controlled web server, with no interaction required on the part of the victim and no sign of exfiltration.
---------------------------------------------
https://arstechnica.com/information-technology/2025/09/new-attack-on-chatgp…
∗∗∗ Threat landscape for industrial automation systems in Q2 2025 ∗∗∗
---------------------------------------------
Kaspersky industrial threat report contains statistics on various malicious objects detected and blocked on ICS computers by Kaspersky solutions in Q2 2025.
---------------------------------------------
https://securelist.com/industrial-threat-report-q2-2025/117532/
∗∗∗ How AI-Native Development Platforms Enable Fake Captcha Pages ∗∗∗
---------------------------------------------
Cybercriminals are abusing AI-native platforms like Vercel, Netlify, and Lovable to host fake captcha pages that deceive users, bypass detection, and drive phishing campaigns.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/ai-development-platforms-ena…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability ∗∗∗
---------------------------------------------
Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands. The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity. "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection," Fortra said in an advisory released Thursday.
---------------------------------------------
https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.h…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, cjson, and firefox-esr), Fedora (expat, gh, scap-security-guide, and xen), Oracle (container-tools:rhel8, firefox, grub2, and mysql:8.4), SUSE (busybox, busybox-links, element-web, kernel, shadowsocks-v2ray-plugin, and yt-dlp), and Ubuntu (imagemagick, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-oracle-6.8, linux-realtime, and openjpeg2).
---------------------------------------------
https://lwn.net/Articles/1038802/
∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-261-01 Westermo Network Technologies WeOS 5,
ICSA-25-261-02 Westermo Network Technologies WeOS 5,
ICSA-25-261-03 Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit,
ICSA-25-261-04 Hitachi Energy Asset Suite,
ICSA-25-261-05 Hitachi Energy Service Suite,
ICSA-25-261-06 Cognex In-Sight Explorer and In-Sight Camera Firmware,
ICSA-25-261-07 Dover Fueling Solutions ProGauge MagLink LX4 Devices
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/18/cisa-releases-nine-indus…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-09-2025 18:00 − Thursday 18-09-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks ∗∗∗
---------------------------------------------
The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billi…
∗∗∗ SystemBC malware turns infected VPS systems into proxy highway ∗∗∗
---------------------------------------------
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. Compromised servers are located all over the world and have at least one unpatched critical vulnerability, some of them being plagued by tens of security issues.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/systembc-malware-turns-infec…
∗∗∗ Microsoft: hackers could apparently hijack arbitrary Entra ID tenants ∗∗∗
---------------------------------------------
Security researcher Dirk-Jan Mollema has discovered a dangerous vulnerability in Microsoft Entra ID, the cloud-based identity and access management platform used by many companies. As the researcher describes in a blog post, it allowed him to compromise pretty much every Entra ID tenant worldwide, with the exception of national cloud deployments, which he could not test simply for lack of access.
---------------------------------------------
https://www.golem.de/news/microsoft-hacker-konnten-wohl-beliebige-entra-id-…
∗∗∗ SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems.
---------------------------------------------
https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html
∗∗∗ CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.
---------------------------------------------
https://thehackernews.com/2025/09/countloader-broadens-russian-ransomware.h…
∗∗∗ Phishing emails in the name of Statistik Austria in circulation ∗∗∗
---------------------------------------------
A phishing email purporting to come from Statistik Austria is currently circulating. In the message, companies are asked to submit sensitive financial and business data (e.g. lists of foreign business partners, amounts, payment deadlines). It is to be assumed that the data could be misused for fake payment demands sent to business partners.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-mails-im-namen-der-statisti…
∗∗∗ What We Know About the NPM Supply Chain Attack ∗∗∗
---------------------------------------------
On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html
∗∗∗ New Raven Stealer Malware Hits Browsers for Passwords and Payment Data ∗∗∗
---------------------------------------------
New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it’s a growing risk for everyday users.
---------------------------------------------
https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/
∗∗∗ Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams ∗∗∗
---------------------------------------------
Cybersecurity firm Infoblox says it has discovered “Vane Viper,” a massive online ad network that posed as a legitimate business while running global scams and spreading malware. Linked to previously reported PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date.
---------------------------------------------
https://hackread.com/vane-viper-malvertising-adtech-global-scams/
=====================
= Vulnerabilities =
=====================
∗∗∗ Emergency patch: actively exploited Chrome vulnerability endangers countless users ∗∗∗
---------------------------------------------
Google has released an emergency patch for its widely used Chrome web browser. With it, the company closes several dangerous security vulnerabilities at once. One of them is already being actively exploited, as the release notes show. Users should therefore update the browser promptly to protect themselves against possible attacks. Chrome versions for Windows, Mac and Linux are affected.
---------------------------------------------
https://www.golem.de/news/notfallpatch-aktiv-ausgenutzte-chrome-luecke-gefa…
∗∗∗ Vulnerabilities threaten HPE Aruba Networking EdgeConnect SD-WAN ∗∗∗
---------------------------------------------
Attackers can target Wide Area Networks (WAN) based on HPE Aruba Networking EdgeConnect SD-WAN. The developers have recently closed several security vulnerabilities. After successful attacks, attackers can, among other things, bypass security restrictions or even execute malicious code to fully compromise systems.
---------------------------------------------
https://www.heise.de/news/Schwachstellen-bedrohen-HPE-Aruba-Networking-Edge…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14).
---------------------------------------------
https://lwn.net/Articles/1038638/
∗∗∗ Open-Source Tool Greenshot Hit by Severe Code Execution Vulnerability ∗∗∗
---------------------------------------------
A security vulnerability has been discovered in Greenshot, the widely used open-source screenshot tool for Windows. The Greenshot vulnerability exposes users to the risk of arbitrary code execution, potentially allowing attackers to bypass established security protocols and launch further malicious activities. A proof-of-concept (PoC) exploit has already been released, drawing attention to the critical nature of the vulnerability.
---------------------------------------------
https://thecyberexpress.com/greenshot-vulnerability/
∗∗∗ ENCS testers help resolve critical vulnerabilities in solar inverters ∗∗∗
---------------------------------------------
ENCS cybersecurity testers uncovered several vulnerabilities in consumer solar inverters widely used in Europe, as part of the work on consumer IoT equipment. We reported these to the Dutch Institute for Vulnerability Disclosure (DIVD) CSIRT to start a responsible vulnerability disclosure process. Six vulnerabilities have now been resolved by the manufacturers.
---------------------------------------------
https://encs.eu/news/encs-testers-help-resolve-critical-vulnerabilities-in-…
∗∗∗ ZDI-25-895: Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-895/
∗∗∗ CVE-2025-9242: WatchGuard Firebox iked Out of Bounds Write Vulnerability ∗∗∗
---------------------------------------------
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
∗∗∗ Third-Party Libraries and Supply Chains - PSA-2025-09-17 ∗∗∗
---------------------------------------------
https://www.drupal.org/psa-2025-09-17
∗∗∗ Daikin Security Gateway ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-09-2025 18:00 − Wednesday 17-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques ∗∗∗
---------------------------------------------
ClickFix isn't just back—it's mutating. New variants use fake CAPTCHAs, File Explorer tricks and MSI lures to drop MetaStealer. Stay ahead with Huntress Tradecraft Tuesday threat briefings.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/from-clickfix-to-metastealer…
∗∗∗ Critical Bugs in Chaos Mesh Enable Cluster Takeover ∗∗∗
---------------------------------------------
"Chaotic Deputy" is a set of four serious vulnerabilities, recently discovered by researchers at JFrog, in the chaos engineering platform Chaos Mesh that many organizations use to test the resilience of their Kubernetes environments. Together they give attackers a way to take over entire Kubernetes clusters.
---------------------------------------------
https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-tak…
∗∗∗ GOLD SALEM’s Warlock operation joins busy ransomware landscape ∗∗∗
---------------------------------------------
Counter Threat Unit (CTU) researchers are monitoring a threat group that refers to itself as Warlock Group. The group, which CTU researchers track as GOLD SALEM, has compromised networks and deployed its Warlock ransomware since March 2025.
---------------------------------------------
https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-join…
∗∗∗ Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims ∗∗∗
---------------------------------------------
Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark". Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector.
---------------------------------------------
https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html
∗∗∗ Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service ∗∗∗
---------------------------------------------
Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”).
---------------------------------------------
https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-w…
∗∗∗ HybridPetya ransomware bypasses UEFI Secure Boot ∗∗∗
---------------------------------------------
ESET Research discovered HybridPetya on the sample-sharing platform VirusTotal. It is an imitator of the infamous Petya/NotPetya malware that additionally has the ability to compromise UEFI-based systems and to weaponize CVE-2024-7344 in order to bypass UEFI Secure Boot on outdated systems.
---------------------------------------------
https://www.welivesecurity.com/de/eset-research/ransomware-hybridpetya-hebe…
∗∗∗ Myth Busting: Why "Innocent Clicks" Don't Exist in Cybersecurity ∗∗∗
---------------------------------------------
Unit 42 explores how innocent clicks can have serious repercussions. Learn how simply visiting a malicious site can expose users to significant digital dangers.
---------------------------------------------
https://unit42.paloaltonetworks.com/why-innocent-clicks-dont-exist-in-cyber…
∗∗∗ The npm attack continues – "worm" infects packages ∗∗∗
---------------------------------------------
The supply chain attack on an npm developer account and 18 compromised packages appeared to have ended without major harm. It has now become known that the attacks are continuing (via a different account) and that a self-replicating malware (Shai-Hulud) has already infected more than 500 npm packages.
---------------------------------------------
https://www.borncity.com/blog/2025/09/17/der-npm-angriff-geht-weiter-wurm-i…
∗∗∗ PyPI Token Exfiltration Campaign via GitHub Actions Workflows ∗∗∗
---------------------------------------------
I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens. PyPI was not compromised, and no PyPI packages were published by the attackers.
---------------------------------------------
https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/
∗∗∗ Ongoing Supply Chain Attack Targets CrowdStrike npm Packages ∗∗∗
---------------------------------------------
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
---------------------------------------------
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm…
∗∗∗ Microsoft: Office 2016 and Office 2019 reach end of support next month ∗∗∗
---------------------------------------------
Microsoft reminded customers again this week that Office 2016 and Office 2019 will reach the end of extended support in less than 30 days, on October 14, 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2016-and-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict).
---------------------------------------------
https://lwn.net/Articles/1038453/
∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released eight Industrial Control Systems (ICS) advisories on September 16, 2025. The following products are affected: Schneider Electric Altivar Products, Schneider Electric ATVdPAC Module, Schneider Electric ILC992 InterLink Converter, Schneider Electric Galaxy VS, Schneider Electric Galaxy VL, Schneider Electric Galaxy VXL, Hitachi Energy RTU500 Series, Siemens SIMATIC NET CP, Siemens SINEMA, Siemens SCALANCE, Siemens RUGGEDCOM, Siemens SINEC NMS, Siemens Industrial Products (OpenSSL Vulnerability), Siemens Multiple Industrial Products and Delta Electronics DIALink.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/16/cisa-releases-eight-indu…
∗∗∗ CVE-2025-9708: Kubernetes C# Client, improper certificate validation in custom CA mode may lead to man-in-the-middle attacks ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/134063