- Daily - CERT.at

Tageszusammenfassung - 12.12.2025
by Daily end-of-shift report 12 Dec '25

12 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-12-2025 18:00 − Freitag 12-12-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ NIS-2 in Österreich umgesetzt (NISG 2026) ∗∗∗ --------------------------------------------- Das Netz- und Informationssystemsicherheitsgesetz 2026 (NISG 2026) wurde heute (12.12.2025) im Nationalrat beschlossen. Die Kundmachung erfolgt nach Beschluss des Bundesrates und Unterzeichnung des Bundespräsidenten. Das Gesetz wird neun Monate nach seiner Kundmachung (voraussichtlich im Herbst 2026) in Kraft treten. --------------------------------------------- https://certitude.consulting/blog/de/nis-2-in-osterreich-umgesetzt-nisg-202… ∗∗∗ Technical Analysis of the BlackForce Phishing Kit ∗∗∗ --------------------------------------------- Zscaler ThreatLabz identified a new phishing kit named BlackForce, which was first observed in the beginning of August 2025 with at least five distinct versions. BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA). The phishing kit is actively marketed and sold on Telegram forums for €200–€300. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-blackfor… ∗∗∗ Cybersecurity Performance Goals 2.0 for Critical Infrastructure ∗∗∗ --------------------------------------------- Today, CISA released updated Cross-Sector Cybersecurity Performance Goals (CPG 2.0) with measurable actions for critical infrastructure owners and operators to achieve a foundational level of cybersecurity. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/11/cybersecurity-performanc… ∗∗∗ SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics ∗∗∗ --------------------------------------------- In November, a targeted spear-phishing campaign was observed using Trend Micro-themed lures against various industries, but this was quickly detected and thwarted by the Trend Vision One™ platform. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html ∗∗∗ Malicious VSCode Marketplace extensions hid trojan in fake PNG file ∗∗∗ --------------------------------------------- A stealthy campaign with 19 extensions on the VSCode Marketplace has been active since February, targeting developers with malware hidden inside dependency folders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, luksmeta, mysql, mysql:8.0, mysql:8.4, tomcat, and wireshark), Debian (chromium, kernel, and tzdata), Fedora (brotli, dr_libs, perl-Alien-Brotli, python-urllib3, singularity-ce, wireshark, and yarnpkg), Oracle (firefox, grafana, lasso, libsoup3, luksmeta, ruby, ruby:3.3, tomcat, and wireshark), Slackware (mozilla), SUSE (container-suseconnect, kubernetes-client, libpoppler-cpp2, postgresql14, postgresql15, and python3), and Ubuntu (c-ares, keystone, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-azure, linux-azure-4.15, linux-oracle,, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-hwe-6.8, linux-oracle-6.8, linux-raspi, linux-realtime, linux-intel-iot-realtime, and python-urllib3). --------------------------------------------- https://lwn.net/Articles/1050251/ ∗∗∗ New Windows RasMan zero-day flaw gets free, unofficial patches ∗∗∗ --------------------------------------------- Free unofficial patches are available for a new Windows zero-day vulnerability that allows attackers to crash the Remote Access Connection Manager (RasMan) service. RasMan is a critical Windows system service that starts automatically, runs in the background with SYSTEM-level privileges, and manages VPN, Point-to-Point Protocol over Ethernet (PPoE), and other remote network connections. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/new-windows-rasman-zero-day… ∗∗∗ Fernwartung ScreenConnect: Kritische Lücke ermöglicht Schadcodeausführung ∗∗∗ --------------------------------------------- In der Fernwartungssoftware Connectwise ScreenConnect können angemeldete Angreifer Schadcode einschleusen. Ein Update steht bereit. --------------------------------------------- https://www.heise.de/news/Fernwartung-ScreenConnect-Kritische-Luecke-ermoeg… ∗∗∗ GitLab: Angreifer können Wiki-Seiten mit Malware anlegen ∗∗∗ --------------------------------------------- Die DevSecOps-Plattform GitLab ist verwundbar. In aktuellen Versionen haben die Entwickler mehrere Sicherheitslücken geschlossen. Im schlimmsten Fall können Angreifer Systeme kompromittieren. --------------------------------------------- https://www.heise.de/news/GitLab-Angreifer-koennen-Wiki-Seiten-mit-Malware-… ∗∗∗ New React RSC Vulnerabilities Enable DoS and Source Code Exposure ∗∗∗ --------------------------------------------- The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. --------------------------------------------- https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html ∗∗∗ Google fixes super-secret 8th Chrome 0-day ∗∗∗ --------------------------------------------- Google issued an emergency fix for a Chrome vulnerability already under exploitation, which marks the world's most popular browser's eighth zero-day bug of 2025. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/11/google_fixes… ∗∗∗ DSA-6080-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00246.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-expl… ∗∗∗ CISA Releases 12 Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 11.12.2025
by Daily end-of-shift report 11 Dec '25

11 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-12-2025 18:00 − Donnerstag 11-12-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Identitätsklau möglich: Gravierende Sicherheitsmängel bei eID-Karten aufgedeckt ∗∗∗ --------------------------------------------- Seit 2021 können EU-Bürger in Deutschland eine sogenannte eID-Karte beantragen, um sich beispielsweise bei Onlinediensten auszuweisen. Recherchen der Süddeutschen Zeitung zufolge gibt es bei der Beantragung dieser Karten aber erhebliche Sicherheitsprobleme, weil Ämter wohl oft nicht sauber prüfen können, wer eigentlich der Antragsteller ist. Mögliche Folgen sind Missbrauch für Geldwäsche und andere betrügerische Aktivitäten. --------------------------------------------- https://www.golem.de/news/identitaetsklau-moeglich-gravierende-sicherheitsm… ∗∗∗ Brisantes Datenleck auf Docker Hub: Über 10.000 Docker-Images leaken Zugangsdaten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Flare haben auf Docker Hub bereitgestellte Docker-Images auf enthaltene Anmeldeinformationen durchsucht und sind fündig geworden. Laut eigenem Blogbeitrag fanden die Forscher bei einem einmonatigen Suchlauf in mehr als 10.000 Images unzählige Geheimnisse von über 100 verschiedenen Organisationen – darunter ein Fortune-500-Unternehmen und eine große staatliche Bank. --------------------------------------------- https://www.golem.de/news/docker-hub-zugangsdaten-in-ueber-10-000-docker-im… ∗∗∗ NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes. --------------------------------------------- https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html ∗∗∗ SMS vom Bundeskanzleramt? Phishing-Falle statt Rückerstattung ∗∗∗ --------------------------------------------- Eine SMS-Nachricht, versendet im Namen des Bundeskanzleramts, verspricht eine Rückerstattung von über 100 Euro. Dahinter verbirgt sich aber wenig überraschend nichts anderes als eine Phishing-Falle. Kriminelle wollen über diesen Weg an Login-Daten für Onlinebanking gelangen. --------------------------------------------- https://www.watchlist-internet.at/news/bundeskanzleramt-phishing-rueckersta… ∗∗∗ Scammers Sent 40,000 E-Signature Phishing Emails to 6,000 Firms in Just 2 Weeks ∗∗∗ --------------------------------------------- Phishing campaign: Scammers sent over 40,000 spoofed SharePoint, DocuSign and e-sign emails to companies, hiding malicious links behind trusted redirect services. --------------------------------------------- https://hackread.com/scammers-e-signature-phishing-emails/ ∗∗∗ New ‘DroidLock’ Android Malware Locks Users Out, Spies via Front Camera ∗∗∗ --------------------------------------------- Zimperium zLabs reveals DroidLock, a new Android malware acting like ransomware that can hijack Android devices, steal credentials via phishing, and stream your screen via VNC. --------------------------------------------- https://hackread.com/droidlock-android-malware-users-spy-camera/ ∗∗∗ Active Attacks Exploit Gladinets Hard-Coded Keys for Unauthorized Access and Code Execution ∗∗∗ --------------------------------------------- Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far. --------------------------------------------- https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.ht… ∗∗∗ .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL ∗∗∗ --------------------------------------------- New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the "invalid cast vulnerability" SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the number of affected vendors is likely to be longer given the widespread use of .NET. --------------------------------------------- https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html ∗∗∗ New ConsentFix attack hijacks Microsoft accounts via Azure CLI ∗∗∗ --------------------------------------------- A new variation of the ClickFix attack dubbed 'ConsentFix' abuses the Azure CLI OAuth app to hijack Microsoft accounts without the need for a password or to bypass multi-factor authentication (MFA) verifications. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijack… ∗∗∗ Hackers exploit unpatched Gogs zero-day to breach 700 servers ∗∗∗ --------------------------------------------- An unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, has enabled attackers to gain remote code execution on Internet-facing instances and compromise hundreds of servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-gogs-zero-day-rce-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, firefox-esr, libsndfile, and rear), Fedora (httpd, perl-CGI-Simple, and tinyproxy), Oracle (firefox, kernel, libsoup, mysql8.4, tigervnc, tomcat, tomcat9, and uek-kernel), SUSE (alloy, curl, dovecot24, fontforge, glib2, himmelblau, java-17-openjdk, java-21-openjdk, kernel, krb5, lasso, libvirt, mozjs128, mysql-connector-java, nvidia-open-driver-G07-signed-check, openssh, poppler, postgresql17, postgresql18, python-cbor2, python-Django, python310, python311-Django, runc, strongswan, tomcat11, and xwayland), and Ubuntu (binutils, libpng1.6, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux, linux-aws, linux-gcp, linux-realtime, and qtbase-opensource-src). --------------------------------------------- https://lwn.net/Articles/1050117/ ∗∗∗ Google warnt vor Sicherheitslücke: Chrome-Nutzer werden attackiert ∗∗∗ --------------------------------------------- Ein Notfallupdate für den Webbrowser Chrome schließt mehrere gefährliche Sicherheitslücken. Mindestens eine davon wird bereits ausgenutzt. --------------------------------------------- https://www.golem.de/news/google-warnt-vor-sicherheitsluecke-chrome-nutzer-… ∗∗∗ Barracuda RMM: Kritische Sicherheitslücken erlauben Codeschmuggel ∗∗∗ --------------------------------------------- IT-Verantwortliche, die ihre IT mit Barracuda RMM – ehemals unter dem Namen Managed Workplace bekannt – verwalten, sollten schleunigst den bereitstehenden Hotfix 2025.1.1 installieren, sofern das noch nicht geschehen ist. Er schließt mehrere Sicherheitslücken, von denen gleich drei die Höchstwertung CVSS 10 erhalten und damit ein großes Risiko darstellen. --------------------------------------------- https://heise.de/-11111274 ∗∗∗ WinRAR: Codeschmuggel-Lücke wird attackiert ∗∗∗ --------------------------------------------- Im Packprogramm WinRAR klafft bis zur Version 7.12 Beta 1 eine Sicherheitslücke, die Angreifern das Einschleusen von Schadcode erlaubt. Attacken auf diese Lücken wurden nun beobachtet. Wer WinRAR einsetzt, sollte daher zügig auf eine neuere Version aktualisieren. --------------------------------------------- https://heise.de/-11111474 ∗∗∗ ZDI-25-1060: Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1060/ ∗∗∗ MISP v2.5.28 Release: Security, Dashboard Upgrade, and Community Enhancements ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.28 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 10.12.2025
by Daily end-of-shift report 10 Dec '25

10 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-12-2025 18:00 − Mittwoch 10-12-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Der doppelte Login: Phishing-Versuch bei der Salzburg AG ∗∗∗ --------------------------------------------- Mit Phishing-Mails locken Kriminelle die Kund:innen der Salzburg AG auf eine gefälschte Login-Seite. Der erste Anmeldeversuch schlägt zwar fehl, übermittelt aber Usernamen und Passwort an die Betrüger:innen – und öffnet die echte Eingabemaske. Da der zweite Versuch klappt, schöpfen die Opfer keinen Verdacht. Warum die Masche auch für Nicht-Kund:innen relevant ist, erklärt dieser Artikel. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-doppelter-login/ ∗∗∗ 01flip: Multi-Platform Ransomware Written in Rust ∗∗∗ --------------------------------------------- In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust. --------------------------------------------- https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/ ∗∗∗ Opportunistic Pro-Russia Hacktivists Attack US and Global Critical Infrastructure ∗∗∗ --------------------------------------------- CISA, in partnership with Federal Bureau of Investigation, the National Security Agency, Department of Energy, Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/09/opportunistic-pro-russia… ∗∗∗ Spiderman Phishing Kit Targets European Banks with Real-Time Credential Theft ∗∗∗ --------------------------------------------- Varonis threat analysts warn about Spiderman, a dangerous new kit that automates attacks against European banks and crypto customers, stealing a victim’s full identity profile. --------------------------------------------- https://hackread.com/spiderman-phishing-kit-european-banks-credential-theft/ ===================== = Vulnerabilities = ===================== ∗∗∗ Besser manuell patchen: Hacker nutzen gefährliche Lücke im Notepad++-Updater aus ∗∗∗ --------------------------------------------- Angreifer verbreiten über eine Sicherheitslücke im Updater von Notepad++ Malware. Der Entwickler warnt und rät zum Update – aber besser von Hand. --------------------------------------------- https://www.golem.de/news/besser-manuell-patchen-hacker-nutzen-gefaehrliche… ∗∗∗ Patchday: Angreifer nutzen Sicherheitslücke in Windows und Windows Server aus ∗∗∗ --------------------------------------------- Derzeit haben Angreifer unter anderem Windows 11 und Windows Server 2022 im Visier. Demzufolge sollten Admins sicherstellen, dass Windows Update auf ihren Systemen aktiv ist und die aktuellen Sicherheitspatches installiert sind. --------------------------------------------- https://www.heise.de/news/Patchday-Angreifer-nutzen-Sicherheitsluecke-in-Wi… ∗∗∗ Bitdefender: Sicherheitsleck ermöglicht Rechteausweitung im Virenschutz ∗∗∗ --------------------------------------------- In der Virenschutzsoftware von Bitdefender wurde eine Sicherheitslücke entdeckt, die Angreifern das Ausweiten ihrer Rechte im System ermöglicht. Betroffen sind diverse Bitdefender-Varianten. Aktualisierungen zum Ausbessern der Schwachstelle sind verfügbar. --------------------------------------------- https://www.heise.de/news/Bitdefender-Sicherheitsleck-ermoeglicht-Rechteaus… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (abrt and kernel), Debian (libpng1.6, libsoup2.4, pdns-recursor, webkit2gtk, and wordpress), Fedora (imhex, libwebsockets, lunasvg, python3-docs, and python3.14), Mageia (python3 and webkit2), Red Hat (abrt, firefox, mysql8.4, and postgresql:15), Slackware (mozilla), SUSE (gegl, gnutls, go1.24, go1.25, libpng16-16, openssh, postgresql13, python-Jinja2, and sssd), and Ubuntu (fonttools and netty). --------------------------------------------- https://lwn.net/Articles/1049939/ ∗∗∗ Fortinet-Patchday: SSO-Login in vielen Produkten umgehbar ∗∗∗ --------------------------------------------- Angreifer können verschiedene Fortinet-Produkte attackieren und sich unter anderem unbefugt Zugriff verschaffen. Sicherheitsupdates stehen zum Download bereit. Bislang sind keine Berichte zu laufenden Attacken bekannt. Admins sollten mit dem Patchen aber nicht zu lange warten. --------------------------------------------- https://heise.de/-11109878 ∗∗∗ Ivanti stopft kritische Sicherheitlücke im Endpoint Manager ∗∗∗ --------------------------------------------- Ein Update für Ivantis Endpoint Manager schließt unter anderem eine kritische Sicherheitslücke, durch die Angreifer Javascript einschleusen können. --------------------------------------------- https://heise.de/-11110277 ∗∗∗ DSA-6075-1 wordpress - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00241.html ∗∗∗ ZDI-25-1045: Schneider Electric PowerChute Serial Shutdown Directory Traversal Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1045/ ∗∗∗ ZDI-25-1042: Siemens Simcenter Femap IGS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1042/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 140.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-96/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 146 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-95/ ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-releases-three-indu… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-adds-two-known-expl… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-expl… ∗∗∗ K000158128: SQLite vulnerability CVE-2025-6965 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158128 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 09.12.2025
by Daily end-of-shift report 09 Dec '25

09 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-12-2025 18:00 − Dienstag 09-12-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious VSCode extensions on Microsofts registry drop infostealers ∗∗∗ --------------------------------------------- Two malicious extensions on Microsoft's Visual Studio Code Marketplace infect developers' machines with information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-… ∗∗∗ Ransomware gangs turn to Shanya EXE packer to hide EDR killers ∗∗∗ --------------------------------------------- Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-sha… ∗∗∗ North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks ∗∗∗ --------------------------------------------- A new malware implant called EtherRAT, deployed in a recent React2Shell attack, runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for communication with the attacker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit… ∗∗∗ ‘Broadside’ Mirai Variant Targets Maritime Logistics Sector ∗∗∗ --------------------------------------------- Yet another variant of the Mirai botnet is threatening the maritime logistics sector by exploiting a critical flaw in digital recording devices used by companies on seagoing vessels. The attacks allow for remote command injection via the vulnerability, enabling attackers to establish Netlink-based process monitoring for persistence and other malicious activities. --------------------------------------------- https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-mar… ∗∗∗ Lumma Stealer: Danger lurking in fake game updates from itch.io and Patreon ∗∗∗ --------------------------------------------- After patches on mainstream gaming platforms like Steam, indie game platforms as well as Patreon have become the latest platforms for distributing malware. --------------------------------------------- https://feeds.feedblitz.com/~/932262560/0/gdatasecurityblog-en~Lumma-Steale… ∗∗∗ Attacken laufen bereits: Rund 29.000 Server über React-Lücke angreifbar ∗∗∗ --------------------------------------------- Angreifer attackieren eine React2Shell genannte kritische Lücke im React-Framework. Allein in Deutschland gibt es noch über 3.000 anfällige Server. --------------------------------------------- https://www.golem.de/news/attacken-laufen-bereits-rund-29-000-server-ueber-… ∗∗∗ Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails ∗∗∗ --------------------------------------------- A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show. --------------------------------------------- https://thehackernews.com/2025/12/zero-click-agentic-browser-attack-can.html ∗∗∗ Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher, as another upgraded version of ClayRat has been spotted in the wild. --------------------------------------------- https://thehackernews.com/2025/12/android-malware-fvncbot-seedsnatcher.html ∗∗∗ Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT. --------------------------------------------- https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html ∗∗∗ STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware ∗∗∗ --------------------------------------------- Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565. --------------------------------------------- https://thehackernews.com/2025/12/stac6565-targets-canada-in-80-of.html ∗∗∗ Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading ∗∗∗ --------------------------------------------- The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks. --------------------------------------------- https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.h… ∗∗∗ Novel clickjacking attack relies on CSS and SVG ∗∗∗ --------------------------------------------- Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS). --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/05/css_svg_clic… ∗∗∗ Crims using social media images, videos in virtual kidnapping scams ∗∗∗ --------------------------------------------- Criminals are altering social media and other publicly available images of people to use as fake proof of life photos in "virtual kidnapping" and extortion scams, the FBI warned on Friday. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/05/virtual_kidn… ∗∗∗ New Prompt Injection Attack Vectors Through MCP Sampling ∗∗∗ --------------------------------------------- This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools. --------------------------------------------- https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/ ∗∗∗ New BYOVD loader behind DeadLock ransomware attack ∗∗∗ --------------------------------------------- Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload. --------------------------------------------- https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/ ∗∗∗ Space Bears Ransomware Claims Comcast Data Theft Through QuasarBreach ∗∗∗ --------------------------------------------- Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia. --------------------------------------------- https://hackread.com/space-bears-ransomware-comcast-quasar-breach/ ∗∗∗ ChrimeraWire Trojan Fakes Chrome Activity to Manipulate Search Rankings ∗∗∗ --------------------------------------------- ChrimeraWire is a new Windows trojan that automates web browsing through Chrome to simulate user activity and manipulate search engine rankings. --------------------------------------------- https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/ ∗∗∗ SimpleX Chat X Account Hacked, Fake Site Promotes Crypto Wallet Scam ∗∗∗ --------------------------------------------- SimpleX Chat’s X account hacked to promote fake crypto site urging users to connect wallets. Site mimicked official design to steal funds. --------------------------------------------- https://hackread.com/simplex-chat-x-account-hacked-fake-site-wallet-scam/ ∗∗∗ Coupongogo: Remote-Controlled Crypto Stealer Targeting Developers on GitHub ∗∗∗ --------------------------------------------- Deep dive into the Coupongogo browser extension (v1.1.12): The alarming cryptostealer waiting for activation. --------------------------------------------- https://www.rastersec.com/blog/coupongogo-cryptostealer ∗∗∗ CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones ∗∗∗ --------------------------------------------- CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability. --------------------------------------------- https://www.ibm.com/think/x-force/cve-2023-20078-technical-analysis ∗∗∗ Malicious Crate Mimicking ‘Finch’ Exfiltrates Credentials via a Hidden Dependency ∗∗∗ --------------------------------------------- Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates. --------------------------------------------- https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credent… ∗∗∗ Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks ∗∗∗ --------------------------------------------- Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution. --------------------------------------------- https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-6073-1 ffmpeg - security update ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed. --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00239.html ∗∗∗ Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. --------------------------------------------- https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html ∗∗∗ Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks ∗∗∗ --------------------------------------------- A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations. --------------------------------------------- https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.ht… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, krita, lasso, and libpng1.6), Fedora (abrt, cef, chromium, tinygltf, webkitgtk, and xkbcomp), Oracle (buildah, delve and golang, expat, python-kdcproxy, qt6-qtquick3d, qt6-qtsvg, sssd, thunderbird, and valkey), Red Hat (webkit2gtk3), and SUSE (git-bug, go1, and libpng12-0). --------------------------------------------- https://lwn.net/Articles/1049657/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (abrt and mingw-libpng), Mageia (apache and libpng), Oracle (abrt, go-toolset:rhel8, kernel, sssd, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (gimp, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, and postgresql13), and Ubuntu (gnupg2, python-apt, radare2, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1049769/ ∗∗∗ iOS 26.2: Apple behebt kritische Bugs im zweiten Release Candidate ∗∗∗ --------------------------------------------- Das wahrscheinlich letzte große iOS-Update des Jahres, iOS 26.2, lässt etwas länger auf sich warten: Apple hat stattdessen am Montagabend deutscher Zeit einen zweiten Release Candidate des Updates für das iPhone-Betriebssystem veröffentlicht. Was genau im RC2 geändert wurde, verrieten die Kalifornier bisher nicht. Es gilt aber als sicher, dass einer oder mehrere kritische Fehler behoben werden. Offen bleibt, wann mit dem finalen Release zu rechnen ist. --------------------------------------------- https://heise.de/-11108257 ∗∗∗ Multiple vulnerabilities in ABB Terra AC Wallbox ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN84024274/ ∗∗∗ Multiple vulnerabilities in GroupSession ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN19940619/ ∗∗∗ SAP-Patchday: 14 Sicherheitswarnungen zum Jahresende ∗∗∗ --------------------------------------------- https://www.heise.de/news/SAP-Patchday-14-Sicherheitswarnungen-zum-Jahresen… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 140.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-94/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.31 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-93/ ∗∗∗ Security Vulnerabilities fixed in Firefox 146 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-92/ ∗∗∗ Vulnerability Summary for the Week of December 1, 2025 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb25-342 ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-expl… ∗∗∗ K000158118: PostgreSQL vulnerabilities CVE-2025-8713, CVE-2025-8715 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158118 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 05.12.2025
by Daily end-of-shift report 05 Dec '25

05 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-12-2025 18:00 − Freitag 05-12-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ React2Shell - Angriffe gegen verwundbare Anwendungen auf von Basis React.JS und weiterer Frameworks ∗∗∗ --------------------------------------------- Diese Woche wurden kritische Sicherheitslücken in den React Server Components veröffentlicht. Diese Schwachstellen ermöglichen unauthentifizierte Remote-Code Execution sofern Anwendungen die betroffenen Server Components einsetzen. Mittlerweile wird diese Sicherheitslücke aktiv ausgenutzt um verwundbare Installationen zu kompromittieren. Proof-of-Concept Exploits sind bereits öffentlich zugänglich. CVE-Nummer(n): CVE-2025-55182 --------------------------------------------- https://www.cert.at/de/warnungen/2025/12/react2shell-angriffe-gegen-verwund… ∗∗∗ CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far ∗∗∗ --------------------------------------------- GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as “React2Shell” and tracked as CVE-2025-55182. --------------------------------------------- https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-expl… ∗∗∗ Cloudflare blames todays outage on emergency React2Shell patch ∗∗∗ --------------------------------------------- Cloudflare has blamed todays outage on the emergency patching of a critical React remote code execution vulnerability, which is now actively exploited in attacks. [..] "The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components," Cloudflare CTO Dane Knecht noted in a post-mortem. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-out… ∗∗∗ Cybersecurity industry overreacts to React vulnerability, starts panic, burns own house down again ∗∗∗ --------------------------------------------- The disclosure write up is great — it’s full of facts, and explains when you are and aren’t vulnerable. I don’t think anybody knows how to parse it and people have started taking actions before even knowing what they’re doing. [..] Check with your developers and suppliers if they even use React v19 yet. They most probably don’t, in which case you aren’t vulnerable. --------------------------------------------- https://doublepulsar.com/cybersecurity-industry-overreacts-to-react-vulnera… ∗∗∗ Hackers are exploiting ArrayOS AG VPN flaw to plant webshells ∗∗∗ --------------------------------------------- Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. Array Networks fixed the vulnerability in a May security update, but has not assigned an identifier, complicating efforts to track the flaw and patch management. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-array… ∗∗∗ FBI warns of virtual kidnapping scams using altered social media photos ∗∗∗ --------------------------------------------- The FBI warns that criminals are altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapp… ∗∗∗ Asus supplier hit by ransomware attack as gang flaunts alleged 1 TB haul ∗∗∗ --------------------------------------------- Laptop maker says a vendor breach exposed some phone camera code, but not its own systems Asus has admitted that a third-party supplier was popped by cybercrims after the Everest ransomware gang claimed it had rifled through the tech titans internal files. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/05/asus_supplie… ∗∗∗ SMS Phishers Pivot to Points, Taxes, Fake Retailers ∗∗∗ --------------------------------------------- Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones. --------------------------------------------- https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake… ∗∗∗ Warnung: Neue Phishing-E-Mails im Namen der WKO im Umlauf ∗∗∗ --------------------------------------------- Kriminelle imitieren besonders gern bekannte Organisationen. Aktuell ist erneut die WKO betroffen. Bei einer neuen Phishing-Variante werden Empfänger:innen unter dem Vorwand einer „Qualitätssicherung“ dazu aufgefordert, ihre Daten zu überprüfen. --------------------------------------------- https://www.watchlist-internet.at/news/wko-phishing-e-mails-datenerfassung/ ∗∗∗ A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect ∗∗∗ --------------------------------------------- GreyNoise detected a surge of 7,000+ IPs attempting to log into GlobalProtect, sharing fingerprints with a surge in SonicWall API scanning and earlier Palo Alto campaigns, exposing a persistent credential-based attack pattern. --------------------------------------------- https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-… ∗∗∗ November CVEs Fell 25% YoY, Driven by Slowdowns at Major CNAs ∗∗∗ --------------------------------------------- 2025 CVE volume is still running ahead of 2024 overall, even as November cooled off year over year. [..] For security teams, the practical takeaway is to be careful about using “global CVE count” as a proxy for risk. CVE volume can still be useful as a publishing health signal, especially when concentrated among a small number of high-output CNAs and programs. --------------------------------------------- https://socket.dev/blog/november-cves-fell-25-yoy-driven-by-slowdowns-at-ma… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, firefox, gimp:2.8, go-toolset:rhel8, ipa, kea, kernel, kernel-rt, pcs, qt6-qtquick3d, qt6-qtsvg, systemd, and valkey), Debian (chromium and unbound), Fedora (alexvsbus, CuraEngine, fcgi, libcoap, python-kdcproxy, texlive-base, timg, and xpdf), Mageia (digikam, darktable, libraw, gnutls, python-django, unbound, webkit2, and xkbcomp), Oracle (bind, firefox, gimp:2.8, haproxy, ipa, java-25-openjdk, kea, kernel, libsoup3, libssh, libtiff, openssl, podman, qt6-qtsvg, squid, systemd, vim, and xorg-x11-server-Xwayland), Slackware (httpd and libpng), SUSE (chromedriver, kernel, and python-mistralclient), and Ubuntu (cups, linux-azure, linux-gcp, linux-gcp, linux-gke, linux-gkeop, linux-ibm-6.8, linux-iot, and mame). --------------------------------------------- https://lwn.net/Articles/1049417/ ∗∗∗ VU#441887: Duc contains a stack buffer overflow vulnerability in the buffer_get function, allowing for out-of-bounds memory read ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/441887 ∗∗∗ Drupal: Security advisories for contributed projects ∗∗∗ --------------------------------------------- https://www.drupal.org/security/contrib ∗∗∗ Socomec DIRIS Digiware M series and Easy Config, PDF XChange Editor vulnerabilities ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/socomec-diris-digiware-m-series-and-easy… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 04.12.2025
by Daily end-of-shift report 04 Dec '25

04 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-12-2025 18:30 − Donnerstag 04-12-2025 18:30 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Fraudulent gambling network may be a nation-state spying operation ∗∗∗ --------------------------------------------- A sprawling infrastructure that has been bilking unsuspecting people through fraudulent gambling websites for 14 years is likely a dual operation run by a nation-state-sponsored group that is targeting government and private-industry organizations in the US and Europe, researchers said Wednesday. --------------------------------------------- https://arstechnica.com/security/2025/12/fraudulent-gambling-network-may-be… ∗∗∗ Sparkurs bei MacOS: Apple verärgert Forscher mit gekürzten Bug-Bounty-Prämien ∗∗∗ --------------------------------------------- Forscher, die Sicherheitslücken in dem Apple-Betriebssystem MacOS erkunden und an den Hersteller melden, erhalten dafür künftig geringere Belohnungen. Darauf machte kürzlich der Sicherheitsforscher Csaba Fitzl in einem Beitrag auf Linkedin aufmerksam. Er wirft Apple vor, MacOS mit diesem Schritt abzuwerten und sich nicht mehr für den Datenschutz der Nutzer zu interessieren. --------------------------------------------- https://www.golem.de/news/macos-apple-veraergert-forscher-mit-gekuerzten-bu… ∗∗∗ Attempts to Bypass CDNs, (Wed, Dec 3rd) ∗∗∗ --------------------------------------------- Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well. --------------------------------------------- https://isc.sans.edu/diary/rss/32532 ∗∗∗ Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th) ∗∗∗ --------------------------------------------- The ISC internship didn't just teach me about security, it changed how I thought about threats entirely. There's something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That's where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered! --------------------------------------------- https://isc.sans.edu/diary/rss/32536 ∗∗∗ Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts ∗∗∗ --------------------------------------------- The botnet has prominently targeted telecommunication providers, gaming companies, hosting providers, and financial services. Also tackled by Cloudflare was a 14.1 Bpps DDoS attack from the same botnet. AISURU is believed to be powered by a massive network comprising an estimated 1-4 million infected hosts worldwide. --------------------------------------------- https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html ∗∗∗ Gartenfreude oder Betrugsfalle? Warnung vor betrügerischen Pflanzenshops ∗∗∗ --------------------------------------------- Der Beginn des Winters ist einer der besten Zeitpunkte, um Obstbäume zu pflanzen. Das wissen nicht nur Gartenfreund:innen, sondern leider auch Kriminelle. Immer mehr Fake-Shops locken mit vermeintlich attraktiven Angeboten und führen Konsument:innen in die Falle. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-betruegerischen-pflanzen… ∗∗∗ BRICKSTORM Backdoor ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based off analysis of eight BRICKSTORM samples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures to identify BRICKSTORM malware samples. --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar25-338a ∗∗∗ ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading ∗∗∗ --------------------------------------------- Job seekers looking out for opportunities might instead find their personal devices compromised, as a ValleyRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html ∗∗∗ Fake ChatGPT Atlas Browser Used in ClickFix Attack to Steal Passwords ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a critical ChatGPT Atlas browser attack, confirming the danger of the ongoing surge in the ClickFix threat. --------------------------------------------- https://hackread.com/fake-chatgpt-atlas-clickfix-steal-passwords/ ∗∗∗ Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue ∗∗∗ --------------------------------------------- Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day… ∗∗∗ New Stealthy Linux Malware Combines Mirai DDoS Botnet with Cryptominer ∗∗∗ --------------------------------------------- Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. --------------------------------------------- https://thecyberexpress.com/linux-malware-mirai-botnet-cryptominer/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (expat and libxml2), Debian (openvpn and webkit2gtk), Fedora (gi-loadouts, kf6-kcoreaddons, kf6-kguiaddons, kf6-kjobwidgets, kf6-knotifications, kf6-kstatusnotifieritem, kf6-kunitconversion, kf6-kwidgetsaddons, kf6-kxmlgui, nanovna-saver, persepolis, python-ezdxf, python-pyside6, sigil, stb, syncplay, tinyproxy, torbrowser-launcher, ubertooth, and usd), Mageia (cups), SUSE (cups, gegl, icinga2, mozjs128, and Security), and Ubuntu (ghostscript, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux-aws-fips, linux-fips, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gcp-4.15, linux-hwe, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-gcp-6.14, linux-raspi, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, linux-raspi, linux-raspi-realtime, linux-xilinx, and postgresql-14, postgresql-16, postgresql-17). --------------------------------------------- https://lwn.net/Articles/1049251/ ∗∗∗ Cross-Site Scripting in Nextcloud: Development files shipped in files_pdfviewer app ∗∗∗ --------------------------------------------- Nextcloud’s PDF viewer uses an outdated version of PDF.js vulnerable to CVE-2024-4367. Attackers with regular user access to a Nextcloud instance are able to prepare a special link. If this link is visited by other logged-in users a cross-site scripting is executed and attackers get access to that users’ files. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/ ∗∗∗ Jetzt patchen! Kritische Schadcodelücke bedroht React ∗∗∗ --------------------------------------------- Softwareentwickler, die mit React arbeiten, sollten die JavaScript-Programmbibliothek aus Sicherheitsgründen umgehend auf den aktuellen Stand bringen. Geschieht das nicht, können Angreifer eine Schwachstelle ausnutzen und Systeme durch das Ausführen von Schadcode vollständig kompromittieren. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-11102366 ∗∗∗ Chrome 143.0.7499.40 / 41 schließt Schwachstellen ∗∗∗ --------------------------------------------- Zum 2. Dezember 2025 hat Google den Chrome-Browser auf die Versionen 143.0.7499.40 / 41 aktualisiert, um gleich mehrere Schwachstellen zu schließen. Auch der Extended Stable Chromium-Entwicklungszweig hat ein Update erhalten. Ich ziehe mal einige Informationen zu diesen Themen nachfolgend kurz zusammen. --------------------------------------------- https://www.borncity.com/blog/2025/12/04/chrome-143-0-7499-40-41-schliesst-… ∗∗∗ DSA-6069-1 openvpn - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00235.html ∗∗∗ K000158050: SQLite vulnerability CVE-2019-8457 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158050 ∗∗∗ K000158042: Apache HTTP server vulnerabilities CVE-2024-47252 and CVE-2025-49812 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158042 ∗∗∗ K000158059: Next.js vulnerability CVE-2025-66478 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158059 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 03.12.2025
by Daily end-of-shift report 03 Dec '25

03 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-12-2025 18:00 − Mittwoch 03-12-2025 18:30 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack ∗∗∗ --------------------------------------------- In just three months, the massive Aisuru botnet launched more than 1,300 distributed denial-of-service attacks, one of them setting a new record with a peak at 29.7 terabits per second. --------------------------------------------- https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-rec… ∗∗∗ Deep dive into DragonForce ransomware and its Scattered Spider connection ∗∗∗ --------------------------------------------- DragonForce expanded its ransomware operation in 2025 by working with English-speaking hackers known for advanced social engineering and initial access. Acronis explains how the "Scattered Spider" collaboration enables coordinated, multistage intrusions across major environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/deep-dive-into-dragonforce-r… ∗∗∗ Technical Analysis of Matanbuchus 3.0 ∗∗∗ --------------------------------------------- Matanbuchus is a malicious downloader, written in C++, which has been offered as a Malware-as-a-Service (MaaS) since 2020. Over this time, Matanbuchus has undergone several development stages. In July 2025, version 3.0 of Matanbuchus was identified in-the-wild. Matanbuchus offers threat actors the option to deploy additional payloads and perform hands-on keyboard activity via shell commands. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuc… ∗∗∗ Grundrechte: Gericht stoppt Massenüberwachung des Schweizer Geheimdienstes ∗∗∗ --------------------------------------------- Das Schweizer Bundesverwaltungsgericht erklärt die Fernmeldeaufklärung des Nachrichtendienstes des Bundes nach Klage von Bürgerrechtlern für verfassungswidrig. --------------------------------------------- https://www.heise.de/news/Grundrechte-Gericht-stoppt-Massenueberwachung-des… ∗∗∗ Falsche Schlangen: Neues von MuddyWater ∗∗∗ --------------------------------------------- MuddyWater hat es auf kritische Infrastrukturen in Israel und Ägypten abgesehen und setzt dabei auf maßgeschneiderte Malware, verbesserte Taktiken und ein vorhersehbares Spielbuch. --------------------------------------------- https://www.welivesecurity.com/de/eset-research/falsche-schlangen-neues-von… ∗∗∗ Aktuelle Welle: Phishing im Namen der Volksbank ∗∗∗ --------------------------------------------- Seit einigen Wochen versenden Kriminelle ihre Phishing-Versuche besonders häufig im Namen der Volksbank. Sie setzen dabei auf die altbekannten E-Mails bzw. SMS-Nachrichten. Wer dem Link zur „Datenaktualisierung“ oder „Konto-Entsperrung“ folgt, läuft Gefahr, Logindaten für Onlinebanking preiszugeben. --------------------------------------------- https://www.watchlist-internet.at/news/starke-welle-phishing-volksbank/ ∗∗∗ India backs off mandatory cyber safety app after surveillance backlash ∗∗∗ --------------------------------------------- Mobile phone makers will no longer be required to load the Indian governments Sanchar Saathi app onto new devices after the initial announcement prompted pushback from companies and privacy groups. --------------------------------------------- https://therecord.media/india-drops-mandate-sanchar-saathi-app-privacy-surv… ∗∗∗ Small numbers of Notepad++ users reporting security woes ∗∗∗ --------------------------------------------- I’ve heard from 3 orgs now who’ve had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands on keyboard threat actors. --------------------------------------------- https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-… ∗∗∗ Everest Ransomware Claims ASUS Breach and 1TB Data Theft ∗∗∗ --------------------------------------------- Everest ransomware group claims it breached ASUS, stealing over 1TB of data including camera source code. ASUS has been given 21 hours to respond via Qtox. --------------------------------------------- https://hackread.com/everest-ransomware-asus-breach-1tb-data/ ∗∗∗ Paying the Ransom: A Short-Term Fix or Long-Term Risks? ∗∗∗ --------------------------------------------- Ransomware attacks rose by nearly 25% in 2024. If compromised, should you pay ransomware demands or not? We review the risks, reasons to pay or not, and more. --------------------------------------------- https://www.bitsight.com/blog/paying-ransom-for-ransomware ∗∗∗ Industrielle Kontrollsysteme: Iskra iHUB bleibt vorerst ohne Sicherheitspatch ∗∗∗ --------------------------------------------- Für einige industrielle Steuerungs- und Automatisierungssysteme von etwa Mitsubishi sind Sicherheitsupdates erschienen. Eine kritische Lücke bleibt aber offen. --------------------------------------------- https://heise.de/-11101017 ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability & Patch Roundup — November 2025 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2025/11/vulnerability-patch-roundup-november-2025.h… ∗∗∗ 100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Advanced Custom Fields: Extended WordPress Plugin ∗∗∗ --------------------------------------------- On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely. --------------------------------------------- https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-r… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound). --------------------------------------------- https://lwn.net/Articles/1049103/ ∗∗∗ Microsoft schließt stillschweigend LNK-Schwachstelle CVE-2025-9491 ∗∗∗ --------------------------------------------- Seit Ende August 2025 ist eine LNK-File-Schwachstelle (CVE-2025-9491) bekannt. Diese lässt sich unter Windows für eine Remote Code-Ausführung missbrauchen. Microsoft wollte erst keinen Patch bereitstellen, hat dann aber doch was per Update getan. --------------------------------------------- https://www.borncity.com/blog/2025/12/03/microsoft-schliesst-stillschweigen… ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released five Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-336-01 Industrial Video & Control LongwatchICSA-25-336-02 Iskra iHUB and iHUB Lite. ICSMA-25-336-01 Mirion Medical EC2 Software NMIS BioDose. ICSA-25-201-01 Mitsubishi Electric CNC Series (Update A) and ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-releases-five-indus… ∗∗∗ ZDI-25-1039: (Pwn2Own) Synology BeeStation Plus auth_info Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1039/ ∗∗∗ Splunk SVD-2025-1209: Third-Party Package Updates in Splunk Enterprise - December 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1209 ∗∗∗ Splunk SVD-2025-1206: Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1206 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 02.12.2025
by Daily end-of-shift report 02 Dec '25

02 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Montag 01-12-2025 18:00 − Dienstag 02-12-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Glassworm malware returns in third wave of malicious VS Code packages ∗∗∗ --------------------------------------------- The Glassworm campaign, which first emerged on the OpenVSX and Microsoft Visual Studio marketplaces in October, is now in its third wave, with 24 new packages added on the two platforms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-in… ∗∗∗ [Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads, (Tue, Dec 2nd) ∗∗∗ --------------------------------------------- In July 2025, many of us were introduced to the Microsoft SharePoint exploit chain known as ToolShell. ToolShell exploits the deserialization and authentication bypass vulnerabilities, CVE-2025-53770 [2] and CVE-2025-53771 [3], in on-premises SharePoint Server 2016, 2019, and Subscription editions. --------------------------------------------- https://isc.sans.edu/diary/rss/32524 ∗∗∗ Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks ∗∗∗ --------------------------------------------- Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper. --------------------------------------------- https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html ∗∗∗ Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware ∗∗∗ --------------------------------------------- And some are still active in the Microsoft Edge store A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending peoples data to servers in China. --------------------------------------------- https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extens… ∗∗∗ Dont say "Jehova" to an LLM ∗∗∗ --------------------------------------------- The Rabbi in the old skit from Monty Python's "Life of Brian" fell for it, and for a long time, philosophers argued whether quoting someone is fundamentally different to just saying the sentence. I remember a story where one actor smuggled a wedding promise in a co-actor's copy of his lines: After the vow was made on the set and the sentence couldn't be found in the official script: is the actor now bound in real life by his promise? --------------------------------------------- https://www.cert.at/en/blog/2025/12/dont-say-jehova-to-an-llm ∗∗∗ Proxyearth Tool Lets Anyone Trace Users in India with Just a Mobile Number ∗∗∗ --------------------------------------------- Proxyearth is a new site that shows names, Aadhaar numbers, and live locations of users in India using only mobile numbers, raising serious privacy and security concerns. --------------------------------------------- https://hackread.com/proxyearth-trace-users-india-mobile-number/ ∗∗∗ Android TV: YouTube-Client SmartTube war mit Malware verseucht ∗∗∗ --------------------------------------------- Unbekannte konnten SmartTube mit Malware verseuchen und die Version kurzzeitig in Umlauf bringen. Nun gibt der Entwickler Einblicke zum Vorfall. --------------------------------------------- https://heise.de/-11099310 ∗∗∗ Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact ∗∗∗ --------------------------------------------- A deeper look at the Shai-Hulud 2.0 supply chain attack: reviewing the infection spread, victimology, leaked secrets distribution, and community response so far. --------------------------------------------- https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack ∗∗∗ 68% Of Phishing Websites Are Protected by CloudFlare ∗∗∗ --------------------------------------------- Earlier this year, our CTI team set out to build something wed been thinking about for a while: a phishing intelligence pipeline that could actually keep up with the threat. We combined feeds from hundreds of independent sources with our own real-time hunt for suspicious SSL/TLS certificates. --------------------------------------------- https://blog.sicuranext.com/68-of-phishing-websites-are-protected-by-cloudf… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (gnutls, libpng, mingw-python3, python-spotipy, source-to-image, unbound, and webkitgtk), Mageia (libpng), SUSE (bash-git-prompt, gitea-tea, java-17-openjdk, java-21-openjdk, kernel, openssh, python, and shadowsocks-v2ray-plugin, v2ray-core), and Ubuntu (binutils, openjdk-17-crac, openjdk-21-crac, and openjdk-25-crac). --------------------------------------------- https://lwn.net/Articles/1048973/ ∗∗∗ Patchday: Attacken auf Geräte mit Android 13, 14, 15 und 16 beobachtet ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für verschiedene Androidversionen erschienen. Es gibt bereits Attacken. --------------------------------------------- https://heise.de/-11099576 ∗∗∗ Qualcomm Issues Critical Security Alert Over Secure Boot Vulnerability ∗∗∗ --------------------------------------------- Qualcomm warned partners and device manufacturers about multiple newly discovered vulnerabilities that span its chipset ecosystem. The Qualcomm released a detailed security bulletin on December 1, 2025, outlining six high-priority weaknesses in its proprietary software, including one flaw that directly compromises the secure boot process, one of the most sensitive stages in a device’s startup chain. --------------------------------------------- https://thecyberexpress.com/qualcomm-2025-security-alert/ ∗∗∗ Critical SQL Injection Flaw Exposes Sensitive Data in Devolutions Server ∗∗∗ --------------------------------------------- A batch of new vulnerabilities in Devolutions Server targets organizations that depend on the platform to manage privileged accounts, passwords, and sensitive authentication data. Devolutions has released a security advisory, identified as DEVO-2025-0018, warning customers of multiple vulnerabilities, including a critical flaw that could enable attackers to extract confidential data directly from the system’s database. --------------------------------------------- https://thecyberexpress.com/devolutions-server-sql-injection-flaw/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 01.12.2025
by Daily end-of-shift report 01 Dec '25

01 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-11-2025 18:00 − Montag 01-12-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Arkanix Stealer: Newly discovered short term profit malware ∗∗∗ --------------------------------------------- Recently, we stumbled upon a new stealer named Arkanix. This stealer possibly belongs to the short-lived category of stealers which aim for short-term quick financial gains. --------------------------------------------- https://feeds.feedblitz.com/~/930747470/0/gdatasecurityblog-en~Arkanix-Stea… ∗∗∗ Bis zu 16 Jahre alt: Zehntausende gültige Zugangsdaten bei Gitlab geleakt ∗∗∗ --------------------------------------------- Ein Forscher hat alle öffentlichen Gitlab-Repos auf Zugangsdaten gescannt. Er fand mehr als 17.000, erhielt aber nur eine recht dürftige Belohnung. --------------------------------------------- https://www.golem.de/news/bis-zu-16-jahre-alt-zehntausende-gueltige-zugangs… ∗∗∗ North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware ∗∗∗ --------------------------------------------- The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month. --------------------------------------------- https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html ∗∗∗ New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control ∗∗∗ --------------------------------------------- A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a "full spectrum" of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices. --------------------------------------------- https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html ∗∗∗ Google and Apple ordered to stop fake government TXTs ∗∗∗ --------------------------------------------- Singapore’s government last week told Google and Apple to prevent fake government messages. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/01/asia_tech_ne… ∗∗∗ The WIRED Guide to Digital Opsec for Teens ∗∗∗ --------------------------------------------- Practicing good “operations security” is essential to staying safe online. Here’s a complete guide for teenagers (and anyone else) who wants to button up their digital lives. --------------------------------------------- https://www.wired.com/story/digital-opsec-for-teens/ ∗∗∗ how i found a europa.eu compromise (thanks to cricket) ∗∗∗ --------------------------------------------- While looking for a way to stream the India vs Pakistan cricket match on 14th September 2025, I stumbled across a suspicious search result on a europa.eu dev subdomain. It was being abused for blackhat SEO and redirecting users to scam streaming sites. I traced similar behavior across other high-profile domains, reported the issue to CERT-EU via email (after some Twitter help) and the problem was later confirmed as fixed on 6th November 2025. This post walks through how I found it, how I reported it and what we can learn from it. --------------------------------------------- https://blog.himanshuanand.com/2025/11/how-i-found-a-europa.eu-compromise-t… ∗∗∗ Südkorea: Bei Onlinehändler Daten zu zwei Dritteln der Bevölkerung abgegriffen ∗∗∗ --------------------------------------------- Ein inzwischen nicht mehr bei Coupang arbeitender Angestellter soll bei Südkoreas größtem Onlinehändler Daten zur gesamten Kundschaft abgegriffen haben. --------------------------------------------- https://www.heise.de/news/Suedkorea-Bei-Onlinehaendler-Daten-zu-zwei-Dritte… ∗∗∗ Webinar: Smartphone, Tablet & Co sicher nutzen ∗∗∗ --------------------------------------------- Wie kann ich meine persönlichen Daten am Smartphone, Tablet & Co. schützen? Wie erkenne ich Viren und Trojaner auf meinem Gerät - und was ist dann zu tun? In diesem Webinar zeigen wir Ihnen die wichtigsten Sicherheitseinstellungen – von Berechtigungen über Datenschutz bis hin zu Nutzungszeiten. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-… ∗∗∗ Fußballtrikots zum Schnäppchenpreis? Bei diesen Fake-Shops gibt es nur Eigentore ∗∗∗ --------------------------------------------- Fußballspieler:innen aufgepasst! Gerade wimmelt es von Fake-Shops mit günstigen Trikots. --------------------------------------------- https://www.watchlist-internet.at/news/fussballtrikots-zum-schnaeppchenprei… ∗∗∗ Awareness für Web-Security: Die OWASP Top Ten 2025 ∗∗∗ --------------------------------------------- Der erste Release Candidate der neuen OWASP Top Ten enthüllt die größten Sicherheitsrisiken in der Webentwicklung – von Konfiguration bis Software Supply Chain. --------------------------------------------- https://heise.de/-11098119 ∗∗∗ India Enforces Mandatory SIM-Binding for Messaging Apps Under New DoT Rules ∗∗∗ --------------------------------------------- India’s Department of Telecommunications (DoT) has introduced a shift in the way messaging platforms operate in the country, mandating the adoption of SIM-binding as a core security requirement. Under the Telecommunication Cybersecurity Amendment Rules, 2025, all major messaging services, including Telegram, and regional platforms such as Arattai, must ensure that their applications remain continuously linked to an active SIM card on the user’s device. --------------------------------------------- https://thecyberexpress.com/sim-binding-dot-rule/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#633103: Insufficient Session Cookie Invalidation in nopCommerce ASP.NET Core eCommerce Platform ∗∗∗ --------------------------------------------- nopCommerce, an ecommerce platform, fails to invalidate session cookies upon user logout or session termination, enabling attackers to use the captured cookie to gain access to the application. Version 4.70 and after, with the exception of 4.80.3, fixes the vulnerability put forth by CVE-2025-11699. Users on version 4.80.3, or any version of nopCommerce prior to version 4.70, should update to the latest version, 4.90.3, as soon as possible. --------------------------------------------- https://kb.cert.org/vuls/id/633103 ∗∗∗ CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation. --------------------------------------------- https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bind9.18, cups, gimp, ipa, kernel, libssh, mingw-expat, openssl, pcs, sssd, tigervnc, and valkey), Debian (gnome-shell-extension-gsconnect, mistral-dashboard, pagure, python-mistralclient, pytorch, qtbase-opensource-src, sogo, tryton-server, and unbound), Fedora (cef, drupal7, glib2, linux-firmware, migrate, pack, pgadmin4, rnp, and unbound), Slackware (libxslt), SUSE (cpp-httplib, curl, glib2, grub2, kernel, libcoap-devel, libcryptopp, libwireshark19, postgresql15, and postgresql17), and Ubuntu (edk2). --------------------------------------------- https://lwn.net/Articles/1048817/ ∗∗∗ Sicherheitsupdate: Präparierte XML-Dateien können GeoServer lahmlegen ∗∗∗ --------------------------------------------- Nutzen Angreifer erfolgreich Schwachstellen in GeoServer aus, können sie unter anderem Schadcode ausführen. In aktuellen Versionen haben die Entwickler nun die Sicherheitsprobleme gelöst. --------------------------------------------- https://heise.de/-11097923 ∗∗∗ Microsoft Entra ID blockt externe Fremd-Scripte ∗∗∗ --------------------------------------------- Kleiner Nachtrag von letzter Woche, der Administratoren in Unternehmensumgebungen tangieren kann. Microsoft will die Sicherheit der Microsoft Entra ID-Authentifizierung verbessern. Dazu sollen indem externe Skriptinjektionen blockiert werden, wie ein Entwickler in einem Blog-Beitrag im Microsoft Entra-Blog erklärt hat. --------------------------------------------- https://www.borncity.com/blog/2025/12/01/microsoft-entra-id-blockt-externe-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 28.11.2025
by Daily end-of-shift report 28 Nov '25

28 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-11-2025 18:00 − Freitag 28-11-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious LLMs empower inexperienced hackers with advanced tools ∗∗∗ --------------------------------------------- Unrestricted large language models (LLMs) like WormGPT 4 and KawaiiGPT are improving their capabilities to generate malicious code, delivering functional scripts for ransomware encryptors and lateral movement. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-llms-empower-inexp… ∗∗∗ GreyNoise launches free scanner to check if youre part of a botnet ∗∗∗ --------------------------------------------- GreyNoise Labs has launched a free tool called GreyNoise IP Check that lets users check if their IP address has been observed in malicious scanning operations, like botnet and residential proxy networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scan… ∗∗∗ Seit Wochen auf Github: Virenscanner scheitern an öffentlichem Android-Trojaner ∗∗∗ --------------------------------------------- Ein neuer Android-Trojaner namens Radzarat kursiert seit Wochen auf Github. Nur die wenigsten Virenscanner sehen ihn bisher als Bedrohung. --------------------------------------------- https://www.golem.de/news/auf-github-verfuegbar-virenscanner-erkennen-oeffe… ∗∗∗ Tomiris wreaks Havoc: New tools and techniques of the APT group ∗∗∗ --------------------------------------------- Kaspersky discloses new tools and techniques discovered in 2025 Tomiris activities: multi-language reverse shells, Havoc and AdaptixC2 open-source frameworks, communications via Discord and Telegram. --------------------------------------------- https://securelist.com/tomiris-new-tools/118143/ ∗∗∗ Prompt Injection Through Poetry ∗∗∗ --------------------------------------------- In a new paper, “Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models,” researchers found that turning LLM prompts into poetry resulted in jailbreaking the models. --------------------------------------------- https://www.schneier.com/blog/archives/2025/11/prompt-injection-through-poe… ∗∗∗ MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams. --------------------------------------------- https://thehackernews.com/2025/11/ms-teams-guest-access-can-remove.html ∗∗∗ The Anatomy of a Bulletproof Hoster: A Data-Driven Reconstruction of Media Land ∗∗∗ --------------------------------------------- This post uses the leaked internal database of Media Land, a sanctioned bulletproof hosting provider, to reconstruct how its platform organised customers, subscriptions, virtual machines, and IP address space across billing, compute, and network layers. --------------------------------------------- https://disclosing.observer/2025/11/24/bulletproof-hoster-anatomy-data-driv… ∗∗∗ How CVSS v4.0 works: characterizing and scoring vulnerabilities ∗∗∗ --------------------------------------------- This blog explains why vulnerability scoring matters, how CVSS works, and what’s new in version 4.0. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/how-cvss-v4-0-works-characte… ∗∗∗ Achtung, Falle! Gefälschte BMF-Rückerstattung-Mails im Umlauf ∗∗∗ --------------------------------------------- Wer aktuell eine E-Mail im Postfach hat, in der das Bundesministerium für Finanzen (BMF) eine Steuerrückerstattung verspricht, sollte vorsichtig sein. Denn derzeit versenden Kriminelle solche E-Mails, um Sie zur Preisgabe von Daten und zur Überweisung von Geld zu bewegen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-falle-gefaelschte-bmf-ruecke… ∗∗∗ 3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs ∗∗∗ --------------------------------------------- How OAuth tokens, JWT fields and Entra sign-in logs reveal attacker behavior, and how to turn those signals into reliable detections. --------------------------------------------- https://www.wiz.io/blog/recent-oauth-attacks-detection-strategies ===================== = Vulnerabilities = ===================== ∗∗∗ Installer of INZONE Hub may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- The installer of INZONE Hub provided by Sony Corporation may insecurely load Dynamic Link Libraries. --------------------------------------------- https://jvn.jp/en/jp/JVN28247549/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (krita and tryton-server), Oracle (bind9.18, ipa, kernel, libssh, redis, redis:7, sqlite, sssd, and vim), Slackware (cups), SUSE (containerd, cups, curl, dovecot24, git-bug, gitea-tea, glib2, grub2, himmelblau, java-25-openjdk, kernel, libmicrohttpd, libvirt, pnpm, powerpc-utils, python311, python313, redis, rnp, runc, sssd, tomcat11, unbound, and xwayland), and Ubuntu (cups, libxml2, openvpn, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1048596/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 27.11.2025
by Daily end-of-shift report 27 Nov '25

27 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-11-2025 18:00 − Donnerstag 27-11-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Ein kurzer Blick auf das NISG 2026 ∗∗∗ --------------------------------------------- Wirklich viel hat sich zwischen dem abgelehnten Entwurf von 2024 und dem am 20. November eingebrachten Text nicht geändert. Ich will hier nur kurz zwei Punke ansprechen. Recital 44: [..] Wie schon im Sommer angemerkt, ist uns nicht klar, was der EU-Gesetzgeber uns damit sagen will. [..] Eine kurze Umfrage im CSIRTs Network hat gezeigt, dass auch die anderen Teams an dieser Frage kiefeln. --------------------------------------------- https://www.cert.at/de/blog/2025/11/ein-kurzer-blick-auf-das-nisg-2026 ∗∗∗ Shai-Hulud v2 Spreads From npm to Maven, as Campaign Exposes Thousands of Secrets ∗∗∗ --------------------------------------------- The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js. --------------------------------------------- https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.h… ∗∗∗ New ShadowV2 botnet malware used AWS outage as a test opportunity ∗∗∗ --------------------------------------------- A new Mirai-based botnet malware named ShadowV2 has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-… ∗∗∗ Zendesk users targeted as Scattered Lapsus$ Hunters spin up fake support sites ∗∗∗ --------------------------------------------- ReliaQuest finds fresh crop of phishing domains and toxic tickets Scattered Lapsus$ Hunters may be circling Zendesk users for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/11/27/scattered_la… ∗∗∗ Rituals Adventkalender zu gewinnen? Vorsicht vor der Phishing-Falle! ∗∗∗ --------------------------------------------- Die neueste virale Variante: Ein angeblich kostenloser Adventkalender von Rituals. Dahinter versteckt sich allerdings eine Kombination aus unterschiedlichen Betrugsmaschen: Abo-Falle & Diebstahl von Kreditkartendaten, garniert mit einem Kettenbrief. --------------------------------------------- https://www.watchlist-internet.at/news/rituals-adventkalender-phishing/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kdeconnect, libssh, and samba), Fedora (7zip, docker-buildkit, and docker-buildx), Oracle (bind, buildah, cups, delve and golang, expat, firefox, gimp, go-rpm-macros, haproxy, kernel, lasso, libsoup, libtiff, mingw-expat, openssl, podman, python-kdcproxy, qt5-qt3d, runc, squid, thunderbird, tigervnc, valkey, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (buildah, cloudflared, containerd, expat, firefox, gnutls, helm, kernel, libxslt, mysql-connector-java, ongres-scram, openbao, openexr, openssh, podman, python311, python312, ruby2.5, rubygem-rack, runc, samba, sssd, tiff, unbound, and yelp), and Ubuntu (edk2, ffmpeg, h2o, python3.13, rust-openssl, and valkey) --------------------------------------------- https://lwn.net/Articles/1048448/ ∗∗∗ GitLab Patch Release: 18.6.1, 18.5.3, 18.4.5 ∗∗∗ --------------------------------------------- GitLab releases fixes for vulnerabilities in patch releases. [..] We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. --------------------------------------------- https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-re… ∗∗∗ Sicherheitsupdates: Angreifer können Anmeldung von Asus-Routern umgehen ∗∗∗ --------------------------------------------- Unter anderem eine kritische Sicherheitslücke gefährdet Router von Asus. Es kann Schadcode auf Geräte gelangen. [..] Welche Modelle konkret betroffen sind, geht aus dem Sicherheitsbereich der Asus-Website nicht hervor. Dort wird nur „Asus-Router-Firmware“ als verwundbar genannt. [..] Am gefährlichsten gilt eine „kritische“ Schwachstelle (CVE-2025-59366) in der AiCloud-Komponente. [..] Drei weitere Lücken (CVE-2025-59370, CVE-2025-59371, CVE-2025-12003) sind mit dem Bedrohungsgrad „hoch“ versehen. --------------------------------------------- https://heise.de/-11093767 ∗∗∗ ABB Ability Camera Connect Vulnerabilities in outdated 3rd party component (VLC) ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=4HZM000603&Language… ∗∗∗ Splunk: SVD-2025-1104: Third-Party Package Updates in Splunk SOAR - November 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1104 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 26.11.2025
by Daily end-of-shift report 26 Nov '25

26 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-11-2025 18:30 − Mittwoch 26-11-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025 ∗∗∗ --------------------------------------------- This article covers NTLM relay, credential forwarding, and other NTLM-related vulnerabilities and cyberattacks discovered in 2025. --------------------------------------------- https://securelist.com/ntlm-abuse-in-2025/118132/ ∗∗∗ Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store thats capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet. --------------------------------------------- https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html ∗∗∗ Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim Korean Leaks Data Heist ∗∗∗ --------------------------------------------- South Koreas financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware. --------------------------------------------- https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.h… ∗∗∗ HashJack attack shows AI browsers can be fooled with a simple ‘#’ ∗∗∗ --------------------------------------------- Hashtag-do-whatever-I-tell-you Cato Networks says it has discovered a new attack, dubbed "HashJack," that hides malicious prompts after the "#" in legitimate URLs, tricking AI browser assistants into executing them while dodging traditional network and server-side defenses. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/11/25/hashjack_att… ∗∗∗ Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack ∗∗∗ --------------------------------------------- This blog is intended to share an in-depth analysis of a recent multi-stage attack attributed to the Water Gamayun advanced persistent threat group (APT). Drawing on telemetry, forensic reconstruction, and known threat intelligence, the Zscaler Threat Hunting team reconstructed how a seemingly innocuous web search led to a sophisticated exploitation of a Windows MMC vulnerability, ultimately delivering hidden PowerShell payloads and final malware loaders. --------------------------------------------- https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack ∗∗∗ Studie: [EXTERN]-Tags schützen nicht vor Phishing ∗∗∗ --------------------------------------------- Eine großangelegte Simulation an einer deutschen Universitätsklinik zeigt: Gängige Schutzmaßnahmen wie [EXTERN]-Tags versagen, technische Filter wirken. --------------------------------------------- https://www.heise.de/news/Studie-EXTERN-Tags-schuetzen-nicht-vor-Phishing-1… ∗∗∗ So erkennen Sie Fake-Apotheken wie grazapotheke.com ∗∗∗ --------------------------------------------- Mit Beginn der Erkältungssaison steigt die Nachfrage nach Onlineapotheken. Doch neben seriösen Anbietern tummeln sich auch gefährliche Fälschungen im Netz. Ein Beispiel ist grazapotheke.com, die rezeptpflichtige Medikamente scheinbar frei verkauft. --------------------------------------------- https://www.watchlist-internet.at/news/so-erkennen-sie-fake-apotheken-wie-g… ∗∗∗ The Golden Scale: Tis the Season for Unwanted Gifts ∗∗∗ --------------------------------------------- Unit 42 shares further updates of cybercrime group Scattered LAPSUS$ Hunters. Secure your organization this holiday season. The post The Golden Scale: Tis the Season for Unwanted Gifts appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/ ∗∗∗ MySQL 8.0 fällt am 30. April 2026 aus dem Support ∗∗∗ --------------------------------------------- Baut sich ein weiteres Software-Problem in der IT-Landschaft auf? Das Open Source-Datenbanksystem MySQL ist sehr populär und breit im Einsatz. Aber MySQL 8.0 fällt am 30. April 2026 aus dem Support. --------------------------------------------- https://www.borncity.com/blog/2025/11/26/mysql-8-0-faellt-am-30-april-2026-… ∗∗∗ Sharjah Police Experiment Exposes How Easily People Fall for Fake QR Codes ∗∗∗ --------------------------------------------- A cybersecurity experiment conducted by Sharjah Police has revealed how easily QR codes can mislead individuals, particularly when these codes promise conveniences such as free WiFi. The police placed an unbranded QR code in a public area with a simple message, “Free WiFi”, to measure how many people would scan it without verifying its source. The results revealed that 89 members of the public scanned the code without asking who placed it or whether it was legitimate. --------------------------------------------- https://thecyberexpress.com/free-wifi-qr-code-risk-experiment/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#521113: Forge JavaScript library impacted by a vulnerability in signature verification. ∗∗∗ --------------------------------------------- The Forge JavaScript library provides TLS-related cryptographic utilities. A vulnerability that allows signature verification to be bypassed through crafted manipulation of ASN.1 structures, particularly in fields such as Message Authentication Code (MAC) data, was identified. --------------------------------------------- https://kb.cert.org/vuls/id/521113 ∗∗∗ ZDI-25-1019: Arista NG Firewall replace_marker Exposed Dangerous Function Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to to bypass authentication on affected installations of Arista NG Firewall. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-6979. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1019/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bind, binutils, delve and golang, expat, firefox, haproxy, kernel, libsoup3, libssh, libtiff, openssh, openssl, pam, podman, python-kdcproxy, shadow-utils, squid, thunderbird, vim, xorg-x11-server-Xwayland, and zziplib), Debian (cups-filters, libsdl2, linux-6.1, net-snmp, pdfminer, rails, and tryton-sao), Fedora (chromium, docker-buildkit, docker-buildx, and sudo-rs), Gentoo (librnp), Mageia (webkit2), SUSE (amazon-ssm-agent, buildah, curl, dpdk, fontforge-20251009, kernel, libIex-3_4-33, librnp0, python311, rclone, and sssd), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-aws-6.14, linux-oracle-6.14, linux-aws-fips, linux-fips, linux-gcp-fips, linux-realtime, linux-realtime-6.8, mupdf, openjdk-17, openjdk-8, and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/1048195/ ∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released seven Industrial Control Systems (ICS) Advisories: ICSA-25-329-01 Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt, Share. ICSA-25-329-02 Rockwell Automation Arena Simulation. ICSA-25-329-03 Zenitel TCIV-3+. ICSA-25-329-04 Opto 22 groov View. ICSA-25-329-05 Festo Compact Vision System, Control Block, Controller, and Operator Unit products. ICSA-25-329-06 SiRcom SMART. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/11/25/cisa-releases-seven-indu… ∗∗∗ Nvidia DGX Spark, NeMo: Kritische Lücken gefährden KI-Hard- und Software ∗∗∗ --------------------------------------------- Nvidias KI-Hard- und Software DGX Spark und NeMo Framework sind verwundbar. Sicherheitsupdates schließen mehrere Schwachstellen. Im schlimmsten Fall können Angreifer Systeme nach der Ausführung von Schadcode in Gänze kompromittieren. Bislang gibt es keine Berichte zu laufenden Attacken. --------------------------------------------- https://heise.de/-11092387 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 25.11.2025
by Daily end-of-shift report 25 Nov '25

25 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Montag 24-11-2025 19:30 − Dienstag 25-11-2025 18:30 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious Blender model files deliver StealC infostealing malware ∗∗∗ --------------------------------------------- A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-blender-model-file… ∗∗∗ Tor switches to new Counter Galois Onion relay encryption algorithm ∗∗∗ --------------------------------------------- Tor has announced improved encryption and security for the circuit traffic by replacing the old tor1 relay encryption algorithm with a new design called Counter Galois Onion (CGO). --------------------------------------------- https://www.bleepingcomputer.com/news/security/tor-switches-to-new-counter-… ∗∗∗ JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new campaign thats leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a "critical" Windows security update. --------------------------------------------- https://thehackernews.com/2025/11/jackfix-uses-fake-windows-update-pop.html ∗∗∗ Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys ∗∗∗ --------------------------------------------- New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code. --------------------------------------------- https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.h… ∗∗∗ Ex-CISA officials, CISOs dispel hacklore, spread cybersecurity truths ∗∗∗ --------------------------------------------- Dont believe everything you read Afraid of connecting to public Wi-Fi? Terrified to turn your Bluetooth on? You may be falling for "hacklore," tall tales about cybersecurity that distract you from real dangers. Dozens of chief security officers and ex-CISA officials have launched an effort and website to dispel these myths and show you how not to get hacked for real. --------------------------------------------- www.theregister.com/2025/11/24/hacklore_launch/ ∗∗∗ Is Your Android TV Streaming Box Part of a Botnet? ∗∗∗ --------------------------------------------- On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers. --------------------------------------------- https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-o… ∗∗∗ New ClickFix wave infects users with hidden malware in images and fake Windows updates ∗∗∗ --------------------------------------------- ClickFix just got more convincing, hiding malware in PNG images and faking Windows updates to make users run dangerous commands. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/new-clickfix-wave-infects-us… ∗∗∗ UEFI SecureBoot DB Update: Microsoft 2023er CAs installieren ∗∗∗ --------------------------------------------- Die SecureBoot-Zertifikate (KEK und DB) von Microsoft stammen aus dem Jahr 2011 und laufen im Jahr 2026 ab. --------------------------------------------- https://hitco.at/blog/uefi-secureboot-db-update-installieren/ ∗∗∗ Meldungen häufen sich: Kopierte Kleinanzeigen füllen Fake-Shops ∗∗∗ --------------------------------------------- Kriminelle stopfen ihre Fake-Shops immer öfter mit Bildmaterial und Produktinfos von Kleinanzeigen-Portalen voll. Komplette Annoncen landen, leicht verändert und mit einem ordentlichen Rabatt, in den betrügerischen Stores. --------------------------------------------- https://www.watchlist-internet.at/news/kopierte-kleinanzeigen-fuellen-fake-… ∗∗∗ Russia arrests young cybersecurity entrepreneur on treason charges ∗∗∗ --------------------------------------------- Details of the case are classified, but Russian media say Timur Kilin may have drawn official ire after publicly criticizing the state-owned messaging app Max and the government’s anti-cybercrime legislation. --------------------------------------------- https://therecord.media/russia-arrests-tech-entrepreneur-treason ∗∗∗ Update Firefox to Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users ∗∗∗ --------------------------------------------- AI security firm AISLE revealed CVE-2025-13016, a critical Firefox Wasm bug that risked 180M users for six months. Learn how the memory flaw allowed code execution. --------------------------------------------- https://hackread.com/update-firefox-patch-cve-2025-13016-vulnerability/ ∗∗∗ Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications ∗∗∗ --------------------------------------------- CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps). These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-thr… ∗∗∗ The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk ∗∗∗ --------------------------------------------- Bitsight TRACE discovered more than 390 abandoned domains related to iCalendar synchronization (sync) requests for subscribed calendars, potentially putting ~4 million devices at risk. --------------------------------------------- https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-milli… ∗∗∗ Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem) ∗∗∗ --------------------------------------------- Welcome to watchTowr vs the Internet, part 68.That feeling you’re experiencing? Dread. You should be used to it by now. As is fast becoming an unofficial and, apparently, frowned upon tradition - we identified incredible amounts of publicly exposed passwords, secrets, keys and more for very sensitive environments - and then spent a number of months working out if we could travel back in time to a period in which we just hadn't. --------------------------------------------- https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, firefox, go-rpm-macros, kernel, kernel-rt, podman, and thunderbird), Debian (erlang, python-gevent, and r-cran-gh), Fedora (buildah, chromium, k9s, kubernetes1.33, kubernetes1.34, podman, python-mkdocs-include-markdown-plugin, and webkitgtk), Gentoo (Chromium, Google Chrome, Microsoft Edge. Opera, qtsvg, redict, redis, UDisks, and WebKitGTK+), Mageia (cups-filters and ruby-rack), Oracle (kernel and libssh), Red Hat (.NET 8.0, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (act, bind, cups-filters, govulncheck-vulndb, grub2, libebml, python39, and tcpreplay), and Ubuntu (linux-raspi, linux-raspi-realtime, openjdk-21, openjdk-25, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and runc-app, runc-stable). --------------------------------------------- https://lwn.net/Articles/1047950/ ∗∗∗ Synology-SA-25:15 ActiveProtect Agent ∗∗∗ --------------------------------------------- Synology has released a security update for the ActiveProtect Agent on Windows to address a vulnerability: CVE-2025-13593 allows local users to write arbitrary files with restricted content.Please refer to the Affected Products table for the corresponding updates. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_15 ∗∗∗ Azure Bastion mit schwerer Schwachstelle CVE-2025-49752 ∗∗∗ --------------------------------------------- Der Microsoft Azure Bastion-Dienst zum sicheren und nahtlosen RDP- und SSH-Zugriff auf virtuelle Azure-Maschinen (VMs) weist für alle Bereitstellungen vor dem 20. November 2025 eine schwere Schwachstelle CVE-2025-49752 (CVSS Score 10.0) auf. --------------------------------------------- https://www.borncity.com/blog/2025/11/25/azure-bastion-mit-schwerer-schwach… ∗∗∗ Asus stopft hochriskante Rechteausweitungslücke in MyAsus ∗∗∗ --------------------------------------------- Asus warnt vor einer als hochriskant eingestuften Sicherheitslücke in der MyAsus-Software. Ein Update steht bereit. --------------------------------------------- https://heise.de/-11090371 ∗∗∗ Security Advisory for SiRcom SMART Alert (SiSA) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-06 ∗∗∗ Security Advisory for Festo Compact Vision System, Control Block, Controller, and Operator Unit products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-05 ∗∗∗ Security Advisory for Zenitel TCIV-3+ ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 ∗∗∗ Security Advisory for Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 24.11.2025
by Daily end-of-shift report 24 Nov '25

24 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-11-2025 18:00 − Montag 24-11-2025 19:30 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Shai-Hulud 2.0: Ongoing Supply Chain Attack ∗∗∗ --------------------------------------------- Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign. Over 25,000 affected repositories across ~350 unique users. --------------------------------------------- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack ∗∗∗ How to know if your Asus router is one of thousands hacked by China-state hackers ∗∗∗ --------------------------------------------- So far, the hackers are laying low, likely for later use. --------------------------------------------- https://arstechnica.com/security/2025/11/thousands-of-hacked-asus-routers-a… ∗∗∗ CrowdStrike catches insider feeding information to hackers ∗∗∗ --------------------------------------------- American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/crowdstrike-catches-insider-… ∗∗∗ Ausgesperrt aus dem eigenen Körper: Zauberkünstler vergisst Passwort für Hand-Chip ∗∗∗ --------------------------------------------- Ein Magier hat sich durch ein vergessenes Passwort dauerhaft aus dem RFID-Chip in seiner eigenen Hand ausgesperrt. --------------------------------------------- https://www.golem.de/news/ausgesperrt-aus-dem-eigenen-koerper-zauberkuenstl… ∗∗∗ ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access ∗∗∗ --------------------------------------------- A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad. --------------------------------------------- https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html ∗∗∗ ShinyHunters does not like Salesforce at all, claims the crew accessed Gainsight 3 months ago ∗∗∗ --------------------------------------------- Shiny talks to The Reg EXCLUSIVE ShinyHunters has claimed responsibility for the Gainsight breach that allowed the data thieves to snarf data from hundreds more Salesforce customers. --------------------------------------------- www.theregister.com/2025/11/21/shinyhunters_salesforce_gainsight_breach/ ∗∗∗ Amazon Is Using Specialized AI Agents for Deep Bug Hunting ∗∗∗ --------------------------------------------- Born out of an internal hackathon, Amazon’s Autonomous Threat Analysis system uses a variety of specialized AI agents to detect weaknesses and propose fixes to the company’s platforms. --------------------------------------------- https://www.wired.com/story/amazon-autonomous-threat-analysis/ ∗∗∗ DHL-Phishing zur Online-Handel-Blütezeit ∗∗∗ --------------------------------------------- Mit der "Cyber-Week" startet der Online-Handel in den Jahresendspurt. Online-Betrüger wollen Opfer mit angeblichen Nachzahlungen ködern. --------------------------------------------- https://www.heise.de/news/DHL-Phishing-zur-Online-Handel-Bluetezeit-1108844… ∗∗∗ Fahrradhersteller Woom: IT-Einbruch durch Cybergang INC Ransom ∗∗∗ --------------------------------------------- Vor zwei Wochen gab es einen IT-Einbruch beim Kinderradhersteller Woom. Die Cybergang INC Ransom droht mit Datenveröffentlichung. --------------------------------------------- https://www.heise.de/news/Fahrradhersteller-Woom-IT-Einbruch-durch-Cybergan… ∗∗∗ IT-Sicherheit: BSI will Webmail-Anbieter stärker in die Pflicht nehmen ∗∗∗ --------------------------------------------- Die E-Mail-Sicherheit lastet größtenteils auf den Schultern der Anwender, moniert das BSI. Es sieht die Betreiber etwa bei der Anmeldung in der Verantwortung. --------------------------------------------- https://www.heise.de/news/IT-Sicherheit-BSI-will-Webmail-Anbieter-staerker-… ∗∗∗ Matrix Push C2 abuses browser notifications to deliver phishing and malware ∗∗∗ --------------------------------------------- Attackers can send highly realistic push notifications through your browser, including fake alerts that can lead to malware or phishing pages. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/matrix-push-c2-abuses-browse… ∗∗∗ Vorsicht vor gefälschten Rückerstattungen der ÖGK! ∗∗∗ --------------------------------------------- Derzeit verbreitet sich erneut eine Phishing-Welle, die viele Österreicher:innen betrifft. In betrügerischen E-Mails wird behauptet, man habe Anspruch auf eine Rückerstattung der Österreichischen Gesundheitskasse (ÖGK). Wer der Aufforderung folgt, führt jedoch eine Überweisung an Kriminelle durch. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-rueckersta… ∗∗∗ Kundendaten von US-Banken nach Cyberattacke womöglich kompromittiert ∗∗∗ --------------------------------------------- Ein Cyberangriff auf den Dienstleister SitusAMC könnte Kundendaten großer US-Banken wie JPMorgan Chase, Citi und Morgan Stanley kompromittiert haben. --------------------------------------------- https://www.derstandard.at/story/3000000297610/kundendaten-von-us-banken-na… ∗∗∗ SmbCrawler – SMB Share Discovery and Secret-Hunting ∗∗∗ --------------------------------------------- SmbCrawler is a credentialed SMB share crawler for red teams that discovers misconfigured shares and hunts secrets across Windows networks. --------------------------------------------- https://www.darknet.org.uk/2025/11/smbcrawler-smb-share-discovery-and-secre… ∗∗∗ GhostAd: Hidden Google Play Adware Drains Devices and Disrupts Millions of Users ∗∗∗ --------------------------------------------- Check Point researchers uncover a large-scale Android adware campaign that silently drains resources and disrupts normal phone use through persistent background activity. During an internal threat-hunting investigation, Check Point Harmony Mobile Detection Team identified a network of Android applications on Google Play masquerading as harmless utility and emoji-editing tools. --------------------------------------------- https://blog.checkpoint.com/research/ghostad-hidden-google-play-adware-drai… ∗∗∗ SesameOp: Neuartige Backdoor in OpenAI API für C&C missbraucht ∗∗∗ --------------------------------------------- Sicherheitsforscher von Microsoft sind auf eine neuartige Backdoor in der OpenAI Assistant API gestoßen, und haben diese SesameOp genannt. Diese neuartige Backdoor, die von einem Angreifer verwendet wurde, nutzt die API des OpenAI Assistant, um Befehls- und Kontrollfunktionen für Cyberangriffe zu implementieren. --------------------------------------------- https://www.borncity.com/blog/2025/11/22/sesameop-neuartige-backdoor-in-ope… ∗∗∗ Smartmeter: Daten wecken Begehrlichkeiten (der Polizei in Sacramento) ∗∗∗ --------------------------------------------- Smartmeter erfassen ja den Stromverbrauch in Haushalten, und es gibt große Bedenken, dass diese neue Technologie missbraucht werden könnte. In den USA hat die Stadt Sacramento einen entsprechenden Skandal, bei dem der Betreiber der intelligenten Stromzähler ohne richterlichen Beschluss an die örtliche Polizei weitergegeben hat. Die Praxis wurde jetzt von einem Richter gestoppt. --------------------------------------------- https://www.borncity.com/blog/2025/11/23/smartmeter-daten-wecken-begehrlich… ∗∗∗ WTF: Schlüssel weg – Kryptologen kommen nicht an ihre Wahlergebnisse ∗∗∗ --------------------------------------------- Eine renommierte Gruppe von Kryptologie-Forschern nutzt ein ausgefeiltes Schutzsystem – und fällt ihm schließlich selbst zum Opfer. --------------------------------------------- https://heise.de/-11088550 ∗∗∗ A Reverse Engineer’s Anatomy of the macOS Boot Chain & Security Architecture ∗∗∗ --------------------------------------------- The security of the macOS platform on Apple Silicon is not defined by the kernel; it is defined by the physics of the die. Before the first instruction of kernelcache is fetched, a complex, cryptographic ballet has already concluded within the Application Processor (AP). This section dissects the immutable hardware logic that establishes the initial link in the Chain of Trust. --------------------------------------------- http://stack.int.mov/a-reverse-engineers-anatomy-of-the-macos-boot-chain-se… ===================== = Vulnerabilities = ===================== ∗∗∗ Grafana warns of max severity admin spoofing vulnerability ∗∗∗ --------------------------------------------- Grafana Labs is warning of a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to treat new users as administrators or for privilege escalation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/grafana-warns-of-max-severit… ∗∗∗ CISA warns Oracle Identity Manager RCE flaw is being actively exploited ∗∗∗ --------------------------------------------- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning government agencies to patch an Oracle Identity Manager tracked as CVE-2025-61757 that has been exploited in attacks, potentially as a zero-day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-oracle-identity-m… ∗∗∗ Malware im Anmarsch: Kritische Windows-Lücke ermöglicht Angriffe über JPEG-Daten ∗∗∗ --------------------------------------------- Forscher warnen vor einer kritischen Sicherheitslücke in einer Windows-Bibliothek. Angreifer können über JPEG-Bilddaten Schadcode einschleusen. --------------------------------------------- https://www.golem.de/news/malware-im-anmarsch-kritische-windows-luecke-ermo… ∗∗∗ Jetzt patchen! Schadcode-Attacken auf Oracle Identity Manager beobachtet ∗∗∗ --------------------------------------------- Es gibt Hinweise, dass Angreifer Oracle Identity Manager bereits seit August dieses Jahres attackieren. Ein Sicherheitsupdate ist vorhanden. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Schadcode-Attacken-auf-Oracle-Ident… ∗∗∗ HCL BigFix: Sicherheitsprobleme bei SAML-Authentifizierung ∗∗∗ --------------------------------------------- Die Endpoint-Management-Plattform BigFix von HCL ist verwundbar. Nun haben die Entwickler eine kritische Sicherheitslücke geschlossen. --------------------------------------------- https://www.heise.de/news/HCL-BigFix-Sicherheitsprobleme-bei-SAML-Authentif… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (calibre, chromium, cri-o1.32, cri-o1.33, cri-o1.34, dotnet10.0, dovecot, gnutls, gopass, gopass-hibp, gopass-jsonapi, kubernetes1.31, kubernetes1.32, kubernetes1.33, kubernetes1.34, and linux-firmware), Mageia (ffmpeg, kernel, kmod-xtables-addons & kmod-virtualbox, kernel-linus, konsole, and redis), Red Hat (bind and bind-dyndb-ldap and kernel), SUSE (act, alloy, amazon-ssm-agent, ansible-12, ansible-core, blender, chromium, cups-filters, curl, elfutils, expat, firefox, glib2, grub2, helm, kernel, libipa_hbac-devel, libxslt, nvidia-container-toolkit, ongres-scram, openexr, podman, poppler, runc, samba, sssd, thunderbird, and tomcat), and Ubuntu (cups-filters, linux, linux-aws, linux-gcp, linux-hwe-6.14, linux-oracle, linux-realtime, linux-oem-6.14, and linux-realtime-6.14). --------------------------------------------- https://lwn.net/Articles/1047682/ ∗∗∗ Synology-SA-25:14 DSM (PWN2OWN 2025) ∗∗∗ --------------------------------------------- Synology has released a security update for the DSM to address ZDI-CAN-28409: CVE-2025-13392 allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).Please refer to the Affected Products table for the corresponding updates. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_14 ∗∗∗ VU#761751: fluentbit contains stack buffer overflow, authentication bypass, and path traversal flaws ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/761751 ∗∗∗ F5: K000157948, BIND vulnerability CVE-2025-40780 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000157948 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 21.11.2025
by Daily end-of-shift report 21 Nov '25

21 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-11-2025 18:00 − Freitag 21-11-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ ‘Matrix Push’ C2 Tool Hijacks Browser Notifications for Phishing ∗∗∗ --------------------------------------------- Have you ever given two seconds of thought to a browser notification? No? Thats what hackers are counting on. --------------------------------------------- https://www.darkreading.com/threat-intelligence/matrix-push-c2-tool-hijacks… ∗∗∗ Schutz vor Betrug: Wo bleibt Österreichs SMS-Firewall? ∗∗∗ --------------------------------------------- Beim angekündigten Schutzmechanismus gegen Phishing-SMS hat sich offenbar kaum etwas getan. --------------------------------------------- https://futurezone.at/netzpolitik/sms-firewall-oesterreich-spamnachrichten-… ∗∗∗ ToddyCat: your hidden email assistant. Part 1 ∗∗∗ --------------------------------------------- Kaspersky experts analyze the ToddyCat APT attacks targeting corporate email. We examine the new version of TomBerBil, the TCSectorCopy and XstReader tools, and methods for stealing access tokens from Outlook. --------------------------------------------- https://securelist.com/toddycat-apt-steals-email-data-from-outlook/118044/ ∗∗∗ Fired techie admits sabotaging ex-employer, causing $862K in damage ∗∗∗ --------------------------------------------- PowerShell script locked thousands of workers out of their accounts An Ohio IT contractor has pleaded guilty to breaking into his former employers systems and causing nearly $1 million worth of damage after being fired. --------------------------------------------- https://www.theregister.com/2025/11/20/it_contractor_sabotage/ ∗∗∗ LLM-generated malware is improving, but dont expect autonomous attacks tomorrow ∗∗∗ --------------------------------------------- Researchers tried to get ChatGPT to do evil, but it didnt do a good job LLMs are getting better at writing malware - but theyre still not ready for prime time. --------------------------------------------- https://www.theregister.com/2025/11/20/llmgenerated_malware_improving/ ∗∗∗ Virenscanner ClamAV: Große Aufräumaktion der Entwickler angekündigt ∗∗∗ --------------------------------------------- Entrümpelung beim Virenscanner ClamAV: Cisco lässt die Entwickler alte Signaturen rauswerfen, auch alte Docker-Images müssen gehen. --------------------------------------------- https://www.heise.de/news/Virenscanner-ClamAV-Entwickler-starten-Entruempel… ∗∗∗ Budget Samsung phones shipped with unremovable spyware, say researchers ∗∗∗ --------------------------------------------- Samsung is under fire again for shipping phones in parts of the world with a hidden system app, AppCloud, that users can’t easily remove. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/budget-samsung-phones-shippe… ∗∗∗ Vorsicht vor Fake-Shops rund um den Black Friday ∗∗∗ --------------------------------------------- Der Black Friday steht vor der Tür und viele Online-Händler locken bereits jetzt mit großzügigen Rabatten. Doch Sparfüchse sollten vor einer Bestellung genau hinsehen, denn auch betrügerische Shops versuchen, von der erhöhten Kauflaune zu profitieren. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-rund-um-den-… ∗∗∗ NIS2: Gesetz für mehr Cybersicherheit ist auf dem Weg ∗∗∗ --------------------------------------------- Die Regierung holt ein Versäumnis nach: Das Gesetz hätte schon vor einem Jahr beschlossen werden sollen --------------------------------------------- https://www.derstandard.at/story/3000000297503/nis2-gesetz-fuer-mehr-cybers… ∗∗∗ Inside Europe’s AI-Fuelled GLP-1 Scam Epidemic: How Criminal Networks Are Hijacking the Identities of the NHS, AEMPS, ANSM, BfArM and AIFA to Sell Fake Weight-Loss Products ∗∗∗ --------------------------------------------- The global appetite for GLP-1 medications like Ozempic, Wegovy and Mounjaro have created something far more dangerous than a cultural trend. It has created the perfect opening for cyber criminals who understand how desperation, scarcity and online misinformation intersect. As clinics struggle with shortages and manufacturers warn of supply limits extending .. --------------------------------------------- https://blog.checkpoint.com/research/inside-europes-ai-fuelled-glp-1-scam-e… ∗∗∗ Stolen VPN Credentials Most Common Ransomware Attack Vector ∗∗∗ --------------------------------------------- Compromised VPN credentials are the most common initial access vector for ransomware attacks, according to a new report. Nearly half of ransomware attacks in the third quarter abused compromised VPN credentials as the initial access point, according to research from Beazley Security, the cybersecurity arm of Beazley Insurance. Nearly a quarter of initial access .. --------------------------------------------- https://thecyberexpress.com/stolen-vpn-credentials-most-common-ransomware-a… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-885: (0Day) Digilent DASYLab DSB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-885/ ∗∗∗ CVE-2025-50165: Critical Flaw in Windows Graphics Component ∗∗∗ --------------------------------------------- https://www.zscaler.com/blogs/security-research/cve-2025-50165-critical-fla… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 20.11.2025
by Daily end-of-shift report 20 Nov '25

20 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-11-2025 18:00 − Donnerstag 20-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critics scoff after Microsoft warns AI feature can infect machines and pilfer data ∗∗∗ --------------------------------------------- Integration of Copilot Actions into Windows is off by default, but for how long? --------------------------------------------- https://arstechnica.com/security/2025/11/critics-scoff-after-microsoft-warn… ∗∗∗ Salesforce investigates customer data theft via Gainsight breach ∗∗∗ --------------------------------------------- Salesforce says it revoked refresh tokens linked to Gainsight-published applications while investigating a new wave of data theft attacks targeting customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/salesforce-investigates-cust… ∗∗∗ Sicherheitslücke wird ausgenutzt: Angreifer attackieren 7-Zip-Nutzer ∗∗∗ --------------------------------------------- Ältere Versionen des Packprogramms 7-Zip weisen eine gefährliche Schadcode-Lücke auf, die inzwischen ausgenutzt wird. Nutzer sollten handeln. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-wird-ausgenutzt-angreifer-attac… ∗∗∗ Fake-Softwareupdates: Cyberspione verteilen Malware über manipulierten DNS-Traffic ∗∗∗ --------------------------------------------- Eine APT-Gruppe leitet gezielt DNS-Traffic kompromittierter Router um, um Anwendern falsche Softwareupdates mit einer Backdoor unterzuschieben. --------------------------------------------- https://www.golem.de/news/dns-traffic-umgeleitet-cyberspione-verbreiten-mal… ∗∗∗ Banking-Trojaner: Neue Android-Malware liest verschlüsselte Chats mit ∗∗∗ --------------------------------------------- Egal ob Signal, Telegram oder Whatsapp - kein Chat kann sich vor dem Sturnus-Trojaner verstecken. Opfer bemerken den Datenklau nicht. --------------------------------------------- https://www.golem.de/news/banking-trojaner-neue-android-malware-liest-versc… ∗∗∗ Blockchain and Node.js abused by Tsundere: an emerging botnet ∗∗∗ --------------------------------------------- Kaspersky GReAT experts discovered a new campaign featuring the Tsundere botnet. Node.js-based bots abuse web3 smart contracts and are spread via MSI installers and PowerShell scripts. --------------------------------------------- https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117… ∗∗∗ Inside the dark web job market ∗∗∗ --------------------------------------------- This report examines how employment and recruitment function on the dark web, based on over 2,000 job-related posts collected from shadow forums between January 2023 and June 2025. --------------------------------------------- https://securelist.com/dark-web-job-market-2023-2025/118057/ ∗∗∗ SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp ∗∗∗ --------------------------------------------- Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-… ∗∗∗ Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt ∗∗∗ --------------------------------------------- Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting.The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating the need for a new category of warfare, the tech giants .. --------------------------------------------- https://thehackernews.com/2025/11/iran-linked-hackers-mapped-ship-ais.html ∗∗∗ Zu gut, um wahr zu sein? Vorsicht vor betrügerischen Kredit-Angeboten! ∗∗∗ --------------------------------------------- Kein Einkommensnachweis nötig? Die Zinsen weit unter dem üblichen Niveau? Maximale Flexibilität? Kriminelle locken ihre Opfer mit unrealistischen Kredit-Versprechen in die Falle. Sie drängen sie zur Überweisung verschiedenster Steuern, Gebühren etc. – zu einer Auszahlung kommt es allerdings nie. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-kredit-angebote/ ∗∗∗ NSO seeks to overturn WhatsApp case, saying it is ‘catastrophic’ for the spyware maker ∗∗∗ --------------------------------------------- In a court filing ahead of the ruling, NSO told the judge that blocking it from targeting WhatsApp infrastructure to implant its spyware could “put NSO’s entire enterprise at risk” and “force NSO out of business.” --------------------------------------------- https://therecord.media/nso-seeks-to-overturn-whatsapp-case ∗∗∗ Reoccurring Use of Highly Suspicious PDF Editors to Infiltrate Environments ∗∗∗ --------------------------------------------- The activities observed are the following: — File is downloaded from conmateapp[.]com ortrm[.]conmateapp[.]com (OSINT suggests that these are downloaded through ads but this has not .. --------------------------------------------- https://www.truesec.com/hub/blog/reoccurring-use-of-highly-suspicious-pdf-e… ∗∗∗ FortiWeb CVE‑2025‑64446: What We’re Seeing in the Wild ∗∗∗ --------------------------------------------- GreyNoise has begun seeing active exploitation of CVE‑2025‑64446, the critical path‑traversal flaw that lets an unauthenticated actor run administrative commands on Fortinet FortiWeb appliances. --------------------------------------------- https://www.greynoise.io/blog/fortiweb-cve-2025-64446 ∗∗∗ Palo Alto Scanning Surges 40X in 24 Hours, Marking 90-Day High ∗∗∗ --------------------------------------------- GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals. Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high. --------------------------------------------- https://www.greynoise.io/blog/palo-alto-scanning-surges-90-day-high -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 19.11.2025
by Daily end-of-shift report 19 Nov '25

19 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-11-2025 18:00 − Mittwoch 19-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New ShadowRay attacks convert Ray clusters into crypto miners ∗∗∗ --------------------------------------------- A global campaign dubbed ShadowRay 2.0 hijacks exposed Ray Clusters by exploiting an old code execution flaw to turn them into a self-propagating cryptomining botnet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-shadowray-attacks-conver… ∗∗∗ Russian bulletproof hosting provider sanctioned over ransomware ties ∗∗∗ --------------------------------------------- Today, the United States, the United Kingdom, and Australia announced sanctions targeting Russian bulletproof hosting (BPH) providers that have supported ransomware gangs and other cybercrime operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-sanctions-russian-bulletp… ∗∗∗ Gen Z ist bei Passwörtern so schlecht wie 80-Jährige ∗∗∗ --------------------------------------------- Das beliebteste Passwort weltweit lautet: “Passwort”. --------------------------------------------- https://futurezone.at/digital-life/passwort-gen-z-aeltere-generation-80-jae… ∗∗∗ Microsoft: Windows 11 bekommt hardwarebeschleunigtes Bitlocker ∗∗∗ --------------------------------------------- Bisher war Bitlocker ausschließlich als Softwareverschlüsselung vorgesehen. Das soll sich in Windows bald ändern. --------------------------------------------- https://www.golem.de/news/microsoft-windows-11-bekommt-hardwarebeschleunigt… ∗∗∗ NIS-2-Richtlinie: Zentrale Anlaufstelle für Cybervorfälle geplant ∗∗∗ --------------------------------------------- Firmen sollen in der EU künftig Sicherheitsvorfälle nur noch bei einer Behörde melden müssen. Das soll den Berichtsaufwand verringern. --------------------------------------------- https://www.golem.de/news/nis-2-richtlinie-zentrale-anlaufstelle-fuer-cyber… ∗∗∗ IT threat evolution in Q3 2025. Mobile statistics ∗∗∗ --------------------------------------------- The report features statistics on mobile threats for the third quarter of 2025, along with interesting findings and trends from the quarter, including an increase in ransomware activity in Germany, and more. --------------------------------------------- https://securelist.com/malware-report-q3-2025-mobile-statistics/118013/ ∗∗∗ IT threat evolution in Q3 2025. Non-mobile statistics ∗∗∗ --------------------------------------------- The report presents key trends and statistics on malware that targets personal computers running Windows and macOS, as well as Internet of Things (IoT) devices, during the third quarter of 2025. --------------------------------------------- https://securelist.com/malware-report-q3-2025-pc-iot-statistics/118020/ ∗∗∗ Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar ∗∗∗ --------------------------------------------- The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, underscoring the continued evolution of such offerings and further making it easier for .. --------------------------------------------- https://thehackernews.com/2025/11/sneaky-2fa-phishing-kit-adds-bitb-pop.html ∗∗∗ Tens of thousands more ASUS routers pwned by suspected, evolving China operation ∗∗∗ --------------------------------------------- Researchers say attacks are laying the groundwork for stealthy espionage activity Around 50,000 ASUS routers have been compromised in a sophisticated attack that researchers believe may be linked to China, according to findings released today by SecurityScorecards STRIKE team. --------------------------------------------- https://www.theregister.com/2025/11/19/thousands_more_asus_routers_pwned/ ∗∗∗ Fakeshops: Vorsicht bei Black-Week- und Heizöl-Angeboten ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt vor Fakeshops mit vermeintlichen Heizöl-Schnäppchen. Die Black-Week lockt Betrüger auf den Plan. --------------------------------------------- https://www.heise.de/news/Fakeshops-Vorsicht-bei-Black-Week-und-Heizoel-Ang… ∗∗∗ Sicherheitslücken: Solarwinds Platform und Serv-U für Attacken anfällig ∗∗∗ --------------------------------------------- Angreifer können Solarwinds Netzwerkmonitoringlösung Platform und die Dateitransfersoftware Serv-U attackieren. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-Solarwinds-Platform-und-Serv-U… ∗∗∗ Vorsicht: Kombinierte Phishing & Abo-Falle statt neuem iPhone 17 pro! ∗∗∗ --------------------------------------------- Das neueste iPhone – völlig kostenlos – direkt nach Hause geschickt! Gibt’s nicht? Gibt’s tatsächlich nicht! Hinter dem verlockenden Angebot versteckt sich in Wahrheit nichts anderes als eine Betrugs-Kombi aus Kreditkartendiebstahl und Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-falle-iphone-17-pro/ ∗∗∗ Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise ∗∗∗ --------------------------------------------- Unit 42 outlines a Howling Scorpius attack delivering Akira ransomware that originated from a fake CAPTCHA and led to a 42-day compromise. --------------------------------------------- https://unit42.paloaltonetworks.com/fake-captcha-to-compromise/ ∗∗∗ Unwanted Gifts: Major Campaign Lures Targets with Fake Party Invites ∗∗∗ --------------------------------------------- Prolific threat actor delivering RMM packages using variety of lures, including seasonal party invites --------------------------------------------- https://www.security.com/threat-intelligence/rmm-logmein-attacks ∗∗∗ LG battery subsidiary says ransomware attack targeted overseas facility ∗∗∗ --------------------------------------------- A "specific overseas facility" fell prey to a ransomware attack but is now operating normally, according to LG Energy Solution — the South Korean multinationals battery-making subsidiary. --------------------------------------------- https://therecord.media/lg-energy-solution-ransomware-incident-battery-maker -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 18.11.2025
by Daily end-of-shift report 18 Nov '25

18 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Montag 17-11-2025 18:00 − Dienstag 18-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses ∗∗∗ --------------------------------------------- Microsoft said today that the Aisuru botnet hit its Azure network with a 15.72 terabits per second (Tbps) DDoS attack, launched from over 500,000 IP addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-aisuru-botnet-use… ∗∗∗ RondoDox botnet malware now hacks servers using XWiki flaw ∗∗∗ --------------------------------------------- The RondoDox botnet malware is now exploiting a critical remote code execution (RCE) flaw in XWiki Platform tracked as CVE-2025-24893. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rondodox-botnet-malware-now-… ∗∗∗ The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA ∗∗∗ --------------------------------------------- Tycoon 2FA enables turnkey real-time MFA relays behind 64,000+ attacks this year, proving legacy MFA collapses the moment a phishing kit targets it. Learn from Token Ring how biometric, phishing-proof FIDO2 hardware blocks these relay attacks before they succeed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-tycoon-2fa-phishing-plat… ∗∗∗ Sicherheitslücke in V8: Hacker attackieren Chrome-Nutzer über Javascript-Engine ∗∗∗ --------------------------------------------- Zur Ausnutzung der Chrome-Lücke reicht der bloße Aufruf einer bösartigen Webseite. Angreifer können daraufhin Schadcode zur Ausführung bringen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-in-v8-angreifer-attackieren-chr… ∗∗∗ A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers ∗∗∗ --------------------------------------------- By plugging tens of billions of phone numbers into WhatsApp’s contact discovery tool, researchers found “the most extensive exposure of phone numbers” ever—along with profile photos and more. --------------------------------------------- https://www.wired.com/story/a-simple-whatsapp-security-flaw-exposed-billion… ∗∗∗ IT-Vorfall: Stadtwerke Detmold nicht mehr erreichbar ∗∗∗ --------------------------------------------- Die Stadtwerke Detmold sind Opfer eines IT-Angriffs geworden. Sie sind derzeit nicht mehr erreichbar. Die Versorgung soll gesichert sein. --------------------------------------------- https://www.heise.de/news/Stadtwerke-Detmold-nach-IT-Vorfall-offline-110829… ∗∗∗ Common Kubernetes misconfigurations and how to avoid them ∗∗∗ --------------------------------------------- TL;DR Introduction Kubernetes has changed the way we deploy and scale workloads. It’s powerful, flexible, and very good at hiding a lot of complexity. It is also very good at hiding security problems until someone starts poking at it. Attackers usually take the path of least resistance. If they find an exposed API, dashboard, or port, that is often .. --------------------------------------------- https://www.pentestpartners.com/security-blog/common-kubernetes-misconfigur… ∗∗∗ ASFINAG Phishing-Welle fordert Bezahlung angeblicher Verkehrsstrafe ∗∗∗ --------------------------------------------- Eine Verkehrsstrafe möchte man meist schnell begleichen, um zusätzliche Kosten zu vermeiden. Genau diesen Reflex nutzen derzeit Kriminelle aus: Im Umlauf befindet sich eine gefälschte Mahn-SMS, die angeblich von der ASFINAG stammt. --------------------------------------------- https://www.watchlist-internet.at/news/asfinag-phishing-welle-fordert-bezah… ∗∗∗ MI5 warns of Chinese spies using LinkedIn to gain intel on lawmakers ∗∗∗ --------------------------------------------- The alert identifies two specific LinkedIn profiles, featuring fake personas, that are being used by China’s Ministry of State Security in an attempt to build relationships in Westminster and gain intelligence. --------------------------------------------- https://therecord.media/mi5-warns-chinese-spies-using-linkedin-lawmakers ∗∗∗ Russian suspect detained in Thailand is allegedly tied to Void Blizzard group ∗∗∗ --------------------------------------------- More details are emerging about a 35-year-old Russian man arrested by Thai police in Phuket earlier this month with reported help from the FBI. --------------------------------------------- https://therecord.media/russian-arrested-thailand-allegedly-void-blizzard-a… ∗∗∗ Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses ∗∗∗ --------------------------------------------- In this blog entry, Trend™ Research explores how ransomware actors are shifting their focus to cloud-based assets, including the tactics used to compromise business-critical data in AWS environments. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/k/s3-ransomware.html ∗∗∗ When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game ∗∗∗ --------------------------------------------- EU sanctions hit Stark Industries in May 2025. GreyNoise data shows how the group quietly rebranded to THE.Hosting and kept its malicious infrastructure running. --------------------------------------------- https://www.greynoise.io/blog/stark-industries-shell-game ∗∗∗ Nordkoreas Remote-Angestellte: Fünf Helfer in den USA bekennen sich schuldig ∗∗∗ --------------------------------------------- Schon seit Jahren lässt Nordkorea Menschen über das Internet in den USA arbeiten, um an Gehälter zu kommen. Nun zeigt sich in den USA, wie dabei geholfen wird. --------------------------------------------- https://heise.de/-11082874 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libwebsockets), Fedora (chromium and fvwm3), Mageia (apache, firefox, and postgresql13, postgresql15), Oracle (idm:DL1), Red Hat (bind, bind9.18, firefox, and openssl), SUSE (alloy, ghostscript, and openssl-1_0_0), and Ubuntu (ffmpeg and freeglut). --------------------------------------------- https://lwn.net/Articles/1046891/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 17.11.2025
by Daily end-of-shift report 17 Nov '25

17 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-11-2025 18:00 − Montag 17-11-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Jaguar Land Rover cyberattack cost the company over $220 million ∗∗∗ --------------------------------------------- Jaguar Land Rover (JLR) published its financial results for July 1 to September 30, warning that the cost of a recent cyberattack totaled £196 million ($220 million) in the quarter. --------------------------------------------- https://www.bleepingcomputer.com/news/security/jaguar-land-rover-cyberattac… ∗∗∗ Decades-old 'Finger' protocol abused in ClickFix malware attacks ∗∗∗ --------------------------------------------- The decades-old "finger" command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-… ∗∗∗ DoorDash email spoofing vulnerability sparks messy disclosure dispute ∗∗∗ --------------------------------------------- A vulnerability in DoorDashs systems could allow anyone to send "official" DoorDash-themed emails right from companys authorized servers, paving a near-perfect phishing channel. DoorDash has now patched the issue, but a contentious disclosure dispute has erupted, with both sides accusing each other of acting in bad faith. --------------------------------------------- https://www.bleepingcomputer.com/news/security/doordash-email-spoofing-vuln… ∗∗∗ Cursor Issue Paves Way for Credential-Stealing Attacks ∗∗∗ --------------------------------------------- Researchers discovered a security weakness in the AI-powered coding tool that allows malicious MCP server to hijack Cursors internal browser. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/cursor-issue-credential… ∗∗∗ Ransomware: Kunden- und Mitarbeiterdaten von Logitech gehackt ∗∗∗ --------------------------------------------- Der Zubehörhersteller Logitech hat ein Datenleck eingeräumt. Der Angriff erfolgte wohl über Oracle-Software. --------------------------------------------- https://www.golem.de/news/ransomware-kunden-und-mitarbeiterdaten-von-logite… ∗∗∗ Rust Adoption Drives Android Memory Safety Bugs Below 20% for First Time ∗∗∗ --------------------------------------------- Google has disclosed that the companys continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% for the first time. --------------------------------------------- https://thehackernews.com/2025/11/rust-adoption-drives-android-memory.html ∗∗∗ Overconfidence is the new zero-day as teams stumble through cyber simulations ∗∗∗ --------------------------------------------- Readiness metrics have flatlined since 2023, with most sectors slipping backward as teams fumble crisis drills. Teams that think theyre ready for a major cyber incident are scoring barely 22 percent accuracy and taking more than a day to contain simulated attacks, according to new data out Monday. --------------------------------------------- www.theregister.com/2025/11/17/immersive_cyber_resilience_report/ ∗∗∗ DOJ Issued Seizure Warrant to Starlink Over Satellite Internet Systems Used at Scam Compound ∗∗∗ --------------------------------------------- A new US law enforcement initiative is aimed at crypto fraudsters targeting Americans—and now seeks to seize infrastructure it claims is crucial to notorious scam compounds. --------------------------------------------- https://www.wired.com/story/doj-issued-seizure-warrants-to-starlink-over-sa… ∗∗∗ Cyberangriff: Bundestagspolizei warnt Fraktionen vor gefährlichen USB-Sticks ∗∗∗ --------------------------------------------- In vielen Abgeordnetenbüros sind Postsendungen auf Englisch mit einem USB-Stick eingegangen. Die Polizei mahnt, solche Geräte nicht an Computer anzuschließen. --------------------------------------------- https://www.heise.de/news/Cyberangriff-Bundestagspolizei-warnt-Fraktionen-v… ∗∗∗ Autonome KI-Cyberattacke: Hat sie wirklich so stattgefunden? ∗∗∗ --------------------------------------------- Eine weitgehend autonome, KI-gesteuerte Cyberattacke will Anthropic nicht nur entdeckt, sondern auch gestoppt haben. Aber stimmt das wirklich? --------------------------------------------- https://www.heise.de/news/Autonomer-KI-Cyberangriff-Zweifel-an-Anthropics-U… ∗∗∗ IT-Vorfall bei Washington Post: Daten von knapp 10.000 Leuten abgeflossen ∗∗∗ --------------------------------------------- Über eine Oracle-Schwachstelle sind Kriminelle auch bei der Washington Post eingedrungen. Daten von fast 10.000 Menschen sind abgeflossen. --------------------------------------------- https://www.heise.de/news/IT-Vorfall-bei-Washington-Post-Daten-von-knapp-10… ∗∗∗ Cyberangriffe erschüttern Börsen: Massive finanzielle Folgen ∗∗∗ --------------------------------------------- Eine neue Umfrage zeigt drastische finanzielle Folgen von Cyberangriffen: 70 Prozent der börsennotierten Unternehmen mussten ihre Gewinnprognosen anpassen. --------------------------------------------- https://www.heise.de/news/Studie-Cyberangriffe-treffen-Aktienkurse-und-Fina… ∗∗∗ Scammers are sending bogus copyright warnings to steal your X login ∗∗∗ --------------------------------------------- A copyright violation sounds serious, so cybercriminals are faking messages from the DMCA to lure you into handing over your X credentials. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/scammers-are-sending-bogus-c… ∗∗∗ Advent, Advent – nicht alles glänzt! Vorsicht vor unseriösen Adventkalender-Shops! ∗∗∗ --------------------------------------------- Adventkalender versüßen Groß und Klein die Vorweihnachtszeit. Doch alle Jahre wieder versuchen auch unseriöse Anbieter, Profit aus dem Weihnachtsgeschäft zu schlagen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-adventkalen… ∗∗∗ Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT ∗∗∗ --------------------------------------------- Two campaigns delivering Gh0st RAT to Chinese speakers show a deep understanding of the target populations virtual environment and online behavior. --------------------------------------------- https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-r… ∗∗∗ Initial Access Brokers (IAB) in 2025 – >From Dark Web Listings to Supply Chain Ransomware Events ∗∗∗ --------------------------------------------- Initial access brokers in 2025, how dark web access listings feed ransomware supply chain events like JLR, and what CISOs can do to detect and disrupt them. --------------------------------------------- https://www.darknet.org.uk/2025/11/initial-access-brokers-iab-in-2025-from-… ∗∗∗ From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion ∗∗∗ --------------------------------------------- The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. --------------------------------------------- https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-e… ∗∗∗ Cat’s Got Your Files: Lynx Ransomware ∗∗∗ --------------------------------------------- The intrusion began in early March 2025 with a single successful Remote Desktop Protocol (RDP) logon to an internet-exposed system. Notably, there was no evidence of credential stuffing, brute forcing, or other failed authentication attempts from the source IP, indicating the threat actor likely possessed valid credentials before the activity occurred. --------------------------------------------- https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/ ∗∗∗ MISP v2.5.25 Release Notes ∗∗∗ --------------------------------------------- This release introduces a security fix, significant performance improvements for REST searches, new default feeds, and several important bug fixes. Security: Fixed a vulnerability that could expose user passwords in workflows. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.25 ∗∗∗ AIPAC Discloses Data Breach, Says Hundreds Affected ∗∗∗ --------------------------------------------- AIPAC reports data breach after external system access, hundreds affected, investigation ongoing with added security steps. --------------------------------------------- https://hackread.com/aipac-data-breach-hundreds-affected/ ∗∗∗ EchoGram Flaw Bypasses Guardrails in Major LLMs ∗∗∗ --------------------------------------------- HiddenLayer reveals the EchoGram vulnerability, which bypasses safety guardrails on GPT-5.1 and other major LLMs, giving security teams just a 3-month head start. --------------------------------------------- https://hackread.com/echogram-flaw-bypass-guardrails-major-llms/ ∗∗∗ Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem ∗∗∗ --------------------------------------------- Last year, Mandiant published a blog post highlighting suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries in the Middle East. In this follow-up post, Mandiant discusses additional tactics, techniques, and procedures (TTPs) observed in incidents Mandiant has responded to. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc154… ∗∗∗ No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE ∗∗∗ --------------------------------------------- After my previous post on ARM exploitation, where we crafted an exploit for a known vulnerability, I decided to continue the research on a more modern IoT target. In this follow-up post, I will take you through building a considerably more complex binary exploit. We will explore the path from firmware extraction and analysis to the discovery of a previously unknown vulnerability and its exploitation. --------------------------------------------- https://modzero.com/en/blog/no-leak-no-problem/ ∗∗∗ npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects ∗∗∗ --------------------------------------------- The Socket Threat Research Team recently discovered dino_reborn, an npm threat actor with seven packages constructing an intricate malware campaign. Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher. If the visitor is a victim, they see a fake CAPTCHA, eventually bringing them to a malicious site. If they are a security researcher, only a few tells on the fake website would tip them off that something nefarious may be occurring. --------------------------------------------- https://socket.dev/blog/npm-malware-campaign-uses-adspect-cloaking-to-deliv… ∗∗∗ MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper ∗∗∗ --------------------------------------------- This gives an overview of how .scpt AppleScript are used to creatively deliver macOS malware, such as fake office documents or fake Zoom/Teams updates. Previously a technique seen with APT campaigns for macOS, we can now see samples coming from the macOS stealer ecosystem like MacSync and Odyssey. --------------------------------------------- https://pberba.github.io/security/2025/11/11/macos-infection-vector-applesc… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Fortinet FortiWeb wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke (CVE-2025-64446) in Fortinet FortiWeb erlaubt es unauthentifizierten Angreifer:innen, eigene Admin-Konten zu erstellen und somit die vollständige Kontrolle über betroffene Geräte zu erlangen. Die Schwachstelle wird mindestens seit dem 6. Oktober 2025 aktiv ausgenutzt und Exploitcode ist bereits öffentlich verfügbar. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/11/kritische-sicherheitslucke-in-fort… ∗∗∗ Mehrere Sicherheitslücken bedrohen Cisco Catalyst Center ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen mehrere Schwachstellen in Ciscos Netzwerk-Kontrollzentrum Catalyst Center. --------------------------------------------- https://www.heise.de/news/Admin-Sicherheitsluecke-bedroht-Cisco-Catalyst-Ce… ∗∗∗ Microsoft Patch Tuesday, November 2025 Edition ∗∗∗ --------------------------------------------- Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses patched today affect all versions of Windows, including Windows 10. --------------------------------------------- https://krebsonsecurity.com/2025/11/microsoft-patch-tuesday-november-2025-e… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-base1.0, lasso, and thunderbird), Fedora (bind9-next, chromium, containerd, fvwm3, luksmeta, opentofu, python-pdfminer, python-uv-build, ruff, rust-get-size-derive2, rust-get-size2, rust-regex, rust-regex-automata, rust-reqsign, rust-reqsign-aws-v4, rust-reqsign-command-execute-tokio, rust-reqsign-core, rust-reqsign-file-read-tokio, rust-reqsign-http-send reqwest, suricata, uv, and xmedcon), Mageia (apache-commons-beanutils, apache-commons-fileupload, apache-commons-lang, botan2, python-django, spdlog, stardict, webkit2, and yelp-xsl), Slackware (xpdf), and SUSE (bind, chromedriver, firefox, kernel, libxml2, and openssh). --------------------------------------------- https://lwn.net/Articles/1046756/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 14.11.2025
by Daily end-of-shift report 14 Nov '25

14 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-11-2025 18:00 − Freitag 14-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk ∗∗∗ --------------------------------------------- The ImunifyAV malware scanner for Linux server, used by tens of millions of websites, is vulnerable to a remote code execution vulnerability that could be exploited to compromise the hosting environment. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rce-flaw-in-imunifyav-puts-m… ∗∗∗ New ‘IndonesianFoods’ worm floods npm with 100,000 packages ∗∗∗ --------------------------------------------- A self-spreading package published on npm spams the registry by spawning new packages every every seven seconds, creating large volumes of junk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-indonesianfoods-worm-flo… ∗∗∗ DoorDash hit by new data breach in October exposing user information ∗∗∗ --------------------------------------------- DoorDash has disclosed a data breach that hit the food delivery platform this October. Beginning yesterday evening, DoorDash, which serves millions of customers across the U.S., Canada, Australia, and New Zealand, started emailing those impacted by the newly discovered security incident. --------------------------------------------- https://www.bleepingcomputer.com/news/security/doordash-hit-by-new-data-bre… ∗∗∗ ASUS warns of critical auth bypass flaw in DSL series routers ∗∗∗ --------------------------------------------- ASUS has released new firmware to patch a critical authentication bypass security flaw impacting several DSL series router models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-auth-… ∗∗∗ NIS-2-Umsetzung: Bundestag beschließt umstrittenes Cybersicherheitsgesetz ∗∗∗ --------------------------------------------- NIS 2 kann für Netzbetreiber fehlende Rechtssicherheit, Wirtschaftsrisiken und unnötige Bürokratie bringen. Noch kann der Bundesrat etwas ändern. --------------------------------------------- https://www.golem.de/news/nis-2-umsetzung-bundestag-beschliesst-umstrittene… ∗∗∗ Chinese spies told Claude to break into about 30 critical orgs. Some attacks succeeded ∗∗∗ --------------------------------------------- Anthropic dubs this the first AI-orchestrated cyber snooping campaign Chinese cyber spies used Anthropics Claude Code AI tool to attempt digital break-ins at about 30 high-profile companies and government organizations – and the government-backed snoops "succeeded in a small number of cases," according to a Thursday report from the AI company. --------------------------------------------- https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/ ∗∗∗ Cybergang cl0p will Daten von Carglass, Fluke und NHS erbeutet haben ∗∗∗ --------------------------------------------- Auf der Darknet-Seite der kriminellen Bande cl0p sind neue Einträge zu Carglass, Fluke und NHS aufgetaucht. Dort will sie Daten geklaut haben. --------------------------------------------- https://www.heise.de/news/Datenlecks-Cybergang-cl0p-will-Daten-von-Carglass… ∗∗∗ FBI: Akira gang has received nearly $250 million in ransoms ∗∗∗ --------------------------------------------- The U.S. and European law enforcement released new information to help organizations defend themselves against the Akira ransomware gang, which has attacked small- and medium-sized businesses for years. --------------------------------------------- https://therecord.media/akira-gang-received-million ∗∗∗ Suspected Russian hacker reportedly detained in Thailand, faces possible US extradition ∗∗∗ --------------------------------------------- Russian news reports and Thai sources said police had detained an alleged Russian hacker on the island of Phuket and transferred him to Bangkok for possible transfer to the U.S. --------------------------------------------- https://therecord.media/russian-hacker-detained-thailand-possible-us-extrad… ∗∗∗ Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics ∗∗∗ --------------------------------------------- In this blog entry, Trend™ Research analyses the layered command-and-control approaches that Lumma Stealer uses to maintain its ongoing operations while enhancing collection of victim-environment data. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-finger… ∗∗∗ When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb (??) Auth. Bypass) ∗∗∗ --------------------------------------------- The Internet is ablaze, and once again we all have a front-row seat - a bad person, if you can believe it, is doing a bad thing!The first warning of such behaviour came from the great team at Defused:As many are now aware, an unnamed (and potentially silently --------------------------------------------- https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-imp… ∗∗∗ Fortinet: Neuer Exploit missbraucht Zero-Day-Lücke in Firewalls ∗∗∗ --------------------------------------------- IT-Forscher haben neuen Exploit-Code in ihrem Honeypot gefunden. Der attackiert eine bislang unbekannte Fortinet-Sicherheitslücke. --------------------------------------------- https://heise.de/-11078310 ∗∗∗ Nation state threat actor used Claude Code to orchestrate cyber attacks ∗∗∗ --------------------------------------------- We recently argued that an inflection point had been reached in cybersecurity: a point at which AI models had become genuinely useful for cybersecurity operations, both for good and for ill. This was based on systematic evaluations showing cyber capabilities doubling in six months .. --------------------------------------------- https://www.anthropic.com/news/disrupting-AI-espionage ===================== = Vulnerabilities = ===================== ∗∗∗ Security Vulnerabilities fixed in Thunderbird 145 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-90/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 140.5 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-91/ ∗∗∗ Path confusion vulnerability in GUI ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-25-910 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 13.11.2025
by Daily end-of-shift report 13 Nov '25

13 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-11-2025 18:00 − Donnerstag 13-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ November Patch Tuesday does its chores ∗∗∗ --------------------------------------------- A cleanup month brings 63 patches… wait, no, 68… how about 61? --------------------------------------------- https://news.sophos.com/en-us/2025/11/12/november-patch-tuesday-does-its-ch… ∗∗∗ Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort."The packages were systematically published .. --------------------------------------------- https://thehackernews.com/2025/11/over-46000-fake-npm-packages-flood.html ∗∗∗ Zohocorp ManageEngine: Mehrere Sicherheitslücken in unterschiedlichen Produkten ∗∗∗ --------------------------------------------- Mehrere Schwachstellenberichte zu Lücken in mehreren Zohocorp-ManageEngine-Produkten sind erschienen. Updates stehen bereit. --------------------------------------------- https://www.heise.de/news/Zohocorp-ManageEngine-Mehrere-Sicherheitsluecken-… ∗∗∗ Operation Endgame 3: 1025 Server von Netz genommen ∗∗∗ --------------------------------------------- Internationalen Strafverfolgern ist ein neuerlicher Schlag gegen Malware und dahinterliegende Infrastruktur gelungen. --------------------------------------------- https://www.heise.de/news/Operation-Endgame-3-1025-Server-von-Netz-genommen… ∗∗∗ Citrix Netscaler ADC und Gateway: Update schließt Cross-Site-Scripting-Lücke ∗∗∗ --------------------------------------------- In den Netscaler ADCs und Gateways von Citrix können Angreifer eine Cross-Site-Scripting-Lücke ausnutzen. Updates schließen sie. --------------------------------------------- https://www.heise.de/news/Citrix-Netscaler-ADC-und-Gateway-Update-schliesst… ∗∗∗ Google Sues to Disrupt Chinese SMS Phishing Triad ∗∗∗ --------------------------------------------- Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google. --------------------------------------------- https://krebsonsecurity.com/2025/11/google-sues-to-disrupt-chinese-sms-phis… ∗∗∗ Wenn sich die angebliche Copyright-Verletzung als Betrugsversuch entpuppt ∗∗∗ --------------------------------------------- Immer wieder sorgen E-Mails von vermeintlichen Anwaltskanzleien für Aufregung. Die Empfänger:innen haben angeblich gegen Urheberrechte verstoßen, die Geschädigten fordern Wiedergutmachung. Tatsächlich stimmt hier aber gar nichts. Die Copyright-Verletzung hat nicht stattgefunden, die Anwaltskanzlei existiert nicht. --------------------------------------------- https://www.watchlist-internet.at/news/copyright-verletzung-betrugsversuch/ ∗∗∗ TAG Bulletin: Q3 2025 ∗∗∗ --------------------------------------------- Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q3 2025. --------------------------------------------- https://blog.google/threat-analysis-group/tag-bulletin-q3-2025/ ∗∗∗ Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery ∗∗∗ --------------------------------------------- NVISO reports a new development to the Contagious Interview campaign. The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo and npoint.io to host and deliver malware from trojanized code projects, with the lure being a use case or demo project as part of an interview process. Background Contagious Interview .. --------------------------------------------- https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-js… ∗∗∗ CISA and Partners Release Advisory Update on Akira Ransomware ∗∗∗ --------------------------------------------- Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation, Department of Defense Cyber Crime Center, Department of Health and Human Services, and international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware, to provide network defenders with the latest indicators .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-006 ∗∗∗ Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-005 ∗∗∗ Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-008 ∗∗∗ Drupal core - Moderately critical - Defacement - SA-CORE-2025-007 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-007 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 12.11.2025
by Daily end-of-shift report 12 Nov '25

12 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-11-2025 18:00 − Mittwoch 12-11-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Rhadamanthys infostealer disrupted as cybercriminals lose server access ∗∗∗ --------------------------------------------- The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rhadamanthys-infostealer-dis… ∗∗∗ VU#553375: Unprotected temporary directories in Wolfram Cloud version 14.2 may result in privilege escalation ∗∗∗ --------------------------------------------- Wolfram Cloud version 14.2 allows Java Virtual Machine (JVM) unrestricted access to temporary resources in the /tmp/ directory of the cloud environment which may result in privilege escalation, information exfiltration, and remote code execution. In the same cloud instance, temporary directories of other users may be accessible. --------------------------------------------- https://kb.cert.org/vuls/id/553375 ∗∗∗ WhatsApp Malware Maverick Hijacks Browser Sessions to Target Brazils Biggest Banks ∗∗∗ --------------------------------------------- Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp. --------------------------------------------- https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html ∗∗∗ Cl0p Ransomware Lists NHS UK as Victim, Days After Washington Post Breach ∗∗∗ --------------------------------------------- Cl0p ransomware lists NHS UK as a victim days after The Washington Post confirms a major Oracle E-Business breach linked to CVE-2025-61882 --------------------------------------------- https://hackread.com/cl0p-ransomware-nhs-uk-washington-post-breach/ ∗∗∗ @facebookmail.com Invites Exploited to Phish Facebook Business Users ∗∗∗ --------------------------------------------- If you manage Facebook advertising for a small or medium-sized business, open your inbox with suspicion, because attackers have been sending highly convincing invites that look like they come straight from Meta. --------------------------------------------- https://hackread.com/facebookmail-com-invites-phish-facebook-business/ ∗∗∗ Hackers Use KakaoTalk and Google Find Hub in Android Spyware Attack ∗∗∗ --------------------------------------------- North Korea-linked KONNI hackers used KakaoTalk and Google Find Hub to spy on victims and remotely wipe Android devices in a targeted phishing campaign. --------------------------------------------- https://hackread.com/hackers-kakaotalk-google-find-hub-android-spyware/ ∗∗∗ Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101) ∗∗∗ --------------------------------------------- There’s an elegance to vulnerability research that feels almost poetic - the quiet dance between chaos and control. It’s the art of peeling back the layers of complexity, not to destroy but to understand; to trace the fragile threads that hold systems together and see where they might fray. --------------------------------------------- https://labs.watchtowr.com/is-it-citrixbleed4-well-no-is-it-good-also-no-ci… ∗∗∗ Miniatur Wunderland Ziel von IT-Angriff: Kreditkartendaten abgeflossen ∗∗∗ --------------------------------------------- Cyberkriminelle konnten in das Buchungssystem vom Miniatur Wunderland Hamburg eindringen. Dabei konnten sie offenbar Informationen aus dem Zahlungsverkehr mitlesen. Die Untersuchungen dauern noch an. --------------------------------------------- https://www.heise.de/news/Miniatur-Wunderland-Ziel-von-IT-Angriff-Kreditkar… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws ∗∗∗ --------------------------------------------- Today is Microsoft's November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2025-pat… ∗∗∗ Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland ∗∗∗ --------------------------------------------- Synology has addressed a critical-severity remote code execution (RCE) vulnerability in BeeStation products that was demonstrated at the recent Pwn2Own hacking competition. The security issue (CVE-2025-12686) is described as a ‘buffer copy without checking the size of input’ problem, and can be exploited to allow arbitrary code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synology-fixes-beestation-ze… ∗∗∗ Avast und AVG: Kritische Sicherheitslücke stillschweigend behoben ∗∗∗ --------------------------------------------- In den Malware-Schutzprogrammen der Marken Avast und AVG stand eine als kritisch eingeordnete Sicherheitslücke offen. Die ist inzwischen geschlossen, ebenso eine weitere, weniger schwerwiegende in Avast Free Antivirus. --------------------------------------------- https://www.heise.de/news/Avast-und-AVG-Kritische-Sicherheitsluecke-stillsc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, and libtiff), Debian (kernel, libarchive, rust-sudo-rs, and squid), Fedora (chromium, dotnet8.0, forgejo, ruby, and webkitgtk), Oracle (bind, bind9.18, kernel, kernel-uek*, libtiff, and runc), Red Hat (firefox, kernel, and kernel-rt), Slackware (mozilla), SUSE (buildah, colord, containerd, kernel, lasso, libsoup, micropython, ongres-scram, openssh, proxy-helm, uyuni-tools, python-pdfminer.six, qatengine, qatlib, regclient, and runc), and Ubuntu (raptor and raptor2). --------------------------------------------- https://lwn.net/Articles/1046173/ ∗∗∗ Patchday Adobe: Schadcode-Lücken bedrohen InDesign & Co. ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem Adobe Illustrator, InCopy und Photoshop erschienen. --------------------------------------------- https://heise.de/-11074930 ∗∗∗ Patchday: Intel dichtet zig Sicherheitslücken ab ∗∗∗ --------------------------------------------- Intel hat auch einen Patchday veranstaltet und 30 Sicherheitsmitteilungen mit Updates veröffentlicht. Davon sind sieben hochriskant. --------------------------------------------- https://heise.de/-11075454 ∗∗∗ DSA-6053-1 linux - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00219.html ∗∗∗ ZDI-25-991: Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-991/ ∗∗∗ CVE-2025-13042: Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desk… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/11/12/cisa-adds-three-known-ex… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 11.11.2025
by Daily end-of-shift report 11 Nov '25

11 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Montag 10-11-2025 18:00 − Dienstag 11-11-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Quantum Route Redirect PhaaS targets Microsoft 365 users worldwide ∗∗∗ --------------------------------------------- A new phishing automation platform named Quantum Route Redirect is using around 1,000 domains to steal Microsoft 365 users credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/quantum-route-redirect-phaas… ∗∗∗ How a CPU spike led to uncovering a RansomHub ransomware attack ∗∗∗ --------------------------------------------- A sudden CPU spike turned out to be the first clue of an in-progress RansomHub ransomware attack. Varonis breaks down how their team traced the attack from fake browser updates to domain-admin takeover, ultimately stopping the attack before files were encrypted. --------------------------------------------- https://www.bleepingcomputer.com/news/security/how-a-cpu-spike-led-to-uncov… ∗∗∗ Fernzugriff aus China: Briten untersuchen ihre Elektrobusse auf Kill-Switch ∗∗∗ --------------------------------------------- Eine Untersuchung aus Norwegen ruft weitere Behörden auf den Plan. Der chinesische Hersteller Yutong soll aus der Ferne seine E-Busse lahmlegen können. --------------------------------------------- https://www.golem.de/news/fernzugriff-aus-china-briten-untersuchen-ihre-ele… ∗∗∗ GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites ∗∗∗ --------------------------------------------- The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection. --------------------------------------------- https://thehackernews.com/2025/11/gootloader-is-back-using-new-font-trick.h… ∗∗∗ Phishers try to lure 5K Facebook advertisers with fake business pages ∗∗∗ --------------------------------------------- One company alone was hit with more than 4,200 emails More than 5,000 businesses that use Facebook for advertising were bombarded by tens of thousands of phishing emails in a credential- and data-stealing campaign. --------------------------------------------- www.theregister.com/2025/11/10/5k_facebook_advertising_customers_phishing/ ∗∗∗ Unsichtbarer Wurm in Visual Studio Extensions: GlassWorm lebt ∗∗∗ --------------------------------------------- Der Mitte Oktober entdeckte Supply-Chain-Angriff über die Marktplätze von Visual Studio Code geht offenbar weiter: Auf dem Open-VSX-Marktplatz der Eclipse Foundation sind drei weitere Pakete mit GlassWorm aufgetaucht. --------------------------------------------- https://www.heise.de/news/Schadsoftware-weiter-aktiv-GlassWorm-erneut-in-Op… ∗∗∗ Achtung Phishing: WKO fordert keine Datenaktualisierung per E-Mail! ∗∗∗ --------------------------------------------- Aktuell kursiert eine neue Phishing-Variante im Namen der WKO. In der E-Mail werden Sie aufgefordert, Ihre Handelsregister-, Verzeichnis- oder Unternehmensdaten zu aktualisieren. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-wko-fordert-keine-d… ∗∗∗ You Thought It Was Over? Authentication Coercion Keeps Evolving ∗∗∗ --------------------------------------------- A new type of authentication coercion attack exploits an obscure and rarely monitored remote procedure call (RPC) interface. --------------------------------------------- https://unit42.paloaltonetworks.com/authentication-coercion/ ∗∗∗ Russian hacker to plead guilty to aiding Yanluowang ransomware group ∗∗∗ --------------------------------------------- Court documents show evidence proving Volkov served as an initial access broker for the ransomware gang — breaking into the network of victims and then offering his access for a percentage of the ransom. --------------------------------------------- https://therecord.media/russian-hacker-to-plead-guilty-aiding-ransomware-gr… ∗∗∗ Cyber Action Toolkit: breaking down the barriers to resilience ∗∗∗ --------------------------------------------- How the NCSC’s "Cyber Action Toolkit" is helping small businesses to improve their cyber security. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/cat-breaking-down-resilience-barriers ∗∗∗ Cisco Finds Open-Weight AI Models Easy to Exploit in Long Chats ∗∗∗ --------------------------------------------- Cisco’s new research shows that open-weight AI models, while driving innovation, face serious security risks as multi-turn attacks, including conversational persistence, can bypass safeguards and expose data. --------------------------------------------- https://hackread.com/cisco-open-weight-ai-models-long-chat-exploit/ ∗∗∗ Fake NPM Package With 206K Downloads Targeted GitHub for Credentials ∗∗∗ --------------------------------------------- Veracode Threat Research exposed a targeted typosquatting attack on npm, where the malicious package @acitons/artifact stole GitHub tokens. Learn how this supply chain failure threatened the GitHub organisations code. --------------------------------------------- https://hackread.com/fake-npm-package-downloads-github-credentials/ ∗∗∗ BSI zur Cybersicherheit: Stabil unsicher ∗∗∗ --------------------------------------------- Das aktuelle BSI-Lagebild zeigt eklatante Probleme auf – während der zuständige Minister auf die Wirksamkeit neuer Maßnahmen hofft. --------------------------------------------- https://heise.de/-11074222 ∗∗∗ MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper ∗∗∗ --------------------------------------------- TLDR This gives an overview of how .scpt AppleScript are used to creatively deliver macOS malware, such as fake office documents or fake Zoom/Teams updates. Previously a technique seen with APT campaigns for macOS, we can now see samples coming from the macOS stealer ecosystem like MacSync and Odyssey. --------------------------------------------- https://pberba.github.io/security/2025/11/11/macos-infection-vector-applesc… ===================== = Vulnerabilities = ===================== ∗∗∗ Popular JavaScript library expr-eval vulnerable to RCE flaw ∗∗∗ --------------------------------------------- A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input. --------------------------------------------- https://www.bleepingcomputer.com/news/security/popular-javascript-library-e… ∗∗∗ SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor ∗∗∗ --------------------------------------------- SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credenti… ∗∗∗ Root-Sicherheitslücke bedroht IBMs Datenbanksystem Db2 ∗∗∗ --------------------------------------------- Angreifer können Systeme mit IBM Db2 und Business Automation Workflow attackieren und im schlimmsten Fall Root-Rechte erlangen, um PCs zu kompromittieren. Sicherheitspatches stehen zum Download bereit. --------------------------------------------- https://www.heise.de/news/Root-Sicherheitsluecke-bedroht-IBMs-Datenbanksyst… ∗∗∗ Sicherheitslücke in Dell Display and Peripheral Manager gefährdet PCs ∗∗∗ --------------------------------------------- Wenn Angreifer erfolgreich an einer Lücke in Dell Display and Peripheral Manager unter Windows ansetzen, können sie sich höhere Nutzerrechte verschaffen. In einer aktuellen Version der Software haben die Entwickler eine Sicherheitslücke geschlossen. Bislang gibt es keine Hinweise auf bereits laufende Attacken. --------------------------------------------- https://heise.de/-11073226 ∗∗∗ Security Vulnerabilities fixed in Firefox 145 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/ ∗∗∗ Ivanti November 2025 Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/november-2025-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 10.11.2025
by Daily end-of-shift report 10 Nov '25

10 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-11-2025 18:00 − Montag 10-11-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Malicious NuGet packages drop disruptive time bombs ∗∗∗ --------------------------------------------- Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-dro… ∗∗∗ ClickFix Campaign Targets Hotels, Spurs Secondary Customer Attacks ∗∗∗ --------------------------------------------- Attackers compromise hospitality providers with an infostealer and RAT malware and then use stolen data to launch phishing attacks against customers via both email and WhatsApp. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/clickfix-targets-hot… ∗∗∗ Secure boot certificate rollover is real but probably wont hurt you ∗∗∗ --------------------------------------------- LWN wrote an article which opens with the assertion "Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September". This is, depending on interpretation, either misleading or just plain wrong, but also theres not a good source of truth here, so. --------------------------------------------- https://mjg59.dreamwidth.org/72892.html ∗∗∗ Whisper Leak: A novel side-channel attack on remote language models ∗∗∗ --------------------------------------------- Microsoft has discovered a side-channel attack on language models which allows adversaries to conclude model conversation topics, despite being encrypted. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-nov… ∗∗∗ Honeypot: Requests for (Code) Repositories ∗∗∗ --------------------------------------------- This is just a quick diary entry to report that I saw requests on my honeypot for (code) repositories. --------------------------------------------- https://isc.sans.edu/diary/rss/32460 ∗∗∗ Slot Gacor: The Rise of Online Casino Spam ∗∗∗ --------------------------------------------- Online casino spam has been without a doubt one of the most prevalent types of spam content that we’ve seen on infected websites in recent years. An extremely common method of promoting low-quality or otherwise undesirable websites is for spammers to hack websites and fill them full of backlinks to pump their SEO. --------------------------------------------- https://blog.sucuri.net/2025/11/slot-gacor-the-rise-of-online-casino-spam.h… ∗∗∗ Allianz UK joins growing list of Clop’s Oracle E-Business Suite victims ∗∗∗ --------------------------------------------- Insurance giant’s UK arm says cybercriminals misattributed the real victim Allianz UK confirms it was one of the many companies that fell victim to the Clop gangs Oracle E-Business Suite (EBS) attack after crims reported that they had attacked a subsidiary. --------------------------------------------- www.theregister.com/2025/11/10/allianz_uk_joins_growing_list/ ∗∗∗ Watchguard Firebox: Gefährdung durch Standardpasswort für Admin ∗∗∗ --------------------------------------------- Watchguard versieht die Firebox-Firewalls mit Standardpasswörtern. Angreifer können sich dadurch leicht Admin-Rechte verschaffen. --------------------------------------------- https://www.heise.de/news/Watchguard-Firebox-Gefaehrdung-durch-Standardpass… ∗∗∗ Drilling Down on Uncle Sam’s Proposed TP-Link Ban ∗∗∗ --------------------------------------------- The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say while the proposed ban may have more to do with TP-Links ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box. --------------------------------------------- https://krebsonsecurity.com/2025/11/drilling-down-on-uncle-sams-proposed-tp… ∗∗∗ Handy-Guthaben aufladen? Vorsicht vor gefälschter HoT-Website ∗∗∗ --------------------------------------------- Eine neue Betrugsmasche richtet sich derzeit gegen Kund:innen des Mobilfunkanbieters HoT. Im Internet ist eine täuschend echt gestaltete Website aufgetaucht, die vorgibt, den offiziellen Aufladeservice von HoT bereitzustellen. Wer dort sein Guthaben für Handy oder WLAN aufladen möchte, läuft Gefahr, seine Kreditkartendaten an Kriminelle weiterzugeben. --------------------------------------------- https://www.watchlist-internet.at/news/handy-guthaben-aufladen-vorsicht-vor… ∗∗∗ Hack halts Dutch broadcaster, forcing radio hosts back to LPs ∗∗∗ --------------------------------------------- A Dutch TV and radio broadcaster has found itself at the mercy of cybercriminals after suffering a cyber attack, and leaving it scrambling to find ways to play music to its listeners. Read more in my article on the Hot for Security blog. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/hack-halts-dutch-broa… ∗∗∗ Dont call it Cyber Command 2.0: Master plan for digital forces will take years to implement ∗∗∗ --------------------------------------------- The latest model for improving U.S. Cyber Command is circulating at the Pentagon. Some of the initiatives will spill into the next decade — an approach that is sure to create friction on Capitol Hill and beyond. --------------------------------------------- https://therecord.media/revised-cyber-command-master-plan-dod-pentagon ∗∗∗ Short-term renewal of cyber information sharing law appears in bill to end shutdown ∗∗∗ --------------------------------------------- An expired 2015 law that gives companies liability protection when they share cyberthreat information with the federal government would be renewed through January 30 under Senate legislation to end the government shutdown. --------------------------------------------- https://therecord.media/cisa-2015-information-sharing-law-renewal-bill-endi… ∗∗∗ Russian missile barrage disrupts internet, customs databases in Ukraine ∗∗∗ --------------------------------------------- Emergency blackouts lasting up to 12 hours were introduced following the attack, with Kyiv and other regions facing widespread internet and communication outages, according to internet watchdog NetBlocks. --------------------------------------------- https://therecord.media/russian-missile-barrage-disrupts-internet-ukraine ∗∗∗ Phishing-Kampagne zielt auf Führungskräfte ∗∗∗ --------------------------------------------- In letzter Zeit scheinen Führungskräfte und leitende Angestellte aus unterschiedlichen Branchen verstärkt ins Visier von Cyberkriminellen zu geraten. Diese versuchen die Adressaten mittels Phishing-Mails zur Herausgabe von Daten zu überlisten. --------------------------------------------- https://www.borncity.com/blog/2025/11/08/phishing-kampagne-zielt-auf-fuehru… ∗∗∗ No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480 ∗∗∗ --------------------------------------------- Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet’s Triofox file-sharing and remote access platform. This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerabil… ∗∗∗ EU will DSGVO schleifen – nicht nur bei Cookie-Bannern ∗∗∗ --------------------------------------------- Der von der EU-Kommission geplante "digitale Omnibus" würde bestehende Datenschutzrechte aufweichen. Es geht etwa um Cookies und das Training von KI-Systemen. --------------------------------------------- https://heise.de/-11071630 ∗∗∗ The state of the Rust dependency ecosystem ∗∗∗ --------------------------------------------- Over the past few days, I analyzed over 200,000 crates from crates.io to uncover patterns in maintenance, developer engagement, security, and overall ecosystem health. The results: a mix of fascinating insights, concerning trends, and reasons for optimism. --------------------------------------------- https://00f.net/2025/10/17/state-of-the-rust-ecosystem/ ∗∗∗ Balancer hack analysis and guidance for the DeFi ecosystem ∗∗∗ --------------------------------------------- On November 3, 2025, attackers exploited a vulnerability in Balancer v2 to drain more than $100M across nine blockchain networks. The attack targeted a number of Balancer v2 pools, exploiting a rounding direction error. --------------------------------------------- https://blog.trailofbits.com/2025/11/07/balancer-hack-analysis-and-guidance… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own ∗∗∗ --------------------------------------------- QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-fixes-seven-nas-zero-da… ∗∗∗ Sicherheitslücken in RunC: Angreifer können aus Docker-Containern ausbrechen ∗∗∗ --------------------------------------------- Administratoren sollten aufpassen, welche Docker-Images sie nutzen. Angreifer können sich Root-Zugriff auf das Hostsystem verschaffen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-in-runc-angreifer-koennen-aus-… ∗∗∗ runC Container Escape Vulnerabilities ∗∗∗ --------------------------------------------- High-severity vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were disclosed in early November 2025. A malicious or compromised container image can abuse how runc handles masked paths, bind-mounts, and special files to write to the host /proc filesystem and escape the container boundary - enabling remote code execution on the host, persistence, or cluster-wide denial-of-service. These issues affect virtually all Linux container stacks that use runc (Docker, containerd, CRI-O, Kubernetes, and managed services). --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6248 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 07.11.2025
by Daily end-of-shift report 07 Nov '25

07 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-11-2025 18:00 − Freitag 07-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ID verification laws are fueling the next wave of breaches ∗∗∗ --------------------------------------------- ID laws are forcing companies to store massive amounts of sensitive data, turning compliance into a security risk. Acronis explains how integrated backup and cybersecurity platforms help MSPs reduce complexity and close the gaps attackers exploit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/id-verification-laws-are-fue… ∗∗∗ Test der EFF: Diese Anti-Virus-Tools schützen am besten vor Spionage-Apps ∗∗∗ --------------------------------------------- Mit Stalkerware lassen sich leicht Mitmenschen ausspionieren. Ein neuer Test zeigt, welche Anti-Virus-Tools für Android den besten Schutz bieten. --------------------------------------------- https://www.golem.de/news/test-der-eff-diese-anti-virus-tools-schuetzen-am-… ∗∗∗ The Cats Out of the Bag: A Meow Attack Data Corruption Campaign Simulation via MAD-CAT ∗∗∗ --------------------------------------------- In 2024, I published Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack), which explored the notorious Meow attack campaign that had plagued unsecured databases since 2020. That article focused on demonstrating the attack against a single MongoDB instance using a simple Python script. A proof-of-concept that illustrates how devastating misconfigurations can be. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-cats-ou… ∗∗∗ Google Launches New Maps Feature to Help Businesses Report Review-Based Extortion Attempts ∗∗∗ --------------------------------------------- Google on Thursday said its rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative .. --------------------------------------------- https://thehackernews.com/2025/11/google-launches-new-maps-feature-to.html ∗∗∗ Gootloader malware back for the attack, serves up ransomware ∗∗∗ --------------------------------------------- Move fast - miscreants compromised a domain controller in 17 hours Gootloader JavaScript malware, commonly used to deliver ransomware, is back in action after a period of reduced activity. --------------------------------------------- https://www.theregister.com/2025/11/06/gootloader_back_ransomware/ ∗∗∗ Cybercrims plant destructive time bomb malware in industrial .NET extensions ∗∗∗ --------------------------------------------- Multi-year wait for destruction comes to an end for mystery attackers Security experts have helped remove malicious NuGet packages planted in 2023 that were designed to destroy systems years in advance, with some payloads not due to hit .. --------------------------------------------- https://www.theregister.com/2025/11/07/cybercriminals_plant_destructive_tim… ∗∗∗ Cisco: Tausende Firewalls verwundbar, neue Angriffswege beobachtet ∗∗∗ --------------------------------------------- Zum Missbrauch der seit Ende September bekannten Sicherheitslücken in Cisco-Firewalls haben Angreifer neue Wege gefunden. Tausende sind verwundbar. --------------------------------------------- https://www.heise.de/news/Cisco-Tausende-Firewalls-verwundbar-neue-Angriffs… ∗∗∗ Groupware Zimbra: Updates stopfen mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- In der Groupware Zimbra haben die Entwickler mit aktualisierten Paketen mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Groupware-Zimbra-Updates-stopfen-mehrere-Sicherhe… ∗∗∗ Supply-Chain-Attacken: Fast jedes dritte Unternehmen betroffen ∗∗∗ --------------------------------------------- Ist die Firmen-IT zu gut geschützt, attackieren Angreifer gezielt Zulieferer. Knapp 28 Prozent der Firmen sind betroffen – viele davon mit spürbaren Folgen. --------------------------------------------- https://www.heise.de/news/Supply-Chain-Attacken-Fast-jedes-dritte-Unternehm… ∗∗∗ Exploiting AgTech connectivity to corner the grain market ∗∗∗ --------------------------------------------- I live in the countryside & as a result, know quite a few farmers. The subject of connected farming systems comes up quite a lot in the local pub. Those of you who have watched Clarkson’s Farm will understand just how complex and confusing some tractor systems .. --------------------------------------------- https://www.pentestpartners.com/security-blog/exploiting-agtech-connectivit… ∗∗∗ “Pay up or we share the tapes”: Hackers target massage parlour clients in blackmail scheme ∗∗∗ --------------------------------------------- South Korean police have uncovered a hacking operation that stole sensitive data from massage parlours and blackmailed their male clientele. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/pay-up-or-we-share-th… ∗∗∗ LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices ∗∗∗ --------------------------------------------- Commercial-grade LANDFALL spyware exploits CVE-2025-21042 in Samsung Android’s image processing library. The spyware was embedded in malicious DNG files. --------------------------------------------- https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-androi… ∗∗∗ “I Paid Twice” Scam Infects Booking.com Users with PureRAT via ClickFix ∗∗∗ --------------------------------------------- Cybersecurity firm Sekoia reports a widespread fraud where criminals compromise hotel systems (Booking.com, Expedia and others) with PureRAT malware, then use stolen reservation data to phish and defraud guests. --------------------------------------------- https://hackread.com/i-paid-twice-scam-booking-com-purerat-clickfix/ ∗∗∗ What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) ∗∗∗ --------------------------------------------- Happy Friday, friends and.. others.We’re glad/sorry to hear that your week has been good/bad, and it’s the weekend/but at least it’s almost the weekend!What’re We Doing Today, Mr Fox?Today, in a tale that seems all too --------------------------------------------- https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remot… ∗∗∗ Hausärztin: "Elektronische Patientenakte ist ein digitaler Pappkarton" ∗∗∗ --------------------------------------------- Datenschutz, Technik und Vertrauen bei der elektronischen Patientenakte. Darüber diskutierten Fachleute im rheinland-pfälzischen Landtag. --------------------------------------------- https://heise.de/-11069279 ∗∗∗ Kubevirt security audit ∗∗∗ --------------------------------------------- Security is a core concern in the development of any open-source project. To ensure reliability and resilience, many teams choose to conduct independent audits that help identify potential weaknesses and strengthen their systems. In this context, Quarkslab experts recently performed a security assessment of the KubeVirt with the goal of supporting its .. --------------------------------------------- http://blog.quarkslab.com/kubevirt-security-audit.html ∗∗∗ Results from Testing Six AI Models on Advanced Security Exploits ∗∗∗ --------------------------------------------- We ran three advanced security vulnerabilities through GPT-5, o3, Claude, Gemini, and Grok. --------------------------------------------- https://blog.kilocode.ai/p/we-tested-6-ai-models-on-3-advanced ∗∗∗ 9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads ∗∗∗ --------------------------------------------- Sockets Threat Research Team discovered nine malicious NuGet packages that inject time-delayed destructive payloads into database operations and target industrial control systems. Published under the NuGet alias shanhai666 between 2023 and 2024, these packages terminate the host application process with 20% probability on each database query after specific .. --------------------------------------------- https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-des… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily