Daily

daily@lists.cert.at

1 participants
3208 discussions

Tageszusammenfassung - 16.05.2025
by Daily end-of-shift report 16 May '25

16 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-05-2025 18:01 − Freitag 16-05-2025 18:01 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FBI: US officials targeted in voice deepfake attacks since April ∗∗∗ --------------------------------------------- The FBI warned that cybercriminals using AI-generated audio deepfakes to target U.S. officials in voice phishing attacks that started in April. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in… ∗∗∗ Ransomware gangs increasingly use Skitnet post-exploitation malware ∗∗∗ --------------------------------------------- Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingl… ∗∗∗ Understanding CSRF: Cross-site Request Forgery Explained ∗∗∗ --------------------------------------------- Cross-Site Request Forgery, often called CSRF (or its other nicknames, Session Riding and XSRF), is a tricky type of attack. In short, it lets attackers make users do things on websites without their consent or knowledge. This attack works by misusing the trust a web application puts in a user’s browser once they’re logged in. By duping the browser into sending fake requests (usually through shady emails or misleading links), CSRF allows unauthorized commands to hit a website. And since these requests seem to come from a legitimate, logged-in user, the website has a hard time spotting the fakes, which can open the door to significant security problems. --------------------------------------------- https://blog.sucuri.net/2025/05/understanding-csrf-cross-site-request-forge… ∗∗∗ Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. --------------------------------------------- https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html ∗∗∗ VNC. RDP for all to see ∗∗∗ --------------------------------------------- VNC (Virtual Network Computing) is a widely deployed service in perhaps forgotten corners of legacy enterprise networks. This is mainly because it’s a tried and trusted protocol that simply works, however this is disregarding its security flaws and disadvantages in the modern age. --------------------------------------------- https://www.pentestpartners.com/security-blog/vnc-rdp-for-all-to-see/ ∗∗∗ Operation RoundPress ∗∗∗ --------------------------------------------- This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/operation-roundpress/ ∗∗∗ Commit Stomping ∗∗∗ --------------------------------------------- Commit Stomping is a technique inspired by timestomping, a well-known method used in offensive operations where file metadata is manipulated to hide the true timing of actions. In Git, Commit Stomping involves altering commit timestamps to mislead observers about when changes were introduced. --------------------------------------------- https://blog.zsec.uk/commit-stomping/ ===================== = Vulnerabilities = ===================== ∗∗∗ Printer company provided infected software downloads for half a year ∗∗∗ --------------------------------------------- When Cameron Coward, the Youtuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the Antivirus software alerted him of a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems. --------------------------------------------- https://feeds.feedblitz.com/~/918394763/0/gdatasecurityblog-en~Printer-comp… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, kernel, kernel-rt, redis:6, and yelp and yelp-xsl), Debian (chromium), Red Hat (compat-openssl11, kernel, and thunderbird), and SUSE (nbdkit, open-vm-tools, and rustup). --------------------------------------------- https://lwn.net/Articles/1021482/ ∗∗∗ Malicious ‘Checker’ Packages on PyPI Probe TikTok and Instagram for Valid Accounts ∗∗∗ --------------------------------------------- We often hear about the importance of secure data. Have I Been Pwned and similar websites exist to see if passwords or emails are listed online. However, many people do not understand the ramifications of their own leaked data. --------------------------------------------- https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.05.2025
by Daily end-of-shift report 15 May '25

15 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-05-2025 18:01 − Donnerstag 15-05-2025 18:01 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Spies hack high-value mail servers using an exploit from yesteryear ∗∗∗ --------------------------------------------- XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software that, when exploited, allow attackers to execute malicious code in the browsers of people visiting an affected website. XSS first got attention in 2005, with the creation of the Samy Worm, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. XSS exploits abounded for the next decade and have gradually fizzled more recently, although this class of attacks continues now. --------------------------------------------- https://arstechnica.com/security/2025/05/spies-hack-high-value-mail-servers… ∗∗∗ Critical Infrastructure Under Siege: OT Security Still Lags ∗∗∗ --------------------------------------------- With critical infrastructure facing constant cyber threats from the Typhoons and other corners, federal agencies and others are warning security for the OT network, a core technology in many critical sectors, is not powered up enough. --------------------------------------------- https://www.darkreading.com/ics-ot-security/critical-infrastructure-ot-secu… ∗∗∗ Beyond the kill chain: What cybercriminals do with their money (Part 1) ∗∗∗ --------------------------------------------- Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled. --------------------------------------------- https://news.sophos.com/en-us/2025/05/15/beyond-the-kill-chain-what-cybercr… ∗∗∗ Technical Analysis of TransferLoader ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-transfer… ∗∗∗ USA: Bösartige Kommunikationsgeräte in chinesischen Solar-Wechselrichtern ∗∗∗ --------------------------------------------- Bei der Untersuchung von Wechselrichtern aus China durch Experten in den USA wurden in einigen Geräten nicht dokumentierte Kommunikationsgeräte gefunden. US-Energiebehörden wollen das Risiko dieser chinesischen Inverter Medienberichten zufolge neu beurteilen. --------------------------------------------- https://www.heise.de/news/Boesartige-Kommunikationsgeraete-in-Solar-Wechsel… ∗∗∗ Angeblicher Steam-Hack: Datenleck enthält SMS-Sendeprotokolle ∗∗∗ --------------------------------------------- Ein angebliches Datenleck bei der Spieleplattform Steam soll 89 Millionen Datensätze enthalten – ein Unbekannter versucht seit vergangenem Samstag, sie im Darknet für 5.000 US-Dollar zu verkaufen. Doch die Resonanz ist mau und die Brisanz der Daten fraglich. --------------------------------------------- https://heise.de/-10383892 ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal Security Advisories 2025-05-14 ∗∗∗ --------------------------------------------- Drupal has released 7 new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Palo Alto Networks Security Advisories 2025-05-14 ∗∗∗ --------------------------------------------- Palo Alto has released 11 new security advisories. --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Mozilla Foundation Security Advisories 2025-05-13 ∗∗∗ --------------------------------------------- For Thunderbird 138.0.1 and Thunderbird 128.10.1. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack). --------------------------------------------- https://lwn.net/Articles/1021379/ ∗∗∗ Patchday: Lücken in Intel-Software und -Treibern gestopft ∗∗∗ --------------------------------------------- Angreifer können Computer mit Hard- und Software von Intel attackieren. Sind Attacken erfolgreich, können sie unter anderem Denial-of-Service-Zustände (DoS) erzeugen, die in der Regel zu Abstürzen führen. --------------------------------------------- https://heise.de/-10384160 ∗∗∗ Google warnt: Gefährliche Chrome-Lücke wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Im weit verbreiteten Webbrowser Chrome klaffen mehrere gefährliche Sicherheitslücken, von denen eine bereits aktiv von Angreifern ausgenutzt wird. Davor warnt Google in den Release Notes zu einem am Mittwoch bereitgestellten Update. Betroffen ist nicht nur die Windows-Variante von Google Chrome, sondern auch jene für Mac und Linux. Anwender sollten den Browser zeitnah aktualisieren, um sich vor möglichen Angriffen zu schützen. --------------------------------------------- https://www.golem.de/news/google-warnt-gefaehrliche-chrome-luecke-wird-akti… ∗∗∗ Fortinet dichtet mehrere Lücken ab, Angriffe auf FortiVoice beobachtet ∗∗∗ --------------------------------------------- CVE-2025-32756 is a critical stack-based buffer overflow vulnerability affecting multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows unauthenticated remote attackers to execute arbitrary code or commands via crafted HTTP requests, posing a severe security risk. --------------------------------------------- https://www.heise.de/news/Fortinet-dichtet-mehrere-Luecken-ab-Angriffe-auf-… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0004.html ∗∗∗ Reflected cross-site scripting vulnerability in Ricoh laser printers and MFPs which implement Web Image Monitor ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN20474768/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 5, 2025 to May 11, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2025
by Daily end-of-shift report 14 May '25

14 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-05-2025 18:00 − Mittwoch 14-05-2025 18:01 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt ∗∗∗ --------------------------------------------- A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads. --------------------------------------------- https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit… ∗∗∗ Intel: Ein weiterer Angriff umgeht alle bisherigen CPU-Schutzmaßnahmen ∗∗∗ --------------------------------------------- Intel hat einen Lauf: Eine weitere Sicherheitslücke öffnet viele Prozessoren erneut für Seitenkanalangriffe trotz bisheriger Schutzmaßnahmen. [..] Wie schon der Angriffstyp Training Solo erfordert BPI physischen Zugriff auf ein System. Daher sind die zugehörigen CVE-Nummern CVE-2024-43420, CVE-2025-20623 und CVE-2024-45332 nur mit dem Schweregrad Medium bewertet. --------------------------------------------- https://heise.de/-10383474 ∗∗∗ A Privacy Mechanism That Backfired ∗∗∗ --------------------------------------------- Some bugs are more interesting than others. Last time I mentioned how CVE-2025-24091 was one of my favorite iOS vulnerabilities so far. That was because I wasn’t yet allowed to disclose my actual favorite! This post is about CVE-2025-31212, the most ironic vulnerability I’ve ever found, and here's why... --------------------------------------------- https://rambo.codes/posts/2025-05-12-a-privacy-mechanism-that-backfired ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti EPMM: Remote Code Execution Schwachstellen (CVE-2025-4427, CVE-2025-4428) - Updates verfügbar ∗∗∗ --------------------------------------------- Ivanti veröffentlichte am 13. Mai Updates & Sicherheitsadvisories zu zwei Schwachstellen in Ivanti Endpoint Manager Mobile (EPMM). Die verkettete Ausnutzung der beiden Lücken kann zur unauthentifizierten Ausführung von Schadcode genutzt werden. Ivanti gibt an die Ausnutzung dieser Lücken auf einer limitierten Anzahl an Systemen, bereits vor der Veröffentlichtung des Advisories, beobachtet zu haben. CVE-Nummern: CVE-2025-4427, CVE-2025-4428 --------------------------------------------- https://www.cert.at/de/warnungen/2025/5/ivanti-epmm-rce ∗∗∗ Microsoft primes 71 fixes for May Patch Tuesday ∗∗∗ --------------------------------------------- Five issues actively exploited in the wild, but the real excitement may have been handled in advance. --------------------------------------------- https://news.sophos.com/en-us/2025/05/14/microsoft-primes-71-fixes-for-may-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools). --------------------------------------------- https://lwn.net/Articles/1021199/ ∗∗∗ Patchday Adobe: Schadcode-Attacken auf InDesign und Photoshop möglich ∗∗∗ --------------------------------------------- Adobe schließt Sicherheitslücken in mehreren Anwendungen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://heise.de/-10382767 ∗∗∗ VIdeokonferenzen: Hochriskante Rechteausweitungslücken in Zoom Workplace Apps ∗∗∗ --------------------------------------------- Zoom meldet mehrere Sicherheitslücken in den Workplace Apps der Videokonferenzsoftware. Eine verpasst den Status "kritisch" nur knapp. --------------------------------------------- https://heise.de/-10383108 ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ MISP 2.4.209 / 2.5.11 Release Notes Latest ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2025
by Daily end-of-shift report 13 May '25

13 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 12-05-2025 18:00 − Dienstag 13-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer ∗∗∗ --------------------------------------------- Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script, they were tricked into executing via a Google Drive document. --------------------------------------------- https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-St… ∗∗∗ Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq ∗∗∗ --------------------------------------------- Turkish spies exploited a zero-day bug in a messaging app to collect info on the Kurdish army in Iraq, according to Microsoft, which says the attacks began more than a year ago. Specifically, the snoops abused CVE-2025-27920, a directory traversal vulnerability in version 2.0.62 of messaging app Output Messenger, and the intrusions began in April 2024. The app's developer Srimax issued a software update in December to patch the hole, however not all users applied the fixes. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/turkish_spie… ∗∗∗ As US vuln-tracking falters, EU enters with its own security bug database ∗∗∗ --------------------------------------------- The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/eu_security_… ∗∗∗ SAP-Patchday: Kritische Netweaver-Lücke und viele mehr gestopft ∗∗∗ --------------------------------------------- SAP veröffentlicht im Mai 2025 insgesamt 16 neue Sicherheitsmeldungen. Sie behandeln teils kritische Sicherheitslücken in diversen Produkten aus dem Business-Softwarekatalog des Unternehmens. --------------------------------------------- https://heise.de/-10381863 ∗∗∗ Auditing Moodles core hunting for logical bugs ∗∗∗ --------------------------------------------- The following article explains how, during an audit, we examined Moodle (v4.4.3) and found ways of bypassing all the restrictions preventing SSRF vulnerabilities from being exploited. --------------------------------------------- http://blog.quarkslab.com/auditing-moodles-core-hunting-for-logical-bugs.ht… ∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗ --------------------------------------------- A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025. --------------------------------------------- http://blog.quarkslab.com/technical-dive-into-modern-phishing.html ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Updates Everything: May 2025 Edition, (Mon, May 12th) ∗∗∗ --------------------------------------------- Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem. --------------------------------------------- https://isc.sans.edu/diary/rss/31942 ∗∗∗ Perfekt implementierte Sicherungen ausgehebelt: Spectre-Angriffe sind zurück ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen schützen nicht immer gegen Spectre-artige Seitenkanalangriffe auf Prozessoren, selbst wenn sie perfekt implementiert sind und verschiedene Domains voneinander abschotten. Zu dem Ergebnis kommen Forscher der Systems and Network Security Group an der Vrije Universiteit Amsterdam (VUSec). --------------------------------------------- https://www.heise.de/news/Perfekt-implementierte-Sicherungen-ausgehebelt-Sp… ∗∗∗ 82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme ∗∗∗ --------------------------------------------- On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. --------------------------------------------- https://www.wordfence.com/blog/2025/05/82000-wordpress-sites-affected-by-ar… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/1020948/ ∗∗∗ Stack-based buffer overflow vulnerability in API ∗∗∗ --------------------------------------------- A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-25-254 ∗∗∗ EPMM Security Update ∗∗∗ --------------------------------------------- To this end, we are issuing an important security update addressing vulnerabilities associated with open-source libraries used in Ivanti Endpoint Manager Mobile (EPMM). At the time of disclosure, we are aware of a very limited number of customers whose solution has been exploited. The issue only affects the on-prem EPMM product. --------------------------------------------- https://www.ivanti.com/blog/epmm-security-update ∗∗∗ Xen Security Advisory CVE-2024-28956 / XSA-469 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-469.html ∗∗∗ Möglichkeit für Replay-Attacken im Tiiwee X1 Alarm System (SYSS-2025-006) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/moeglichkeit-fuer-replay-attacken-im-tiiwe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2025
by Daily end-of-shift report 12 May '25

12 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-05-2025 18:00 − Montag 12-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iClicker site hack targeted students with malware via fake CAPTCHA ∗∗∗ --------------------------------------------- The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-stude… ∗∗∗ Von AMD-Lücke inspiriert: Forscher warnt vor Ransomware im CPU-Microcode ∗∗∗ --------------------------------------------- Eine Ransomware-Infektion kann für Unternehmen weitreichende Folgen haben, die nicht selten auch in einer Insolvenz münden. Durch geeignete Maßnahmen lassen sich die Risiken für solche Sicherheitsvorfälle eindämmen. Der Sicherheitsforscher Christiaan Beek von Rapid7 warnt jedoch vor einer Bedrohung, der gängige Cybersicherheitslösungen wohl bisher wenig entgegenzusetzen haben: Ransomware im Microcode der CPU. --------------------------------------------- https://www.golem.de/news/von-amd-luecke-inspiriert-forscher-warnt-vor-rans… ∗∗∗ It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities, (Mon, May 12th) ∗∗∗ --------------------------------------------- Unipi Technologies is a company developing programmable logic controllers for a number of different applications like home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are based on the "Marvis" platform, a customized Linux distribution maintained by Unipi. --------------------------------------------- https://isc.sans.edu/diary/rss/31940 ∗∗∗ A Subtle Form of Siege: DDoS Smokescreens as a Cover for Quiet Data Breaches ∗∗∗ --------------------------------------------- DDoS attacks have long been dismissed as blunt instruments, favored by script kiddies and hacktivists for their ability to overwhelm and disrupt. But in todays fragmented, hybrid-cloud environments, theyve evolved into something far more cunning: a smokescreen. What looks like digital vandalism may actually be a coordinated diversion, engineered to distract defenders from deeper breaches in progress. --------------------------------------------- https://www.tripwire.com/state-of-security/subtle-form-siege-ddos-smokescre… ∗∗∗ Threat Brief: CVE-2025-31324 ∗∗∗ --------------------------------------------- On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-313… ∗∗∗ SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths ∗∗∗ --------------------------------------------- sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with elevated privileges. However, misconfigurations and certain vulnerabilities can be exploited to escalate privileges, potentially compromising system security. --------------------------------------------- https://www.darknet.org.uk/2025/05/sudo_killer-auditing-sudo-configurations… ∗∗∗ One-click RCE in ASUS’s preinstalled driver software ∗∗∗ --------------------------------------------- By trawling through the Javascript on the website, and about 700k lines of decompiled code that the exe produced, I managed to create a list of callable endpoints including some unused ones sitting in the exe. --------------------------------------------- https://mrbruh.com/asusdriverhub/ ∗∗∗ CVE-2024-26809: Critical nftables Vulnerability in Linux Kernel Could Lead to Root Access ∗∗∗ --------------------------------------------- A critical security flaw has been discovered in the Linux kernel’s nftables subsystem, which is responsible for packet filtering in modern Linux distributions. This flaw, a double-free vulnerability, allows local attackers to escalate their privileges and execute arbitrary code. --------------------------------------------- https://thecyberexpress.com/cve-2024-26809-nftables-vulnerability/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libbson-xs-perl, postgresql-13, redis, and simplesamlphp), Fedora (chromium, deluge, epiphany, golang-github-nats-io-nkeys, libxmp, nodejs22, perl-Compress-Raw-Lzma, php-adodb, python-h11, and xz), Gentoo (firefox, NVIDIA Drivers, Orc, PAM, and thunderbird), Mageia (libreoffice, python-django, and transfig), Red Hat (emacs, firefox, python39:3.9, and thunderbird), SUSE (bird3, freetype2, ldap-proxy, libmosquitto1, and ruby3.4-rubygem-rack), and Ubuntu (linux, linux-aws, linux-kvm, linux-aws, and linux-fips). --------------------------------------------- https://lwn.net/Articles/1020884 ∗∗∗ TuneUp und Dienste in Avast, AVG, Avira und Norton reißen Sicherheitslücken auf ∗∗∗ --------------------------------------------- Die Virenschutzsoftware der Marken Avast, AVG, Avira und Norton von Gen Digital bringt unter anderem System-Optimierungsdienste und weitere Komponenten mit, die Schwachstellen enthalten. Nutzerinnen und Nutzer der betroffenen Software sollten prüfen, ob sie neuere Versionen installiert haben als die bekannt verwundbaren. --------------------------------------------- https://heise.de/-10379900 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.05.2025
by Daily end-of-shift report 09 May '25

09 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-05-2025 18:00 − Freitag 09-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Nationale Policy für die koordinierte Offenlegung von Schwachstellen (CVD) ∗∗∗ --------------------------------------------- Der Umgang mit Schwachstellen in IT Produkten und Dienstleistungen ist eine der spannenden Themen in der IT-Sicherheit. Seitens der Hersteller stellt sich die Frage, wie man am besten selbst Probleme identifiziert, wie man mit Meldungen von Dritten am umgeht, wie der Prozess zur Entwicklung von korrigierten Versionen aussieht und wie man diese neue Version schnell und effizient an die Kunden verteilt. Seitens der Finder (Researcher) stellen sich Fragen nach den rechtlichen Rahmenbedingungen für die Schwachstellensuche: was darf ich, was sicher nicht, und wie kommuniziere ich das Ergebnis am sinnvollsten? --------------------------------------------- https://www.cert.at/de/spezielles/2025/5/nationale-cvd-policy ∗∗∗ Malicious PyPi package hides RAT malware, targets Discord devs since 2022 ∗∗∗ --------------------------------------------- A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.[..] Named "discordpydebug," the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides… ∗∗∗ FBI: End-of-life routers hacked for cybercrime proxy networks ∗∗∗ --------------------------------------------- The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hack… ∗∗∗ Operation PowerOFF Takes Down 9 DDoS-for-Hire Domains ∗∗∗ --------------------------------------------- Four different countries, including the United States and Germany, were included in the latest international operation alongside Europols support. --------------------------------------------- https://www.darkreading.com/threat-intelligence/operation-poweroff-takes-do… ∗∗∗ Lumma Stealer, coming and going ∗∗∗ --------------------------------------------- The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive. --------------------------------------------- https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/ ∗∗∗ Warnung: Gefälschtes Anwaltsschreiben könnte Schadsoftware enthalten! ∗∗∗ --------------------------------------------- Derzeit kursieren E-Mails einer angeblichen Anwaltskanzlei, in denen Unternehmen beschuldigt werden, Urheberrechte an Inhalten von Avident Entertainment verletzt zu haben. Über einen Download-Link kann eine Sammlung von Beweisen heruntergeladen werden. Aber Vorsicht: Der Link ist betrügerisch und enthält vermutlich Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/warnung-gefaelschtes-anwaltsschreibe… ∗∗∗ Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources ∗∗∗ --------------------------------------------- Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-… ∗∗∗ Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation ∗∗∗ --------------------------------------------- Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload generation and obfuscation. --------------------------------------------- https://www.darknet.org.uk/2025/05/bantam-advanced-php-backdoor-management-… ∗∗∗ Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser ∗∗∗ --------------------------------------------- Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials. --------------------------------------------- https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/ ∗∗∗ Remote-Access-Trojaner in npm-Paket mit 40.000 wöchentlichen Downloads gefunden ∗∗∗ --------------------------------------------- Angreifer hatten das Paket rand-user-agent, das unter anderem für automatische Tests und zum Web-Scraping dient, mit Schadcode versehen. --------------------------------------------- https://heise.de/-10377590 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django). --------------------------------------------- https://lwn.net/Articles/1020545/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11). --------------------------------------------- https://lwn.net/Articles/1020653/ ∗∗∗ Sicherheitslücken: F5 BIG-IP-Appliances sind an mehreren Stellen verwundbar ∗∗∗ --------------------------------------------- https://heise.de/-10377584 ∗∗∗ Joomla: [20250402] - Core - MFA Authentication Bypass ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/964-20250402-core-mfa-authenti… ∗∗∗ Pixmeo OsiriX MD ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01 ∗∗∗ Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01 ∗∗∗ Mitsubishi Electric CC-Link IE TSN ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2025
by Daily end-of-shift report 08 May '25

08 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-05-2025 18:00 − Donnerstag 08-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ WhatsApp provides no cryptographic management for group messages ∗∗∗ --------------------------------------------- The weakness creates the possibility of an insider or hacker adding rogue members. [..] “This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.” --------------------------------------------- https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic… ∗∗∗ Password crisis deepens in 2025: lazy, reused, and stolen ∗∗∗ --------------------------------------------- A new study of over 19 billion newly exposed passwords manifests a widespread weak password reuse crisis. Lazy keyboard patterns, such as 123456, still reign supreme, and 94% of passwords are reused or duplicated, data leaks from 2024-2025 reveal. Names like Ana rank as the second most popular component. --------------------------------------------- https://cybernews.com/security/password-leak-study-unveils-2025-trends-reus… ∗∗∗ Ransomware: Unbekannte Angreifer leaken LockBit-Datenbank – dank PHP-Exploit? ∗∗∗ --------------------------------------------- Tausende Bitcoin-Adressen, Chatnachrichten und weitere brisante Details des Ransomware-Anbieters kursieren nun im Web. Der LockBit-Support relativiert. --------------------------------------------- https://www.heise.de/news/Ransomware-Unbekannte-Angreifer-leaken-LockBit-Da… ∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗ --------------------------------------------- Four new vulnerabilities in the Revolution Pi industrial PLCs. Two give unauthenticated attackers RCE—potentially a direct impact on safety and operations. [..] Since the vulnerabilities affect ICS equipment, we coordinated disclosure with CISA and KUNBUS’ PSIRT team (security.txt). --------------------------------------------- https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g… ∗∗∗ 2,99 € Einfuhrzoll für die Post? Achtung, Phishing! ∗∗∗ --------------------------------------------- Ein Paket hängt im Zoll fest? Die Auslieferung ist nur gegen die Zahlung einer Gebühr möglich? Ein Szenario, das Kriminelle aktuell verstärkt als Betrugsmasche einsetzen. Sie versenden Phishing-Mails im Namen der Post AG und hoffen auf leichtgläubige Opfer. --------------------------------------------- https://www.watchlist-internet.at/news/einfuhrzoll-fuer-die-post/ ∗∗∗ Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads ∗∗∗ --------------------------------------------- Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a multi-stage attack to steal credentials. --------------------------------------------- https://hackread.com/fake-ai-tools-noodlophile-stealer-facebook-ads/ ∗∗∗ RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale ∗∗∗ --------------------------------------------- Learn how RedisRaider is targeting publicly accecesibly Redis servers to mine crypocurrency. --------------------------------------------- https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconf… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges admins to patch VPN flaw exploited in attacks ∗∗∗ --------------------------------------------- Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances. The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher. [..] SonicWall advised admins to check their SMA devices' logs for any signs of unauthorized logins and enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as a safety measure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-pa… ∗∗∗ CISCO Security Advisories 07. - 08.05.2025 ∗∗∗ --------------------------------------------- Cisco has released 29 new security Advisories. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. [..] Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default. CVE-2025-20188 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Catalyst Center Unauthenticated API Access Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings. CVE-2025-20210 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Drupal Security Advisories 07.05.2025 ∗∗∗ --------------------------------------------- Drupal has released 10 new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Ubiquiti UniFi Protect: Kritisches Leck ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In einer Sicherheitsmitteilung erörtert Ubiquiti die Schwachstellen. Bösartige Akteure mit Zugriff auf das Verwaltungsnetzwerk können einen Heap-basierten Pufferüberlauf in den Unifi-Protect-Kameras mit Firmware 4.75.43 und vorherigen provozieren und dadurch beliebigen Code einschleusen und ausführen (CVE-2025-23123, CVSS 10.0, Risiko "kritisch"). --------------------------------------------- https://www.heise.de/news/Ubiquity-UniFi-Protect-Einschleusen-von-Schadcode… ∗∗∗ Mitel SIP-Phones lassen sich beliebige Befehle unterjubeln ∗∗∗ --------------------------------------------- Laut der Sicherheitsmitteilung von Mitel gibt es eine Befehlsschmuggel-Lücke in den SIP-Phones der Baureihen 6800, 6900, 6900w sowie dem 6970-Konferenz-Modell. Angreifer aus dem Netz können dadurch ohne vorherige Authentifizierung Befehle einschleusen, da nicht näher genannte Parameter nicht ausreichend gefiltert werden. Damit können sie System- und Nutzer-Daten und Konfigurationen einsehen oder ändern (CVE-2025-47188, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-10376625 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2025
by Daily end-of-shift report 07 May '25

07 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-05-2025 18:00 − Mittwoch 07-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Samsung MagicINFO 9 Server RCE flaw now exploited in attacks ∗∗∗ --------------------------------------------- Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-magicinfo-9-server-r… ∗∗∗ Apache Parquet exploit tool detect servers vulnerable to critical flaw ∗∗∗ --------------------------------------------- A proof-of-concept exploit tool has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apache-parquet-exploit-tool-… ∗∗∗ Millionenstrafe für Firma nach WhatsApp-Hack ∗∗∗ --------------------------------------------- Die NSO Group aus Israel hatte einen Bug in WhatsApp genutzt, um Spyware zu installieren. Meta klagte und gewann. --------------------------------------------- https://futurezone.at/digital-life/meta-whatsapp-nso-group-spionagesoftware… ∗∗∗ Zero Day: Windows-Lücke von mindestens zwei Hackergruppen ausgenutzt ∗∗∗ --------------------------------------------- Mindestens zwei Cyberbanden haben sich einer Schwachstelle im CLFS-Treiber von Windows bedient, bevor Microsoft einen Patch ausliefern konnte. --------------------------------------------- https://www.golem.de/news/zero-day-windows-luecke-von-mindestens-zwei-hacke… ∗∗∗ State of ransomware in 2025 ∗∗∗ --------------------------------------------- Kaspersky researchers review ransomware trends for 2024, analyze the most active groups and forecast how this threat will evolve in 2025. --------------------------------------------- https://securelist.com/state-of-ransomware-in-2025/116475/ ∗∗∗ Lights Out and Stalled Factories: Using M.A.T.R.I.X to Learn About Modbus Vulnerabilities ∗∗∗ --------------------------------------------- Let’s explore the critical role of Modbus in energy and manufacturing systems, then demonstrate real-world exploitation techniques using Docker-based simulations and the custom-built Python tool M.A.T.R.I.X. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lights-out-… ∗∗∗ Backupsoftware Commvault: Weitere Lücke angegriffen, Patch offenbar unwirksam ∗∗∗ --------------------------------------------- Zum Wochenende wurden Angriffe auf eine weitere Commvault-Sicherheitslücke bekannt. Das Update zum Abdichten wirkt wohl nicht. --------------------------------------------- https://www.heise.de/news/Backupsoftware-Commvault-Weitere-Luecke-angegriff… ∗∗∗ Wegen Sicherheitslücken: LibreOffice rät von OpenOffice ab ∗∗∗ --------------------------------------------- Die Entwickler von LibreOffice raten vom Konkurrenten OpenOffice ab. Die Apache-Software enthalte Sicherheitslücken und werde nicht weiterentwickelt. --------------------------------------------- https://www.heise.de/news/Wegen-Sicherheitsluecken-LibreOffice-raet-von-Ope… ∗∗∗ NIS2 nicht umgesetzt: EU-Strafe für Deutschland rückt einen Schritt näher ∗∗∗ --------------------------------------------- Die EU-Kommission hat die zweite Stufe des Vertragsverletzungsverfahren gegen Deutschland eingeleitet, weil es die NIS2-Richtlinie noch nicht umgesetzt hat. --------------------------------------------- https://www.heise.de/news/NIS2-nicht-umgesetzt-EU-Strafe-fuer-Deutschland-r… ∗∗∗ Exploiting Copilot AI for SharePoint ∗∗∗ --------------------------------------------- TL;DR AI Assistants are becoming far more common Copilot for SharePoint is Microsoft’s answer to generative AI assistance on SharePoint Attackers will look to exploit anything they can get their .. --------------------------------------------- https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sha… ∗∗∗ Meta lässt sich sechs Wochen Zeit, bis Betrug entfernt wird ∗∗∗ --------------------------------------------- Postings über Kryptoscams oder betrügerische Influencer-Aktionen bleiben auf Facebook und Instagram am längsten von allen online --------------------------------------------- https://www.derstandard.at/story/3000000268532/meta-laesst-sich-sechs-woche… ∗∗∗ Ransomware Attackers Leveraged Privilege Escalation Zero-day ∗∗∗ --------------------------------------------- Exploit used by Play-linked attackers targets the CVE-2025-29824 zero-day vulnerability patched on April 8. --------------------------------------------- https://www.security.com/threat-intelligence/play-ransomware-zero-day ∗∗∗ Unsophisticated Cyber Actor(s) Targeting Operational Technology ∗∗∗ --------------------------------------------- CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-ac… ∗∗∗ Poland arrests four in global DDoS-for-hire takedown ∗∗∗ --------------------------------------------- The suspects allegedly operated six platforms that offered distributed denial-of-service attacks for as little as 10 euros. --------------------------------------------- https://therecord.media/poland-arrests-four-ddos-hire ∗∗∗ Achtung bei iVentoy, es werden obskure Zertifikate und Treiber installiert ∗∗∗ --------------------------------------------- Kurze Warnung an Leute aus der Blog-Leserschaft, die das Tool iVentoy zur Verteilung von Betriebssystem-Images über ein Netzwerk und einen PXE-Server einsetzen. Es gibt aktuell eine Diskussion, dass das Tool .. --------------------------------------------- https://www.borncity.com/blog/2025/05/07/achtung-bei-iventoy-es-werden-obsk… ∗∗∗ ClickFix Scam: How to Protect Your Business Against This Evolving Threat ∗∗∗ --------------------------------------------- Cybercriminals aren’t always loud and obvious. Sometimes, they play it quiet and smart. One of the tricks of .. --------------------------------------------- https://hackread.com/clickfix-scam-how-to-protect-business-againt-threat/ ∗∗∗ COLDRIVER Using New Malware To Steal Documents >From Western Targets and NGOs ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-do… ===================== = Vulnerabilities = ===================== ∗∗∗ Honeywell MB Secure Authenticated Command Injection ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-command… ∗∗∗ Langflow Missing Authentication Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6085 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2025
by Daily end-of-shift report 06 May '25

06 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 05-05-2025 18:00 − Dienstag 06-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Man pleads guilty to using malicious AI software to hack Disney employee ∗∗∗ --------------------------------------------- Fake image-generating app allowed man to download 1.1TB of Disney-owned data. --------------------------------------------- https://arstechnica.com/ai/2025/05/man-pleads-guilty-to-using-malicious-ai-… ∗∗∗ Luna Moth extortion hackers pose as IT help desks to breach US firms ∗∗∗ --------------------------------------------- The data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States. --------------------------------------------- https://www.bleepingcomputer.com/news/security/luna-moth-extortion-hackers-… ∗∗∗ "Mirai" Now Exploits Samsung MagicINFO CMS (CVE-2024-7399), (Mon, May 5th) ∗∗∗ --------------------------------------------- Last August, Samsung patched an arbitrary file upload vulnerability that could lead to remote code execution [1]. The announcement was very sparse and did not even include affected .. --------------------------------------------- https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE2024… ∗∗∗ CISA slammed for role in censorship industrial complex as budget faces possible $500M cut ∗∗∗ --------------------------------------------- Because who needs cybersecurity when there’s culture wars to win President Trumps dream 2026 budget would gut the US govts Cybersecurity and Infrastructure Security Agency, aka CISA, by $491 million - about 17 percent – and accuses the organization of abandoning its core mission in favor of policing online speech. --------------------------------------------- https://www.theregister.com/2025/05/06/cisa_budget_cuts/ ∗∗∗ Signal-Affäre: Modifizierter Messenger stellt nach zweitem Einbruch Betrieb ein ∗∗∗ --------------------------------------------- In der US-Regierung wird eine modifizierte App benutzt, um per Signal zu kommunizieren. Die heißt TeleMessage, wurde zweimal geknackt und vorerst dicht gemacht. --------------------------------------------- https://www.heise.de/news/Signal-Affaere-Modifizierter-Messenger-stellt-nac… ∗∗∗ Peru denies it was hit by ransomware attack following Rhysida claims ∗∗∗ --------------------------------------------- The prolific ransomware gang claimed to have taken over the Peruvian governments domain. --------------------------------------------- https://therecord.media/peru-rhysida-ransomware-claims-denied ∗∗∗ NSA to cut up to 2,000 civilian roles as part of intel community downsizing ∗∗∗ --------------------------------------------- The agency is expected to make the cuts by the end of year, however that deadline could change as it is tied to the Defense Department’s broader push to reduce its budget by 8 percent in each of the next five years. --------------------------------------------- https://therecord.media/nsa-to-cut-up-to-2000-roles-downsizing ∗∗∗ Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches ∗∗∗ --------------------------------------------- Edge vulnerabilities are a critical and growing threat. The 2025 DBIR reveals an eightfold surge in exploitation, yet many remain unpatched despite immediate risk. --------------------------------------------- https://www.greynoise.io/blog/verizon-dbir-2025-edge-kevs-increasingly-left… ∗∗∗ Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines ∗∗∗ --------------------------------------------- UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-… ∗∗∗ A Timely Reminder: Russia’s Enduring Cyber Threat to Critical Infrastructure ∗∗∗ --------------------------------------------- Russia’s cyber operations — ranging from power-grid disruptions to global ransomware — continue to be among the world’s most prolific and destructive, underscoring the continued .. --------------------------------------------- https://detect.fyi/a-timely-reminder-russias-enduring-cyber-threat-to-criti… ∗∗∗ How to Harden GitHub Actions: The Unofficial Guide ∗∗∗ --------------------------------------------- Build resilient GitHub Actions workflows with lessons from recent attacks. --------------------------------------------- https://www.wiz.io/blog/github-actions-security-guide ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/1020222/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2025
by Daily end-of-shift report 05 May '25

05 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-05-2025 18:00 − Montag 05-05-2025 18:00 Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Magento supply chain attack compromises hundreds of e-stores ∗∗∗ --------------------------------------------- A supply chain attack involving 21 backdoored Magento extensions has compromised between 500 and 1,000 e-commerce stores, including one belonging to a $40 billion multinational. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-… ∗∗∗ StealC malware enhanced with stealth upgrades and data theft tools ∗∗∗ --------------------------------------------- The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with… ∗∗∗ Shuffling the Greatest Hits: How DragonForce Ransomware Samples LockBit and Conti Into a Ransomware Jukebox ∗∗∗ --------------------------------------------- DragonForce ransomware has been assessed as a sophisticated threat that tactically deploys payloads derived from leaked source code of both the notorious LockBit 3.0 and Conti ransomware families. While the samples share some similar core functionality, DragonForce distinguishes itself in several .. --------------------------------------------- https://hybrid-analysis.blogspot.com/2025/05/shuffling-greatest-hits-how-dr… ∗∗∗ Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware ∗∗∗ --------------------------------------------- An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.The activity, which lasted from at least May 2023 to February 2025, .. --------------------------------------------- https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.ht… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-expl… ∗∗∗ CVE-2025-31324: Critical SAP NetWeaver Vulnerability Actively Exploited ∗∗∗ --------------------------------------------- SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, has recently been patched with the release of SAP Security Note 3594142. --------------------------------------------- https://www.truesec.com/hub/blog/cve-2025-31324-critical-sap-netweaver-vuln… ∗∗∗ DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door ∗∗∗ --------------------------------------------- The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening. --------------------------------------------- https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-s… ∗∗∗ NPM targeted by malware campaign mimicking familiar library names ∗∗∗ --------------------------------------------- Developers looking for familiar packages from other programming languages are increasingly falling victim to malicious attacks. Summary #The Socket threat research team uncovered a coordinated malware operation across the NPM ecosystem. The actor behind the campaign published dozens of malicious NPM packages that mimic well-known Python, Java, C++, .NET, .. --------------------------------------------- https://socket.dev/blog/npm-targeted-by-malware-campaign-mimicking-familiar… ∗∗∗ Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks ∗∗∗ --------------------------------------------- A vulnerability has been identified in Apache Parquet Java, which could leave systems exposed to remote code execution (RCE) attacks. Apache Parquet contributor Gang Wu discovered, this flaw, tracked as CVE-2025-46762, .. --------------------------------------------- https://thecyberexpress.com/apache-parquet-java-flaw-cve-2025-46762/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, .. --------------------------------------------- https://lwn.net/Articles/1020130/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

← Newer
1
2
3
4
5
6
7
8
...
321
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily