=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 23-10-2025 18:00 − Freitag 24-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Angriffe gegen Microsoft WSUS Installationen - Update verfügbar ∗∗∗
---------------------------------------------
Microsoft hat eine kritische Sicherheitslücke in Windows Server Update Service (WSUS) veröffentlicht, die es unauthentifizierten Angreifern ermöglicht, aus der Ferne beliebigen Code auf betroffenen Servern auszuführen. Die Schwachstelle entsteht durch unsichere Deserialisierung von nicht vertrauenswürdigen Daten in einem veralteten Serialisierungsmechanismus. Microsoft hatte hierzu bereits am 14. Oktober einen ersten Patch veröffentlicht. Dieser erwies sich allerdings als unzureichend und wurde nun außerplanmäßig nachgebessert.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/10/angriffe-gegen-microsoft-wsus-inst…
∗∗∗ Fake LastPass death claims used to breach password vaults ∗∗∗
---------------------------------------------
LastPass is warning customers of a phishing campaign sending emails with an access request to the password vault as part of a legacy inheritance process.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-lastpass-death-claims-u…
∗∗∗ 3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation ∗∗∗
---------------------------------------------
A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads.
---------------------------------------------
https://thehackernews.com/2025/10/3000-youtube-videos-exposed-as-malware.ht…
∗∗∗ APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign ∗∗∗
---------------------------------------------
A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT.
---------------------------------------------
https://thehackernews.com/2025/10/apt36-targets-indian-government-with.html
∗∗∗ LockBit Returns — and It Already Has Victims ∗∗∗
---------------------------------------------
LockBit is back. After being disrupted in early 2024, the ransomware group has resurfaced and is already extorting new victims.
---------------------------------------------
https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-vic…
∗∗∗ Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques ∗∗∗
---------------------------------------------
Trend Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows systems. This cross-platform execution can make detection challenging for enterprises.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-li…
∗∗∗ Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X ∗∗∗
---------------------------------------------
New Android malware Baohuo hijacks Telegram X accounts, stealing data and controlling chats. Over 58,000 devices infected, mainly in India and Brazil.
---------------------------------------------
https://hackread.com/baohuo-android-malware-telegram-x-hijacks-accounts/
∗∗∗ Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the digital advertising and marketing sectors. The actor effectively uses social engineering to deliver malware and phishing kits, ultimately aiming to compromise high-value corporate accounts, in order to hijack digital advertising accounts. GTIG tracks parts of this activity as UNC6229.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/vietnamese-actors-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Atlassian Jira Data Center: Angreifer können Daten abgreifen ∗∗∗
---------------------------------------------
Sicherheitsupdates lösen IT-Sicherheitsprobleme in Atlassian Confluence Data Center und Jira Data Center.
---------------------------------------------
https://www.heise.de/news/Atlassian-Jira-Data-Center-Angreifer-koennen-Date…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (webkit2gtk3), Debian (bind9, chromium, python-internetarchive, and tryton-sao), Fedora (dokuwiki and php-php81_bc-strftime), Mageia (firefox, nss & rootcerts and thunderbird), Slackware (openssl), SUSE (bleachbit, chromium, kernel, mozilla-nss, and python311-uv), and Ubuntu (fetchmail, golang-go.crypto, and linux-oracle-5.4).
---------------------------------------------
https://lwn.net/Articles/1043235/
∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released eight Industrial Control Systems (ICS) Advisories. ICSA-25-296-01 AutomationDirect Productivity Suite, ICSA-25-296-02 ASKI Energy ALS-Mini-S8 and ALS-Mini-S4, ICSA-25-296-03 Veeder-Root TLS4B Automatic Tank Gauge System, ICSA-25-296-04 Delta Electronics ASDA-Soft, ICSMA-25-296-01 NIHON KOHDEN Central Monitor CNS-6201, ICSA-25-037-02 Schneider Electric EcoStruxure (Update C), ICSA-24-116-02 Hitachi Energy MACH SCM (Update A), ICSA-25-259-01 Schneider Electric Altivar products, ATVdPAC module, ILC992 InterLink Converter (Update A).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/23/cisa-releases-eight-indu…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 22-10-2025 18:00 − Donnerstag 23-10-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cache poisoning vulnerabilities found in 2 DNS resolving apps ∗∗∗
---------------------------------------------
The makers of BIND, the Internet’s most widely used software for resolving domain names, are warning of two vulnerabilities that allow attackers to poison entire caches of results and send users to malicious destinations that are indistinguishable from the real ones.
---------------------------------------------
https://arstechnica.com/security/2025/10/bind-warns-of-bugs-that-could-brin…
∗∗∗ BSI warnt: Laufende Angriffe gefährden fast 7.000 deutsche Firewalls ∗∗∗
---------------------------------------------
Die Anzahl anfälliger Watchguard-Firewalls geht bisher nur schleppend zurück. Jetzt schlägt das BSI Alarm und warnt vor laufenden Attacken.
---------------------------------------------
https://www.golem.de/news/bsi-warnt-laufende-angriffe-gefaehrden-fast-7-000…
∗∗∗ Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw ∗∗∗
---------------------------------------------
E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours.
---------------------------------------------
https://thehackernews.com/2025/10/over-250-magento-stores-hit-overnight.html
∗∗∗ The Smishing Deluge: China-Based Campaign Flooding Global Text Messages ∗∗∗
---------------------------------------------
We are attributing an ongoing smishing (phishing via text message) campaign of fraudulent toll violation and package misdelivery notices to a group widely known as the Smishing Triad. Our analysis indicates this campaign is a significantly more extensive and complex threat than previously reported. Attackers have impersonated international services across a wide array of critical sectors.
---------------------------------------------
https://unit42.paloaltonetworks.com/global-smishing-campaign/
∗∗∗ Bitter APT Exploiting Old WinRAR Vulnerability in New Backdoor Attacks ∗∗∗
---------------------------------------------
A cyber-espionage group known as Bitter (APT-Q-37), widely thought to operate from South Asia, is using new, sneaky methods to install a malicious backdoor program on computers belonging to high-value targets.
---------------------------------------------
https://hackread.com/bitter-apt-winrar-vulnerability-backdoor-attacks/
∗∗∗ PhantomCaptcha RAT Attack Targets Aid Groups Supporting Ukraine ∗∗∗
---------------------------------------------
SentinelLABS’ research reveals PhantomCaptcha, a highly coordinated, one-day cyber operation on Oct 8, 2025, targeting the International Red Cross, UNICEF, and Ukraine government groups using fake emails and a Remote Access Trojan (RAT) linked to Russian infrastructure.
---------------------------------------------
https://hackread.com/phantomcaptcha-rat-attack-targets-ukraine/
∗∗∗ North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets ∗∗∗
---------------------------------------------
Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job.
---------------------------------------------
https://thehackernews.com/2025/10/north-korean-hackers-lure-defense.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitslücken: GitLab-Entwickler raten zu zügigem Update ∗∗∗
---------------------------------------------
Um GitLab-Instanzen gegen mögliche Angriffe zu schützen, sollten Admins die verfügbaren Sicherheitspatches zeitnah installieren. Geschieht das nicht, können Angreifer an sieben Sicherheitslücken ansetzen.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-GitLab-Entwickler-raten-zu-zue…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (ipa, kernel, and thunderbird), Debian (gdk-pixbuf, gegl, gimp, intel-microcode, raptor2, request-tracker4, and request-tracker5), Fedora (samba and wireshark), Mageia (haproxy, nginx, openssl, and python-django), Oracle (kernel and thunderbird), Red Hat (redis and redis:7), Slackware (bind), SUSE (aws-cli, local-npm-registry, python-boto3, python- botocore, python-coverage, python-flaky, python-pluggy, python-pytest, python- pytest-cov, python-pytest-html, python-pytest-metada, cargo-audit-advisory-db-20251021, fetchmail, git-bug, ImageMagick, istioctl, kernel, krb5, libsoup, libxslt, python-Authlib, and sccache), and Ubuntu (bind9, linux, linux-aws, linux-azure, linux-azure-6.8, linux-gcp, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-gcp-5.15, linux-gcp-6.8, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, and linux-realtime, linux-realtime-6.8).
---------------------------------------------
https://lwn.net/Articles/1043027/
∗∗∗ OpenWRT: Updates schließen Sicherheitslücken in Router-Betriebssystem ∗∗∗
---------------------------------------------
Im quelloffenen Linux-Betriebssystem OpenWRT haben die Entwickler zwei Sicherheitslücken geschlossen. Sie ermöglichen unter Umständen das Einschleusen und Ausführen von Schadcode sowie die Ausweitung von Rechten. Die Schwachstellen gelten als hochriskant. Wer OpenWRT einsetzt, sollte daher die aktualisierten Images installieren.
---------------------------------------------
https://heise.de/-10811056
∗∗∗ DSA-6030-1 intel-microcode - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00196.html
∗∗∗ DSA-6031-1 request-tracker5 - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00197.html
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/22/cisa-adds-one-known-expl…
∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/14/cisa-adds-five-known-exp…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 21-10-2025 18:00 − Mittwoch 22-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Sharepoint ToolShell attacks targeted orgs across four continents ∗∗∗
---------------------------------------------
Hackers believed to be associated with China have leveraged the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunication service providers, and finance organizations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sharepoint-toolshell-attacks…
∗∗∗ Russia Pivots, Cracks Down on Resident Hackers ∗∗∗
---------------------------------------------
Thanks to improving cybersecurity and law enforcement action from the West, Russias government is reevaluating which cybercriminals it wants to give safe haven from the law.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/russia-cracks-down-low-leve…
∗∗∗ Veraltete Chromium-Basis: Beliebte KI-Coding-IDEs gefährden Millionen Entwickler ∗∗∗
---------------------------------------------
Forscher schlagen Alarm: Die KI-Coding-IDEs Cursor und Windsurf enthalten eine uralte Chromium-Version mit mindestens 94 bekannten Sicherheitslücken.
---------------------------------------------
https://www.golem.de/news/veraltete-chromium-basis-beliebte-ki-coding-ides-…
∗∗∗ Public Sector Ransomware Attacks Relentlessly Continue ∗∗∗
---------------------------------------------
In 2025, 36 years after the first ransomware attack was recorded, actors continue to zero in on the public sector, and there is no evidence they will slow down any time soon. In fact, our numbers suggest that ransomware attacks against government organizations are ramping up, causing crippling service outages, massive data loss, reputational damage, public distrust, and financial harm.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/public-sect…
∗∗∗ Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware ∗∗∗
---------------------------------------------
Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron, according to findings from Kaspersky.The cyber espionage activity was first flagged by the Russian ..
---------------------------------------------
https://thehackernews.com/2025/10/researchers-identify-passiveneuron-apt.ht…
∗∗∗ Have I Been Pwned: 183 Millionen von Infostealern erbeutete Zugänge ergänzt ∗∗∗
---------------------------------------------
"Have I Been Pwned" sammelt veröffentlichte Zugangsdaten. Nun kamen 183 Millionen von Infostealern geklaute Konten hinzu.
---------------------------------------------
https://www.heise.de/news/Have-I-Been-Pwned-183-Millionen-von-Infostealern-…
∗∗∗ Kritische Schadcode-Lücken bedrohen TP-Link Omada Gateways ∗∗∗
---------------------------------------------
Wichtige Sicherheitspatches schließen Schwachstellen in Omada Gateways. Netzwerkadmins sollten zügig handeln.
---------------------------------------------
https://www.heise.de/news/Kritische-Schadcode-Luecken-bedrohen-TP-Link-Omad…
∗∗∗ Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign ∗∗∗
---------------------------------------------
Threat actors behind the gift card fraud campaign Jingle Thief target retail via phishing and smishing, maintaining long-term access in cloud environments.
---------------------------------------------
https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/
∗∗∗ Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities ∗∗∗
---------------------------------------------
Trend Research examines the latest version of the Vidar stealer, which features a full rewrite in C, a multithreaded architecture, and several enhancements that warrant attention. Its timely evolution suggests that Vidar is positioning itself to occupy the space left after Lumma Stealer’s decline.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades…
∗∗∗ Sicherheitsupdate: Unberechtigte Zugriffe auf Zyxel-Firewalls möglich ∗∗∗
---------------------------------------------
Angreifer können bestimmte Firewalls von Zyxel attackieren. Angriffe sind aber nicht ohne Weiteres möglich.
---------------------------------------------
https://heise.de/-10794033
∗∗∗ Schwachstelle in Rust-Library für tar-Archive entdeckt ∗∗∗
---------------------------------------------
Die Library async-tar und ihre Forks enthalten eine als TARmageddon benannte Schwachstelle. Der am weitesten verbreitete Fork tokio-tar bekommt keinen Patch.
---------------------------------------------
https://heise.de/-10793899
∗∗∗ Prompt injection to RCE in AI agents ∗∗∗
---------------------------------------------
We bypassed human approval protections for system command execution in AI agents, achieving RCE in three agent platforms.
---------------------------------------------
https://blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agent…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (inih, mingw-exiv2, and mod_http2), SUSE (ffmpeg-4, kernel, libqt5-qtbase, protobuf, python-ldap, and python313), and Ubuntu (erlang, ffmpeg, linux, linux-aws, linux-gcp, linux-oem-6.14, linux-oracle, linux-oracle-6.14, linux-raspi, linux-realtime, linux-aws, linux-azure, linux-azure-6.14, linux-azure-nvidia-6.14, linux-azure-fips, linux-oracle-5.4, and linux-realtime-6.14).
---------------------------------------------
https://lwn.net/Articles/1042911/
∗∗∗ Multiple stored cross-site scripting vulnerabilities in Movable Type ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN24333679/
∗∗∗ Oracle Critical Patch Update Advisory - October 2025 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpuoct2025.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 20-10-2025 18:00 − Dienstag 21-10-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ The evolving landscape of email phishing attacks: how threat actors are reusing and refining established techniques ∗∗∗
---------------------------------------------
Common email phishing tactics in 2025 include PDF attachments with QR codes, password-protected PDF documents, calendar phishing, and advanced websites that validate email addresses.
---------------------------------------------
https://securelist.com/email-phishing-techniques-2025/117801/
∗∗∗ Inside the attack chain: Threat activity targeting Azure Blob Storage ∗∗∗
---------------------------------------------
Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads and is increasingly targeted through sophisticated attack chains that exploit misconfigurations, exposed credentials, and evolving cloud tactics. [..] Therefore, in this blog, we outline some of the unique threats associated with the data storage layer, including relevant stages of the attack chain for Blob Storage to connect these risks to actionable Azure Security controls and applicable security recommendations.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/10/20/inside-the-attack-…
∗∗∗ PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge. PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose. [..] There is evidence to suggest that the activity involving the malware may have started as far back as June 2023.
---------------------------------------------
https://thehackernews.com/2025/10/polaredge-targets-cisco-asus-qnap.html
∗∗∗ Stop payroll diversion scams before they start ∗∗∗
---------------------------------------------
Scammers send emails to the payroll team in an attempt to change an unlucky employee’s banking details. They harvest LinkedIn for details about potential victims.
---------------------------------------------
https://www.pentestpartners.com/security-blog/stop-payroll-diversion-scams-…
∗∗∗ GlassWorm – Self-Propagating VSCode Extension Worm ∗∗∗
---------------------------------------------
Seven OpenVSX extensions were compromised on October 17, 2025, with 35,800 total downloads, and ten extensions were still actively distributing malware two days later. [..] On October 19, a new infected extension was detected in Microsoft’s VSCode marketplace and it’s stiill active.
---------------------------------------------
https://www.truesec.com/hub/blog/glassworm-self-propagating-vscode-extension
∗∗∗ Reducing abuse of Microsoft 365 Exchange Online’s Direct Send ∗∗∗
---------------------------------------------
Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Heres how to strengthen your defenses.
---------------------------------------------
https://blog.talosintelligence.com/reducing-abuse-of-microsoft-365-exchange…
∗∗∗ Sicherheitsleck in Dolby Digital Plus Decoder in Android, iOS, macOS und Windows ∗∗∗
---------------------------------------------
Eine Sicherheitslücke im Dolby Digital Plus Unified Decoder machte Android, iOS, macOS und Windows anfällig für Angriffe. Sie ermöglichte etwa Zero-Click-Attacken auf Android-Geräte.
---------------------------------------------
https://heise.de/-10793034
=====================
= Vulnerabilities =
=====================
∗∗∗ Xen Security Advisory CVE-2025-58147,CVE-2025-58148 / XSA-475 ∗∗∗
---------------------------------------------
A buggy or malicious guest can cause Denial of Service (DoS) affecting the entire host, information leaks, or elevation of privilege.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-475.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, firefox, kernel, kernel-rt, libssh, and perl-JSON-XS), Debian (ark and libphp-adodb), Fedora (chromium and gi-docgen), Mageia (quictls), Oracle (.NET 8.0, .NET 9.0, firefox, httpd, kernel, libsoup3, libssh, microcode_ctl, and webkit2gtk3), SUSE (go1.24, go1.25, krb5, python-ldap, and webkit2gtk3), and Ubuntu (gst-plugins-base1.0, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, and python-ldap).
---------------------------------------------
https://lwn.net/Articles/1042822/
∗∗∗ Zahlreiche Schwachstellen in EfficientLab WorkExaminer Professional ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
∗∗∗ Oxford Nanopore Technologies MinKNOW ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-294-01
∗∗∗ Rockwell Automation Compact GuardLogix 5370 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-02
∗∗∗ Rockwell Automation 1783-NATR ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-01
∗∗∗ CloudEdge Online Cameras and App ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-05
∗∗∗ Raisecomm RAX701-GC Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-06
∗∗∗ Zyxel security advisory for post-authentication command injection and missing authorization vulnerabilities in ZLD firewalls ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 17-10-2025 18:00 − Montag 20-10-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google ads for fake Homebrew, LogMeIn sites push infostealers ∗∗∗
---------------------------------------------
A new malicious campaign is targeting macOS developers with fake Homebrew, LogMeIn, and TradingView platforms that deliver infostealing malware like AMOS (Atomic macOS Stealer) and Odyssey.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-ads-for-fake-homebrew…
∗∗∗ Fake-Shops, Phishing, Identitätsdiebstahl: „Die Bedrohungslage ist ernst“ ∗∗∗
---------------------------------------------
Eine Studie im Auftrag von A1 zeigt, dass vor allem junge Menschen ihre Kompetenz im Bereich Cybersecurity als gering einschätzen.
---------------------------------------------
https://futurezone.at/digital-life/fake-shops-phishing-identitaetsdiebstahl…
∗∗∗ Internetanschluss: Millionen Balkonkraftwerke als Einfallstor für Hacker ∗∗∗
---------------------------------------------
1,17 Millionen Balkonkraftwerke in Deutschland sind online - und damit verwundbar. Ein Sicherheitsexperte hat einige Sicherheitslücken gefunden.
---------------------------------------------
https://www.golem.de/news/internetanschluss-millionen-balkonkraftwerke-als-…
∗∗∗ Russische Cyberkriminelle: Durchorganisiert und technisch spitze ∗∗∗
---------------------------------------------
Der russische Cyberuntergrund besitzt herausragende technische Fähigkeiten. Gruppen organisieren und vernetzen sich wie Unternehmen - doch es gibt Bruchlinien.
---------------------------------------------
https://www.golem.de/news/russische-cyberkriminelle-durchorganisiert-und-te…
∗∗∗ Cyberangriff bei Auktionshaus Sothebys ∗∗∗
---------------------------------------------
Bei Sothebys kommen teuerste Kunst- und Luxusgegenstände unter den Hammer. Jetzt gerieten personenbezogene Daten in die Hände von Kriminellen.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-bei-Auktionshaus-Sotheby-s-10778385.…
∗∗∗ Moxa Router: Hartkodierte Zugangsdaten ermöglichen Angreifern Vollzugriff ∗∗∗
---------------------------------------------
Patches schließen mehrere Schwachstellen in Security Appliances und Routern von Moxa. Bislang gibt es keine Hinweise auf Attacken.
---------------------------------------------
https://www.heise.de/news/Moxa-Router-Hartkodierte-Zugangsdaten-ermoegliche…
∗∗∗ Verschlüsselnde USB-Sticks von Verbatim bleiben unsicher ∗∗∗
---------------------------------------------
Die Keypad-Datenträger von Verbatim sollen Daten vor Diebstahl schützen. Das funktioniert allerdings auch nach Firmware-Updates nicht zuverlässig.
---------------------------------------------
https://www.heise.de/news/Verschluesselnde-USB-Sticks-von-Verbatim-bleiben-…
∗∗∗ #10TageGegenPhishing: Achtung Telefonbetrug! So gehen die Kriminellen vor ∗∗∗
---------------------------------------------
Immer wieder versuchen Kriminelle, Menschen am Telefon zu täuschen. Dabei geben sie sich als Mitarbeiter:innen von Banken oder bekannten Unternehmen wie Microsoft, PayPal, Amazon oder Apple aus. Ziel ist es, an sensible Daten, Zugänge oder direkt an Geld zu gelangen.
---------------------------------------------
https://www.watchlist-internet.at/news/10tage-telefonbetrug/
∗∗∗ #10TageGegenPhishing: Der „Recovery Scam“ nimmt frühere Opfer erneut ins Visier ∗∗∗
---------------------------------------------
Wenn Kriminelle sich direkt mit dem Versprechen an ehemalige Opfer wenden, gestohlenes Geld oder Krypto-Guthaben zurückzuholen, spricht man von Recovery Scam. Die Betrüger:innen geben sich dabei als Behörde, Agentur oder eine ähnliche Institution aus. Für die Auswahl ihrer Ziele greifen sie auch auf ihre eigenen Datenbanken zurück.
---------------------------------------------
https://www.watchlist-internet.at/news/10tage-recovery-scam/
∗∗∗ Peking schlägt Alarm: US-Spionage bei chinesischer Forschungseinrichtung ∗∗∗
---------------------------------------------
Chinas Staatssicherheitsdienst wirft der NSA monatelange Cyberangriffe auf das Nationale Zeitdienstzentrum vor
---------------------------------------------
https://www.derstandard.at/story/3000000292602/peking-schlaegt-alarm-us-spi…
∗∗∗ SAP behebt schwerwiegende Sicherheitslücken in mehreren Produkten ∗∗∗
---------------------------------------------
Im Rahmen des regulären Oktober-Patchday hat SAP insgesamt 13 Updates für Schwachstellen in seinen Produkten veröffentlicht. Besonders hervorzuheben sind dabei folgende Lücken: CVE-2025-42944, CVSS 10.0, ist eine Deserialization in SAP NetWeaver, mittels welcher unauthentifizierte Angreifer:innen betroffene Systeme vollständig kompromittieren können. Dieses Problem wurde bereits im vergangenen Monat durch SAP adressiert, laut Sicherheitsforscher:innen bietet das ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/10/sap-behebt-schwerwiegende-sicherhe…
∗∗∗ She Sells Web Shells by the Seashore (Part III) ∗∗∗
---------------------------------------------
The web shell starts by initializing a PHP session[1]: if the session already exists, the variables are retrieved in the dictionary $_SESSION, ..
---------------------------------------------
https://www.truesec.com/hub/blog/she-sells-web-shells-by-the-seashore-part-…
∗∗∗ KI-Angriffsmethode "Lies-in-the-Loop" ∗∗∗
---------------------------------------------
Schritt für Schritt werden immer mehr Angriffsmethoden für AI-Modelle entdeckt bzw. bekannt. Das Research Team Checkmarx Zero hat eine neue Angriffsmethode gegen KI-Agenten identifiziert, die mit Human-in-the-Loop-Mechanismen arbeiten: Die Researcher sprechen von "Lies-in-the-Loop" (LITL). Die Information liegt ..
---------------------------------------------
https://www.borncity.com/blog/2025/10/18/ki-angriffsmethode-lies-in-the-loo…
∗∗∗ To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER ∗∗∗
---------------------------------------------
COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families five days later. It is unclear how long COLDRIVER had this malware in ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia…
∗∗∗ 131 Spamware Extensions Targeting WhatsApp Flood Chrome Web Store ∗∗∗
---------------------------------------------
This cluster of Chrome extensions comprises 131 rebrands of a single tool, all sharing the same codebase, design patterns, and infrastructure. They are not classic malware, but they function as high-risk spam automation that abuses platform rules. The code injects directly into the WhatsApp Web page, running alongside WhatsApp’s own scripts, ..
---------------------------------------------
https://socket.dev/blog/131-spamware-extensions-targeting-whatsapp-flood-ch…
∗∗∗ Lessons from the BlackBasta Ransomware Attack on Capita ∗∗∗
---------------------------------------------
When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136 page report about the Capita breach. The aim of this blog is to extract actionable cybersecurity lessons ..
---------------------------------------------
https://blog.bushidotoken.net/2025/10/lessons-from-blackbasta-ransomware.ht…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick, incus, lxd, pgagent, svgpp, and sysstat), Fedora (chromium, complyctl, fetchmail, firefox, mbedtls, mingw-binutils, mingw-python3, mingw-qt5-qtsvg, mingw-qt6-qtsvg, python3.10, python3.11, python3.12, python3.9, runc, and suricata), Mageia (expat), Red Hat (firefox, kernel, qt5-qtbase, and qt6-qtbase), Slackware (stunnel), SUSE (chromium, coredns, ctdb, firefox, kernel, libexslt0, libpoppler-cpp2, ollama, openssl-1_1, pam, samba, ..
---------------------------------------------
https://lwn.net/Articles/1042680/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 16-10-2025 18:00 − Freitag 17-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Microsoft: Office 2016 and Office 2019 have reached end of support ∗∗∗
---------------------------------------------
Microsoft reminded customers this week that Office 2016 and Office 2019 have reached the end of extended support on October 14, 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2016-and-o…
∗∗∗ Hackers exploit Cisco SNMP flaw to deploy rootkit on switches ∗∗∗
---------------------------------------------
Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-cisco-snmp-f…
∗∗∗ Post-exploitation framework now also delivered via npm ∗∗∗
---------------------------------------------
The npm registry contains a malicious package that downloads the AdaptixC2 agent onto victims devices, Kaspersky experts have found. The threat targets Windows, Linux, and macOS.
---------------------------------------------
https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/
∗∗∗ A Surprising Amount of Satellite Traffic Is Unencrypted ∗∗∗
---------------------------------------------
We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls ..
---------------------------------------------
https://www.schneier.com/blog/archives/2025/10/a-surprising-amount-of-satel…
∗∗∗ Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign ∗∗∗
---------------------------------------------
Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks.The certificates were "used in fake Teams setup files to ..
---------------------------------------------
https://thehackernews.com/2025/10/microsoft-revokes-200-fraudulent.html
∗∗∗ Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code.The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is ..
---------------------------------------------
https://thehackernews.com/2025/10/researchers-uncover-watchguard-vpn-bug.ht…
∗∗∗ Why the F5 Hack Created an ‘Imminent Threat’ for Thousands of Networks ∗∗∗
---------------------------------------------
Networking software company F5 disclosed a long-term breach of its systems this week. The fallout could be severe.
---------------------------------------------
https://www.wired.com/story/f5-hack-networking-software-big-ip/
∗∗∗ Cyberkriminelle erbeuten Kundendaten von Modekonzern Mango ∗∗∗
---------------------------------------------
Kundendaten von Mango geklaut – jetzt warnt der Modekonzern vor gefälschten E-Mails und Anrufen. Was Betroffene jetzt wissen müssen.
---------------------------------------------
https://www.heise.de/news/Cyberkriminelle-erbeuten-Kundendaten-von-Modekonz…
∗∗∗ IP-Telefonie: Cisco und Ubiquiti stellen Sicherheits-Updates bereit ∗∗∗
---------------------------------------------
Aktualisierungen für Ubiquitis UniFi Talk sowie für mehrere IP-Telefonserien von Cisco schließen Sicherheitslücken mit "High"-Einstufung.
---------------------------------------------
https://www.heise.de/news/IP-Telefonie-Cisco-und-Ubiquiti-stellen-Sicherhei…
∗∗∗ Email Bombs Exploit Lax Authentication in Zendesk ∗∗∗
---------------------------------------------
Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.
---------------------------------------------
https://krebsonsecurity.com/2025/10/email-bombs-exploit-lax-authentication-…
∗∗∗ Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities ∗∗∗
---------------------------------------------
A nation-state actor stole BIG-IP source code and information on undisclosed vulnerabilities from F5. We explain what sets this theft apart from others.
---------------------------------------------
https://unit42.paloaltonetworks.com/nation-state-threat-actor-steals-f5-sou…
∗∗∗ A review of the “Concluding report of the High-Level Group on access to data for effective law enforcement” ∗∗∗
---------------------------------------------
As I’ve written here, the EU unveiled a roadmap for addressing the encryption woes of law enforcement agencies in June 2025. As a preparation for this push, a “High-Level Group on access to data for effective ..
---------------------------------------------
https://www.cert.at/en/blog/2025/10/hlg-paper-review
∗∗∗ European police bust network selling thousands of phone numbers to scammers ∗∗∗
---------------------------------------------
Authorities raided a "SIM farm" operation that used tens of thousands of cards to enable fraud in several European countries, including Latvia and Austria.
---------------------------------------------
https://therecord.media/europe-sim-farms-raided-latvia-austria-estonia
∗∗∗ .NET Security Group: Partnerunternehmen erhalten frühzeitig Security-Patches ∗∗∗
---------------------------------------------
Unternehmen mit eigener .NET-Distribution können der bestehenden Sicherheitsgruppe beitreten und frühzeitig Patches für Sicherheitslücken einbinden.
---------------------------------------------
https://heise.de/-10773932
∗∗∗ How I Almost Got Hacked By A Job Interview ∗∗∗
---------------------------------------------
I was 30 seconds away from running malware on my machine. The attack vector? A fake coding interview from a "legitimate" blockchain company. Here's how a sophisticated scam operation almost got me, and why every developer needs to read this.
---------------------------------------------
https://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and libssh), Debian (firefox-esr and pgpool2), Mageia (varnish & lighttpd), Red Hat (python3, python3.11, python3.12, python3.9, and python39:3.9), SUSE (expat, gstreamer-plugins-rs, kernel, openssl1, pgadmin4, python311-ldap, and squid), and Ubuntu (dotnet8, dotnet9, dotnet10 and mupdf).
---------------------------------------------
https://lwn.net/Articles/1042452/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 15-10-2025 18:00 − Donnerstag 16-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Fake LastPass, Bitwarden breach alerts lead to PC hijacks ∗∗∗
---------------------------------------------
An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-brea…
∗∗∗ LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets ∗∗∗
---------------------------------------------
An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv.
---------------------------------------------
https://thehackernews.com/2025/10/linkpro-linux-rootkit-uses-ebpf-to-hide.h…
∗∗∗ Scammers are still sending us their fake Robinhood security alerts ∗∗∗
---------------------------------------------
A short while ago, our friends at Malwaretips wrote about a text scam impersonating Robinhood, a popular US-based investment app that lets people trade stocks and cryptocurrencies. The scam warns users about supposed “suspicious activity” on their accounts.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/10/scammers-are-still-sending-u…
∗∗∗ BeaverTail and OtterCookie evolve with a new Javascript module ∗∗∗
---------------------------------------------
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea.
---------------------------------------------
https://blog.talosintelligence.com/beavertail-and-ottercookie/
∗∗∗ GreyNoise’s Recent Observations Around F5 ∗∗∗
---------------------------------------------
Amid the security incident involving F5 BIG-IP announced on 15 October 2025, GreyNoise is sharing recent insights into activity targeting BIG-IP to aid in defensive posturing.
---------------------------------------------
https://www.greynoise.io/blog/recent-observations-around-f5
∗∗∗ DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using ‘EtherHiding’ to deliver malware and facilitate cryptocurrency theft, the first time GTIG has observed a nation-state actor adopting this method. This post is part of a two-part blog series on adversaries using EtherHiding, a technique that leverages transactions on public blockchains to store and retrieve malicious payloads—notable for its resilience against conventional takedown and blocklisting efforts.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherh…
∗∗∗ yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) ∗∗∗
---------------------------------------------
Today is the 8th of November 1996, and we’re thrilled to be exploring this new primitive we call Stack-based Buffer Overflows. It’s a great time to be alive, especially because we don’t have to deal with any of the pain of modern/not-so-modern mitigations. Oh no, wait, it’s 2025 and we are still seeing Stack-based Buffer Overflows in enterprise-grade appliances, and of course, lacking mainstream exploit mitigations.
---------------------------------------------
https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds…
∗∗∗ US-Forscher belauschen unverschlüsselte Satellitenkommunikation ∗∗∗
---------------------------------------------
US-Forscher haben mit handelsüblicher Ausrüstung den Datenverkehr über Satelliten untersucht. Viele, auch sicherheitsrelevante Daten waren unverschlüsselt.
---------------------------------------------
https://heise.de/-10767623
∗∗∗ Handy-Spionage mit SS7: Tausende Opfer wurden wohl ausgespäht ∗∗∗
---------------------------------------------
Ein österreichisch-indonesisches Unternehmen bietet die Überwachung von Mobilfunkkunden an. Malware ist dafür nicht nötig, aber weitreichender Netzzugriff.
---------------------------------------------
https://heise.de/-10767347
=====================
= Vulnerabilities =
=====================
∗∗∗ Gladinet fixes actively exploited zero-day in file-sharing software ∗∗∗
---------------------------------------------
Gladinet has released security updates for its CentreStack business solution to address a local file inclusion vulnerability (CVE-2025-11371) that threat actors have leveraged as a zero-day since late September.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gladinet-fixes-actively-expl…
∗∗∗ Chrome, Firefox und Thunderbird: Updates beseitigen potenzielle Einfallstore ∗∗∗
---------------------------------------------
Sowohl für Mozillas Firefox und Thunderbird als auch für Googles Chrome-Browser gibt es Aktualisierungen. Kritische Schwachstellen wurden nicht geschlossen – wohl aber einige Lücken mit "High"-Einstufung, die Cybergangster ausnutzen könnten.
---------------------------------------------
https://www.heise.de/news/Chrome-Firefox-und-Thunderbird-Updates-beseitigen…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and libsoup3), Debian (chromium and firefox-esr), Fedora (httpd), Oracle (cups, ImageMagick, kernel, and vim), Red Hat (libssh), Slackware (samba), SUSE (alloy, exim, firefox-esr, ImageMagick, kernel, libcryptopp-devel, libQt6Svg6, libsoup-3_0-0, libtiff-devel-32bit, lsd, python3-gi-docgen, python311-Authlib, qt6-base, samba, and squid), and Ubuntu (ffmpeg, linux-oracle-6.8, redict, redis, samba, and subversion).
---------------------------------------------
https://lwn.net/Articles/1042330/
∗∗∗ CVE-2025-55315: Microsoft kills 9.9-rated ASP.NET Core bug – our highest ever score ∗∗∗
---------------------------------------------
Microsoft has patched an ASP.NET Core vulnerability with a CVSS score of 9.9, which security program manager Barry Dorrans said was "our highest ever." The flaw is in the Kestrel web server component and enables security bypass.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/10/16/microsoft_as…
∗∗∗ Samba bei bestimmter Konfiguration über kritische Lücke angreifbar ∗∗∗
---------------------------------------------
Bei aktiviertem WINS-Support können Angreifer unter bestimmten Voraussetzungen Befehle aus der Ferne ausführen. Es gibt wichtige Patches und einen Workaround.
---------------------------------------------
https://heise.de/-10773288
∗∗∗ Open PLC and Planet vulnerabilities ∗∗∗
---------------------------------------------
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.
---------------------------------------------
https://blog.talosintelligence.com/open-plc-and-planet-vulnerabilities/
∗∗∗ Phoenix Contact CHARX SEC-3xxx vulnerable to code injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN42282226/
∗∗∗ Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco TelePresence Collaboration Endpoint and RoomOS Software Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Secure Boot Bypass Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ K000156944: Intel vulnerability CVE-2025-20093 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000156944
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 14-10-2025 18:00 − Mittwoch 15-10-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ F5 says hackers stole undisclosed BIG-IP flaws, source code ∗∗∗
---------------------------------------------
U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-breach-f5-to-steal-u…
∗∗∗ Exploit-as-a-Service Resurgence in 2025 – Broker Models, Bundles & Subscription Access ∗∗∗
---------------------------------------------
Exploit-as-a-Service in 2025: how exploit brokerages, subscription bundles, and underground access models are reshaping cyber crime economics.
---------------------------------------------
https://www.darknet.org.uk/2025/10/exploit-as-a-service-resurgence-in-2025-…
∗∗∗ Microsoft: Exchange 2016 and 2019 have reached end of support ∗∗∗
---------------------------------------------
Microsoft has reminded that Exchange Server 2016 and 2019 reached the end of support and advised IT administrators to upgrade servers to Exchange Server SE or migrate to Exchange Online.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and…
∗∗∗ Microsoft signalisiert Windows 10 21H2 Enterprise LTSC als EOL ∗∗∗
---------------------------------------------
Kurze Information an Besitzer bzw. Administratoren von Windows 10 21H2 Enterprise LTSC (und natürlich der IoT-Version). Administratoren dieser Maschinen erhalten (fälschlich) die Information angezeigt, dass der Support für diese Version nun ende.
---------------------------------------------
https://www.borncity.com/blog/2025/10/15/mega-pleite-microsoft-signalisiert…
∗∗∗ Oops! Its a kernel stack use-after-free: Exploiting NVIDIAs GPU Linux drivers ∗∗∗
---------------------------------------------
This article details two bugs discovered in the NVIDIA Linux Open GPU Kernel Modules and demonstrates how they can be exploited. [..] They were reported to NVIDIA and the vendor issued fixes in their NVIDIA GPU Display Drivers update of October 2025.
---------------------------------------------
http://blog.quarkslab.com/nvidia_gpu_kernel_vmalloc_exploit.html
∗∗∗ Credential Attacks Detected on SonicWall SSLVPN Devices ∗∗∗
---------------------------------------------
A managed security services provider has detected credential attacks on SonicWall SSLVPN devices. The attacks, reported by Huntress, involve “widespread compromise” of SonicWall SSLVPN devices. [..] The report follows a SonicWall advisory that an unauthorized party had accessed firewall configuration backup files for all SonicWall customers who have used the company’s cloud backup service.
---------------------------------------------
https://thecyberexpress.com/credential-attacks-on-sonicwall-sslvpn-devices/
∗∗∗ Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces ∗∗∗
---------------------------------------------
Wiz Research identified a pattern of secret leakage by publishers of VSCode IDE Extensions. This occurred across both the VSCode and Open VSX marketplaces, the latter of which is used by AI-powered VSCode forks like Cursor and Windsurf. Critically, in over a hundred cases this included leakage of access tokens granting the ability to update the extension itself. [..] An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base.
---------------------------------------------
https://www.wiz.io/blog/supply-chain-risk-in-vscode-extension-marketplaces
∗∗∗ LinkPro: eBPF rootkit analysis ∗∗∗
---------------------------------------------
eBPF (extended Berkeley Packet Filter) is a technology adopted in Linux for its numerous use cases (observability, security, networking, etc.) and its ability to run in the kernel context while being orchestrated from user space. Threat actors are increasingly abusing it to create sophisticated backdoors and evade traditional system monitoring tools.
---------------------------------------------
https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday XXL: Microsoft schließt teils aktiv attackierte Schwachstellen ∗∗∗
---------------------------------------------
Mit mehr als 170 geschlossenen Sicherheitslücken ist Microsofts Patchday diesen Monat überdurchschnittlich umfangreich ausgefallen. Gleich 17 Fixes für kritische Lücken stehen unter anderem für Azure, Copilot, Office sowie den Windows Server Update Service (WSUS) bereit. Überdies machen drei aktiv angegriffene Schwachstellen mit "Important"-Einstufung das (bestenfalls automatische) Einspielen der verfügbaren Updates besonders dringlich.
---------------------------------------------
https://heise.de/-10764876
∗∗∗ Patchday: Adobe schließt kritische Lücken in mehreren Produkten ∗∗∗
---------------------------------------------
Gefährliche Lücken stecken unter anderem in Substance 3D Stager, Connect, Dimension und Illustrator. Aktuelle Security-Fixes schließen sie.
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-schliesst-kritische-Luecken-in-meh…
∗∗∗ Fortinet aktualisiert unter anderem FortiOS, FortiPAM und FortiSwitch Manager ∗∗∗
---------------------------------------------
Mit dem Schweregrad "High" bewertet wurden Schwachstellen in FortiOS, FortiPAM, FortiSwitch Manager, FortiDLP, Fortilsolator sowie im FortiClient Mac. [..] Zur unbefugten Ausführung von Systembefehlen per Kommandozeile könnten lokale, authentifizierte Angreifer die Schwachstelle CVE-2025-58325 ("Restricted CLI command bypass"; CVSS-Score 7.8) missbrauchen.
---------------------------------------------
https://www.heise.de/news/Fortinet-aktualisiert-unter-anderem-FortiOS-Forti…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, vim, and webkit2gtk3), Debian (distro-info-data, https-everywhere, and php-horde-css-parser), Fedora (inih, mingw-exiv2, mirrorlist-server, rust-maxminddb, rust-monitord-exporter, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, and rust-protobuf-support), Mageia (fetchmail), Oracle (gnutls, kernel, vim, and webkit2gtk3), Red Hat (kernel, kernel-rt, and webkit2gtk3), Slackware (mozilla), SUSE (curl, libxslt, and net-tools), and Ubuntu (linux-azure-5.15, linux-azure-6.8, linux-azure-fips, linux-oracle, linux-oracle-6.14, and linux-raspi).
---------------------------------------------
https://lwn.net/Articles/1042076/
∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desk…
∗∗∗ Rockwell Automation 1715 EtherNet/IP Comms Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-287-01
∗∗∗ F5: K000156572: Quarterly Security Notification (October 2025) ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000156572
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 13-10-2025 18:00 − Dienstag 14-10-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers can steal 2FA codes and private messages from Android phones ∗∗∗
---------------------------------------------
Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds.
---------------------------------------------
https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-ha…
∗∗∗ Chinese hackers abuse geo-mapping tool for year-long persistence ∗∗∗
---------------------------------------------
Chinese state hackers remained undetected in a target environment for more than a year by turning a component in the ArcGIS geo-mapping tool into a web shell.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-geo-ma…
∗∗∗ Secure Boot bypass risk on nearly 200,000 Linux Framework sytems ∗∗∗
---------------------------------------------
Around 200,000 Linux computer systems from American computer maker Framework were shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections. An attacker could take advantage to load bootkits (e.g. BlackLotus, HybridPetya, and Bootkitty) that can evade OS-level security controls and persist across OS re-installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/secure-boot-bypass-risk-on-n…
∗∗∗ Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a previously undocumented threat actor called TA585 that has been observed delivering an off-the-shelf malware called MonsterV2 via phishing campaigns.
---------------------------------------------
https://thehackernews.com/2025/10/researchers-expose-ta585s-monsterv2.html
∗∗∗ npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels ∗∗∗
---------------------------------------------
Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to actor-controlled webhooks.
---------------------------------------------
https://thehackernews.com/2025/10/npm-pypi-and-rubygems-packages-found.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitslücke: Weiterer Notfall-Patch für Oracle E-Business Suite ∗∗∗
---------------------------------------------
Oracle hat ein weiteres außerplanmäßiges Update für die E-Business Suite veröffentlicht. Einer Sicherheitswarnung zufolge lässt sich eine Sicherheitslücke mit der Kennung CVE-2025-61884(öffnet im neuen Fenster) aus der Ferne und ohne Authentifizierung ausnutzen. Angreifer erhalten unter Umständen Zugriff auf vertrauliche Ressourcen.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-weiterer-notfall-patch-fuer-ora…
∗∗∗ SAP-Patchday im Oktober behebt mehrere kritische Schwachstellen ∗∗∗
---------------------------------------------
Jetzt updaten: Unter anderem stehen wichtige Sicherheitsupdates und -hinweise für NetWeaver, Print Service und Supplier Relationship Management bereit.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-im-Oktober-behebt-mehrere-kritische-…
∗∗∗ Jetzt patchen: Veeam Backup & Replication anfällig für Remote Code Execution ∗∗∗
---------------------------------------------
Ein frisch veröffentlichter Patch schützt Veeams Backup-Lösung gleich zweimal vor Codeausführung aus der Ferne. Auch der Agent für Windows wurde abgesichert.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Veeam-Backup-Replication-anfaellig-…
∗∗∗ Totgeglaubter Internet Explorer wird zur Sicherheitslücke: Microsoft reagiert ∗∗∗
---------------------------------------------
Nach aktiven Angriffen hat Microsoft den Internet-Explorer-Modus in Edge drastisch eingeschränkt. Angreifer nutzten sogar Zero-Days für Systemübernahmen.
---------------------------------------------
https://www.heise.de/news/Gefahr-aus-dem-Grab-Microsoft-verbuddelt-IE-noch-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ghostscript and libfcgi), Fedora (qt5-qtsvg), Red Hat (kernel, perl-FCGI, perl-FCGI:0.78, and vim), SUSE (bluez, curl, podman, postgresql14, python-xmltodict, and udisks2), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-fips, linux-oracle, and subversion).
---------------------------------------------
https://lwn.net/Articles/1041886/
∗∗∗ Ivanti: October 2025 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/october-2025-security-update
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 10-10-2025 18:01 − Montag 13-10-2025 18:00
Handler: Felician Fuchs
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Oracle releases emergency patch for new E-Business Suite flaw ∗∗∗
---------------------------------------------
Oracle has issued an emergency security update over the weekend to patch another E-Business Suite (EBS) vulnerability that can be exploited remotely by unauthenticated attackers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/oracle-releases-emergency-pa…
∗∗∗ Windows 11 23H2 Home and Pro reach end of support in 30 days ∗∗∗
---------------------------------------------
Microsoft has reminded customers again today that systems running Home and Pro editions of Windows 11 23H2 will stop receiving security updates next month.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-11-23h2-home-and-pr…
∗∗∗ Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks ∗∗∗
---------------------------------------------
In a new wrinkle for adversary tactics, the Storm-2603 threat group is abusing the digital forensics and incident response (DFIR) tool to gain persistent access to victim networks.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/chinese-hackers-veloci…
∗∗∗ New Rust-Based Malware "ChaosBot" Uses Discord Channels to Control Victims PCs ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts.
---------------------------------------------
https://thehackernews.com/2025/10/new-rust-based-malware-chaosbot-hijacks.h…
∗∗∗ Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new campaign that delivers the Astaroth banking trojan that employs GitHub as a backbone for its operations to stay resilient in the face of infrastructure takedowns.
---------------------------------------------
https://thehackernews.com/2025/10/astaroth-banking-trojan-abuses-github.html
∗∗∗ Microsoft Locks Down IE Mode After Hackers Turned Legacy Feature Into Backdoor ∗∗∗
---------------------------------------------
Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving "credible reports" in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users devices.
---------------------------------------------
https://thehackernews.com/2025/10/microsoft-locks-down-ie-mode-after.html
∗∗∗ Invoicely Database Leak Exposes 180,000 Sensitive Records ∗∗∗
---------------------------------------------
Cybersecurity researcher Jeremiah Fowler discovered nearly 180,000 files, including PII and banking details, left exposed on an unprotected database linked to the Invoicely platform. Read about the identity theft and financial fraud risks for over 250,000 businesses worldwide.
---------------------------------------------
https://hackread.com/invoicely-database-leak-expose-sensitive-records/
∗∗∗ 100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure ∗∗∗
---------------------------------------------
Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States.
---------------------------------------------
https://www.greynoise.io/blog/botnet-launches-coordinated-rdp-attack-wave
∗∗∗ Kundendaten von Qantas im Netz – auch die von Troy Hunt ∗∗∗
---------------------------------------------
Im Juli erbeuteten Angreifer wichtige Daten bei der australischen Airline. Noch ist nicht klar, was davon jetzt im Netz kursiert.
---------------------------------------------
https://heise.de/-10750869
∗∗∗ Critical GitHub Copilot Vulnerability Leaks Private Source Code ∗∗∗
---------------------------------------------
In June 2025, I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot’s responses, including suggesting malicious code or links.
---------------------------------------------
https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnera…
∗∗∗ North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads ∗∗∗
---------------------------------------------
The Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Since our July 14, 2025 update, we have identified and analyzed more than 338 malicious packages with over 50,000 cumulative downloads.
---------------------------------------------
https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malic…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#538470: Clevo UEFI firmware embedded BootGuard keys compromising Clevos implementation of BootGuard ∗∗∗
---------------------------------------------
Clevo’s UEFI firmware update packages included sensitive private keys used in their Intel Boot Guard implementation. This accidental exposure of the keys could be abused by an attacker to sign malicious firmware using Clevo’s Boot Guard trust chain, potentially compromising the pre-boot UEFI environment on systems where Clevo’s implementation has been adopted.
---------------------------------------------
https://kb.cert.org/vuls/id/538470
∗∗∗ Oracle Security Alert for CVE-2025-61884 - 11 October 2025 ∗∗∗
---------------------------------------------
This Security Alert addresses vulnerability CVE-2025-61884 in Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources.
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (compat-libtiff3, iputils, kernel, open-vm-tools, and vim), Debian (asterisk, ghostscript, kernel, linux-6.1, and tiff), Fedora (cef, chromium, cri-o1.31, cri-o1.32, cri-o1.33, cri-o1.34, docker-buildx, log4cxx, mingw-poppler, openssl, podman-tui, prometheus-podman-exporter, python-socketio, python3.10, python3.11, python3.12, python3.9, skopeo, and valkey), Mageia (open-vm-tools), Red Hat (compat-libtiff3, kernel, kernel-rt, vim, and webkit2gtk3), and SUSE (distrobuilder, docker-stable, expat, forgejo, forgejo-longterm, gitea-tea, go1.25, haproxy, headscale, open-vm-tools, openssl-3, podman, podofo, ruby3.4-rubygem-rack, and weblate).
---------------------------------------------
https://lwn.net/Articles/1041779/
∗∗∗ Two High Checkmk advisories released ∗∗∗
---------------------------------------------
SBAResearch published the following advisories for checkmk: SBA-ADV-20250724-01: Checkmk Agent Privilege Escalation via Insecure Temporary Files, SBA-ADV-20250730-01: Checkmk Path Traversal.
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/e84ca741ae34d372b4f7b294ad…
∗∗∗ Auth Bypass Flaw in Service Finder WordPress Plugin Under Active Exploit ∗∗∗
---------------------------------------------
An Authentication Bypass (CVE-2025-5947) in Service Finder Bookings plugin allows any unauthenticated attacker to log in as an administrator. Over 13,800 exploit attempts detected. Update to v6.1 immediately.
---------------------------------------------
https://hackread.com/auth-bypass-service-finder-wordpress-plugin-exploit/
∗∗∗ BigBlueButton: Update fürs Webkonferenz-System fixt Denial-of-Service-Lücken ∗∗∗
---------------------------------------------
Die Entwickler des quelloffenen Webkonferenz-Systems BigBlueButton (BBB) für Windows- und Linux-Server haben mit einem Update auf Version 3.0.13 mehrere Angriffsmöglichkeiten beseitigt.
---------------------------------------------
https://heise.de/-10751398
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/