=====================
= End-of-Day report =
=====================
Timeframe: Thursday 12-06-2025 18:00 − Friday 13-06-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Trend Micro fixes critical vulnerabilities in multiple products ∗∗∗
---------------------------------------------
Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trend-micro-fixes-six-critic…
∗∗∗ After more than 100 years: cyberattack pushes German company into insolvency ∗∗∗
---------------------------------------------
The Euskirchen-based napkin manufacturer Fasana has payment problems after a cyberattack. Hackers completely paralysed the company's operations.
---------------------------------------------
https://www.golem.de/news/nach-ueber-100-jahren-cyberangriff-draengt-deutsc…
∗∗∗ [Guest Diary] Anatomy of a Linux SSH Honeypot Attack: Detailed Analysis of Captured Malware, (Fri, Jun 13th) ∗∗∗
---------------------------------------------
This is a Guest Diary by Michal Ambrozkiewicz, an ISC intern as part of the SANS.edu Bachelor ..
---------------------------------------------
https://isc.sans.edu/diary/Guest+Diary+Anatomy+of+a+Linux+SSH+Honeypot+Atta…
∗∗∗ WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network ∗∗∗
---------------------------------------------
The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own ..
---------------------------------------------
https://thehackernews.com/2025/06/wordpress-sites-turned-weapon-how.html
∗∗∗ "Login from an unrecognised device": phishing attack in PayPal's name ∗∗∗
---------------------------------------------
An alleged login to an existing PayPal account summons the company's equally alleged security department. Behind the alarming emails and SMS messages, however, is nothing more than a classic phishing scam.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-attacke-paypal/
∗∗∗ Bert ransomware: what you need to know ∗∗∗
---------------------------------------------
Bert is a recently discovered strain of ransomware that encrypts victims' files and demands a payment for the decryption key. Read more in my article on the Fortra blog.
---------------------------------------------
https://www.fortra.com/blog/bert-ransomware-what-you-need-know
∗∗∗ Serverless Tokens in the Cloud: Exploitation and Detections ∗∗∗
---------------------------------------------
Understand the mechanics of serverless authentication: three simulated attacks across major CSPs offer effective approaches for application developers.
---------------------------------------------
https://unit42.paloaltonetworks.com/serverless-authentication-cloud/
∗∗∗ Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors ..
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a
∗∗∗ Email security: increased attacks using SVG ∗∗∗
---------------------------------------------
More and more phishing campaigns use the little-known SVG vector graphics format. It can contain scripts that are executed when the file is opened.
---------------------------------------------
https://heise.de/-10444330
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, glibc, kernel, and mod_security), Fedora (chromium, gh, mingw-icu, nginx-mod-modsecurity, python3.10, python3.9, thunderbird, valkey, and yarnpkg), Oracle (.NET 8.0, .NET 9.0, glibc, grafana-pcp, kernel, libxml2, mod_security, nodejs:20, and thunderbird), SUSE (audiofile, helm, kubernetes-old, kubernetes1.23, kubernetes1.24, libcryptopp, postgresql15, thunderbird, and valkey), and Ubuntu (linux-nvidia-tegra-igx).
---------------------------------------------
https://lwn.net/Articles/1025354/
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released ten Industrial Control Systems (ICS) advisories on June 12, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-162-01 Siemens Tecnomatix Plant Simulation; ICSA-25-162-02 Siemens RUGGEDCOM APE1808; ICSA-25-162-03 Siemens SCALANCE and RUGGEDCOM; ICSA-25-162-04 ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-ten-indust…
∗∗∗ [R1] Nessus Agent Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-11
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-06-2025 18:00 − Thursday 12-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CRA Vulnerability Reports: why would we not share them with other CSIRTs? ∗∗∗
---------------------------------------------
The Cyber Resilience Act (Regulation (EU) 2024/2847) defines security requirements for products with digital elements and requires vendors to report to national CSIRTs if a vulnerability in one of their products is actively exploited.
---------------------------------------------
https://www.cert.at/en/blog/2025/6/cra-vulnerability-reports-why-would-we-n…
∗∗∗ Fog ransomware attack uses unusual mix of legitimate and open-source tools ∗∗∗
---------------------------------------------
Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fog-ransomware-attack-uses-u…
∗∗∗ Password-spraying attacks target 80,000 Microsoft Entra ID accounts ∗∗∗
---------------------------------------------
Hackers have been using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/password-spraying-attacks-ta…
∗∗∗ Google Bug Allowed Brute-Forcing of Any User Phone Number ∗∗∗
---------------------------------------------
Google has fixed a security vulnerability in its page for recovering account details that allowed anyone to access the page and brute-force the private phone number of any user. The flaw posed a significant risk to Google users by exposing them to risk of phishing and other attacks.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/google-bug-brute-forcin…
∗∗∗ Air-gapped systems: malware exfiltrates data via high-frequency sound ∗∗∗
---------------------------------------------
The well-known security researcher Mordechai Guri has presented a new attack technique that allows data to be exfiltrated via a smartwatch from air-gapped systems that have no network connection of their own. The attack, dubbed Smartattack, is based on transmitting data using sound waves in such a high frequency range that, depending on a person's hearing, they are barely or not at all perceptible to humans.
---------------------------------------------
https://www.golem.de/news/air-gapped-systeme-malware-leitet-daten-ueber-hoc…
∗∗∗ Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks ∗∗∗
---------------------------------------------
Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks.
---------------------------------------------
https://thehackernews.com/2025/06/former-black-basta-members-use.html
∗∗∗ Critical vulnerability in Microsoft 365 Copilot shows the risk of AI agents ∗∗∗
---------------------------------------------
The M365 AI agent could be tricked by email, without a single mouse click, into disclosing sensitive information. Microsoft has now closed the hole.
---------------------------------------------
https://www.heise.de/news/Kritische-Sicherheitsluecke-in-Microsoft-365-Copi…
∗∗∗ Brand counterfeiting online: a growing threat to Austrian online retail ∗∗∗
---------------------------------------------
Hardly any brand on the internet is safe from counterfeiting anymore: criminals use stolen logos and product images of popular retailers to create deceptively real fake shops. Besides well-known brands, small and medium-sized enterprises (SMEs) are increasingly affected. A study by the Austrian Institute for Applied Telecommunications (ÖIAT) examined the extent of brand counterfeiting on the internet and developed concrete recommendations for action for SMEs.
---------------------------------------------
https://www.watchlist-internet.at/news/markenfaelschungen-im-netz-eine-wach…
∗∗∗ JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique ∗∗∗
---------------------------------------------
We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. Threat actors commonly use this type of campaign to invisibly redirect victims from legitimate websites to malicious pages that serve malware, exploits and spam.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-…
∗∗∗ Fortinet: attackers can redirect VPN connections ∗∗∗
---------------------------------------------
Several Fortinet products are vulnerable. Attackers can exploit security vulnerabilities in FortiADC, FortiAnalyzer, FortiClientEMS, FortiClientWindows, FortiManager, FortiManager Cloud, FortiOS, FortiPAM, FortiProxy, FortiSASE and FortiWeb. In the worst case, this can lead to the execution of malicious code.
---------------------------------------------
https://heise.de/-10441108
=====================
= Vulnerabilities =
=====================
∗∗∗ Phishing attacks with manipulated SVG files - caution advised ∗∗∗
---------------------------------------------
CERT.at warns of a sharp increase in phishing campaigns in which manipulated SVG (Scalable Vector Graphics) files are used as email attachments. This attack method has been observed with increasing frequency for several months and poses a serious threat, since SVG files are not adequately inspected by many security solutions.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/6/phishing-angriffe-mit-manipulierten…
∗∗∗ GitLab patches high severity account takeover, missing auth issues ∗∗∗
---------------------------------------------
GitLab has released security updates to address multiple vulnerabilities in the company's DevSecOps platform, including ones enabling attackers to take over accounts and inject malicious jobs in future pipelines. The company released GitLab Community and Enterprise versions 18.0.2, 17.11.4, and 17.10.8 to address these security flaws and urged all admins to upgrade immediately.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity…
∗∗∗ Thunderbird: HTML emails can leak credentials, update available ∗∗∗
---------------------------------------------
Mozilla has released updates for Thunderbird. They plug a security hole in the display of HTML emails.
---------------------------------------------
https://www.heise.de/news/Thunderbird-HTML-Mails-koennen-Zugangsdaten-verra…
∗∗∗ Palo Alto patches high-risk vulnerabilities in PAN-OS and GlobalProtect ∗∗∗
---------------------------------------------
Palo Alto Networks has issued security advisories on vulnerabilities in several products, such as the PAN-OS operating system and the GlobalProtect app. Attackers can abuse the vulnerabilities to inject commands and execute them with elevated privileges, to inject and execute malicious code, or to view traffic without authorisation.
---------------------------------------------
https://www.heise.de/news/Palo-Alto-stopft-hochriskante-Luecken-in-PAN-OS-u…
∗∗∗ Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) ∗∗∗
---------------------------------------------
ONLYOFFICE Docs was affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which were reflected in the server's HTML response.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel), Debian (chromium, gst-plugins-bad1.0, node-tar-fs, and ublock-origin), Gentoo (Emacs, File-Find-Rule, GStreamer, GStreamer Plugins, GTK+ 3, LibreOffice, Node.js, OpenImageIO, Python, PyPy, Qt, X.Org X server, XWayland, and YAML-LibYAML), Mageia (mariadb and roundcubemail), Red Hat (go-toolset:rhel8, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, libxml2, libxslt, mod_security, nodejs:20, and perl-FCGI:0.78), Slackware (mozilla), SUSE (docker, docker-compose, iputils, kernel, libsoup, open-vm-tools, rabbitmq-server, rabbitmq-server313, wget, and yelp), and Ubuntu (libsoup2.4 and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1025208/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-06-2025 18:00 − Wednesday 11-06-2025 18:00
Handler: Alexander Riepl
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Microsoft Outlook to block more risky attachments used in attacks ∗∗∗
---------------------------------------------
Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-outlook-to-block-m…
∗∗∗ ConnectWise rotating code signing certificates over security concerns ∗∗∗
---------------------------------------------
ConnectWise is warning customers that it is rotating the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables over security concerns.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-si…
∗∗∗ Tens of thousands of surveillance cameras stream unprotected to the internet ∗∗∗
---------------------------------------------
Surveillance cameras are everywhere: in subways, on doorbells and in elevators. Often you don't even notice them, since there are now such small and inconspicuous models. American security researchers are now warning how easy it is for third parties to gain access to the feeds of such surveillance cameras. In one test, the experts at Bitsight were able to retrieve live feeds from a total of 40,000 cameras connected to the internet.
---------------------------------------------
https://futurezone.at/digital-life/zehntausende-ueberwachungskameras-stream…
∗∗∗ Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th) ∗∗∗
---------------------------------------------
RATs are popular malware. There are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated.
---------------------------------------------
https://isc.sans.edu/diary/rss/32036
∗∗∗ Trump Quietly Throws Out Bidens Cyber Policies ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from Axios: President Trump quietly took a red pen to much of the Biden administration's cyber legacy in a little-noticed move late Friday. Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Biden's cyber policy legacy - while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber
---------------------------------------------
https://it.slashdot.org/story/25/06/10/2044217/trump-quietly-throws-out-bid…
∗∗∗ Unexplained phishing incidents around Booking.com ∗∗∗
---------------------------------------------
Hotels in South Tyrol are increasingly dealing with compromised Booking.com extranet accounts, which they use to communicate with guests. It is still unclear why.
---------------------------------------------
https://www.heise.de/news/Ungeklaerte-Phishing-Vorfaelle-rund-um-Booking-co…
∗∗∗ UEFI BIOS vulnerabilities: SecureBoot bypass and firmware replacement possible ∗∗∗
---------------------------------------------
Two different security vulnerabilities in various UEFI BIOS versions from several vendors allow the SecureBoot mechanism to be bypassed. In UEFI BIOSes from Insyde, attackers can even replace the firmware. Vulnerable systems can thus be completely compromised. Proof-of-concept code for this is publicly available. System manufacturers are working on BIOS updates to close the holes.
---------------------------------------------
https://www.heise.de/news/UEFI-BIOS-Luecken-SecureBoot-Umgehung-und-Firmwar…
∗∗∗ Reflective Kerberos Relay Attack Against Domain-Joined Windows Clients and Servers ∗∗∗
---------------------------------------------
RedTeam Pentesting has developed the Reflective Kerberos Relay Attack which remotely allows low-privileged Active Directory domain users to obtain NT AUTHORITY\SYSTEM privileges on domain-joined Windows computers. This vulnerability affects all domain-joined Windows hosts that do not require SMB signing of incoming connections. In their default configurations, this includes all Windows 10 and 11 versions up to 23H2 and all Windows Server versions including 2025 24H2 and excluding domain controllers.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-002/
∗∗∗ Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day ∗∗∗
---------------------------------------------
https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campa…
∗∗∗ UK cyber agency pushes for strategic policy agenda as government efforts stall ∗∗∗
---------------------------------------------
Following years-long delays in the United Kingdom bringing forward new cybersecurity legislation, what seems to be an increasingly exasperated National Cyber Security Centre (NCSC) called on Monday for the country to adopt a strategic policy agenda to tackle the growing risks.
---------------------------------------------
https://therecord.media/ncsc-pushes-uk-government-create-strategic-cyber-po…
∗∗∗ Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested ∗∗∗
---------------------------------------------
An international cybercrime operation coordinated by INTERPOL has led to the takedown of more than 20,000 malicious IPs and domains used to deploy infostealer malware across the Asia-Pacific region.
---------------------------------------------
https://hackread.com/operation-secure-interpol-disrupts-infostealer-domains/
∗∗∗ Hydroph0bia (CVE-2025-4275) - a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O, part 1 ∗∗∗
---------------------------------------------
This post will be about a vulnerability I dubbed Hydroph0bia (as a pun on Insyde H2O) aka CVE-2025-4275 or INSYDE-SA-2025002.
---------------------------------------------
https://coderush.me/hydroph0bia-part1/
∗∗∗ NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073 ∗∗∗
---------------------------------------------
For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The vulnerability discovery, the complete analysis of the root cause as well as the patch by Microsoft will be detailed in this blogpost.
---------------------------------------------
https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live…
∗∗∗ Influencing LLM Output using logprobs and Token Distribution ∗∗∗
---------------------------------------------
What if you could influence an LLM's output not by breaking its rules, but by bending its probabilities? In this deep-dive, we explore how small changes in user input (down to a single token) can shift the balance between “true” and “false”, triggering radically different completions.
---------------------------------------------
https://blog.sicuranext.com/infuencing-llm-output-using-logprobs-and-token-…
∗∗∗ Software Supply Chain Attacks Have Surged in Recent Months ∗∗∗
---------------------------------------------
IT and software supply chain attacks have surged in recent months, as threat actors have gotten better at exploiting supply chain vulnerabilities, Cyble threat intelligence researchers reported this week. In a June 9 blog post, Cyble researchers said software supply chain attacks have grown from just under 13 a month during February-September 2024 to just over 16 a month from October 2024 to May 2025, an increase of 25%. However, the last two months have seen an average of nearly 25 cyberattacks with supply chain impact, a near-doubling of supply chain attacks from the year-ago period.
---------------------------------------------
https://thecyberexpress.com/software-supply-chain-attacks-have-surged/
∗∗∗ Undocumented root shell access in SIMCom modem ∗∗∗
---------------------------------------------
The SIMCom SIM7600G modem supports an undocumented AT command that allows a local/physical attacker to execute system commands with root privileges on the modem. The status of the removal of the backdoor command is unclear, since the manufacturer has not responded after numerous attempts at contact.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/undocumented-root-she…
=====================
= Vulnerabilities =
=====================
∗∗∗ New Secure Boot flaw lets attackers install bootkit malware, patch now ∗∗∗
---------------------------------------------
Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-at…
∗∗∗ Patch Tuesday, June 2025 Edition ∗∗∗
---------------------------------------------
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
---------------------------------------------
https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/
∗∗∗ Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities ∗∗∗
---------------------------------------------
Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.”
---------------------------------------------
https://blog.talosintelligence.com/microsoft-patch-tuesday-june-2025/
∗∗∗ Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw ∗∗∗
---------------------------------------------
Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh, an open-source XDR and SIEM solution, to spread the Mirai malware. This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh's API, allowing them to take control of affected servers remotely.
---------------------------------------------
https://hackread.com/two-mirai-botnets-lzrd-resgod-exploiting-wazuh-flaw/
∗∗∗ TBK DVRs Botnet Attack ∗∗∗
---------------------------------------------
Threat Actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices (Digital Video Recorders). This flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the endpoint. The compromised devices are being conscripted into a botnet capable of conducting DDoS attacks. If successfully exploited, there is a potential for significant disruption from DDoS attacks, lateral movement, or further malware delivery.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6127
∗∗∗ Patch day: malicious-code vulnerabilities closed in Adobe Acrobat, InDesign & Co. ∗∗∗
---------------------------------------------
Attackers can exploit security vulnerabilities (CVE-2025-43573 / EUVD-2025-17828) in Adobe Acrobat, Commerce, Experience Manager, InCopy, InDesign, Substance 3D Painter and Substance 3D Sampler. As part of the June patch day, Adobe is providing updates for download.
---------------------------------------------
https://heise.de/-10439601
∗∗∗ The June 2025 Security Update Review ∗∗∗
---------------------------------------------
https://www.thezdi.com/blog/2025/6/10/the-june-2025-security-update-review
∗∗∗ Security Vulnerabilities fixed in Thunderbird 139.0.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-50/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-06-2025 18:00 − Tuesday 10-06-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Over 84,000 Roundcube instances vulnerable to actively exploited flaw ∗∗∗
---------------------------------------------
Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-84-000-roundcube-instan…
∗∗∗ FIN6 hackers pose as job seekers to backdoor recruiters’ devices ∗∗∗
---------------------------------------------
In a twist on typical hiring-related social engineering attacks, the FIN6 hacking group impersonates job seekers to target recruiters, using convincing resumes and phishing sites to deliver malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-see…
∗∗∗ Windows: design flaw allows group policies to be overridden ∗∗∗
---------------------------------------------
A design problem lurks in Windows that allows normal users and malware to override group policies set by admins. A report by ..
---------------------------------------------
https://www.golem.de/news/windows-designproblem-erlaubt-aushebeln-von-grupp…
∗∗∗ Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs ∗∗∗
---------------------------------------------
SentinelOne discovered the campaign when they tried to hit the security vendor's own servers. An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out.
---------------------------------------------
https://www.theregister.com/2025/06/09/china_malware_flip_switch_sentinelon…
∗∗∗ DanaBleed: DanaBot C2 Server Memory Leak Bug ∗∗∗
---------------------------------------------
DanaBot is a Malware-as-a-Service (MaaS) platform that has been active since 2018. DanaBot operates on an affiliate model, where the malware developer sells access to customers who then distribute and use the malware for activities like credential theft and banking fraud. The developer is responsible for creating the malware, maintaining the ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server…
∗∗∗ Microsoft: remedy for security vulnerability caused by deleted "inetpub" folder ∗∗∗
---------------------------------------------
A Windows update created an "inetpub" folder. If it is deleted, this may block further updates. A script helps.
---------------------------------------------
https://www.heise.de/news/Microsoft-Abhilfe-fuer-Sicherheitsluecke-durch-ge…
∗∗∗ SAP patch day: another critical vulnerability in NetWeaver ∗∗∗
---------------------------------------------
On its June patch day, SAP addresses partly critical vulnerabilities in the Walldorf company's products in 14 new security notes.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-Erneut-kritische-Sicherheitsluecke-i…
∗∗∗ Malvertising: searching for standard Mac commands delivers infostealers ∗∗∗
---------------------------------------------
A devious scheme: when searching for standard macOS commands, pages appear that display commands for installing malware.
---------------------------------------------
https://www.heise.de/news/Malvertising-Suche-nach-Standardbefehlen-fuer-Mac…
∗∗∗ Phishing alert: ex-employee is not giving away discount codes! ∗∗∗
---------------------------------------------
Videos and posts on social media platforms create the impression that a dismissed employee of a large retail company is giving away discount codes as revenge against her former employer. In fact, it is nothing more than a simple phishing trap.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-rabattcodes/
∗∗∗ Fake emails in the name of the WKO in circulation! ∗∗∗
---------------------------------------------
Fraudulent emails are currently in circulation that claim to come from the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich, WKO). In these fake messages, business owners are asked to pay the 2025 chamber levy (Kammerumlage) and at the same time lured into disclosing their WKO login credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-e-mails-im-namen-der-wko-im-…
∗∗∗ The Evolution of Linux Binaries in Targeted Cloud Operations ∗∗∗
---------------------------------------------
Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files.
---------------------------------------------
https://unit42.paloaltonetworks.com/elf-based-malware-targets-cloud/
∗∗∗ New hacker group uses LockBit ransomware variant to target Russian companies ∗∗∗
---------------------------------------------
In its latest campaign this spring, DarkGaboon was observed deploying LockBit 3.0 ransomware against victims in Russia, Positive Technologies said in a report last week.
---------------------------------------------
https://therecord.media/new-hacker-group-lockbit-target-russia
∗∗∗ Spyware maker cuts ties with Italy after government refused audit into hack of journalist’s phone ∗∗∗
---------------------------------------------
Israel-based spyware maker Paragon and Italy's government had a falling out over the company's offer to help investigate what happened on journalist Francesco Cancellato's phone.
---------------------------------------------
https://therecord.media/paragon-spyware-maker-cuts-ties-italy-government
∗∗∗ Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats ∗∗∗
---------------------------------------------
GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-brute-force-activity-targeting-ap…
∗∗∗ Bitsight Identifies Thousands of Security Cameras Openly Accessible on the Internet ∗∗∗
---------------------------------------------
In our latest research at Bitsight TRACE, we found over 40,000 exposed cameras streaming live on the internet. No passwords. No protections. Just out there. We first raised the alarm in 2023, and based on this latest study, the situation hasn’t gotten any better.
---------------------------------------------
https://www.bitsight.com/blog/bitsight-identifies-thousands-of-compromised-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (golang, nodejs22, thunderbird, and varnish), Debian (gimp, modsecurity-apache, python-tornado, and roundcube), Fedora (chromium, coreutils, fcgi, ghostscript, krb5, libvpx, mingw-gstreamer1-plugins-bad-free, mingw-libsoup, mod_security, and samba), Mageia (php-adodb, systemd, and tomcat), Red Hat (buildah, firefox, glibc, grafana, kernel, libsoup, libxslt, mod_security, perl-FCGI, podman, python-tornado, and skopeo), Slackware (libvpx), and SUSE ..
---------------------------------------------
https://lwn.net/Articles/1024625/
∗∗∗ Security Vulnerabilities fixed in Firefox 139.0.4 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-47/
∗∗∗ June Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/june-security-update
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-06-2025 18:00 − Friday 06-06-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Hacker selling critical Roundcube webmail exploit as tech info disclosed ∗∗∗
---------------------------------------------
Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-selling-critical-roun…
∗∗∗ FBI: BADBOX 2.0 Android malware infects millions of consumer devices ∗∗∗
---------------------------------------------
The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-badbox-20-android-malwar…
∗∗∗ Critical Fortinet flaws now exploited in Qilin ransomware attacks ∗∗∗
---------------------------------------------
The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-fortinet-flaws-now-…
∗∗∗ Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721 ∗∗∗
---------------------------------------------
Kaspersky GReAT experts describe the new features of a Mirai variant: the latest botnet infections target TBK DVR devices with CVE-2024-3721.
---------------------------------------------
https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-20…
∗∗∗ Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hard-Coded Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks. "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantec's Security Technology and ..
---------------------------------------------
https://thehackernews.com/2025/06/popular-chrome-extensions-leak-api-keys.h…
∗∗∗ AT&T not sure if new customer data dump is déjà vu ∗∗∗
---------------------------------------------
Re-selling info from an earlier breach? Probably. But which one? AT&T is investigating claims that millions of its customers' data are listed for sale on a cybercrime forum in what appears to be a re-release from an earlier hack.
---------------------------------------------
https://www.theregister.com/2025/06/05/att_investigates_data_dump/
∗∗∗ Turning Off the (Information) Flow: Working With the EPA to Secure Hundreds of Exposed Water HMIs ∗∗∗
---------------------------------------------
In October 2024, Censys researchers discovered nearly 400 web-based HMIs for U.S. water facilities exposed online. These were identified via TLS certificate analysis and confirmed through screenshot ..
---------------------------------------------
https://censys.com/blog/turning-off-the-information-flow-working-with-the-e…
∗∗∗ Blitz Malware: A Tale of Game Cheats and Code Repositories ∗∗∗
---------------------------------------------
Blitz malware, active since 2024 and updated in 2025, was spread via game cheats. We discuss its infection vector and abuse of Hugging Face for C2.
---------------------------------------------
https://unit42.paloaltonetworks.com/blitz-malware-2025/
∗∗∗ DDoS attacks on Austrian companies and organisations ∗∗∗
---------------------------------------------
We are currently receiving an increasing number of reports from Austrian companies and organisations about DDoS attacks against their systems and networks. Targets in a wide variety of areas and sectors are affected; no particular focus of the criminals can be identified so far. In some attacks there are clear indications ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/6/ddos-angriffe-auf-osterreichische-u…
∗∗∗ Nigeria jails 9 Chinese nationals for being part of international cyberfraud syndicate ∗∗∗
---------------------------------------------
The group was arrested in December as part of a raid that included 599 Nigerians and 193 other foreign nationals, many of them Chinese, on suspicion of being involved in a range of online crimes.
---------------------------------------------
https://therecord.media/nigeria-jails-9-chinese-nationals-cyber-fraud
∗∗∗ Unsecured Database Exposes Data of 3.6 Million Passion.io Creators ∗∗∗
---------------------------------------------
A massive data leak has put the personal information of over 3.6 million app creators, influencers, and ..
---------------------------------------------
https://hackread.com/unsecured-database-exposes-passion-io-creators-data/
∗∗∗ NICKNAME: Zero-Click iMessage Exploit Targeted Key Figures in US, EU ∗∗∗
---------------------------------------------
iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU ..
---------------------------------------------
https://hackread.com/nickname-zero-click-imessage-exploit-figures-us-eu/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (go-toolset:rhel8, golang, nodejs:20, nodejs:22, openssh, and python36:3.6), Debian (edk2, libfile-find-rule-perl, and webkit2gtk), Fedora (emacs, libvpx, perl-FCGI, and seamonkey), Mageia (cifs-utils), Red Hat (containernetworking-plugins, go-toolset:rhel8, golang, gvisor-tap-vsock, krb5, mod_auth_openidc:2.3, protobuf, and thunderbird), Slackware (seamonkey), SUSE (gimp, gnutls, haproxy, opensaml, openssh, openvpn, python-cryptography, ..
---------------------------------------------
https://lwn.net/Articles/1024317/
∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released seven Industrial Control Systems (ICS) advisories on June 5, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-155-01 CyberData 011209 SIP Emergency Intercom; ICSA-25-155-02 Hitachi Energy Relion 670, 650 series and SAM600-IO Product; ICSA-21-049-02 Mitsubishi Electric FA ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/06/05/cisa-releases-seven-indu…
∗∗∗ ZDI-25-325: Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-325/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-06-2025 18:00 − Thursday 05-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ BidenCash carding market domains seized in international operation ∗∗∗
---------------------------------------------
Earlier today, law enforcement seized multiple domains of BidenCash, the infamous dark web market for stolen credit cards, personal information, and SSH access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bidencash-carding-market-dom…
∗∗∗ Cisco warns of ISE and CCP flaws with public exploit code ∗∗∗
---------------------------------------------
Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-warns-of-ise-and-ccp-f…
∗∗∗ Researchers Bypass Deepfake Detection With Replay Attacks ∗∗∗
---------------------------------------------
An international group of researchers found that simply rerecording deepfake audio with natural acoustics in the background allows it to bypass detection models at a higher-than-expected rate.
---------------------------------------------
https://www.darkreading.com/cybersecurity-analytics/researchers-bypass-deep…
∗∗∗ For data theft: Hackers hijack Salesforce accounts en masse ∗∗∗
---------------------------------------------
Security researchers at the Google Threat Intelligence Group (GTIG) warn of ongoing vishing (voice phishing) attacks that aim to gain access to Salesforce instances and exfiltrate confidential corporate data from them in bulk.
---------------------------------------------
https://www.golem.de/news/fuer-datenklau-hacker-kapern-reihenweise-salesfor…
∗∗∗ Be Careful With Fake Zoom Client Downloads ∗∗∗
---------------------------------------------
Collaborative tools are really popular these days. Since the COVID-19 pandemic, many people switched to remote work positions and we need to collaborate with our colleagues or customers every day. Tools like Microsoft Teams, Zoom, WebEx, (name your best solution), became popular and must be regularly updated. Yesterday, I received an interesting email with a fake Zoom meeting invitation.
---------------------------------------------
https://isc.sans.edu/diary/rss/32014
∗∗∗ AI kept 15-year-old zombie vuln alive, but its time is drawing near ∗∗∗
---------------------------------------------
Despite multiple developer warnings about the 2010 GitHub Gist containing the path traversal vulnerability in 2012, 2014, and 2018, the flaw appeared in MDN Web Docs documentation and a Stack Overflow snippet. From there, it took up residence in large language models (LLMs) trained on the flawed examples.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/06/05/llm_kept_per…
∗∗∗ Musikhaus Thomann: Criminals lure victims into fake shops ∗∗∗
---------------------------------------------
The success of the music mail-order retailer is increasingly attracting fraudsters. They replicate the original online shop in detail and offer products at unrealistically low prices. Anyone who orders there receives nothing, however, and instead loses money. We explain how to spot the fakes most easily.
---------------------------------------------
https://www.watchlist-internet.at/news/musikhaus-thomann-fake-shops/
∗∗∗ Newly identified wiper malware "PathWiper" targets critical infrastructure in Ukraine ∗∗∗
---------------------------------------------
Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling "PathWiper".
---------------------------------------------
https://blog.talosintelligence.com/pathwiper-targets-ukraine/
∗∗∗ Updated Guidance on Play Ransomware ∗∗∗
---------------------------------------------
CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued an updated advisory on Play ransomware, also known as Playcrypt. This advisory highlights new tactics, techniques, and procedures used by the Play ransomware group and provides updated indicators of compromise (IOCs) to enhance threat detection. Since June 2022, Playcrypt has targeted diverse businesses and critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/06/04/updated-guidance-play-ra…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Integrated Management Controller Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers could allow an authenticated, remote attacker to access internal services with elevated privileges.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Nexus Dashboard Fabric Controller SSH Host Key Validation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the SSH implementation of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to impersonate Cisco NDFC-managed devices. This vulnerability is due to insufficient SSH host key validation.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates: Dell fixes PowerScale OneFS and Bluetooth driver ∗∗∗
---------------------------------------------
Attackers can exploit a vulnerability in Dell's NAS operating system PowerScale OneFS to delete files. In addition, a flaw in the Bluetooth driver leaves countless Dell PCs vulnerable to attack. Security updates are available for download.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Dell-repariert-PowerScale-OneF…
∗∗∗ VMware NSX: High-risk security vulnerability patched ∗∗∗
---------------------------------------------
Broadcom warns of security vulnerabilities, some of them high-risk, in the network virtualisation and security platform VMware NSX. Among other things, attackers can inject and execute malicious code. IT administrators should promptly update to the fixed versions.
---------------------------------------------
https://www.heise.de/news/VMware-NSX-Hochriskante-Sicherheitsluecke-gestopf…
∗∗∗ Acronis Cyber Protect: Multiple security vulnerabilities, some critical ∗∗∗
---------------------------------------------
The vendor has discovered multiple security vulnerabilities, some of them highly critical, in its extensive antivirus and backup software Acronis Cyber Protect. The developers are closing them with updated software.
---------------------------------------------
https://www.heise.de/news/Acronis-Cyber-Protect-Mehrere-teils-kritische-Sic…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and mariadb-10.5), Oracle (firefox, ghostscript, git, go-toolset:ol8, golang, kernel, krb5, mingw-freetype and spice-client-win, nodejs:20, nodejs:22, perl-CPAN, python36:3.6, rsync, varnish, and varnish:6), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (curl and python3), SUSE (apache-commons-beanutils, apache2-mod_security2, avahi, buildkit, ca-certificates-mozilla, cloud-regionsrv-client, cloud-regionsrv-client, python-toml, containerd, containerized-data-importer, cups, curl, dnsmasq, docker, elemental-operator, elemental-toolkit, expat, firefox, freetype2, gdk-pixbuf, git, glib2, glibc, gnuplot, gnutls, gpg2, gstreamer, gstreamer-plugins-base, gtk3, haproxy, helm, java-17-openjdk, java-1_8_0-openjdk, keepalived, kernel, kernel-firmware, krb5, kubevirt, less, libarchive, libcryptopp, libdb-4_8, libndp, libpcap, libsoup, libtasn1, libvirt, libX11, libxml2, libxslt, Mesa, mozilla-nss, nghttp2, nvidia-open-driver-G06-signed, opensc, openssh, openssl-3, openssl-3, libpulp, ulp-macros, orc, pam, pam_pkcs11, pam_u2f, patch, pcp, pcr-oracle, shim, perl-Crypt-OpenSSL-RSA, podman, postgresql16, procps, protobuf, python-dnspython, python-Jinja2, python-requests, python-setuptools, python-tornado6, python-urllib3, python311, python311, python-rpm-macros, qemu, rsync, runc, rust-keylime, selinux-policy, sevctl, skopeo, sssd, SUSE Manager Client Tools, systemd, thunderbird, tiff, tpm2.0-tools, tpm2-0-tss, u-boot, ucode-intel, unbound, util-linux, vim, wget, and wpa_supplicant), and Ubuntu (linux-nvidia, python-django, twitter-bootstrap3, twitter-bootstrap4, and wireshark).
---------------------------------------------
https://lwn.net/Articles/1024158/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-06-2025 18:00 − Wednesday 04-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Coinbase breach tied to bribed TaskUs support agents in India ∗∗∗
---------------------------------------------
A recently disclosed data breach at Coinbase has been linked to India-based customer support representatives from outsourcing firm TaskUs, who threat actors bribed to steal data from the crypto exchange.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/coinbase-breach-tied-to-brib…
∗∗∗ Sandbox bypass: Meta and Yandex de-anonymise Android users ∗∗∗
---------------------------------------------
Security researchers uncover a method by which Meta and Yandex converted ephemeral web identifiers into persistent user identities.
---------------------------------------------
https://www.golem.de/news/umgehung-des-sandboxings-meta-und-yandex-de-anony…
∗∗∗ The strange tale of ischhfd83: When cybercriminals eat their own ∗∗∗
---------------------------------------------
This investigation is a good example of how threats can be much more complex than they first appear. From an initial customer query about a new RAT, we uncovered a significant amount of backdoored GitHub repositories, containing multiple kinds of backdoors.
---------------------------------------------
https://news.sophos.com/en-us/2025/06/04/the-strange-tale-of-ischhfd83-when…
∗∗∗ Acreed infostealer poised to replace Lumma after global crackdown ∗∗∗
---------------------------------------------
The Acreed malware, which emerged earlier this year, is gaining ground with cybercriminals who otherwise might have used the Lumma infostealer, researchers said.
---------------------------------------------
https://therecord.media/acreed-infostealer-arises-after-lumma-takedown
∗∗∗ Attacks under way: Connectwise, Craft CMS and Asus routers targeted ∗∗∗
---------------------------------------------
CISA warns of attacks on security flaws in Connectwise ScreenConnect, Craft CMS and Asus routers. Updates are available.
---------------------------------------------
https://heise.de/-10424978
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Patch Day: Attackers can gain elevated privileges ∗∗∗
---------------------------------------------
Important security updates close multiple vulnerabilities in Android 13, 14 and 15. Attackers are attacking devices with Qualcomm processors.
---------------------------------------------
https://www.heise.de/news/Patchday-Android-Angreifer-koennen-sich-hoehere-R…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (git, krb5, perl-CPAN, and rsync), Debian (tcpdf), Fedora (libmodsecurity, lua-http, microcode_ctl, and nextcloud), Red Hat (osbuild-composer), SUSE (389-ds, avahi, ca-certificates-mozilla, docker, expat, freetype2, glib2, gnuplot, gnutls, golang-github-teddysun-v2ray-plugin, golang-github-v2fly-v2ray-core, govulncheck-vulndb, helm, iperf, kernel, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, krb5, libarchive, libsoup, libsoup2, libtasn1, libX11, libxml2, libxslt, orc, podman, python-Jinja2, python-requests, python3-setuptools, python310, python311, python39, rubygem-rack, sslh, SUSE Manager Client Tools, SUSE Manager Client Tools and Salt Bundle, ucode-intel, util-linux, and wget), and Ubuntu (libvpx, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-nvidia-tegra, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-aws-fips, linux-gcp-fips, linux-azure-fde, linux-fips, and linux-intel-iot-realtime, linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1023793/
∗∗∗ ZDI-25-324: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-324/
∗∗∗ ZDI-25-323: Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-323/
∗∗∗ ZDI-25-321: GIMP ICO File Parsing Integer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-321/
∗∗∗ Critical Vulnerability in multiple Mitsubishi Electric MELSEC iQ-F Series Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-03
∗∗∗ Critical Vulnerability in Schneider Electric Wiser Home Automation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-01
=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-06-2025 18:00 − Tuesday 03-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Malicious RubyGems pose as Fastlane to steal Telegram API data ∗∗∗
---------------------------------------------
Two malicious RubyGems packages posing as popular Fastlane CI/CD plugins redirect Telegram API requests to attacker-controlled servers to intercept and steal data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-rubygems-pose-as-f…
∗∗∗ Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets ∗∗∗
---------------------------------------------
A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list.
---------------------------------------------
https://thehackernews.com/2025/06/android-trojan-crocodilus-now-active-in.h…
∗∗∗ How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms ∗∗∗
---------------------------------------------
We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems.
---------------------------------------------
https://unit42.paloaltonetworks.com/comparing-llm-guardrails-across-genai-p…
∗∗∗ Cyberattacks Hit Top Retailers: Cartier, North Face Among Latest Victims ∗∗∗
---------------------------------------------
North Face, Cartier, and Next Step Healthcare are the latest victims in a string of cyberattacks compromising customer data. Explore the methods used by attackers and the wider impact on retail security.
---------------------------------------------
https://hackread.com/cyberattacks-retailers-cartier-north-face-victims/
∗∗∗ Inside RansomHub: Tactics, Targets, and What It Means for You ∗∗∗
---------------------------------------------
What is RansomHub ransomware? We dive into the group's TTPs, latest attacks and news, & mitigation strategies you should know in 2025.
---------------------------------------------
https://www.bitsight.com/blog/guide-to-ransomhub-ransomware-2025
=====================
= Vulnerabilities =
=====================
∗∗∗ Google patches actively attacked vulnerability in Chrome ∗∗∗
---------------------------------------------
A vulnerability in Google Chrome's JavaScript engine V8 allows attackers to read and write outside the intended memory boundaries. An exploit for this vulnerability has appeared in the wild, so it is evidently already under attack.
---------------------------------------------
https://www.heise.de/news/Google-stopft-attackierte-Luecke-in-Chrome-104232…
∗∗∗ Security update: Various attacks on HPE StoreOnce possible ∗∗∗
---------------------------------------------
Eight software vulnerabilities in HPE's backup solution StoreOnce leave systems open to attack. Among them is a "critical" flaw. Further attacks can place malicious code on PCs. A version protected against possible attacks is now available for download.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Vielfaeltige-Attacken-auf-HPE-S…
∗∗∗ Attackers can attack Roundcube Webmail with malicious code ∗∗∗
---------------------------------------------
Web administrators should promptly bring their Roundcube Webmail instances up to date. In the current releases, the developers have closed a security vulnerability through which malicious code can reach systems.
---------------------------------------------
https://www.heise.de/news/Kritische-Schadcode-Luecke-bedroht-Roundcube-Webm…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (varnish), Debian (asterisk and roundcube), Fedora (systemd), Mageia (golang), Red Hat (ghostscript, perl-CPAN, python36:3.6, and rsync), SUSE (govulncheck-vulndb, libsoup-2_4-1, and postgresql, postgresql16, postgresql17), and Ubuntu (mariadb, open-vm-tools, php-twig, and python-tornado).
---------------------------------------------
https://lwn.net/Articles/1023625/
∗∗∗ SVD-2025-0604: Third-Party Package Updates in Splunk Universal Forwarder - June 2025 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-0604
∗∗∗ SVD-2025-0603: Third-Party Package Updates in Splunk Enterprise - June 2025 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-0603
∗∗∗ SVD-2025-0602: Incorrect permission assignment on Universal Forwarder for Windows during new installation or upgrade ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-0602
=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-05-2025 18:00 − Monday 02-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Exploit details for max severity Cisco IOS XE flaw now public ∗∗∗
---------------------------------------------
Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-details-for-max-seve…
∗∗∗ German arms manufacturer: cyber gang leaks internal Rheinmetall data ∗∗∗
---------------------------------------------
The German arms manufacturer Rheinmetall has apparently been the target of a cyberattack in which confidential data fell into the attackers' hands. The hacker group Babuk2 had already listed Rheinmetall on its data leak site on 4 April. Tagesschau.de now reports that the NRW data protection authority and the Federal Office for Information Security (BSI) have also been informed of the incident.
---------------------------------------------
https://www.golem.de/news/deutscher-ruestungskonzern-cybergang-leakt-intern…
∗∗∗ Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Across 6 Global Regions ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.
---------------------------------------------
https://thehackernews.com/2025/06/fake-recruiter-emails-target-cfos-using.h…
∗∗∗ Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump ∗∗∗
---------------------------------------------
A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names. The leaks include thousands of chat logs, personal videos, and ransom negotiations tied to some of the most notorious cyber-extortion gangs — believed to have raked in billions from companies, hospitals, and individuals worldwide.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/31/gangexposed_…
∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗
---------------------------------------------
We found four vulnerabilities by downloading and extracting Revolution Pi’s latest firmware version (01/2025). We didn’t even need to buy the device, although one would look great on our ICS demo rig! All were found with static code analysis but demonstrated by installing the firmware to a standard Raspberry Pi.
---------------------------------------------
https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g…
∗∗∗ The remote desktop puzzle. DFIR techniques for dealing with RDP Bitmap Cache ∗∗∗
---------------------------------------------
A lot of people are aware of RDP and what its functions are. It's known for providing remote access and making life easier for administrators and users. With that comes insight for forensic investigators in the form of the 'bitmap cache'. This is often overlooked, but when analysed correctly it can provide a great understanding of what has happened on a system.
---------------------------------------------
https://www.pentestpartners.com/security-blog/the-remote-desktop-puzzle-dfi…
∗∗∗ LOLCLOUD - Azure Arc - C2aaS ∗∗∗
---------------------------------------------
Exploring Azure Arc's overlooked C2aaS potential: attacking with it, defending against its use, and exploring use cases.
---------------------------------------------
https://blog.zsec.uk/azure-arc-c2aas/
=====================
= Vulnerabilities =
=====================
∗∗∗ New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora ∗∗∗
---------------------------------------------
Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps on Linux systems.
---------------------------------------------
https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html
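The two bugs above turn a crash handler into a read primitive against the memory of a privileged process, so the practical question for an administrator is whether the host writes core dumps of set-uid processes to disk at all. The following audit is an added example by the editor, not code from the article or from the Apport or systemd projects. It assumes that the relevant knobs are fs.suid_dumpable and the Storage= and ProcessSizeMax= keys of systemd's coredump.conf (Apport's own configuration and coredump.conf.d drop-ins are not covered), and it works on constructed sample file contents so it runs offline; audit_live_host() reads the real files.

```python
"""Core-dump exposure audit (added example, not the article's or the projects' code).

Assumption: what a crash of a set-uid process leaves on disk is bounded by
fs.suid_dumpable and by the Storage= / ProcessSizeMax= keys of systemd's
coredump.conf.  Apport settings and /etc/systemd/coredump.conf.d/ drop-ins
are not evaluated.
"""
from pathlib import Path

# Constructed sample contents, not copied from any real host.
SUID_DUMPABLE_DEFAULT = "2\n"   # common distro default: set-uid crashes are handed to the core handler
SUID_DUMPABLE_HARDENED = "0\n"  # set-uid processes are never dumped
COREDUMP_CONF_DEFAULT = """[Coredump]
#Storage=external
Storage=external
ProcessSizeMax=2G
"""
COREDUMP_CONF_HARDENED = """[Coredump]
Storage=none
ProcessSizeMax=0
"""


def parse_coredump_conf(text):
    """Return the keys of the [Coredump] section as a dict.

    Blank and commented lines are skipped and a later assignment overrides an
    earlier one, which is enough of systemd's ini handling for an audit.
    """
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Coredump" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def assess(suid_dumpable_text, coredump_conf_text):
    """Return a list of findings; an empty list means a set-uid crash leaves no dump behind."""
    findings = []
    mode = int(suid_dumpable_text.strip() or "0")
    if mode != 0:
        findings.append(f"fs.suid_dumpable={mode}: set-uid processes are dumpable (set to 0)")
    conf = parse_coredump_conf(coredump_conf_text)
    storage = conf.get("Storage", "external")      # systemd's default when the key is unset
    if storage != "none":
        findings.append(f"coredump.conf Storage={storage}: dumps are kept on disk (consider Storage=none)")
    if conf.get("ProcessSizeMax", "2G") != "0":    # systemd's 64-bit default is 2G
        findings.append("coredump.conf ProcessSizeMax!=0: process memory is still captured")
    return findings


def audit_live_host(proc_path="/proc/sys/fs/suid_dumpable",
                    conf_path="/etc/systemd/coredump.conf"):
    """Audit the running system; a missing coredump.conf is treated as all-defaults."""
    suid = Path(proc_path).read_text() if Path(proc_path).exists() else "0"
    conf = Path(conf_path).read_text() if Path(conf_path).exists() else ""
    return assess(suid, conf)


if __name__ == "__main__":
    for finding in audit_live_host() or ["no findings"]:
        print(finding)
```

Run it as root on a fleet host and treat any finding as a reason to tighten the setting until the vendor packages are installed; on a patched host the findings still describe how much a future crash handler bug would expose.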
∗∗∗ 2025-06-02: Cyber Security Advisory - ELSB/Home Solutions Outdated SW Components in ABB Welcome IP-Gateway ∗∗∗
---------------------------------------------
An attacker who successfully exploits these vulnerabilities could potentially gain unauthorized access and compromise the confidentiality, integrity and availability of the system and its log files.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A8948&Lan…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (espeak-ng, kitty, kmail-account-wizard, krb5, libreoffice, libvpx, net-tools, python-flask-cors, symfony, tcpdf, thunderbird, and twitter-bootstrap3), Fedora (chromium, dropbear, firefox, gstreamer1-plugins-bad-free, python-tornado, systemd, and thunderbird), Mageia (coreutils, deluge, glib2.0, and redis), Oracle (firefox, kernel, and systemd), Red Hat (firefox, kernel, kernel-rt, varnish, varnish:6, and zlib), SUSE (bind, curl, dnsdist, docker, ffmpeg-7, firefox, glibc, golang-github-prometheus-alertmanager, govulncheck-vulndb, icinga2, iputils, java-11-openjdk, java-1_8_0-ibm, kea, kernel, libopenssl-3-devel, libsoup, libxml2, nodejs-electron, open-vm-tools, openbao, perl-Net-Dropbox-API, pluto, poppler, postgresql14, postgresql15, postgresql16, postgresql17, python312-setuptools, runc, s390-tools, skopeo, sqlite3, thunderbird, and unbound), and Ubuntu (apport and libphp-adodb).
---------------------------------------------
https://lwn.net/Articles/1023501/
∗∗∗ Multiple vulnerabilities in wivia 5 ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN51394666/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 28-05-2025 18:00 − Freitag 30-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Interlock ransomware gang deploys new NodeSnake RAT on universities ∗∗∗
---------------------------------------------
The Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutes for persistent access to corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-de…
∗∗∗ APT41 malware abuses Google Calendar for stealthy C2 communication ∗∗∗
---------------------------------------------
The Chinese APT41 hacking group uses a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-…
∗∗∗ Threat actors abuse Google Apps Script in evasive phishing attacks ∗∗∗
---------------------------------------------
Threat actors are abusing the ‘Google Apps Script’ development platform to host phishing pages that appear legitimate and steal login credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a…
∗∗∗ ConnectWise breached in cyberattack linked to nation-state hackers ∗∗∗
---------------------------------------------
IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cybe…
∗∗∗ Everest Group Extorts Global Orgs via SAP's HR Tool ∗∗∗
---------------------------------------------
Extortionist-cum-information broker "Everest Group" has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/everest-group-extort…
∗∗∗ Security flaw: why ChatGPT can often read the entire OneDrive folder ∗∗∗
---------------------------------------------
Researchers warn of a security flaw in Microsoft's File Picker for OneDrive. Apps such as ChatGPT can read far more than users expect.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-warum-chatgpt-oft-den-gesamten-…
∗∗∗ Exploits and vulnerabilities in Q1 2025 ∗∗∗
---------------------------------------------
This report contains statistics on vulnerabilities and published exploits, along with an analysis of the most noteworthy vulnerabilities we observed in the first quarter of 2025.
---------------------------------------------
https://securelist.com/vulnerabilities-and-exploits-in-q1-2025/116624/
∗∗∗ New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers ∗∗∗
---------------------------------------------
Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet.
---------------------------------------------
https://thehackernews.com/2025/05/new-windows-rat-evades-detection-for.html
∗∗∗ Attack on LexisNexis Risk Solutions exposes data on 300k + ∗∗∗
---------------------------------------------
LexisNexis Risk Solutions (LNRS) is the latest big-name organization to disclose a serious cyberattack leading to data theft, with the number of affected individuals pegged at 364,333.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/28/attack_on_le…
∗∗∗ Billions of cookies up for grabs as experts warn over session security ∗∗∗
---------------------------------------------
A VPN vendor says billions of stolen cookies currently on sale either on dark web or Telegram-based marketplaces remain active and exploitable. More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/29/billions_of_…
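A stolen cookie is only worth buying while the server still honours it, and how long that is and from where it can be replayed is set by the attributes the server puts on Set-Cookie. The audit below is an added example by the editor, not code from the article or from NordVPN's report. It flags the attributes whose absence keeps a stolen cookie usable (Secure, HttpOnly, SameSite, a long Max-Age) and checks the __Host- prefix rules; the one-day lifetime threshold and the sample headers are constructed assumptions, and Expires= is deliberately not evaluated because it needs the server's clock to interpret.

```python
"""Set-Cookie hardening audit (added example, not the article's or any vendor's code)."""

MAX_SESSION_LIFETIME = 24 * 3600   # assumption: one day; tune per application

# Constructed sample response headers, not captured from any real site.
WEAK = "sessionid=abc123; Path=/; Max-Age=2592000"
HARDENED = "__Host-sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"
BAD_PREFIX = "__Host-sid=abc123; Domain=example.com; Secure; HttpOnly; SameSite=Strict"


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, max_lifetime=MAX_SESSION_LIFETIME):
    """Return a list of findings for one Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by injected script")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    raw_age = attrs.get("max-age")
    if raw_age is not None:
        if isinstance(raw_age, str) and raw_age.lstrip("-").isdigit():
            lifetime = int(raw_age)
            if lifetime > max_lifetime:
                findings.append(
                    f"Max-Age={lifetime}s: a stolen copy stays valid for {lifetime // 86400} days")
        else:
            findings.append("Max-Age is not an integer")
    # Expires= is not evaluated: interpreting it needs the server's clock.
    if name.startswith("__Host-") and (
        "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain attribute")
    return findings


def audit_response(raw_headers):
    """Audit every Set-Cookie line of a raw HTTP response header block.

    Returns {cookie_name: [findings]} so a scanner can diff results across hosts.
    """
    report = {}
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            header = line.split(":", 1)[1].strip()
            report[parse_set_cookie(header)[0]] = audit_set_cookie(header)
    return report


if __name__ == "__main__":
    for sample in (WEAK, HARDENED, BAD_PREFIX):
        print(sample.split(";")[0], "->", audit_set_cookie(sample) or "ok")
```

Feed it the raw header block from a curl -i or a proxy capture; a clean result does not make a session unstealable, but it bounds what an infostealer gains and for how long, and server-side revocation on logout or password change closes the rest of the window.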
∗∗∗ U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams ∗∗∗
---------------------------------------------
The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.
---------------------------------------------
https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as…
∗∗∗ Fake Bitdefender website used to spread infostealer malware ∗∗∗
---------------------------------------------
The attackers created a website that closely mimics Bitdefender’s legitimate Windows download page. Victims are infected after clicking a seemingly authentic “Download for Windows” button, which delivers a malicious archive. The archive contains executable files configured to deploy VenomRAT, which is used for remote access, keylogging and data exfiltration.
---------------------------------------------
https://therecord.media/fake-bitdefender-website-venomrat-infostealer
∗∗∗ Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say ∗∗∗
---------------------------------------------
Cybersecurity researchers at BeyondTrust are warning about a little-known but dangerous issue within Microsoft’s Entra identity platform. The issue isn’t some hidden bug or overlooked vulnerability; it’s a feature, built into the system by design, that attackers can exploit.
---------------------------------------------
https://hackread.com/microsoft-entra-design-guest-users-gain-azure-control/
∗∗∗ Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale ∗∗∗
---------------------------------------------
A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”
---------------------------------------------
https://hackread.com/threat-actor-tiktok-breach-428-million-records-sale/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (firefox-esr, libvpx, net-tools, php-twig, python-tornado, setuptools, varnish, webpy, yelp, and yelp-xsl), Fedora (xen), Mageia (cimg and ghostscript), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, thunderbird, and unbound), Red Hat (firefox, mingw-freetype and spice-client-win, pcs, and varnish:6), Slackware (curl and mozilla), SUSE (apparmor, containerd, dnsdist, go1.23-openssl, go1.24, gstreamer-plugins-bad, ImageMagick, jetty-minimal, python-tornado, python313-setuptools, s390-tools, thunderbird, tomcat10, ucode-intel, and wxWidgets-3_2), and Ubuntu (ffmpeg, krb5, libsoup3, libsoup2.4, linux-aws-5.4, linux-aws-fips, linux-fips, linux-oracle-6.8, net-tools, and python-setuptools, setuptools).
---------------------------------------------
https://lwn.net/Articles/1023072/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, firefox, ghostscript, gstreamer1-plugins-bad-free, libsoup3, mingw-freetype, perl, ruby, sqlite, thunderbird, unbound, valkey, and xz), Debian (chromium, firefox-esr, libavif, linux-6.1, modsecurity-apache, mydumper, systemd, and thunderbird), Fedora (coreutils, dnsdist, docker-buildx, maturin, mingw-python-flask, mingw-python-flit-core, ruff, rust-hashlink, rust-rusqlite, and thunderbird), Red Hat (pcs), SUSE (augeas, brltty, brotli, ca-certificates-mozilla, dnsdist, glibc, grub2, kernel, libsoup, libsoup2, libxml2, open-vm-tools, perl, postgresql13, postgresql15, postgresql16, postgresql17, python-cryptography, python-httpcore, python-h11, python311, runc, s390-tools, slurm, slurm_20_11, slurm_22_05, slurm_23_02, slurm_24_11, tomcat, and webkit2gtk3), and Ubuntu (linux-aws).
---------------------------------------------
https://lwn.net/Articles/1023259/
∗∗∗ On Demand JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 27-05-2025 18:00 − Mittwoch 28-05-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers ∗∗∗
---------------------------------------------
GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
---------------------------------------------
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-rou…
∗∗∗ DragonForce Ransomware Strikes MSP in Supply Chain Attack ∗∗∗
---------------------------------------------
DragonForce, a ransomware "cartel" that has gained significant popularity since its debut in 2023, attacked an MSP as part of a recent supply chain attack, via known SimpleHelp bugs.
---------------------------------------------
https://www.darkreading.com/application-security/dragonforce-ransomware-msp…
∗∗∗ Zanubis in motion: Tracing the active evolution of the Android banking malware ∗∗∗
---------------------------------------------
A comprehensive historical breakdown of Zanubis changes, including RC4 and AES encryption, credentials stealing and new targets in Peru, provided by Kaspersky GReAT experts.
---------------------------------------------
https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/1165…
∗∗∗ Fake Java Update Popup Found in Malicious WordPress Plugin ∗∗∗
---------------------------------------------
We recently assisted a customer who reported a persistent and concerning "Java Update" pop-up appearing on their WordPress website. This type of deceptive notification is a common tactic used by attackers to compromise website visitors. Our investigation revealed a malicious plugin operating stealthily within their WordPress environment.
---------------------------------------------
https://blog.sucuri.net/2025/05/fake-java-update-popup-found-in-malicious-w…
∗∗∗ OneDrive File Picker Flaw Provides ChatGPT and Other Web Apps Full Read Access to Users’ Entire OneDrive ∗∗∗
---------------------------------------------
Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user's entire OneDrive content, rather than just the specific files selected for upload via the OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp, meaning millions of users may have already granted these apps access to their OneDrive.
---------------------------------------------
https://www.oasis.security/resources/blog/onedrive-file-picker-security-fla…
∗∗∗ Chinese spies blamed for attempted hack on Czech government network ∗∗∗
---------------------------------------------
Czech authorities said they assessed with “a high degree of certainty” that a Chinese cyber-espionage group known as APT31, Judgment Panda, Bronze Vinewood or RedBravo tried to hack into a government network.
---------------------------------------------
https://therecord.media/czechia-accuses-china-cyber-espionage-apt31
∗∗∗ New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know ∗∗∗
---------------------------------------------
ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.
---------------------------------------------
https://hackread.com/new-phishing-campaign-dbatloader-drop-remcos-rat/
∗∗∗ Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users ∗∗∗
---------------------------------------------
ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users.
---------------------------------------------
https://hackread.com/malware-ai-models-pypi-targets-alibaba-ai-labs-users/
∗∗∗ Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day ∗∗∗
---------------------------------------------
On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. The infrastructure and execution suggest centralized planning.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-ta…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security flaws: IBM Guardium Data Protection as an entry point for attackers ∗∗∗
---------------------------------------------
Several vulnerabilities in IBM Guardium Data Protection can lead to data leaks. Updates fix the issues.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-IBM-Guardium-Data-Protection-a…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools).
---------------------------------------------
https://lwn.net/Articles/1022853/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 139 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/
∗∗∗ F5: K000151516, Python urllib vulnerability CVE-2019-9947 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151516
∗∗∗ F5: K000151520, Python vulnerabilities CVE-2018-20852, CVE-2014-4616, and CVE-2013-7040 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151520
=====================
= End-of-Day report =
=====================
Timeframe: Montag 26-05-2025 18:00 − Dienstag 27-05-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MATLAB dev confirms ransomware attack behind service outage ∗∗∗
---------------------------------------------
MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mathworks-blames-ransomware-…
∗∗∗ Not Every CVE Deserves a Fire Drill: Focus on What’s Exploitable ∗∗∗
---------------------------------------------
Not every "critical" vulnerability is a critical risk. Picus Exposure Validation cuts through the noise by testing what's actually exploitable in your environment, so you can patch what matters.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/not-every-cve-deserves-a-fir…
∗∗∗ Chinese-Owned VPNs ∗∗∗
---------------------------------------------
One of my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain. A new study found that many commercial VPNs are (often surreptitiously) owned by Chinese companies. It would be hard for U.S. users to avoid the Chinese VPNs. The ownership of many appeared deliberately opaque, with several concealing their structure behind layers of offshore shell companies.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/05/chinese-owned-vpns.html
∗∗∗ Cyber Security Operations Center: ESA wants more IT security ∗∗∗
---------------------------------------------
The space agency ESA is stepping up its IT security efforts and has now opened its Cyber Security Operations Center.
---------------------------------------------
https://www.heise.de/news/Cyber-Security-Operations-Center-ESA-will-mehr-IT…
∗∗∗ Dutch intelligence unmasks previously unknown Russian hacking group Laundry Bear ∗∗∗
---------------------------------------------
Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
---------------------------------------------
https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlan…
∗∗∗ Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites ∗∗∗
---------------------------------------------
Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-wea…
=====================
= Vulnerabilities =
=====================
∗∗∗ GitHub MCP Exploited: Accessing private repositories via MCP ∗∗∗
---------------------------------------------
We showcase a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data. The vulnerability is among the first discovered by Invariants security analyzer for detecting toxic agent flows.
---------------------------------------------
https://invariantlabs.ai/blog/mcp-github-vulnerability
∗∗∗ Update for ManageEngine ADAudit Plus closes high-risk security holes ∗∗∗
---------------------------------------------
Vendor Zoho has fixed two vulnerabilities rated high risk in ManageEngine ADAudit Plus.
---------------------------------------------
https://www.heise.de/news/Update-fuer-ManageEngine-ADAudit-Plus-stopft-hoch…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free, libsoup, and python-tornado), Debian (libavif and pgbouncer), Red Hat (gstreamer1-plugins-bad-free, mingw-freetype and spice-client-win, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, and python310-setuptools), and Ubuntu (flask, intel-microcode, openjdk-17-crac, tika, and Tomcat).
---------------------------------------------
https://lwn.net/Articles/1022703/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.11 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.24 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
∗∗∗ Security Vulnerabilities fixed in Firefox 139 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 23-05-2025 18:00 − Montag 26-05-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying ∗∗∗
---------------------------------------------
An example of how a single malware operation can enable both criminal and state-sponsored hacking.
---------------------------------------------
https://arstechnica.com/security/2025/05/feds-charge-16-russians-allegedly-…
∗∗∗ Gitlab Duo: hidden comment makes AI tool leak private code ∗∗∗
---------------------------------------------
Gitlab Duo recently had serious security problems. Attackers could siphon off private source code or inject malicious code into other people's software projects.
---------------------------------------------
https://www.golem.de/news/gitlab-duo-versteckter-kommentar-laesst-ki-tool-p…
∗∗∗ Fake Google Meet Page Tricks Users into Running PowerShell Malware ∗∗∗
---------------------------------------------
Last month, a customer reached out to us after noticing suspicious URLs on their WordPress site. Visitors reported being prompted to perform unusual actions. We began our investigation, scanning the site for common ..
---------------------------------------------
https://blog.sucuri.net/2025/05/fake-google-meet-page-tricks-users-into-run…
∗∗∗ Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique ∗∗∗
---------------------------------------------
The malware known as Latrodectus has become the latest to embrace the widely used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory ..
---------------------------------------------
https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.h…
∗∗∗ Operation Endgame 2: 15 million e-mail addresses and 43 million passwords ∗∗∗
---------------------------------------------
"Operation Endgame 2.0" brought many millions of victims' addresses and passwords to light. Have I Been Pwned has added them.
---------------------------------------------
https://www.heise.de/news/Operation-Endgame-2-15-Millionen-E-Mail-Adressen-…
∗∗∗ New supply-chain attack with malicious scripts in npm packages ∗∗∗
---------------------------------------------
A new supply-chain attack threatens workstations and CI environments. The malicious script spies out internal data for follow-on attacks.
---------------------------------------------
https://www.heise.de/news/Neuer-Lieferkettenangriff-mit-boesartigen-Skripte…
∗∗∗ Criminal group "Careto" allegedly directed by the Spanish government ∗∗∗
---------------------------------------------
It is not only China and Russia that run cyber gangs. Former Kaspersky employees claim the "Careto" group is directed by Spain.
---------------------------------------------
https://www.heise.de/news/Kriminelle-Gruppe-Careto-angeblich-von-spanischer…
∗∗∗ Hacker offers 1.2 billion Facebook user records on the dark net: is it a fake? ∗∗∗
---------------------------------------------
Has there been a new data leak at Meta subsidiary Facebook? A hacker claims to have pulled 1.2 billion Facebook user records via an API and is offering them for sale on the dark net. There are doubts, however, as to whether the data is new.
---------------------------------------------
https://www.borncity.com/blog/2025/05/23/hacker-bietet-12-milliarden-facebo…
∗∗∗ Offensive Threat Intelligence ∗∗∗
---------------------------------------------
CTI isn’t just for blue teams. Used properly, it sharpens red team tradecraft, aligns ops to real-world threats, and exposes blind spots defenders often miss. It’s not about knowing threats, it’s about becoming them long enough to help others beat them.
---------------------------------------------
https://blog.zsec.uk/offensive-cti/
∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗
---------------------------------------------
AhnLab and the National Cyber Security Center (NCSC) have released a report that details the activities of the TA-ShadowCricket group from 2023 to the present.
---------------------------------------------
https://asec.ahnlab.com/en/88137/
∗∗∗ ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks ∗∗∗
---------------------------------------------
Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.
---------------------------------------------
https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/
∗∗∗ BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover ∗∗∗
---------------------------------------------
Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any…
---------------------------------------------
https://hackread.com/badsuccessor-exploits-windows-server-2025-takeover/
∗∗∗ How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation ∗∗∗
---------------------------------------------
In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API – no scaffolding, no agentic frameworks, no tool use.
---------------------------------------------
https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-re…
∗∗∗ Bypassing MTE with CVE-2025-0072 ∗∗∗
---------------------------------------------
In this post, I’ll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
---------------------------------------------
https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-…
∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗
---------------------------------------------
In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally ..
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5924-1 intel-microcode - security update ∗∗∗
---------------------------------------------
This update ships updated CPU microcode for some types of Intel CPUs. In particular it provides mitigations for the Indirect Target Selection (ITS) vulnerability (CVE-2024-28956) and the Branch Privilege Injection vulnerability (CVE-2024-45332). For CPUs affected by ITS (Indirect Target Selection), to fully mitigate the vulnerability it is also necessary to ..
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00087.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-05-2025 18:00 − Friday 23-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ TikTok videos now push infostealer malware in ClickFix attacks ∗∗∗
---------------------------------------------
As Trend Micro recently discovered, the threat actors behind this TikTok social engineering campaign are using videos likely generated using AI that ask viewers to run commands claiming to activate Windows and Microsoft Office, as well as premium features in various legitimate software like CapCut and Spotify.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infos…
∗∗∗ FBI warns of Luna Moth extortion attacks targeting law firms ∗∗∗
---------------------------------------------
The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks. Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022 and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-luna-moth-extor…
∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗
---------------------------------------------
In this blog post, we get to the heart of the matter, the actual security of the Windows Registry. I'd like to talk about what made a feature that was initially meant to be just a quick test of my fuzzing infrastructure draw me into manual research for the next 1.5 ~ 2 years, and result in Microsoft fixing (so far) 53 CVEs. I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate, and some considerations on effective fuzzing and where more bugs might still be lurking.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu…
∗∗∗ GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites.
---------------------------------------------
https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html
∗∗∗ ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network.
---------------------------------------------
https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html
∗∗∗ Oops: DanaBot Malware Devs Infected Their Own PCs ∗∗∗
---------------------------------------------
The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.
---------------------------------------------
https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-thei…
∗∗∗ Fake birthday gift: subscription trap in the name of Rituals in circulation ∗∗∗
---------------------------------------------
Fraudulent e-mails purporting to come from Rituals are currently in circulation. They promise a luxurious birthday gift box at a special price of only two euros. But beware: behind the seemingly generous offer lies no real surprise, but an expensive subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-geburtstagsgeschenk-abofalle-im…
∗∗∗ Security risk: AD administration and the Authenticated Users group ∗∗∗
---------------------------------------------
A blog reader recently pointed me to a security risk that may exist in some Active Directory systems. If the Active Directory group Authenticated Users contains external accounts, shares of internal services (printers etc.) could unintentionally be open to external users.
---------------------------------------------
https://www.borncity.com/blog/2025/05/22/sicherheitsrisiko-ad-verwaltung-un…
∗∗∗ Information Leakage Caused by DB Client Tool ∗∗∗
---------------------------------------------
In recent breach incidents, threat actors have been observed not only accessing systems, but also directly querying internal databases and stealing sensitive information. Particularly, more threat actors are installing DB client tools directly on targeted systems to exfiltrate data, and legitimate tools such as DBeaver, Navicat, and sqlcmd are being used in this process.
---------------------------------------------
https://asec.ahnlab.com/en/88134/
∗∗∗ Scarcity signals: Are rare activities red flags? ∗∗∗
---------------------------------------------
Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.
---------------------------------------------
https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red…
∗∗∗ Operation Endgame 2.0: 20 arrest warrants, hundreds of servers taken down ∗∗∗
---------------------------------------------
International law enforcement continues to take action against malware authors. As part of "Operation Endgame 2.0", the German authorities, the BKA and the Frankfurt am Main public prosecutor general's office, have now dealt the cybercriminals a painful blow. In Germany alone, the authorities took 50 servers offline, and 650 domains are no longer under the control of the cyber gangsters.
---------------------------------------------
https://heise.de/-10394215
∗∗∗ Fault injection attacks on the nRF54L15 and STM32L051 microcontrollers (SYSS-2025-022/-033) ∗∗∗
---------------------------------------------
The term "fault injection" describes a class of vulnerabilities in which attackers deliberately try to induce fault states in systems. These fault states lead to abnormal system behaviour and can be exploited to bypass security restrictions. For example, it is possible to extract cryptographic keys or to bypass read-out protection on internal data storage.
---------------------------------------------
https://www.syss.de/pentest-blog/fault-injection-angriffe-auf-die-mikrocont…
=====================
= Vulnerabilities =
=====================
∗∗∗ 2025-05-22: Cyber Security Advisory - ASPECT advisory several CVEs ∗∗∗
---------------------------------------------
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&Lan…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (dotnet9.0, dropbear, ghostscript, nbdkit, openssh, python-watchfiles, rpm-ostree, yelp, yelp-xsl, and zsync), Oracle (firefox and kernel), Red Hat (osbuild-composer), Slackware (aaa_glibc and mozilla), SUSE (chromedriver, open-vm-tools, postgresql14, python-cryptography, and thunderbird), and Ubuntu (linux-aws, linux-hwe-5.4, python, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1022352/
∗∗∗ Infoblox NetMRI is vulnerable to CVE-2024-54188 ∗∗∗
---------------------------------------------
https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE…
∗∗∗ [R1] Tenable Network Monitor Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-10
∗∗∗ Lantronix Device Installer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01
∗∗∗ Rockwell Automation FactoryTalk Historian ThingWorx ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-02
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 21-05-2025 18:00 − Thursday 22-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Law enforcement seizes Lumma Stealer infrastructure (May 2025) ∗∗∗
---------------------------------------------
In a coordinated action, US law enforcement has seized the infrastructure (C&C servers) of the Lumma infostealer and shut it down. The malware is responsible for numerous cyberattacks that harvest information from users, and almost 400,000 PCs were infected. [..] Microsoft refers to the actor offering Lumma as malware-as-a-service (MaaS) as Storm-2477. [..] The operation was carried out in cooperation with law enforcement agencies (FBI, Europol, JC3) and industry partners (ESET, Bitsight, Lumen, Cloudflare, CleanDNS and GMO Registry).
---------------------------------------------
https://www.borncity.com/blog/2025/05/22/strafverfolger-beschlagen-lumma-st…
∗∗∗ 3AM ransomware uses spoofed IT calls, email bombing to breach networks ∗∗∗
---------------------------------------------
A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-spoofed-…
∗∗∗ Signal now blocks Microsoft Recall screenshots on Windows 11 ∗∗∗
---------------------------------------------
Signal has updated its Windows app to protect users' privacy by blocking Microsoft's AI-powered Recall feature from taking screenshots of their conversations. [..] This new privacy feature, dubbed "screen security," is now enabled by default on all Windows 11 devices, where Recall continuously takes screenshots of all active windows every few seconds and analyzes them to build a database that can be searched using natural language. When enabled, screen security will set a Digital Rights Management (DRM) flag on Signal's app windows, blocking their content from being captured by Recall or other Windows apps and features.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/signal-now-blocks-microsoft-…
∗∗∗ Storm-0558 and the Dangers of Cross-Tenant Token Forgery ∗∗∗
---------------------------------------------
Modern cloud ecosystems often place a single identity provider in charge of handling logins and tokens for a wide range of customers. This approach certainly streamlines single sign-on (SSO) for end users, but it also places enormous trust in a single set of signing keys. If those private keys are compromised, attackers can create tokens that appear valid to any service that relies on them.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/storm-0558-…
∗∗∗ Another Fake Cloudflare Verification Targets WordPress Sites ∗∗∗
---------------------------------------------
A new Cloudflare infection has once again been targeting WordPress sites. This new iteration of malware mimics a legitimate-looking Cloudflare verification page, which then tricks victims into following various commands and downloading malware. This style of malware is not new – our researcher Ben Martin wrote about a similar campaign targeting WordPress sites back in March. The difference between this new infection and previous ones is the location of where the malware is located – spread out among multiple themes and fake plugins. Additionally, this variant is delivered in three stages, which helps the attacker avoid detection and maintain control over what is delivered at each step.
---------------------------------------------
https://blog.sucuri.net/2025/05/another-fake-cloudflare-verification-target…
∗∗∗ Data leak at Coinbase: massive phishing wave under way ∗∗∗
---------------------------------------------
After hackers stole and resold numerous customer records of the crypto platform, phishing attempts in the name of Coinbase are currently being reported more frequently. The criminals contact their victims either by e-mail or by phone with the aim of obtaining sensitive information or initiating transfers.
---------------------------------------------
https://www.watchlist-internet.at/news/datenleck-bei-coinbase-phishing/
∗∗∗ BadSuccessor: abusing dMSA for privilege escalation in Active Directory ∗∗∗
---------------------------------------------
Windows Server 2025 newly introduced delegated Managed Service Accounts (dMSAs). These are service accounts for Active Directory (AD) that are meant to enable new functionality. Security researchers have now found that by abusing dMSAs, attackers can take over any principal in the domain. [..] For the reasons above, Microsoft currently does not intend to fix the problem, but plans to address it at some point in the future (so there is no patch).
---------------------------------------------
https://www.borncity.com/blog/2025/05/22/badsuccessor-dmsa-zur-privilegien-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances. It's worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues following the end of the 90-day deadline.
---------------------------------------------
https://thehackernews.com/2025/05/unpatched-versa-concerto-flaws-let.html
∗∗∗ Cisco Security Advisories 2025-05-21 ∗∗∗
---------------------------------------------
Cisco has published 10 new security advisories. Two of the new advisories are rated "High" and 8 are rated "Medium". The advisories rated "High" concern vulnerabilities in Cisco Identity Services Engine RADIUS and Cisco Unified Intelligence Center.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Mozilla Security Advisories 2025-05-20 ∗∗∗
---------------------------------------------
Thunderbird (critical) and Firefox (low)
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (mozilla-ublock-origin and sudo-rs), Oracle (.NET 8.0, compat-openssl10, grafana, osbuild-composer, redis:6, ruby:2.5, and webkit2gtk3), SUSE (dante, firefox-esr, gnuplot, govulncheck-vulndb, grype, postgresql13, postgresql14, postgresql15, postgresql16, postgresql17, python-tornado6, python314, thunderbird, ucode-intel, and xen), and Ubuntu (bind9, libfcgi-perl, linux-ibm-5.4, linux-oracle-5.4, postgresql-17, and Tomcat).
---------------------------------------------
https://lwn.net/Articles/1022189/
∗∗∗ Authentication: critical vulnerability in Samlify turns attackers into admins ∗∗∗
---------------------------------------------
Admins who implement single sign-on (SSO) logins via the widely used Node.js library Samlify should install the available security patch promptly. Otherwise, attackers can bypass authentication and access systems with far-reaching privileges. [..] The "critical" vulnerability (CVE-2025-47949) was found by security researchers at Endor Labs.
---------------------------------------------
https://heise.de/-10392315
∗∗∗ Attackers can crash virtual machines created with VMware ∗∗∗
---------------------------------------------
The advisory shows that the vulnerability rated most dangerous (CVE-2025-41225, "high") affects vCenter Server. Here an authenticated attacker can execute their own commands. If an attacker has guest VM privileges, they can cause a DoS condition for a guest VM (CVE-2025-41226, "medium"), which usually results in crashes. Further DoS attacks (CVE-2025-41227, "medium") and XSS attacks (CVE-2025-41228, "medium") are also possible.
---------------------------------------------
https://heise.de/-10392911
∗∗∗ Drupal Security Advisories 2025-05-21 ∗∗∗
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 12, 2025 to May 18, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 20-05-2025 18:00 − Wednesday 21-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows 11’s most important new feature is post-quantum cryptography. Here’s why. ∗∗∗
---------------------------------------------
For the first time, new quantum-safe algorithms can be invoked using standard Windows APIs.
---------------------------------------------
https://arstechnica.com/security/2025/05/heres-how-windows-11-aims-to-make-…
∗∗∗ VanHelsing ransomware builder leaked on hacking forum ∗∗∗
---------------------------------------------
The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vanhelsing-ransomware-builde…
∗∗∗ Dero miner zombies biting through Docker APIs to build a cryptojacking horde ∗∗∗
---------------------------------------------
Kaspersky experts break down an updated cryptojacking campaign targeting containerized environments: a Dero crypto miner abuses the Docker API. [..] The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner.
---------------------------------------------
https://securelist.com/dero-miner-infects-containers-through-docker-api/116…
∗∗∗ Chrome will soon be able to change insecure passwords entirely on its own ∗∗∗
---------------------------------------------
Google's Chrome browser is soon to be able to change passwords automatically when a login with them reveals that the password has been compromised. [..] Ideally, Chrome users will in future receive a notice when a saved password has been found in a data leak and can have the browser replace it with a secure one. The new password is then stored in Chrome's password manager and the insecure one is replaced. The automatic password change requires only a single click in total.
---------------------------------------------
https://heise.de/-10391298
∗∗∗ Security agencies warn of Russian espionage via IP cameras ∗∗∗
---------------------------------------------
Suspected members of the Russian military intelligence service GRU have gained access to networks and IP cameras of operators of critical infrastructure (KRITIS). This is reported by, among others, the NSA, the FBI, the Bundesnachrichtendienst (BND), the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI). [..] According to a statement by the agencies, companies from the logistics sector are primarily affected.
---------------------------------------------
https://heise.de/-10391927
∗∗∗ CISA, NIST Researchers Develop Metric to Determine Likelihood of Vulnerability Exploitation ∗∗∗
---------------------------------------------
Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have developed a new security metric to determine the likelihood that a vulnerability has been exploited. In a paper published this week, Peter Mell, formerly of NIST, and CISA’s Jonathan Spring outlined their vulnerability exploit metric that augments the work of the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.
---------------------------------------------
https://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability in OpenPGP.js endangers encrypted e-mail traffic ∗∗∗
---------------------------------------------
OpenPGP.js, a widely used JavaScript implementation of OpenPGP, has a dangerous security vulnerability that allows the result of signature verification to be forged. According to a security advisory on GitHub, an attacker can pass specially crafted data to the functions openpgp.verify or openpgp.decrypt in order to spoof encrypted and/or signed messages. CVE-2025-47934
---------------------------------------------
https://www.golem.de/news/manipulationsgefahr-luecke-in-openpgp-js-gefaehrd…
∗∗∗ Multiple vulnerabilities in eCharge Hardy Barth cPH2 and cPP2 charging stations ∗∗∗
---------------------------------------------
Hardy Barth EV charging station products are affected by critical vulnerabilities that can be exploited through both physical access and unauthenticated network access. These vulnerabilities pose significant risks, including system compromise, data breaches, and operational disruptions within EV charging infrastructures. [..] The vendor has not provided a fix for any of the reported vulnerabilities.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle…
∗∗∗ Multiple security vulnerabilities threaten VMware Cloud Foundation ∗∗∗
---------------------------------------------
As an advisory shows, the vulnerabilities (CVE-2025-41229, CVE-2025-41230, CVE-2025-41231) are rated with a threat level of "high". If attackers successfully exploit the vulnerabilities, they can, for example, access sensitive information or internal services on the network via port 443.
---------------------------------------------
https://heise.de/-10390932
∗∗∗ Millions of Node.js Apps at Risk Due to Critical Multer Vulnerabilities ∗∗∗
---------------------------------------------
Two high-severity security flaws have been identified in Multer, a popular middleware used in Node.js applications for handling file uploads. The Multer vulnerabilities, tracked as CVE-2025-47944 and CVE-2025-47935, affect all versions from 1.4.4-lts.1 up to but not including 2.0.0. According to the GitHub post, the two vulnerabilities “allow an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request.
---------------------------------------------
https://thecyberexpress.com/multer-vulnerabilities-expose-node-js/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, avahi, buildah, compat-openssl10, compat-openssl11, expat, firefox, gimp, git, grafana, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:22, osbuild-composer, php, redis, redis:7, skopeo, thunderbird, vim, webkit2gtk3, xterm, and yelp), Arch Linux (dropbear, freetype2, go, nodejs, nodejs-lts-iron, nodejs-lts-jod, python-django, webkit2gtk, webkit2gtk-4.1, webkitgtk-6.0, and wpewebkit), Debian (mongo-c-driver), Fedora (openssh, perl-Mojolicious, thunderbird, yelp, and yelp-xsl), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-ibm-semeru-certified-jdk, java-21-openjdk, kernel, libxslt, ruby, ruby:3.1, ruby:3.3, unbound, and webkit2gtk3), SUSE (glib2, grub2, kernel, libwebp, openssh, and s390-tools), and Ubuntu (linux, linux-azure, linux-azure-6.11, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oem-6.11, linux-raspi, linux-realtime, linux-azure, linux-azure-5.15, linux-nvidia-tegra, linux-azure, linux-azure-6.8, linux-oem-6.8, linux-azure, linux-kvm, linux-azure-fips, linux-azure-nvidia, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, mariadb-10.6, and postgresql-12, postgresql-14, postgresql-16).
---------------------------------------------
https://lwn.net/Articles/1022030/
∗∗∗ Assured Telematics Inc (ATI) Fleet Management System with Geotab Integration ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-11
∗∗∗ Vertiv Liebert RDU101 and UNITY ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-10
∗∗∗ AutomationDirect MB-Gateway ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-09
∗∗∗ Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-04
∗∗∗ f5: K000151431: Intel Ethernet Controller and Adapter vulnerability CVE-2024-24983 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151431
=====================
= End-of-Day report =
=====================
Timeframe: Monday 19-05-2025 18:00 − Tuesday 20-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains ∗∗∗
---------------------------------------------
A threat actor named Hazy Hawk has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-…
∗∗∗ 100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads ∗∗∗
---------------------------------------------
An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.
---------------------------------------------
https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html
∗∗∗ Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more… ∗∗∗
---------------------------------------------
Overall, we’ve proven that although a fair amount of effort has been put into enforcing the restrictions of Restricted View there are plenty of ways to circumvent them. Therefore, it is important for administrators and users to understand that it can not be relied on to secure data against motivated attackers.
---------------------------------------------
https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-…
∗∗∗ Duping Cloud Functions: An emerging serverless attack vector ∗∗∗
---------------------------------------------
Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure.
---------------------------------------------
https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serve…
∗∗∗ Compromised RVTools Installer Spreading Bumblebee Malware ∗∗∗
---------------------------------------------
RVTools installer on its official site was found delivering malware. Research shows it spread Bumblebee loader. Users urged to verify downloads.
---------------------------------------------
https://hackread.com/compromised-rvtools-installer-drop-bumblebee-malware/
∗∗∗ Hardened images from Docker improve security and relieve developers ∗∗∗
---------------------------------------------
With Hardened Images (DHI), Docker offers secure, lean and compliance-ready images. Participants include Microsoft, Neo4J and GitLab, among others.
---------------------------------------------
https://heise.de/-10388766
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3 Security Advisories Tue. 20th May, 2025 ∗∗∗
---------------------------------------------
TYPO3 has released 11 new security advisories.
---------------------------------------------
https://typo3.org/help/security-advisories
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, python311-cramjam, python311-httptools, python311-jwcrypto, python311-loguru, python311-mechanize, python311-nltk, python311-oauthlib, python311-py7zr, python311-pycapnp, python311-pyspnego, python311-pywayland, python311-suds, python311-treq, python311-ujson, python311-waitress, ruby3.4-rubygem-actionmailer, ruby3.4-rubygem-actiontext, ruby3.4-rubygem-activerecord, ruby3.4-rubygem-activestorage, ruby3.4-rubygem-fluentd, ruby3.4-rubygem-globalid, ruby3.4-rubygem-jquery-rails, ruby3.4-rubygem-kramdown, ruby3.4-rubygem-loofah, ruby3.4-rubygem-multi_xml, ruby3.4-rubygem-puma, ruby3.4-rubygem-rails, ruby3.4-rubygem-rails-html-sanitizer, ruby3.4-rubygem-sprockets, ruby3.4-rubygem-web-console, ruby3.4-rubygem-websocket-extensions, ucode-intel-20250512, and valkey), and Ubuntu (dotnet8, dotnet9, linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-oracle, linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, and linux-xilinx-zynqmp).
---------------------------------------------
https://lwn.net/Articles/1021740/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips).
---------------------------------------------
https://lwn.net/Articles/1021812/
∗∗∗ 22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/22000-wordpress-sites-affected-by-pr…
∗∗∗ Danfoss AK-SM 8xxA Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-03
∗∗∗ National Instruments Circuit Design Suite ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-02
∗∗∗ ABUP IoT Cloud Platform ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 16-05-2025 18:00 − Monday 19-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Curl developer warns: Unicode trick endangers software projects on Github ∗∗∗
---------------------------------------------
Very few developers are likely to reliably recognize the differences between certain Unicode characters. On Github in particular, this is a problem.
---------------------------------------------
https://www.golem.de/news/curl-entwickler-warnt-unicode-trick-gefaehrdet-so…
∗∗∗ Warning about brancheneintrag24.com ∗∗∗
---------------------------------------------
Fraudulent e-mails originating from the address info(a)brancheneintrag24.com are currently circulating. The attachment contains a form that supposedly asks companies to update their business directory entry. [..] Filling in and returning the form concludes a paid contract.
---------------------------------------------
https://www.zettasecure.com/post/warnung-vor-brancheneintrag24-com
∗∗∗ Fake shops: running enthusiasts targeted by criminals ∗∗∗
---------------------------------------------
Running shoes from top brands at rock-bottom prices?! Beware! Fake shops for sports shoes and other equipment are currently appearing in growing numbers. Anyone ordering from such a store usually ends up empty-handed. If a delivery does arrive, it contains only inferior copies.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-fuer-laufschuhe/
∗∗∗ Windows: Bitlocker encryption bypassed via Bitpixie (CVE-2023-21563) ∗∗∗
---------------------------------------------
The Bitlocker disk encryption that Microsoft uses for Windows can be bypassed in software via the Bitpixie vulnerability (CVE-2023-21563) when certain conditions apply. [..] The attack that has now become public is nothing new, but a proof of concept that administrators can test on their own systems if needed. [..] The Bitpixie vulnerability, and in general both hardware- and software-based attacks, can be mitigated by enforcing pre-boot authentication.
---------------------------------------------
https://www.borncity.com/blog/2025/05/18/windows-bitlocker-verschluesselung…
∗∗∗ Windows 10/11: Defender can be disabled with the simple tool Defendnot ∗∗∗
---------------------------------------------
Microsoft has built an interface (API) into Windows 10 and Windows 11 through which antivirus software vendors can disable Microsoft Defender when their product is installed. Several people (including a blog reader) have now shown how Windows Defender can be disabled with a simple piece of software (no-defender or Defendnot).
---------------------------------------------
https://www.borncity.com/blog/2025/05/19/windows-10-11-defender-mit-simplen…
∗∗∗ Ivanti EPMM Zero-Days: Reconnaissance to Exploitation ∗∗∗
---------------------------------------------
Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile systems.
---------------------------------------------
https://www.greynoise.io/blog/ivanti-epmm-zero-days-reconnaissance-exploita…
∗∗∗ VM escape in Oracle VirtualBox via VGA device ∗∗∗
---------------------------------------------
We provide a proof-of-concept that demonstrates how to exploit this vulnerability to fully escape a virtual machine.
---------------------------------------------
https://github.com/google/security-research/security/advisories/GHSA-qx2m-r…
∗∗∗ Passwords are okay, impulsive Internet isn't ∗∗∗
---------------------------------------------
Every few weeks, I come across an article telling us how passwords are bad and how we need to go "passwordless". These pieces are written by mostly well-intended nerds who think technology can solve basic problems in human behavior.
---------------------------------------------
https://www.dedoimedo.com/life/passwords-passkeys.html
∗∗∗ New Community Resource: Attribution to IP ∗∗∗
---------------------------------------------
The Curated Intelligence community has shared a new collection for CTI analysts and others who perform cybersecurity research duties. A new GitHub repository has been created that contains a collection of methods to learn who the owner of an IP address is.
---------------------------------------------
https://www.curatedintel.org/2025/05/new-community-resource-attribution-to-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Mozilla Security Advisories May 17, 2025 ∗∗∗
---------------------------------------------
Firefox ESR 115.23.1, ESR 128.10.1 and 138.0.4. Critical
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Attackers can manipulate connections of Sonicwall SMA1000 ∗∗∗
---------------------------------------------
In a security advisory, the network equipment vendor explains that attackers can redirect requests, for instance to servers under their control, in the course of a server-side request forgery (SSRF) attack (CVE-2025-40595 "high").
---------------------------------------------
https://heise.de/-10387581
∗∗∗ Thousands of WordPress Sites at Risk Due to Critical Crawlomatic Plugin Vulnerability ∗∗∗
---------------------------------------------
A severe security vulnerability has been discovered in the popular WordPress plugin, Crawlomatic Multisite Scraper Post Generator, potentially placing thousands of websites at risk. Tracked as CVE-2025-4389, the flaw allows unauthenticated attackers to upload malicious files, which could ultimately lead to remote code execution on affected websites.
---------------------------------------------
https://thecyberexpress.com/crawlomatic-plugin-hit-by-cve-2025-4389/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 15-05-2025 18:01 − Friday 16-05-2025 18:01
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FBI: US officials targeted in voice deepfake attacks since April ∗∗∗
---------------------------------------------
The FBI warned that cybercriminals are using AI-generated audio deepfakes to target U.S. officials in voice phishing attacks that started in April.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in…
∗∗∗ Ransomware gangs increasingly use Skitnet post-exploitation malware ∗∗∗
---------------------------------------------
Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingl…
∗∗∗ Understanding CSRF: Cross-site Request Forgery Explained ∗∗∗
---------------------------------------------
Cross-Site Request Forgery, often called CSRF (or its other nicknames, Session Riding and XSRF), is a tricky type of attack. In short, it lets attackers make users do things on websites without their consent or knowledge. This attack works by misusing the trust a web application puts in a user’s browser once they’re logged in. By duping the browser into sending fake requests (usually through shady emails or misleading links), CSRF allows unauthorized commands to hit a website. And since these requests seem to come from a legitimate, logged-in user, the website has a hard time spotting the fakes, which can open the door to significant security problems.
---------------------------------------------
https://blog.sucuri.net/2025/05/understanding-csrf-cross-site-request-forge…
∗∗∗ Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT.
---------------------------------------------
https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html
∗∗∗ VNC. RDP for all to see ∗∗∗
---------------------------------------------
VNC (Virtual Network Computing) is a widely deployed service in perhaps forgotten corners of legacy enterprise networks. This is mainly because it’s a tried and trusted protocol that simply works; however, this disregards its security flaws and disadvantages in the modern age.
---------------------------------------------
https://www.pentestpartners.com/security-blog/vnc-rdp-for-all-to-see/
∗∗∗ Operation RoundPress ∗∗∗
---------------------------------------------
This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
∗∗∗ Commit Stomping ∗∗∗
---------------------------------------------
Commit Stomping is a technique inspired by timestomping, a well-known method used in offensive operations where file metadata is manipulated to hide the true timing of actions. In Git, Commit Stomping involves altering commit timestamps to mislead observers about when changes were introduced.
---------------------------------------------
https://blog.zsec.uk/commit-stomping/
=====================
= Vulnerabilities =
=====================
∗∗∗ Printer company provided infected software downloads for half a year ∗∗∗
---------------------------------------------
When Cameron Coward, the YouTuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the antivirus software alerted him to a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems.
---------------------------------------------
https://feeds.feedblitz.com/~/918394763/0/gdatasecurityblog-en~Printer-comp…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, kernel, kernel-rt, redis:6, and yelp and yelp-xsl), Debian (chromium), Red Hat (compat-openssl11, kernel, and thunderbird), and SUSE (nbdkit, open-vm-tools, and rustup).
---------------------------------------------
https://lwn.net/Articles/1021482/
∗∗∗ Malicious ‘Checker’ Packages on PyPI Probe TikTok and Instagram for Valid Accounts ∗∗∗
---------------------------------------------
We often hear about the importance of secure data. Have I Been Pwned and similar websites exist to see if passwords or emails are listed online. However, many people do not understand the ramifications of their own leaked data.
---------------------------------------------
https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 14-05-2025 18:01 − Thursday 15-05-2025 18:01
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Spies hack high-value mail servers using an exploit from yesteryear ∗∗∗
---------------------------------------------
XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software that, when exploited, allow attackers to execute malicious code in the browsers of people visiting an affected website. XSS first got attention in 2005, with the creation of the Samy Worm, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. XSS exploits abounded for the next decade and have gradually fizzled more recently, although this class of attacks continues now.
---------------------------------------------
https://arstechnica.com/security/2025/05/spies-hack-high-value-mail-servers…
∗∗∗ Critical Infrastructure Under Siege: OT Security Still Lags ∗∗∗
---------------------------------------------
With critical infrastructure facing constant cyber threats from the Typhoons and other corners, federal agencies and others are warning security for the OT network, a core technology in many critical sectors, is not powered up enough.
---------------------------------------------
https://www.darkreading.com/ics-ot-security/critical-infrastructure-ot-secu…
∗∗∗ Beyond the kill chain: What cybercriminals do with their money (Part 1) ∗∗∗
---------------------------------------------
Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled.
---------------------------------------------
https://news.sophos.com/en-us/2025/05/15/beyond-the-kill-chain-what-cybercr…
∗∗∗ Technical Analysis of TransferLoader ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-transfer…
∗∗∗ USA: Malicious communication devices in Chinese solar inverters ∗∗∗
---------------------------------------------
During an examination of inverters from China by experts in the USA, undocumented communication devices were found in some units. According to media reports, US energy authorities want to reassess the risk posed by these Chinese inverters.
---------------------------------------------
https://www.heise.de/news/Boesartige-Kommunikationsgeraete-in-Solar-Wechsel…
∗∗∗ Alleged Steam hack: data leak contains SMS sending logs ∗∗∗
---------------------------------------------
An alleged data leak at the gaming platform Steam is said to contain 89 million records; an unknown person has been trying to sell them on the darknet for 5,000 US dollars since last Saturday. But the response is feeble and the sensitivity of the data questionable.
---------------------------------------------
https://heise.de/-10383892
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal Security Advisories 2025-05-14 ∗∗∗
---------------------------------------------
Drupal has released 7 new security advisories.
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Palo Alto Networks Security Advisories 2025-05-14 ∗∗∗
---------------------------------------------
Palo Alto has released 11 new security advisories.
---------------------------------------------
https://security.paloaltonetworks.com/
∗∗∗ Mozilla Foundation Security Advisories 2025-05-13 ∗∗∗
---------------------------------------------
For Thunderbird 138.0.1 and Thunderbird 128.10.1.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack).
---------------------------------------------
https://lwn.net/Articles/1021379/
∗∗∗ Patch day: holes in Intel software and drivers plugged ∗∗∗
---------------------------------------------
Attackers can target computers with Intel hardware and software. If attacks succeed, they can, among other things, cause denial-of-service (DoS) conditions, which usually lead to crashes.
---------------------------------------------
https://heise.de/-10384160
∗∗∗ Google warns: dangerous Chrome vulnerability is being actively exploited ∗∗∗
---------------------------------------------
The widely used Chrome web browser contains several dangerous security vulnerabilities, one of which is already being actively exploited by attackers. Google warns of this in the release notes for an update made available on Wednesday. Not only the Windows version of Google Chrome is affected, but also those for Mac and Linux. Users should update the browser promptly to protect themselves against possible attacks.
---------------------------------------------
https://www.golem.de/news/google-warnt-gefaehrliche-chrome-luecke-wird-akti…
∗∗∗ Fortinet seals several holes, attacks on FortiVoice observed ∗∗∗
---------------------------------------------
CVE-2025-32756 is a critical stack-based buffer overflow vulnerability affecting multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows unauthenticated remote attackers to execute arbitrary code or commands via crafted HTTP requests, posing a severe security risk.
---------------------------------------------
https://www.heise.de/news/Fortinet-dichtet-mehrere-Luecken-ab-Angriffe-auf-…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0004 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0004.html
∗∗∗ Reflected cross-site scripting vulnerability in Ricoh laser printers and MFPs which implement Web Image Monitor ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN20474768/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 5, 2025 to May 11, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 13-05-2025 18:00 − Wednesday 14-05-2025 18:01
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt ∗∗∗
---------------------------------------------
A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads.
---------------------------------------------
https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit…
∗∗∗ Intel: Another attack bypasses all previous CPU protection measures ∗∗∗
---------------------------------------------
Intel is on a streak: yet another vulnerability once again opens many processors to side-channel attacks despite existing protection measures. [..] Like the Training Solo attack type before it, BPI requires physical access to a system. The associated CVE numbers CVE-2024-43420, CVE-2025-20623 and CVE-2024-45332 are therefore rated only with severity Medium.
---------------------------------------------
https://heise.de/-10383474
∗∗∗ A Privacy Mechanism That Backfired ∗∗∗
---------------------------------------------
Some bugs are more interesting than others. Last time I mentioned how CVE-2025-24091 was one of my favorite iOS vulnerabilities so far. That was because I wasn’t yet allowed to disclose my actual favorite! This post is about CVE-2025-31212, the most ironic vulnerability I’ve ever found, and here's why...
---------------------------------------------
https://rambo.codes/posts/2025-05-12-a-privacy-mechanism-that-backfired
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti EPMM: Remote code execution vulnerabilities (CVE-2025-4427, CVE-2025-4428) - updates available ∗∗∗
---------------------------------------------
On 13 May, Ivanti published updates and security advisories for two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Chained exploitation of the two flaws can be used for unauthenticated execution of malicious code. Ivanti states that it has observed exploitation of these flaws on a limited number of systems, already before the advisory was published. CVE numbers: CVE-2025-4427, CVE-2025-4428
---------------------------------------------
https://www.cert.at/de/warnungen/2025/5/ivanti-epmm-rce
∗∗∗ Microsoft primes 71 fixes for May Patch Tuesday ∗∗∗
---------------------------------------------
Five issues actively exploited in the wild, but the real excitement may have been handled in advance.
---------------------------------------------
https://news.sophos.com/en-us/2025/05/14/microsoft-primes-71-fixes-for-may-…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools).
---------------------------------------------
https://lwn.net/Articles/1021199/
∗∗∗ Adobe patch day: malicious code attacks on InDesign and Photoshop possible ∗∗∗
---------------------------------------------
Adobe closes security vulnerabilities in several applications. So far there are no reports of attacks.
---------------------------------------------
https://heise.de/-10382767
∗∗∗ Video conferencing: high-risk privilege escalation vulnerabilities in Zoom Workplace Apps ∗∗∗
---------------------------------------------
Zoom reports several security vulnerabilities in the Workplace Apps of its video conferencing software. One of them only narrowly misses the "critical" rating.
---------------------------------------------
https://heise.de/-10383108
∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
∗∗∗ MISP 2.4.209 / 2.5.11 Release Notes Latest ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.11
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-05-2025 18:00 − Tuesday 13-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer ∗∗∗
---------------------------------------------
Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script they were tricked into executing via a Google Drive document.
---------------------------------------------
https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-St…
∗∗∗ Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq ∗∗∗
---------------------------------------------
Turkish spies exploited a zero-day bug in a messaging app to collect info on the Kurdish army in Iraq, according to Microsoft, which says the attacks began more than a year ago. Specifically, the snoops abused CVE-2025-27920, a directory traversal vulnerability in version 2.0.62 of messaging app Output Messenger, and the intrusions began in April 2024. The app's developer Srimax issued a software update in December to patch the hole, however not all users applied the fixes.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/13/turkish_spie…
∗∗∗ As US vuln-tracking falters, EU enters with its own security bug database ∗∗∗
---------------------------------------------
The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/13/eu_security_…
∗∗∗ SAP patch day: critical Netweaver hole and many more plugged ∗∗∗
---------------------------------------------
In May 2025, SAP publishes a total of 16 new security notes. They address partly critical vulnerabilities in various products from the company's business software catalogue.
---------------------------------------------
https://heise.de/-10381863
∗∗∗ Auditing Moodle's core hunting for logical bugs ∗∗∗
---------------------------------------------
The following article explains how, during an audit, we examined Moodle (v4.4.3) and found ways of bypassing all the restrictions preventing SSRF vulnerabilities from being exploited.
---------------------------------------------
http://blog.quarkslab.com/auditing-moodles-core-hunting-for-logical-bugs.ht…
∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗
---------------------------------------------
A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025.
---------------------------------------------
http://blog.quarkslab.com/technical-dive-into-modern-phishing.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple Updates Everything: May 2025 Edition, (Mon, May 12th) ∗∗∗
---------------------------------------------
Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem.
---------------------------------------------
https://isc.sans.edu/diary/rss/31942
∗∗∗ Perfectly implemented safeguards bypassed: Spectre attacks are back ∗∗∗
---------------------------------------------
Existing protection mechanisms do not always protect against Spectre-like side-channel attacks on processors, even when they are perfectly implemented and isolate different domains from one another. That is the conclusion of researchers from the Systems and Network Security Group at the Vrije Universiteit Amsterdam (VUSec).
---------------------------------------------
https://www.heise.de/news/Perfekt-implementierte-Sicherungen-ausgehebelt-Sp…
∗∗∗ 82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme ∗∗∗
---------------------------------------------
On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.
---------------------------------------------
https://www.wordfence.com/blog/2025/05/82000-wordpress-sites-affected-by-ar…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/1020948/
∗∗∗ Stack-based buffer overflow vulnerability in API ∗∗∗
---------------------------------------------
A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
∗∗∗ EPMM Security Update ∗∗∗
---------------------------------------------
To this end, we are issuing an important security update addressing vulnerabilities associated with open-source libraries used in Ivanti Endpoint Manager Mobile (EPMM). At the time of disclosure, we are aware of a very limited number of customers whose solution has been exploited. The issue only affects the on-prem EPMM product.
---------------------------------------------
https://www.ivanti.com/blog/epmm-security-update
∗∗∗ Xen Security Advisory CVE-2024-28956 / XSA-469 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-469.html
∗∗∗ Possibility of replay attacks in the Tiiwee X1 Alarm System (SYSS-2025-006) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/moeglichkeit-fuer-replay-attacken-im-tiiwe…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 09-05-2025 18:00 − Monday 12-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iClicker site hack targeted students with malware via fake CAPTCHA ∗∗∗
---------------------------------------------
The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-stude…
∗∗∗ Inspired by AMD flaw: researcher warns of ransomware in CPU microcode ∗∗∗
---------------------------------------------
A ransomware infection can have far-reaching consequences for companies, not infrequently ending in insolvency. Suitable measures can contain the risks of such security incidents. Security researcher Christiaan Beek of Rapid7, however, warns of a threat that common cybersecurity solutions have so far had little to counter: ransomware in the CPU's microcode.
---------------------------------------------
https://www.golem.de/news/von-amd-luecke-inspiriert-forscher-warnt-vor-rans…
∗∗∗ It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities, (Mon, May 12th) ∗∗∗
---------------------------------------------
Unipi Technologies is a company developing programmable logic controllers for a number of different applications like home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are based on the "Marvis" platform, a customized Linux distribution maintained by Unipi.
---------------------------------------------
https://isc.sans.edu/diary/rss/31940
∗∗∗ A Subtle Form of Siege: DDoS Smokescreens as a Cover for Quiet Data Breaches ∗∗∗
---------------------------------------------
DDoS attacks have long been dismissed as blunt instruments, favored by script kiddies and hacktivists for their ability to overwhelm and disrupt. But in today's fragmented, hybrid-cloud environments, they've evolved into something far more cunning: a smokescreen. What looks like digital vandalism may actually be a coordinated diversion, engineered to distract defenders from deeper breaches in progress.
---------------------------------------------
https://www.tripwire.com/state-of-security/subtle-form-siege-ddos-smokescre…
∗∗∗ Threat Brief: CVE-2025-31324 ∗∗∗
---------------------------------------------
On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-313…
∗∗∗ SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths ∗∗∗
---------------------------------------------
sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with elevated privileges. However, misconfigurations and certain vulnerabilities can be exploited to escalate privileges, potentially compromising system security.
---------------------------------------------
https://www.darknet.org.uk/2025/05/sudo_killer-auditing-sudo-configurations…
∗∗∗ One-click RCE in ASUS’s preinstalled driver software ∗∗∗
---------------------------------------------
By trawling through the Javascript on the website, and about 700k lines of decompiled code that the exe produced, I managed to create a list of callable endpoints including some unused ones sitting in the exe.
---------------------------------------------
https://mrbruh.com/asusdriverhub/
∗∗∗ CVE-2024-26809: Critical nftables Vulnerability in Linux Kernel Could Lead to Root Access ∗∗∗
---------------------------------------------
A critical security flaw has been discovered in the Linux kernel’s nftables subsystem, which is responsible for packet filtering in modern Linux distributions. This flaw, a double-free vulnerability, allows local attackers to escalate their privileges and execute arbitrary code.
---------------------------------------------
https://thecyberexpress.com/cve-2024-26809-nftables-vulnerability/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libbson-xs-perl, postgresql-13, redis, and simplesamlphp), Fedora (chromium, deluge, epiphany, golang-github-nats-io-nkeys, libxmp, nodejs22, perl-Compress-Raw-Lzma, php-adodb, python-h11, and xz), Gentoo (firefox, NVIDIA Drivers, Orc, PAM, and thunderbird), Mageia (libreoffice, python-django, and transfig), Red Hat (emacs, firefox, python39:3.9, and thunderbird), SUSE (bird3, freetype2, ldap-proxy, libmosquitto1, and ruby3.4-rubygem-rack), and Ubuntu (linux, linux-aws, linux-kvm, linux-aws, and linux-fips).
---------------------------------------------
https://lwn.net/Articles/1020884
∗∗∗ TuneUp and services in Avast, AVG, Avira and Norton open up security holes ∗∗∗
---------------------------------------------
The antivirus software of Gen Digital's brands Avast, AVG, Avira and Norton ships, among other things, with system optimisation services and further components that contain vulnerabilities. Users of the affected software should check whether they have newer versions installed than the known vulnerable ones.
---------------------------------------------
https://heise.de/-10379900
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-05-2025 18:00 − Friday 09-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ National policy for coordinated vulnerability disclosure (CVD) ∗∗∗
---------------------------------------------
Handling vulnerabilities in IT products and services is one of the exciting topics in IT security. On the vendor side, the questions are how best to identify problems oneself, how to deal with reports from third parties, what the process for developing corrected versions looks like, and how to distribute the new version to customers quickly and efficiently. On the finder (researcher) side, questions arise about the legal framework for vulnerability research: what am I allowed to do, what certainly not, and how do I communicate the result most sensibly?
---------------------------------------------
https://www.cert.at/de/spezielles/2025/5/nationale-cvd-policy
∗∗∗ Malicious PyPi package hides RAT malware, targets Discord devs since 2022 ∗∗∗
---------------------------------------------
A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.[..] Named "discordpydebug," the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides…
∗∗∗ FBI: End-of-life routers hacked for cybercrime proxy networks ∗∗∗
---------------------------------------------
The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hack…
∗∗∗ Operation PowerOFF Takes Down 9 DDoS-for-Hire Domains ∗∗∗
---------------------------------------------
Four different countries, including the United States and Germany, were included in the latest international operation alongside Europol's support.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/operation-poweroff-takes-do…
∗∗∗ Lumma Stealer, coming and going ∗∗∗
---------------------------------------------
The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive.
---------------------------------------------
https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
∗∗∗ Warning: fake lawyer's letter could contain malware! ∗∗∗
---------------------------------------------
Emails from a purported law firm are currently circulating in which companies are accused of having infringed copyrights on content from Avident Entertainment. A collection of evidence can supposedly be downloaded via a download link. But beware: the link is fraudulent and presumably leads to malware!
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-gefaelschtes-anwaltsschreibe…
∗∗∗ Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources ∗∗∗
---------------------------------------------
Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-…
∗∗∗ Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation ∗∗∗
---------------------------------------------
Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload generation and obfuscation.
---------------------------------------------
https://www.darknet.org.uk/2025/05/bantam-advanced-php-backdoor-management-…
∗∗∗ Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser ∗∗∗
---------------------------------------------
Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials.
---------------------------------------------
https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/
∗∗∗ Remote access trojan found in npm package with 40,000 weekly downloads ∗∗∗
---------------------------------------------
Attackers had laced the package rand-user-agent, which is used among other things for automated testing and web scraping, with malicious code.
---------------------------------------------
https://heise.de/-10377590
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django).
---------------------------------------------
https://lwn.net/Articles/1020545/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11).
---------------------------------------------
https://lwn.net/Articles/1020653/
∗∗∗ Security vulnerabilities: F5 BIG-IP appliances are vulnerable in several places ∗∗∗
---------------------------------------------
https://heise.de/-10377584
∗∗∗ Joomla: [20250402] - Core - MFA Authentication Bypass ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/964-20250402-core-mfa-authenti…
∗∗∗ Pixmeo OsiriX MD ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01
∗∗∗ Hitachi Energy RTU500 Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01
∗∗∗ Mitsubishi Electric CC-Link IE TSN ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-05-2025 18:00 − Thursday 08-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ WhatsApp provides no cryptographic management for group messages ∗∗∗
---------------------------------------------
The weakness creates the possibility of an insider or hacker adding rogue members. [..] “This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.”
---------------------------------------------
https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic…
∗∗∗ Password crisis deepens in 2025: lazy, reused, and stolen ∗∗∗
---------------------------------------------
A new study of over 19 billion newly exposed passwords manifests a widespread weak password reuse crisis. Lazy keyboard patterns, such as 123456, still reign supreme, and 94% of passwords are reused or duplicated, data leaks from 2024-2025 reveal. Names like Ana rank as the second most popular component.
---------------------------------------------
https://cybernews.com/security/password-leak-study-unveils-2025-trends-reus…
∗∗∗ Ransomware: unknown attackers leak LockBit database – thanks to a PHP exploit? ∗∗∗
---------------------------------------------
Thousands of Bitcoin addresses, chat messages and other sensitive details of the ransomware provider are now circulating on the web. LockBit's support plays it down.
---------------------------------------------
https://www.heise.de/news/Ransomware-Unbekannte-Angreifer-leaken-LockBit-Da…
∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗
---------------------------------------------
Four new vulnerabilities in the Revolution Pi industrial PLCs. Two give unauthenticated attackers RCE—potentially a direct impact on safety and operations. [..] Since the vulnerabilities affect ICS equipment, we coordinated disclosure with CISA and KUNBUS’ PSIRT team (security.txt).
---------------------------------------------
https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g…
∗∗∗ 2.99 € import duty for the Post? Watch out, phishing! ∗∗∗
---------------------------------------------
A parcel is stuck at customs? Delivery is only possible after paying a fee? This is a scenario that criminals are currently using more and more as a scam. They send phishing emails in the name of Post AG and hope for gullible victims.
---------------------------------------------
https://www.watchlist-internet.at/news/einfuhrzoll-fuer-die-post/
∗∗∗ Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads ∗∗∗
---------------------------------------------
Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a multi-stage attack to steal credentials.
---------------------------------------------
https://hackread.com/fake-ai-tools-noodlophile-stealer-facebook-ads/
∗∗∗ RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale ∗∗∗
---------------------------------------------
Learn how RedisRaider is targeting publicly accessible Redis servers to mine cryptocurrency.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconf…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall urges admins to patch VPN flaw exploited in attacks ∗∗∗
---------------------------------------------
Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances. The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher. [..] SonicWall advised admins to check their SMA devices' logs for any signs of unauthorized logins and enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as a safety measure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-pa…
∗∗∗ CISCO Security Advisories 07. - 08.05.2025 ∗∗∗
---------------------------------------------
Cisco has released 29 new security advisories.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. [..] Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default. CVE-2025-20188
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Catalyst Center Unauthenticated API Access Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings. CVE-2025-20210
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Drupal Security Advisories 07.05.2025 ∗∗∗
---------------------------------------------
Drupal has released 10 new security advisories.
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Ubiquiti UniFi Protect: critical hole allows code injection ∗∗∗
---------------------------------------------
In a security advisory, Ubiquiti discusses the vulnerabilities. Malicious actors with access to the management network can trigger a heap-based buffer overflow in UniFi Protect cameras with firmware 4.75.43 and earlier and thereby inject and execute arbitrary code (CVE-2025-23123, CVSS 10.0, risk "critical").
---------------------------------------------
https://www.heise.de/news/Ubiquity-UniFi-Protect-Einschleusen-von-Schadcode…
∗∗∗ Mitel SIP phones can be fed arbitrary commands ∗∗∗
---------------------------------------------
According to Mitel's security advisory, there is a command injection vulnerability in the SIP phones of the 6800, 6900 and 6900w series as well as the 6970 conference model. Attackers from the network can thereby inject commands without prior authentication, because unspecified parameters are not sufficiently filtered. This lets them view or modify system and user data and configurations (CVE-2025-47188, CVSS 9.8, risk "critical").
---------------------------------------------
https://heise.de/-10376625
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr…