- Daily - CERT.at

Tageszusammenfassung - 03.10.2025
by Daily end-of-shift report 03 Oct '25

03 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-10-2025 18:00 − Freitag 03-10-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Oracle links Clop extortion attacks to July 2025 vulnerabilities ∗∗∗ --------------------------------------------- Oracle has linked an ongoing extortion campaign claimed by the Clop ransomware gang to E-Business Suite (EBS) vulnerabilities that were patched in July 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/security/oracle-links-clop-extortion-… ∗∗∗ CommetJacking attack tricks Comet browser into stealing emails ∗∗∗ --------------------------------------------- A new attack called CometJacking exploits URL parameters to pass to Perplexitys Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar. --------------------------------------------- https://www.bleepingcomputer.com/news/security/commetjacking-attack-tricks-… ∗∗∗ Sicherheitslücke in Zahnarztpraxen-System ∗∗∗ --------------------------------------------- Bei einem von einigen Zahnarztpraxen eingesetzten Praxisverwaltungssystem hat es gravierende Schwachstellen gegeben - dadurch hätten Patientendaten gelesen und verändert werden können. --------------------------------------------- https://www.golem.de/news/security-sicherheitsluecke-in-zahnarztpraxen-syst… ∗∗∗ Coordinated Grafana Exploitation Attempts on 28 September ∗∗∗ --------------------------------------------- GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified as malicious. --------------------------------------------- https://www.greynoise.io/blog/coordinated-grafana-exploitation-attempts ∗∗∗ Its Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604) ∗∗∗ --------------------------------------------- Welcome back, and what a week! We’re glad that happened for you and/or sorry that happened to you. It will get better and/or worse, and you will likely survive. Today, we’re walking down the garden path and digging into the archives, publishing our analysis of a vulnerability we discovered and disclosed to Dell in March 2025 within their UnityVSA solution. --------------------------------------------- https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-a… ===================== = Vulnerabilities = ===================== ∗∗∗ DrayTek warns of remote code execution bug in Vigor routers ∗∗∗ --------------------------------------------- Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute perform arbitrary code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (idm:DL1), Debian (gegl and haproxy), Fedora (ffmpeg, firefox, freeipa, python-pip, rust-astral-tokio-tar, sqlite, uv, webkitgtk, and xen), Oracle (idm:DL1, ipa, kernel, perl-JSON-XS, and python3), Red Hat (git), SUSE (curl, frr, jupyter-jupyterlab, and libsuricata8_0_1), and Ubuntu (linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-6.8, linux-fips, linux-gcp-fips, and linux-intel-iot-realtime, linux-realtime). --------------------------------------------- https://lwn.net/Articles/1040729/ ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released two Industrial Control Systems (ICS) advisories on October 2, 2025: ICSA-25-275-01 Raise3D Pro2 Series 3D Printers and ICSA-25-275-02 Hitachi Energy MSM Product. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-releases-two-indust… ∗∗∗ Critical Splunk Vulnerabilities Expose Platforms to Remote JavaScript Injection and More ∗∗∗ --------------------------------------------- Splunk has disclosed six critical security vulnerabilities impacting multiple versions of both Splunk Enterprise and Splunk Cloud Platform. These Splunk vulnerabilities, collectively highlighting serious weaknesses in Splunk’s web components, could allow attackers to execute unauthorized JavaScript code remotely, access sensitive information, and perform server-side request forgery (SSRF) attacks. --------------------------------------------- https://thecyberexpress.com/critical-splunk-vulnerabilities/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 02.10.2025
by Daily end-of-shift report 02 Oct '25

02 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-10-2025 18:00 − Donnerstag 02-10-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ That annoying SMS phish you just got may have come from a box like this ∗∗∗ --------------------------------------------- Smishers looking for new infrastructure are getting creative. --------------------------------------------- https://arstechnica.com/security/2025/10/that-annoying-sms-phish-you-just-g… ∗∗∗ Adobe Analytics bug leaked customer tracking data to other tenants ∗∗∗ --------------------------------------------- Adobe is warning its Analytics customers that an ingestion bug caused data from some organizations to appear in the analytics instances of others for approximately one day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-analytics-bug-leaked-c… ∗∗∗ Clop extortion emails claim theft of Oracle E-Business Suite data ∗∗∗ --------------------------------------------- Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clop-extortion-emails-claim-… ∗∗∗ Android spyware campaigns impersonate Signal and ToTok messengers ∗∗∗ --------------------------------------------- Two new spyware campaigns that researchers call ProSpy and ToSpy lured Android users with fake upgrades or plugins for the Signal and ToTok messaging apps to steal sensitive data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-spyware-campaigns-im… ∗∗∗ Shutdown Threatens US Intel Sharing, Cyber Defense ∗∗∗ --------------------------------------------- Lapse of critical information sharing and mass furloughs at CISA are just some of the concerns. --------------------------------------------- https://www.darkreading.com/cyber-risk/shutdown-us-intel-sharing-cyber-defe… ∗∗∗ Datenleck: Schufa-Tochter Bonify bestätigt Sicherheitsvorfall ∗∗∗ --------------------------------------------- Unbekannte erbeuten Identifizierungsdaten von Bonify-Nutzern. Darunter sind auch Ausweisdaten und Fotos. --------------------------------------------- https://www.golem.de/news/datenleck-schufa-tochter-bonify-bestaetigt-sicher… ∗∗∗ 570 GByte Github-Daten: Red Hat meldet Sicherheitsvorfall ∗∗∗ --------------------------------------------- Die Erpressergruppe Crimson Collective ist angeblich im Besitz vertraulicher Kundendaten von Red Hat - und verlangt ein Lösegeld. --------------------------------------------- https://www.golem.de/news/570-gbyte-github-daten-red-hat-meldet-sicherheits… ∗∗∗ New WireTap Attack Extracts Intel SGX ECDSA Key via DDR4 Memory-Bus Interposer ∗∗∗ --------------------------------------------- In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intels Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data. --------------------------------------------- https://thehackernews.com/2025/10/new-wiretap-attack-extracts-intel-sgx.html ∗∗∗ Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing a stealthy backdoor-like functionality to drop additional payloads on Windows systems. The deceptive package, named soopsocks, attracted a total of 2,653 downloads before it was taken down. --------------------------------------------- https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.ht… ∗∗∗ EU funds are flowing into spyware companies, and politicians are demanding answers ∗∗∗ --------------------------------------------- Experts say Commission is ‘fanning the flames’ of the continent’s own Watergate. An arsenal of angry European Parliament members (MEPs) is demanding answers from senior commissioners about why EU subsidies are ending up in the pockets of spyware companies. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/10/02/eu_spyware_f… ∗∗∗ ENISA Threat Landscape 2025 ∗∗∗ --------------------------------------------- Through a more threat-centric approach and further contextual analysis, this latest edition of the ENISA Threat Landscape analyses 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025. --------------------------------------------- https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025 ∗∗∗ Meet SpamGPT and MatrixPDF, AI Toolkits Driving Malware Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers at Varonis have discovered two new plug-and-play cybercrime toolkits, MatrixPDF and SpamGPT. Learn how these AI-powered tools make mass phishing and PDF malware accessible to anyone, redefining online security risks. --------------------------------------------- https://hackread.com/spamgpt-matrixpdf-ai-toolkits-malware-attacks/ ∗∗∗ Malicious ZIP Files Use Windows Shortcuts to Drop Malware ∗∗∗ --------------------------------------------- Cybersecurity firm Blackpoint Cyber reveals a new spear phishing campaign targeting executives. Learn how attackers use fraudulent document ZIPs containing malicious shortcut files, leveraging living off the land tactics, and a unique Anti-Virus check to deliver a custom payload. --------------------------------------------- https://hackread.com/malicious-zip-files-windows-shortcuts-malware/ ∗∗∗ $20 YoLink IoT Gateway Vulnerabilities Put Home Security at Risk ∗∗∗ --------------------------------------------- Four critical zero-day flaws found in the $20 YoLink Smart Hub allow remote physical access, threatening your home security. See the urgent steps you must take now. --------------------------------------------- https://hackread.com/20-yolink-iot-gateway-vulnerabilities-home-security/ ∗∗∗ Confucius Espionage: From Stealer to Backdoor ∗∗∗ --------------------------------------------- The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region. --------------------------------------------- https://feeds.fortinet.com/~/925674278/0/fortinet/blogs~Confucius-Espionage… ===================== = Vulnerabilities = ===================== ∗∗∗ Chrome 141: Google schließt schwerwiegende Sicherheitslücken ∗∗∗ --------------------------------------------- Google hat seinen Browser Chrome auf die Version 141 aktualisiert. Das Update beinhaltet den Versionshinweisen zufolge Patches für 21 Sicherheitslücken. Von mindestens zwei Anfälligkeiten geht demnach ein hohes Risiko aus. Sie erlauben unter Umständen das Einschleusen und Ausführen von Schadcode aus der Ferne und innerhalb der Sandbox des Browsers. --------------------------------------------- https://www.golem.de/news/chrome-141-google-schliesst-schwerwiegende-sicher… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (perl-JSON-XS), Debian (chromium and openssl), Fedora (bird, dnsdist, firefox, mapserver, ntpd-rs, python-nh3, rust-ammonia, skopeo, sqlite, thunderbird, and xen), Oracle (perl-JSON-XS), Red Hat (kernel, kernel-rt, and libvpx), SUSE (afterburn, cairo, docker-stable, firefox, nginx, python-Django, snpguest, and warewulf4), and Ubuntu (libmspack, libxslt, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-hwe-6.14, linux-realtime, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux, linux-kvm, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-hwe-6.8, linux-kvm, linux-oracle-5.15, linux-oracle-6.14, linux-raspi, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, linux-realtime-6.14, and python-django). --------------------------------------------- https://lwn.net/Articles/1040591/ ∗∗∗ Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0 ∗∗∗ --------------------------------------------- Tenable has released Security Center Patch SC-202509.2.1 to address these issues. --------------------------------------------- https://www.tenable.com/security/tns-2025-20 ∗∗∗ Sicherheitspatches: OpenSSL für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- In aktuellen OpenSSL-Versionen haben die Entwickler drei Sicherheitslücken geschlossen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://www.heise.de/news/OpenSSL-Angreifer-koennen-auf-ARM-Systemen-privat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 01.10.2025
by Daily end-of-shift report 01 Oct '25

01 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-09-2025 18:00 − Mittwoch 01-10-2025 18:00 Handler: Guenes Holler Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ China Imposes One-Hour Reporting Rule for Major Cyber Incidents ∗∗∗ --------------------------------------------- The sweeping new regulations show that Chinas serious about hardening its own networks after launching widespread attacks on global networks. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/china-one-hour-reporti… ∗∗∗ MatrixPDF: Neues Hacker-Tool macht PDF-Dateien zu Phishing-Ködern ∗∗∗ --------------------------------------------- Schädliche PDF-Dateien lassen sich damit so gestalten, dass sie den Phishing-Filter von Gmail umgehen. --------------------------------------------- https://www.golem.de/news/matrixpdf-neues-hacker-tool-macht-pdf-dateien-zu-… ∗∗∗ New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones ∗∗∗ --------------------------------------------- A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy.Italian fraud prevention firm Cleafy, which discovered the sophisticated malware .. --------------------------------------------- https://thehackernews.com/2025/10/new-android-banking-trojan-klopatra.html ∗∗∗ Hackers Exploit Milesight Routers to Send Phishing SMS to European Users ∗∗∗ --------------------------------------------- Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022.French cybersecurity company SEKOIA said the attackers are exploiting .. --------------------------------------------- https://thehackernews.com/2025/10/hackers-exploit-milesight-routers-to.html ∗∗∗ Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure to Full Takeover ∗∗∗ --------------------------------------------- A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions.OpenShift AI is a platform for managing the lifecycle .. --------------------------------------------- https://thehackernews.com/2025/10/critical-red-hat-openshift-ai-flaw.html ∗∗∗ OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps ∗∗∗ --------------------------------------------- A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain .. --------------------------------------------- https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.h… ∗∗∗ Neue Phishing-Wellen im Namen der WKO ∗∗∗ --------------------------------------------- Kriminelle versuchen aktuell über zwei Maschen im Namen der Wirtschaftskammer Österreich für Schaden zu sorgen. Dabei geht es um die Aktualisierung von Unternehmensdaten und Zahlungsinformationen zum Mitgliedsbeitrag. Besonders gefährlich: Für .. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-wellen-wko/ ∗∗∗ TOTOLINK X6000R: Three New Vulnerabilities Uncovered ∗∗∗ --------------------------------------------- Researchers identified vulnerabilities in TOTOLINK X6000R routers: CVE-2025-52905, CVE-2025-52906 and CVE-2025-52907. We discuss root cause and impact. --------------------------------------------- https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/ ∗∗∗ North Korea IT worker scheme expanding to more industries, countries outside of US tech sector ∗∗∗ --------------------------------------------- Okta said their new research into the scheme revealed that North Korea has honed its skills on U.S.-based companies and has expanded into dozens of different countries and industries. --------------------------------------------- https://therecord.media/north-korea-it-worker-scheme-expands-outisde-us-tech ∗∗∗ Detour Dog’s DNS Hijacking Infects 30,000 Websites with Strela Stealer ∗∗∗ --------------------------------------------- Infoblox reveals how the Detour Dog group used server-side DNS to compromise 30,000+ sites across 89 countries, installing the stealthy Strela Stealer malware. --------------------------------------------- https://hackread.com/detour-dog-dns-hijacking-websites-strela-stealer/ ∗∗∗ Sicherheitsupdate: Schadcode-Lücke bedroht NAS-Modelle von Western Digital ∗∗∗ --------------------------------------------- Angreifer können bestimmte Netzwerkspeicher von Western Digital mit My Cloud OS attackieren. --------------------------------------------- https://heise.de/-10696726 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, mysql:8.0, and openssh), Debian (libcommons-lang-java, libcommons-lang3-java, libcpanel-json-xs-perl, libjson-xs-perl, libxml2, open-vm-tools, and u-boot), Fedora (bird, dnsdist, mapserver, ntpd-rs, python-nh3, and rust-ammonia), Oracle (kernel and mysql:8.0), Red Hat (cups, postgresql:12, and postgresql:13), SUSE (cJSON-devel, gimp, kernel-devel, kubecolor, open-vm-tools, openssl-1_1, openssl-3, and ruby3.4-rubygem-rack), .. --------------------------------------------- https://lwn.net/Articles/1040375/ ∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released ten Industrial Control Systems (ICS) advisories on September 30, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.ICSA-25-273-01 MegaSys Enterprises Telenium Online Web ApplicationICSA-25-273-02 Festo SBRD-Q/SBOC-Q/SBOI-QICSA-25-273-03 Festo CPX-CEC-C1 and .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/30/cisa-releases-ten-indust… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 30.09.2025
by Daily end-of-shift report 30 Sep '25

30 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 29-09-2025 18:00 − Dienstag 30-09-2025 18:00 Handler: n/a Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Ransomware gang sought BBC reporter’s help in hacking media giant ∗∗∗ --------------------------------------------- Threat actors claiming to represent the Medusa ransomware gang tempted a BBC correspondent to become an insider threat by offering a significant amount of money. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-sought-bbc-r… ∗∗∗ AI-Powered Voice Cloning Raises Vishing Risks ∗∗∗ --------------------------------------------- A researcher-developed framework could enable attackers to conduct real-time conversations using simulated audio to compromise organizations and extract sensitive information. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/ai-voice-cloning-vis… ∗∗∗ Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Googles Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft. --------------------------------------------- https://thehackernews.com/2025/09/researchers-disclose-google-gemini-ai.html ∗∗∗ Google’s Latest AI Ransomware Defense Only Goes So Far ∗∗∗ --------------------------------------------- Google has launched a new AI-based protection in Drive for desktop that can shut down an attack before it spreads—but its benefits have their limits. --------------------------------------------- https://www.wired.com/story/googles-latest-ai-ransomware-defense-only-goes-… ∗∗∗ Auf GitHub: Zahlreiche Fakes bekannter Mac-Apps kursieren ∗∗∗ --------------------------------------------- In einer offenbar konzertierten Aktion versuchen Scammer, gefälschte Apps für Mac-Nutzer zu verbreiten. Unklar ist, was das bezwecken soll. --------------------------------------------- https://www.heise.de/news/Auf-GitHub-Zahlreiche-Fakes-bekannter-Mac-Apps-ku… ∗∗∗ Vorsicht vor Festnetz-Spoofing: Kriminelle nutzen (teilweise) reale Telefonnummern! ∗∗∗ --------------------------------------------- Wer aktuell Anrufe von vermeintlichen Bank-Berater:innen bekommt, sollte besonders misstrauisch und vorsichtig sein! Kriminellen gelingt es immer öfter, real existierende Service-Festnetznummern als Deckmantel für ihre Betrugsmaschen zu nutzen. Ziel des „Spoofings“ ist der Zugriff auf das Konto des Opfers. --------------------------------------------- https://www.watchlist-internet.at/news/vorsich-festnetz-spoofing/ ∗∗∗ Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite ∗∗∗ --------------------------------------------- Phantom Taurus is a previously undocumented Chinese threat group. Explore how this groups distinctive toolset lead to uncovering their existence.The post Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/phantom-taurus/ ∗∗∗ XiebroC2 Identified in MS-SQL Server Attack Cases ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and recently confirmed a case involving the use of XiebroC2. XiebroC2 is a C2 framework with open-source code that supports various features such as information collection, remote control, and defense evasion, similar to CobaltStrike. --------------------------------------------- https://asec.ahnlab.com/en/90369/ ∗∗∗ Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations ∗∗∗ --------------------------------------------- Protecting software-as-a-service (SaaS) platforms and applications requires a comprehensive security strategy. Drawing from analysis of UNC6040’s specific attack methodologies, this guide presents a structured defensive framework encompassing proactive hardening measures, comprehensive logging protocols, and advanced detection capabilities. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-… ∗∗∗ When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise ∗∗∗ --------------------------------------------- In early 2025, we encountered a mission-critical software component called TRUfusion Enterprise on the perimeter of one of our customers that is used to transfer highly sensitive data. Since Rocket Software claims that they are undergoing regular audits and also follow secure coding guidelines, we didn’t expect to find much but to our surprise, it took us just two minutes to discover the first totally unsophisticated, but critical pre-auth path traversal vulnerability that already gave us admin rights. --------------------------------------------- https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth… ===================== = Vulnerabilities = ===================== ∗∗∗ Broadcom fixes high-severity VMware NSX bugs reported by NSA ∗∗∗ --------------------------------------------- Broadcom has released security updates to patch two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA). --------------------------------------------- https://www.bleepingcomputer.com/news/security/broadcom-fixes-high-severity… ∗∗∗ IBM App Connect Enterprise Toolkit kann Daten leaken ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für IBM App Connect Enterprise Toolkit, InfoSphere und WebSphere erschienen. --------------------------------------------- https://www.heise.de/news/IBM-App-Connect-Enterprise-Toolkit-kann-Daten-lea… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-internetarchive and tiff), Fedora (nextcloud), Oracle (kernel, openssh, and squid), Red Hat (kernel, kernel-rt, and ncurses), SUSE (afterburn and chromium), and Ubuntu (open-vm-tools, ruby-rack, and tiff). --------------------------------------------- https://lwn.net/Articles/1040152/ ∗∗∗ Security Vulnerabilities fixed in Firefox 143.0.3 ∗∗∗ --------------------------------------------- Mozilla has fixed three vulnerabilities labeled as high. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-80/ ∗∗∗ Critical Vulnerability Alert: CVE-2025-10035 in GoAnywhere MFT ∗∗∗ --------------------------------------------- A critical security vulnerability (CVE-2025-10035) has been identified in GoAnywhere MFT, a widely used file transfer solution developed by Fortra. --------------------------------------------- https://www.bitsight.com/blog/critical-vulnerability-alert-cve-2025-10035-g… ∗∗∗ Apple Security Update Addresses Critical Font Parser Vulnerability Across Multiple Platforms ∗∗∗ --------------------------------------------- Apple has rolled out a series of important security updates across multiple platforms, addressing a vulnerability affecting the system font parser. These Apple security updates cover iOS, iPadOS, macOS, visionOS, watchOS, and tvOS. --------------------------------------------- https://thecyberexpress.com/apple-security-updates/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 29.09.2025
by Daily end-of-shift report 29 Sep '25

29 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-09-2025 18:00 − Montag 29-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ First Malicious MCP in the Wild: The Postmark Backdoor Thats Stealing Your Emails ∗∗∗ --------------------------------------------- This is the world’s first sighting of a real world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface. --------------------------------------------- https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-the… ∗∗∗ Akira ransomware breaching MFA-protected SonicWall VPN accounts ∗∗∗ --------------------------------------------- Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds, although the exact method remains unconfirmed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-m… ∗∗∗ Pointer leaks through pointer-keyed data structures ∗∗∗ --------------------------------------------- Some time in 2024, during a Project Zero team discussion, we were talking about how remote ASLR leaks would be helpful or necessary for exploiting some types of memory corruption bugs, specifically in the context of Apple devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointe… ∗∗∗ Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security ∗∗∗ --------------------------------------------- Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses. "Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent," the Microsoft Threat Intelligence team said in an analysis published last week. --------------------------------------------- https://thehackernews.com/2025/09/microsoft-flags-ai-driven-phishing-llm.ht… ∗∗∗ Cyber threat-sharing law set to shut down, along with US government ∗∗∗ --------------------------------------------- Barring a last-minute deal, the US federal government would shut down on Wednesday, October 1, and the 2015 Cybersecurity Information Sharing Act would lapse at the same time, threatening what many consider a critical plank of US cybersecurity policy. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/26/government_s… ∗∗∗ Sex offenders, terrorists, drug dealers, exposed in spyware breach ∗∗∗ --------------------------------------------- RemoteCOMs monitoring software leaked the personal details of suspects, offenders, and the law enforcement officers tracking them. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/09/sex-offenders-terrorists-dru… ∗∗∗ From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion ∗∗∗ --------------------------------------------- The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This Javascipt file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of a MSI package, which deployed a Brute Ratel DLL file using rundll32. --------------------------------------------- https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-e… ∗∗∗ Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M ∗∗∗ --------------------------------------------- Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings. --------------------------------------------- https://hackread.com/medusa-ransomware-comcast-data-breach/ ∗∗∗ CISA and UK NCSC Release Joint Guidance for Securing OT Systems ∗∗∗ --------------------------------------------- CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom’s National Cyber Security Centre, and other international partners has released new joint cybersecurity guidance: [Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture]. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/29/cisa-and-uk-ncsc-release… ∗∗∗ Supply chain security for the 0.001% (and why it won’t catch on) ∗∗∗ --------------------------------------------- After yet another supply chain issue (npm this time, but it doesn’t really matter that much), Shai-hulud, 500 packages affected and millions of downloads later, I finally wrapped up the protection system for my dev environment. I really don’t want to be the next one exploited. --------------------------------------------- https://blog.viraptor.info/post/supply-chain-security-for-the-0001-and-why-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (avahi, cups, firefox, gnutls, golang, httpd, kernel, libtpms, mysql, opentelemetry-collector, php:8.2, podman, postgresql:13, postgresql:15, python3, python3.11, python3.12, python3.9, thunderbird, and udisks2), Debian (firefox-esr, gimp, nncp, node-tar-fs, and squid), Fedora (chromium, firebird, python-azure-keyvault-securitydomain, python-azure-mgmt-security, and python-microsoft-security-utilities-secret-masker), Red Hat (httpd:2.4, kernel, kernel-rt, and mod_http2), SUSE (aide, apache2-mod_security2, chromedriver, cloud-init, docker, gdk-pixbuf, git, google-osconfig-agent, govulncheck-vulndb, gstreamer-plugins-base, iperf, kernel, krb5, krita, luajit, net-tools, nvidia-open-driver-G06-signed, pam, postgresql17, python311, rust-keylime, sevctl, tor, tree-sitter-ruby, and udisks2), and Ubuntu (curl, ghostscript, inetutils, python2.7, and qtbase-opensource-src). --------------------------------------------- https://lwn.net/Articles/1040058/ ∗∗∗ REDCap: Multiple Cross-Site Scripting (XSS) Vulnerabilities ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/redcap-mult… ∗∗∗ DataSpider Servista improper restriction of XML external entity references ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN23423519/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 26.09.2025
by Daily end-of-shift report 26 Sep '25

26 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-09-2025 18:00 − Freitag 26-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Schwerwiegende Sicherheitslücken in Cisco Adaptive Security Appliance - aktiv ausgenutzt - Updates verfügbar ∗∗∗ --------------------------------------------- Cisco hat Informationen zu einer vermutlich bereits seit einigen Monaten laufenden Angriffskampagne veröffentlicht. Im Rahmen dieser Kampagne haben Angreifer:innen, denen bereits im vergangenen Jahr eine breitgefächerte Kampagne gegen Edge-Devices zugerechnet wurde, Cisco Adaptive Security Appliance (ASA) Systeme der 5500-X Reihe welche "VPN web services" kompromittiert um in weiterer Folge auf den übernommenen Geräten Schadsoftware zu platzieren und Daten zu stehlen. --------------------------------------------- https://www.cert.at/de/warnungen/2025/9/schwerwiegende-sicherheitslucken-in… ∗∗∗ Unofficial Postmark MCP npm silently stole users emails ∗∗∗ --------------------------------------------- A npm package copying the official postmark-mcp project on GitHub turned bad with the latest update that added a single line of code to exfiltrate all its users email communication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unofficial-postmark-mcp-npm-… ∗∗∗ Salesforce AI Agents Forced to Leak Sensitive Data ∗∗∗ --------------------------------------------- Yet again researchers have uncovered an opportunity (dubbed "ForcedLeak") for indirect prompt injection against autonomous agents lacking sufficient security controls — but this time the risk involves PII, corporate secrets, physical location data, and so much more. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/salesforce-ai-agents-le… ∗∗∗ HeartCrypt’s wholesale impersonation effort ∗∗∗ --------------------------------------------- How the notorious Packer-as-a-Service operation built itself into a hydra. --------------------------------------------- https://news.sophos.com/en-us/2025/09/26/heartcrypts-wholesale-impersonatio… ∗∗∗ New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks ∗∗∗ --------------------------------------------- The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX. --------------------------------------------- https://thehackernews.com/2025/09/new-coldriver-malware-campaign-joins-bo.h… ∗∗∗ North Koreas Lazarus Group shares its malware with IT work scammers ∗∗∗ --------------------------------------------- North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang's infamous Lazarus Group deploys. --------------------------------------------- https://theregister.com/2025/09/25/lazarus_group_shares_malware_with_it_sca… ∗∗∗ LockBits new variant is most dangerous yet, hitting Windows, Linux and VMware ESXi ∗∗∗ --------------------------------------------- Trend Micro has sounded the alarm over the new LockBit 5.0 ransomware strain, which it warns is "significantly more dangerous" than past versions due to its newfound ability to simultaneously target Windows, Linux, and VMware ESXi environments. --------------------------------------------- https://theregister.com/2025/09/26/lockbits_new_variant_is_most/ ∗∗∗ Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer ∗∗∗ --------------------------------------------- New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam. --------------------------------------------- https://hackread.com/vietnamese-hackers-fake-copyright-notice-lone-none-ste… ∗∗∗ It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2 ∗∗∗ --------------------------------------------- We’re back, just over 24 hours later, to share our evolving understanding of CVE-2025-10035. --------------------------------------------- https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-… ∗∗∗ SVG Phishing hits Ukraine with Amatera Stealer, PureMiner ∗∗∗ --------------------------------------------- Phishing emails disguised as official notices from Ukraine’s police deliver Amatera Stealer and PureMiner in a fileless attack chain. --------------------------------------------- https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-wit… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, kernel, and thunderbird), Debian (ceph and thunderbird), Fedora (chromium, mingw-expat, python-deepdiff, python-orderly-set, python-pip, rust-az-cvm-vtpm, rust-az-snp-vtpm, rust-az-tdx-vtpm, and trustee-guest-components), Oracle (aide, kernel, and thunderbird), Red Hat (firefox, kernel, openssh, perl-YAML-LibYAML, and thunderbird), Slackware (expat), SUSE (jasper, libssh, openjpeg2, and python-pycares), and Ubuntu (linux-aws-6.14, linux-hwe-6.14, linux-azure, linux-hwe-6.8, linux-realtime-6.8, node-sha.js, and pcre2). --------------------------------------------- https://lwn.net/Articles/1039749/ ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0: SC-202509.1 ∗∗∗ --------------------------------------------- Security Center leverages third-party software to help provide underlying functionality. One of the third-party components (PostgreSQL) was found to contain vulnerabilities, and an updated version has been made available by the provider. --------------------------------------------- https://www.tenable.com/security/tns-2025-18 ∗∗∗ Security Update Dingtian DT-R002 ∗∗∗ --------------------------------------------- All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 25.09.2025
by Daily end-of-shift report 25 Sep '25

25 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-09-2025 18:00 − Donnerstag 25-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft will offer free Windows 10 security updates in Europe ∗∗∗ --------------------------------------------- Microsoft will offer free extended security updates for Windows 10 users in the European Economic Area (EEA), which includes Iceland, Liechtenstein, Norway, and all 27 European Union member states. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-will-offer-free-w… ∗∗∗ Malicious Rust packages on Crates.io steal crypto wallet keys ∗∗∗ --------------------------------------------- Two malicious packages with nearly 8,500 downloads in Rusts official crate repository scanned developers systems to steal cryptocurrency private keys and other secrets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-rust-packages-on-c… ∗∗∗ Supermicro: Unzählige Server-Mainboards anfällig für Firmware-Backdoors ∗∗∗ --------------------------------------------- Angreifer können in die BMC-Firmware zahlreicher Mainboards von Supermicro Malware einschleusen und damit dauerhaft die Kontrolle übernehmen. --------------------------------------------- https://www.golem.de/news/supermicro-unzaehlige-server-mainboards-anfaellig… ∗∗∗ XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/09/25/xcsset-evolves-aga… ∗∗∗ OnePlus leaves researchers on read over Android bug that exposes texts ∗∗∗ --------------------------------------------- Rapid7 warns flaw could let any app peek at your SMS, but smartphone vendor wont pick up Updated Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and .. --------------------------------------------- https://www.theregister.com/2025/09/23/rapid7_oneplus_android_bug/ ∗∗∗ Jetzt patchen! Root-Attacken auf Cisco-Netzwerkgeräte möglich ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco warnt vor Angriffen unter anderem auf Router und Switches. Admins sollten die aktuellen Sicherheitsupdates installieren. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Netzwerkgerae… ∗∗∗ Zu unsicher: IT-Dienstleister NTT Data trennt sich wohl von Ivanti-Produkten ∗∗∗ --------------------------------------------- Nicht nur das interne Netz, sondern auch der Weiterverkauf an Kunden ist betroffen. Die Sicherheit der Produkte sei ein unvertretbares Risiko. --------------------------------------------- https://www.heise.de/news/Zu-unsicher-IT-Dienstleister-NTT-Data-trennt-sich… ∗∗∗ Kriminelle kündigen Bankanruf per SMS oder WhatsApp an ∗∗∗ --------------------------------------------- Dass Kriminelle sich am Telefon als Bankmitarbeiter:innen ausgeben, ist seit Langem bekannt. Neu ist jedoch eine besonders raffinierte Variante, die derzeit im Umlauf ist. Dabei bauen die Kriminellen gezielt Vertrauen auf, indem sie den Anruf vorab per SMS oder WhatsApp-Nachricht ankündigen. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-kuendigen-bankanruf-per-s… ∗∗∗ International anti-fraud crackdown recovers more than $400 million, Interpol says ∗∗∗ --------------------------------------------- Authorities from more than 40 countries and territories blocked 68,000 bank accounts and froze about 400 cryptocurrency wallets as part of the operation from April through August, Interpol said. --------------------------------------------- https://therecord.media/anti-fraud-interpol-crackdown-recovers-over-400-mil… ∗∗∗ Securing Microsoft Entra ID: Lessons from the Field – Part 1 ∗∗∗ --------------------------------------------- This multipart blog series is focused on the real-world lessons learned while securing Microsoft Entra ID. Based on hands-on experience across various environments and organizations, we’ll explore the practical, high-impact strategies that work and more importantly, the common misconfigurations, overlooked settings, and pitfalls that can .. --------------------------------------------- https://blog.nviso.eu/2025/09/25/securing-microsoft-entra-id-lessons-from-t… ∗∗∗ This Is How Your LLM Gets Compromised ∗∗∗ --------------------------------------------- Poisoned data. Malicious LoRAs. Trojan model files. AI attacks are stealthier than ever—often invisible until it’s too late. Here’s how to catch them before they catch you. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/prevent-llm-compromise.html ∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona… ∗∗∗ 180,000 ICS/OT Devices and Counting: The Unforgivable Exposure ∗∗∗ --------------------------------------------- A new Bitsight TRACE threat research report shows that Industrial Control System and Operational Technology (ICS/OT) exposure is climbing again. --------------------------------------------- https://www.bitsight.com/blog/the-growing-exposure-of-ics-ot-devices ∗∗∗ Yet Another Random Story: VBScripts Randomize Internals ∗∗∗ --------------------------------------------- In one of our recent posts, Dennis shared an interesting case study of C# exploitation that rode on Random-based password-reset tokens. He demonstrated how to use the single-packet attack, or a bit of old-school math, to beat the game. Recently, I performed a security test on a target which had a dependency written in VBScript. This blog post focuses .. --------------------------------------------- https://blog.doyensec.com/2025/09/25/yet-another-random-story.html ===================== = Vulnerabilities = ===================== ∗∗∗ Zahlreiche Schwachstellen in iMonitorSoft EAM ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 24.09.2025
by Daily end-of-shift report 24 Sep '25

24 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-09-2025 18:00 − Mittwoch 24-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Supermicro server motherboards can be infected with unremovable malware ∗∗∗ --------------------------------------------- One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. [..] The two new vulnerabilities—tracked as CVE-2025-7937 and CVE-2025-6198—reside inside silicon soldered onto Supermicro motherboards that run servers inside data centers. [..] Supermicro said it has updated the BMC firmware to mitigate the vulnerabilities. The company is currently testing and validating affected products. --------------------------------------------- https://arstechnica.com/security/2025/09/supermicro-server-motherboards-can… ∗∗∗ PyPI urges users to reset credentials after new phishing attacks ∗∗∗ --------------------------------------------- The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-urges-users-to-reset-cr… ∗∗∗ YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. The malware is particularly interesting because it contains significant code overlaps with IcedID and Latrodectus. Similar to Zloader and Qakbot, IcedID was originally designed for facilitating banking and wire fraud. --------------------------------------------- https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-fami… ∗∗∗ Fake Malwarebytes, LastPass, and others on GitHub serve malware ∗∗∗ --------------------------------------------- Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-a… ∗∗∗ Betrugs-Website mit Fake-Investitionsprojekt im Stil von orf.at ∗∗∗ --------------------------------------------- Plus gefälschtes Video von Bundespräsident Van der Bellen. Die Täter wollen persönliche Daten abgreifen und 250 Euro abkassieren --------------------------------------------- https://www.derstandard.at/story/3000000289130/betrugs-website-mit-fake-inv… ∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. [..] The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona… ∗∗∗ Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) ∗∗∗ --------------------------------------------- On Thursday, September 18, Fortra published a security advisory fi-2025-012 titled: Deserialization Vulnerability in GoAnywhere MFT's License Servlet. The title in itself is reason for alarm, with the description going further to explain how we likely got to a CVSS 10.0 [..] No mystery is complete without a few unanswered questions. Despite our usual routine of reverse engineering and creative detours, we’ve ended this one with more questions than usual. --------------------------------------------- https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-1… ∗∗∗ Mobilfunk-Server mit 100.000 SIM-Karten in New York beschlagnahmt ∗∗∗ --------------------------------------------- Rund um das New Yorker Hauptquartier der UNO wurden 300 SIM-Karten-Server und 100.000 SIM-Karten entdeckt. Deren Zweck ist undeutlich. --------------------------------------------- https://heise.de/-10668021 ∗∗∗ Cyberattacke auf Flughäfen: Weiterhin Probleme am BER und eine Festnahme ∗∗∗ --------------------------------------------- Auch Tage nach der Cyberattacke halten die Beeinträchtigungen am Flughafen BER an. In Großbritannien wurde indessen ein Tatverdächtiger festgenommen. --------------------------------------------- https://heise.de/-10669658 ∗∗∗ How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More ∗∗∗ --------------------------------------------- During our security testing, we discovered that connecting to a malicious MCP server via common coding tools like Claude Code and Gemini CLI could give attackers instant control over user computers. --------------------------------------------- https://verialabs.com/blog/from-mcp-to-shell/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched flaw in OnePlus phones lets rogue apps text messages ∗∗∗ --------------------------------------------- A vulnerability in multiple OnePlus OxygenOS versions allows any installed app to access SMS data and metadata without requiring permission or user interaction. [..] The flaw, tracked as CVE-2025-10184, and discovered by Rapid7 researchers, is currently unpatched and exploitable. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-flaw-in-oneplus-ph… ∗∗∗ Two Critical Flaws Uncovered in Wondershare RepairIt Exposing User Data and AI Models ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. [..] Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers' endpoints. [..] The cybersecurity company said it responsibly disclosed the two issues through its Zero Day Initiative (ZDI) in April 2025, but not that it has yet to receive a response from the vendor despite repeated attempts. In the absence of a fix, users are recommended to "restrict interaction with the product." CVE-2025-10643, CVE-2025-10644 --------------------------------------------- https://thehackernews.com/2025/09/two-critical-flaws-uncovered-in.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Fedora (expat), Red Hat (kernel and multiple packages), SUSE (avahi, busybox, busybox-links, kernel, sevctl, tcpreplay, thunderbird, and tor), and Ubuntu (isc-kea, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-aws-6.8, linux-gcp-6.8, linux-aws-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, python-pip, and rabbitmq-server). --------------------------------------------- https://lwn.net/Articles/1039311/ ∗∗∗ Libraesva ESG Security advisory: command injection vulnerability (CVE-2025-59689) ∗∗∗ --------------------------------------------- https://docs.libraesva.com/knowledgebase/security-advisory-command-injectio… ∗∗∗ ZDI-25-907: Autodesk Revit RFA File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-907/ ∗∗∗ Google Chrome: Chrome for Android Update ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/09/chrome-for-android-update_23.h… ∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk… ∗∗∗ AutomationDirect CLICK PLUS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 ∗∗∗ Mitsubishi Electric MELSEC-Q Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-02 ∗∗∗ Viessmann Vitogate 300 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 23.09.2025
by Daily end-of-shift report 23 Sep '25

23 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 22-09-2025 18:00 − Dienstag 23-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SonicWall releases SMA100 firmware update to wipe rootkit malware ∗∗∗ --------------------------------------------- SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-releases-sma100-fi… ∗∗∗ GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security ∗∗∗ --------------------------------------------- GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA), granular tokens that will have a limited lifetime of seven days, and trusted publishing, which enables the ability to securely publish npm packages directly from CI/CD workflows using OpenID Connect (OIDC). --------------------------------------------- https://thehackernews.com/2025/09/github-mandates-2fa-and-short-lived.html ∗∗∗ Vier Jahre langes Hin und Her zwischen Sicherheitsforscher und Vasion Print ∗∗∗ --------------------------------------------- Vasion Print war oder ist sogar noch verwundbar. Ob bereits alle Schwachstellen geschlossen sind, ist auf den ersten Blick nicht erkennbar. --------------------------------------------- https://www.heise.de/news/Vier-Jahre-langes-Hin-und-Her-zwischen-Sicherheit… ∗∗∗ [Guest Diary] Distracting the Analyst for Fun and Profit, (Tue, Sep 23rd) ∗∗∗ --------------------------------------------- Distributed denial of service (DDoS) attacks are a type of cyber-attack where the threat actor attempts to disrupt a service by flooding the target with a ton of requests to overload system resources and prevent legitimate traffic from reaching it. [..] We can draw a few conclusions from analyzing each wave of this attack. --------------------------------------------- https://isc.sans.edu/diary/rss/32308 ∗∗∗ Technical Analysis of Zloader Updates ∗∗∗ --------------------------------------------- Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a Zeus-based modular trojan that emerged in 2015. Zloader was originally designed to facilitate banking, but has since been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-zloader-… ∗∗∗ CISA Shares Lessons Learned from an Incident Response Engagement ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to highlight lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency. CISA is publicizing this advisory to reinforce the importance of prompt patching, as well as preparing for incidents by practicing incident response plans and by implementing logging and aggregating logs in a centralized out-of-band location. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a ===================== = Vulnerabilities = ===================== ∗∗∗ SolarWinds releases third patch to fix Web Help Desk RCE bug ∗∗∗ --------------------------------------------- SolarWinds has released a hotfix for a critical a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication. Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-pa… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (corosync and kernel), Fedora (checkpointctl, chromium, curl, and perl-Catalyst-Authentication-Credential-HTTP), SUSE (firefox, frr, kernel, rustup, vim, and wireshark), and Ubuntu (glibc and pam). --------------------------------------------- https://lwn.net/Articles/1039124/ ∗∗∗ Fehlende Validierung von Zertifikaten führt zu RCE in CleverControl Überwachungssoftware für Mitarbeitende ∗∗∗ --------------------------------------------- Eine fehlende Validierung des TLS Serverzertifikats in dem Installer der "CleverControl" Überwachungssoftware für Mitarbeitende erlaubt es Angreifern, die sich in die Netzwerkverbindung zwischen Client und Server platzieren können, beliebigen Code mit Administratorrechten auszuführen. CVE-2025-10548 --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/fehlende-validierung-… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0006 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0006.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 22.09.2025
by Daily end-of-shift report 22 Sep '25

22 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-09-2025 18:00 − Montag 22-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Cyberattacke auf Dienstleister behindert Flughäfen in Europa ∗∗∗ --------------------------------------------- Ein Dienstleister für die Systeme zur Passagierabfertigung ist am Freitagabend angegriffen worden, wie der Berliner Flughafen mitteilte. [..] Der Systemanbieter wird europaweit an Flughäfen eingesetzt. [..] Passagiere müssen nun mit längeren Wartezeiten beim Check-in und Boarding und mit Verspätungen rechnen. --------------------------------------------- https://www.heise.de/news/Cyberangriff-behindert-europaeische-Flughaefen-au… ∗∗∗ LastPass: Fake password managers infect Mac users with malware ∗∗∗ --------------------------------------------- LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories. [..] The attackers created a large number of deceptive GitHub repositories from multiple accounts to evade takedown and optimize them to rank high in search results. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lastpass-fake-password-manag… ∗∗∗ BlockBlasters: Infected Steam game downloads malware disguised as patch ∗∗∗ --------------------------------------------- A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information are lifted from the PC the game is running on - including crypto wallet data. Hundreds of users are potentially affected. --------------------------------------------- https://feeds.feedblitz.com/~/925181471/0/gdatasecurityblog-en~BlockBlaster… ∗∗∗ Understanding Spamhaus and Its Role in Email Security ∗∗∗ --------------------------------------------- One of the often “behind‐the‐scenes” organizations helping to defend email systems is Spamhaus. In this post, we’ll explain what Spamhaus is, how it works, why it matters, and what best practices companies should follow to stay out of blacklists and protect deliverability. --------------------------------------------- https://blog.sucuri.net/2025/09/understanding-spamhaus-and-its-role-in-emai… ∗∗∗ Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered what they say is the earliest example known to date of a malware with that bakes in Large Language Model (LLM) capabilities.The malware has been codenamed MalTerminal by SentinelOne SentinelLABS research team. --------------------------------------------- https://thehackernews.com/2025/09/researchers-uncover-gpt-4-powered.html ∗∗∗ Achtung vor WKO Phishing-Mails zu angeblichen Abgabenrückständen! ∗∗∗ --------------------------------------------- Derzeit erhalten viele Unternehmen eine gefälschte E-Mail, die angeblich von der Wirtschaftskammer Österreich (WKO) stammt. Darin wird behauptet, es gebe offene Abgaben von 482,00 Euro, die über einen Link bezahlt werden sollen. Achtung: Zahlen Sie nicht, es handelt sich um einen Betrugsversuch! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-wko-phishing-mails-zu-an… ∗∗∗ Fake-Shops: Kriminelle nutzen die finnische Kultmarke „Marimekko“ als Deckmantel ∗∗∗ --------------------------------------------- Derzeit tauchen auf Social-Media-Plattformen vermehrt Werbeanzeigen auf, die ungewöhnlich hohe Rabatte in Marimekko-Onlineshops versprechen. Natürlich stimmt daran nichts. Die Spezialpreise sollen die Fans der finnischen Design-Marke zu Impulskäufen verleiten. Geliefert werden die bestellten Produkte nie, das Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-marimekko/ ∗∗∗ Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures ∗∗∗ --------------------------------------------- In this blog, we highlight the evolution of Minibike into a new variant dubbed MiniJunk, the use of fake recruiting portals for malware delivery, victimology across the Middle East and Western Europe, and the broader implications for defense, telecom, and aviation sectors. --------------------------------------------- https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-… ∗∗∗ Hacking with AI SASTs: An overview of ‘AI Security Engineers’ / ‘LLM Security Scanners’ for Penetration Testers and Security Teams ∗∗∗ --------------------------------------------- For the past few months, I have been trialing various AI-native security scanners, with a main focus on finding a product on the market today that is able to analyze the source code of a project in order to find vulnerabilities. This post will detail that journey, the successes and failures I’ve come across, my thoughts, and offer a general review of new on-the-market products that fit the category. --------------------------------------------- https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters ∗∗∗ Kernel Security in the Wild: Side-Channel-Assisted Exploit Techniques, Kernel-Level Defenses, and Real-World Analysis ∗∗∗ --------------------------------------------- In this thesis, we address all three challenges to advance the state of kernel security. [..] We introduce three novel side channels: SLUBStick, a timing side channel on the kernel’s memory allocator to infer heap memory reuse; KernelSnitch, a software- induced side channel that leaks the location of kernel heap objects via data structure access timing; and a hardware-induced TLB side channel that leaks fine-grained memory layout information. --------------------------------------------- https://tugraz.elsevierpure.com/ws/portalfiles/portal/98775241/main.pdf ===================== = Vulnerabilities = ===================== ∗∗∗ VU#780141: Cross-site scripting vulnerability in Lectora course navigation ∗∗∗ --------------------------------------------- Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. CVE-2025-9125 --------------------------------------------- https://kb.cert.org/vuls/id/780141 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2). --------------------------------------------- https://lwn.net/Articles/1039053/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 19.09.2025
by Daily end-of-shift report 19 Sep '25

19 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-09-2025 18:00 − Freitag 19-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Backup-Diebstahl: Angreifer stahlen bei Sonicwall Firewallkonfigurationen ∗∗∗ --------------------------------------------- Der Firewallhersteller Sonicwall meldet einen Einbruch in Cloud-Konten seiner Kunden. Dabei haben Unbekannte Sicherungskopien von Firewallkonfigurationsdateien unerlaubt vervielfältigt und exfiltriert. Es handelt sich jedoch nicht um einen Cyberangriff auf Sonicwall, sondern offenbar um massenhaftes Durchprobieren von Zugangsdaten. [..] Die entwendeten Konfigurationsdateien können sensible Informationen enthalten und Angriffe erleichtern. Offenbar sind nur wenige Kunden betroffen. --------------------------------------------- https://heise.de/-10662565 ∗∗∗ CISA exposes malware kits deployed in Ivanti EPMM attacks ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). The flaws are an authentication bypass in EPMM’s API component (CVE-2025-4427) and a code injection vulnerability (CVE-2025-4428) that allows execution of arbitrary code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-exposes-malware-kits-de… ∗∗∗ New attack on ChatGPT research agent pilfers secrets from Gmail inboxes ∗∗∗ --------------------------------------------- Today’s installment hits OpenAI’s Deep Research agent. Researchers recently devised an attack that plucked confidential information out of a user’s Gmail inbox and sent it to an attacker-controlled web server, with no interaction required on the part of the victim and no sign of exfiltration. --------------------------------------------- https://arstechnica.com/information-technology/2025/09/new-attack-on-chatgp… ∗∗∗ Threat landscape for industrial automation systems in Q2 2025 ∗∗∗ --------------------------------------------- Kaspersky industrial threat report contains statistics on various malicious objects detected and blocked on ICS computers by Kaspersky solutions in Q2 2025. --------------------------------------------- https://securelist.com/industrial-threat-report-q2-2025/117532/ ∗∗∗ How AI-Native Development Platforms Enable Fake Captcha Pages ∗∗∗ --------------------------------------------- Cybercriminals are abusing AI-native platforms like Vercel, Netlify, and Lovable to host fake captcha pages that deceive users, bypass detection, and drive phishing campaigns. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/ai-development-platforms-ena… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability ∗∗∗ --------------------------------------------- Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands. The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity. "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection," Fortra said in an advisory released Thursday. --------------------------------------------- https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.h… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, cjson, and firefox-esr), Fedora (expat, gh, scap-security-guide, and xen), Oracle (container-tools:rhel8, firefox, grub2, and mysql:8.4), SUSE (busybox, busybox-links, element-web, kernel, shadowsocks-v2ray-plugin, and yt-dlp), and Ubuntu (imagemagick, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-oracle-6.8, linux-realtime, and openjpeg2). --------------------------------------------- https://lwn.net/Articles/1038802/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-261-01 Westermo Network Technologies WeOS 5, ICSA-25-261-02 Westermo Network Technologies WeOS 5, ICSA-25-261-03 Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit, ICSA-25-261-04 Hitachi Energy Asset Suite, ICSA-25-261-05 Hitachi Energy Service Suite, ICSA-25-261-06 Cognex In-Sight Explorer and In-Sight Camera Firmware, ICSA-25-261-07 Dover Fueling Solutions ProGauge MagLink LX4 Devices --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/18/cisa-releases-nine-indus… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 18.09.2025
by Daily end-of-shift report 18 Sep '25

18 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-09-2025 18:00 − Donnerstag 18-09-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks ∗∗∗ --------------------------------------------- The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked. --------------------------------------------- https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billi… ∗∗∗ SystemBC malware turns infected VPS systems into proxy highway ∗∗∗ --------------------------------------------- The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. Compromised servers are located all over the world and have at least one unpatched critical vulnerability, some of them being plagued by tens of security issues. --------------------------------------------- https://www.bleepingcomputer.com/news/security/systembc-malware-turns-infec… ∗∗∗ Microsoft: Hacker konnten wohl beliebige Entra-ID-Tenants kapern ∗∗∗ --------------------------------------------- Der Sicherheitsforscher Dirk-Jan Mollema hat eine gefährliche Sicherheitslücke in der von vielen Unternehmen genutzten cloudbasierten Identitäts- und Zugriffsverwaltungsplattform Microsoft Entra ID entdeckt. Wie der Forscher in einem Blogbeitrag(öffnet im neuen Fenster) schildert, konnte er damit weltweit so ziemlich jeden Entra-ID-Tenant kompromittieren – mit Ausnahme nationaler Cloud-Deployments, die er lediglich mangels Zugriff nicht testen konnte. --------------------------------------------- https://www.golem.de/news/microsoft-hacker-konnten-wohl-beliebige-entra-id-… ∗∗∗ SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems. --------------------------------------------- https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html ∗∗∗ CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT. --------------------------------------------- https://thehackernews.com/2025/09/countloader-broadens-russian-ransomware.h… ∗∗∗ Phishing-Mails im Namen der Statistik Austria im Umlauf ∗∗∗ --------------------------------------------- Aktuell kursiert eine Phishing-E-Mail, die vorgibt, von der Statistik Austria zu stammen. In der Nachricht werden Unternehmen aufgefordert, sensible Finanz- und Geschäftsdaten (z. B. Listen ausländischer Geschäftspartner, Beträge, Zahlungsfristen) zu übermitteln. Es ist davon auszugehen, dass die Daten für gefälschte Geldforderungen an Geschäftspartner missbraucht werden könnten. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mails-im-namen-der-statisti… ∗∗∗ What We Know About the NPM Supply Chain Attack ∗∗∗ --------------------------------------------- On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html ∗∗∗ New Raven Stealer Malware Hits Browsers for Passwords and Payment Data ∗∗∗ --------------------------------------------- New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it’s a growing risk for everyday users. --------------------------------------------- https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/ ∗∗∗ Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams ∗∗∗ --------------------------------------------- Cybersecurity firm Infoblox says it has discovered “Vane Viper,” a massive online ad network that posed as a legitimate business while running global scams and spreading malware. Linked to previously reported PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date. --------------------------------------------- https://hackread.com/vane-viper-malvertising-adtech-global-scams/ ===================== = Vulnerabilities = ===================== ∗∗∗ Notfallpatch: Aktiv ausgenutzte Chrome-Lücke gefährdet unzählige Nutzer ∗∗∗ --------------------------------------------- Google hat einen Notfallpatch für seinen weit verbreiteten Webbrowser Chrome bereitgestellt. Damit schließt der Konzern gleich mehrere gefährliche Sicherheitslücken. Eine davon wird bereits aktiv ausgenutzt, wie aus den Release Notes(öffnet im neuen Fenster) hervorgeht. Anwender sollten den Browser daher zügig aktualisieren, um sich vor möglichen Angriffen zu schützen. Betroffen sind Chrome-Versionen für Windows, Mac und Linux. --------------------------------------------- https://www.golem.de/news/notfallpatch-aktiv-ausgenutzte-chrome-luecke-gefa… ∗∗∗ Schwachstellen bedrohen HPE Aruba Networking EdgeConnect SD-WAN ∗∗∗ --------------------------------------------- Angreifer können Wide Area Networks (WAN) attackieren, die auf HPE Aruba Networking EdgeConnect SD-WAN fußen. Die Entwickler haben jüngst mehrere Sicherheitslücken geschlossen. Nach erfolgreichen Attacken können Angreifer unter anderem Sicherheitsbeschränkungen umgehen oder sogar Schadcode ausführen, um Systeme vollständig zu kompromittieren. --------------------------------------------- https://www.heise.de/news/Schwachstellen-bedrohen-HPE-Aruba-Networking-Edge… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14). --------------------------------------------- https://lwn.net/Articles/1038638/ ∗∗∗ Open-Source Tool Greenshot Hit by Severe Code Execution Vulnerability ∗∗∗ --------------------------------------------- A security vulnerability has been discovered in Greenshot, the widely used open-source screenshot tool for Windows. The Greenshot vulnerability exposes to the risk of arbitrary code execution, potentially allowing attackers to bypass established security protocols and launch further malicious activities. A proof-of-concept (PoC) exploit has already been released, drawing attention to the critical nature of the vulnerability. --------------------------------------------- https://thecyberexpress.com/greenshot-vulnerability/ ∗∗∗ ENCS testers help resolve critical vulnerabilities in solar inverters ∗∗∗ --------------------------------------------- ENCS cybersecurity testers uncovered several vulnerabilities in consumer solar inverters widely used in Europe, as part of the work on consumer IoT equipment. We reported these to the Dutch Institute for Vulnerability Disclosure (DIVD) CSIRT to start a responsible vulnerability disclosure process. Six vulnerabilities have now been resolved by the manufacturers. --------------------------------------------- https://encs.eu/news/encs-testers-help-resolve-critical-vulnerabilities-in-… ∗∗∗ ZDI-25-895: Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-895/ ∗∗∗ CVE-2025-9242: WatchGuard Firebox iked Out of Bounds Write Vulnerability ∗∗∗ --------------------------------------------- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 ∗∗∗ Third-Party Libraries and Supply Chains - PSA-2025-09-17 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2025-09-17 ∗∗∗ Daikin Security Gateway ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 17.09.2025
by Daily end-of-shift report 17 Sep '25

17 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-09-2025 18:00 − Mittwoch 17-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques ∗∗∗ --------------------------------------------- ClickFix isnt just back—its mutating. New variants use fake CAPTCHAs, File Explorer tricks & MSI lures to drop MetaStealer. Stay ahead with Huntress Tradecraft Tuesday threat briefings. --------------------------------------------- https://www.bleepingcomputer.com/news/security/from-clickfix-to-metastealer… ∗∗∗ Critical Bugs in Chaos Mesh Enable Cluster Takeover ∗∗∗ --------------------------------------------- "Chaotic Deputy" is a set of four vulnerabilities in the chaos engineering platform that many organizations use to test the resilience of their Kubernetes environments. Such is the case with a set of four serious vulnerabilities that researchers at JFrog recently discovered in Chaos Mesh that give attackers a way to take over entire Kubernetes clusters. --------------------------------------------- https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-tak… ∗∗∗ GOLD SALEM’s Warlock operation joins busy ransomware landscape ∗∗∗ --------------------------------------------- Counter Threat Unit (CTU) researchers are monitoring a threat group that refers to itself as Warlock Group. The group, which CTU researchers track as GOLD SALEM, has compromised networks and deployed its Warlock ransomware since March 2025. --------------------------------------------- https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-join… ∗∗∗ Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims ∗∗∗ --------------------------------------------- Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark". Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. --------------------------------------------- https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html ∗∗∗ Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service ∗∗∗ --------------------------------------------- Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). --------------------------------------------- https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-w… ∗∗∗ Ransomware HybridPetya hebelt UEFI Secure Boot aus ∗∗∗ --------------------------------------------- ESET Research hat HybridPetya auf der Sample-Sharing-Plattform VirusTotal entdeckt. Es handelt sich um einen Nachahmer der berüchtigten Petya/NotPetya-Malware, der zusätzlich die Fähigkeit besitzt, UEFI-basierte Systeme zu kompromittieren und CVE-2024-7344 als Waffe einzusetzen, um UEFI Secure Boot auf veralteten Systemen zu umgehen. --------------------------------------------- https://www.welivesecurity.com/de/eset-research/ransomware-hybridpetya-hebe… ∗∗∗ Myth Busting: Why "Innocent Clicks" Dont Exist in Cybersecurity ∗∗∗ --------------------------------------------- Unit 42 explores how innocent clicks can have serious repercussions. Learn how simply visiting a malicious site can expose users to significant digital dangers. --------------------------------------------- https://unit42.paloaltonetworks.com/why-innocent-clicks-dont-exist-in-cyber… ∗∗∗ Der npm-Angriff geht weiter – "Wurm" infiziert Pakete ∗∗∗ --------------------------------------------- Der Lieferkettenangriff auf ein npm-Entwicklerkonto und 18 kompromittierten Paketen schien glimpflich ausgegangen zu sein. Jetzt wird bekannt, dass die Angriffe (über ein anderes Konto) weitergehen und eine selbstreplizierende Malware (Shai-Hulud) bereits mehr als 500 npm-Pakete infiziert hat. --------------------------------------------- https://www.borncity.com/blog/2025/09/17/der-npm-angriff-geht-weiter-wurm-i… ∗∗∗ PyPI Token Exfiltration Campaign via GitHub Actions Workflows ∗∗∗ --------------------------------------------- I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens. PyPI was not compromised, and no PyPI packages were published by the attackers. --------------------------------------------- https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/ ∗∗∗ Ongoing Supply Chain Attack Targets CrowdStrike npm Packages ∗∗∗ --------------------------------------------- Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Halud" supply chain attack that has now impacted nearly 500 packages. --------------------------------------------- https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm… ∗∗∗ Microsoft: Office 2016 and Office 2019 reach end of support next month ∗∗∗ --------------------------------------------- Microsoft reminded customers again this week that Office 2016 and Office 2019 will reach the end of extended support in less than 30 days, on October 14, 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2016-and-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict). --------------------------------------------- https://lwn.net/Articles/1038453/ ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released eight Industrial Control Systems (ICS) advisories on September 16, 2025. The following products are affected, Schneider Electric Altivar Products, Schneider Electric ATVdPAC Module, Schneider Electric ILC992 InterLink Converter, Schneider Electric Galaxy VS, Schneider Electric Galaxy VL, Schneider Electric Galaxy VXL, Hitachi Energy RTU500 Series, Siemens SIMATIC NET CP, Siemens SINEMA, Siemens SCALANCE, Siemens RUGGEDCOM, Siemens SINEC NMS, Siemens Industrial Products (OpenSSL Vulnerability), Siemens Multiple Industrial Products and Delta Electronics DIALink. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/16/cisa-releases-eight-indu… ∗∗∗ CVE-2025-9708: Kubernetes C# Client, improper certificate validation in custom CA mode may lead to man-in-the-middle attacks ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/134063 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 16.09.2025
by Daily end-of-shift report 16 Sep '25

16 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 15-09-2025 18:00 − Dienstag 16-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Neuer NPM-Großangriff: Selbst-vermehrende Malware infiziert Dutzende Pakete ∗∗∗ --------------------------------------------- Verschiedene IT-Sicherheitsunternehmen warnen vor neuen Angriffen auf das npm-Ökosystem rund um node.js. Mehrere Dutzend Pakete (mindestens 40, in einem Bericht gar an die 150) sind mit einer Malware infiziert, die geheime Daten stiehlt und über einen Webhook ausleitet. Zudem repliziert sich die Schadsoftware selbsttätig – und ist somit ein Wurm. [..] Unklar ist noch, wo der Angriff begann – einen klaren "Patient Null" nennen die drei analysierenden Unternehmen nicht. [..] JavaScript-Entwickler und insbesondere die Verwalter von auf npm gehosteten Paketen sollten größte Vorsicht walten lassen und die umfangreiche Liste infizierter Pakete konsultieren. --------------------------------------------- https://heise.de/-10651111 ∗∗∗ Apple backports zero-day patches to older iPhones and iPads ∗∗∗ --------------------------------------------- Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-pat… ∗∗∗ Patchstatus unklar: Angreifer attackieren Fertigungsmanagementtool DELMIA Apriso ∗∗∗ --------------------------------------------- DELMIA Apriso ist eine Manufacturing-Operations-Management-Software (MOM) und ein Manufacturing Execution System (MES) [..] Der Anbieter der Software, Dassault Systèmes, erwähnte die Sicherheitslücke (CVE-2025-5086 "kritisch") bereits im Juni dieses Jahres in einer äußerst knapp formulierten Warnmeldung. [..] Anfang September warnte nun ein Sicherheitsforscher des SANS-Institut Internet Strom Center in einem Beitrag vor Exploitversuchen. [..] Unklar bleibt auch, ob es einen Sicherheitspatch gibt. --------------------------------------------- https://www.heise.de/news/Patchstatus-unklar-Attacken-auf-Fertigungsmanagem… ∗∗∗ IServ: Schullösung mit Schwäche inbegriffen? ∗∗∗ --------------------------------------------- Am 8. September 2025 ist jemandem aufgefallen, dass das Web-Frontend des IServ-Schul-Servers der IServ GmbH eine "Benutzeraufzählung" im weitesten Sinne ermöglicht. Gibt jemand den Namen einer Person an der IServ-Anmeldeseite einer Schule ein, und versucht er eine Anmeldung, ohne das Passwort zu kennen, schlägt diese Anmeldung natürlich fehl. Noch ist also alles im grünen Bereich, da dieser Anmeldeversuch abgewiesen wird. Das Problem liegt darin, dass sich die Antworten dieser fehlgeschlagenen Anmeldeversuche unterscheiden, nachdem, ob das Benutzerkonto existiert oder nicht und hängt angeblich noch von anderen Bedingungen ab. --------------------------------------------- https://www.borncity.com/blog/2025/09/16/iserve-schulloesung-mit-schwaeche-… ∗∗∗ Microsoft: Exchange 2016 and 2019 reach end of support in 30 days ∗∗∗ --------------------------------------------- Microsoft has reminded administrators again that Exchange 2016 and Exchange 2019 will reach the end of extended support next month and has provided guidance for decommissioning outdated servers. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and… ∗∗∗ Phoenix: Neue Rowhammer-Variante verleiht Angreifern Root-Rechte ∗∗∗ --------------------------------------------- Forscher von Google und der ETH Zürich haben eine neue Variante des Rowhammer-Angriffs vorgestellt. Sie betrifft auch moderne DDR5-RAM-Module, die eigentlich vor entsprechenden Attacken geschützt sein sollten. [..] Die Phoenix genannte Angriffstechnik greift laut Informationsseite der Entdecker(öffnet im neuen Fenster) auf eine Schwachstelle bei den Rowhammer-Abwehrmaßnahmen zurück, die bestimmte Refresh-Intervalle des Speichers nicht abdecken. --------------------------------------------- https://www.golem.de/news/phoenix-neue-rowhammer-variante-verleiht-angreife… ∗∗∗ RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT ∗∗∗ --------------------------------------------- Kaspersky GReAT expert takes a closer look at the RevengeHotels threat actors new campaign, including AI-generated scripts, targeted phishing, and VenomRAT. --------------------------------------------- https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-la… ∗∗∗ New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html ∗∗∗ SmokeLoader Rises From the Ashes ∗∗∗ --------------------------------------------- Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. [..] In May 2024, Operation Endgame, an international collaboration between law enforcement and private industry (which included Zscaler ThreatLabz) dismantled numerous instances of SmokeLoader and remotely removed the malware from infected systems. [..] ThreatLabz has identified two new SmokeLoader versions that are being used by multiple threat groups. --------------------------------------------- https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim). --------------------------------------------- https://lwn.net/Articles/1038325/ ∗∗∗ Spring Security and Spring Framework Release Fixes for CVE-2025-41248 and CVE-2025-41249 ∗∗∗ --------------------------------------------- https://spring.io/blog/2025/09/15/spring-framework-and-spring-security-fixe… ∗∗∗ LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover ∗∗∗ --------------------------------------------- https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass… ∗∗∗ Mozilla Security Advisories September 16, 2025 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ TYPO3-EXT-SA-2025-013: Vulnerability in bundled package in extension "Base Excel" (base_excel) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-013 ∗∗∗ TYPO3-EXT-SA-2025-012: Cross-Site Scripting in extension "Form to Database" (form_to_database) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-012 ∗∗∗ Synology-SA-25:11 Safe Access ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 15.09.2025
by Daily end-of-shift report 15 Sep '25

15 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-09-2025 18:00 − Montag 15-09-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft reminds of Windows 10 support ending in 30 days ∗∗∗ --------------------------------------------- On Friday, Microsoft reminded customers once again that Windows 10 will reach its end of support in 30 days, on October 14. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-reminds-of-window… ∗∗∗ Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers ∗∗∗ --------------------------------------------- Kaspersky experts discuss the Model Context Protocol used for AI integration. We describe the MCPs architecture, attack vectors and follow a proof of concept to see how it can be abused. --------------------------------------------- https://securelist.com/model-context-protocol-for-ai-integration-abused-in-… ∗∗∗ A Cyberattack Victim Notification Framework ∗∗∗ --------------------------------------------- When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. --------------------------------------------- https://www.schneier.com/blog/archives/2025/09/a-cyberattack-victim-notific… ∗∗∗ Lawsuit About WhatsApp Security ∗∗∗ --------------------------------------------- Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. --------------------------------------------- https://www.schneier.com/blog/archives/2025/09/lawsuit-about-whatsapp-secur… ∗∗∗ FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks ∗∗∗ --------------------------------------------- The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations Salesforce platforms via different initial access mechanisms," the FBI said. --------------------------------------------- https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html ∗∗∗ All your vulns are belong to us! CISA wants to maintain gov control of CVE program ∗∗∗ --------------------------------------------- Get ready for a fight over who steers the global standard for vulnerability identification The Cybersecurity and Infrastructure Security Agency (CISA) nearly let the Common Vulnerabilities and Exposures (CVE) program lapse earlier this year, but a new "vision" document it released this week signals that it now wants more control over the global standard for vulnerability identification. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/12/cisas_vision… ∗∗∗ Docker Image Security – Teil 2: Minimale und sichere Docker Images ∗∗∗ --------------------------------------------- Distroless Images reduzieren Paketgrößen drastisch, indem sie unnötige Komponenten wie Bash und Paketmanager weglassen. Das erhöht Performance und Sicherheit. --------------------------------------------- https://www.heise.de/hintergrund/Docker-Image-Security-Teil-2-Minimale-und-… ∗∗∗ Cyberkriminelle: "Scattered Lapsus$ Hunters" haben keine Lust mehr ∗∗∗ --------------------------------------------- Die Bande machte zuletzt durch Cyberangriffe auf Jaguar und Marks & Spencer von sich reden, die immense Schäden verursachten. Nicht alle halten die Füße still. --------------------------------------------- https://www.heise.de/news/Cybergang-Scattered-Lapsus-Hunters-kuendigt-Absch… ∗∗∗ Angreifer können IT-Sicherheitslösung IBM QRadar SIEM lahmlegen ∗∗∗ --------------------------------------------- Verschiedene Komponenten in IBMs IT-Sicherheitslösung QRadar SIEM sind verwundbar. Nutzen Angreifer die Schwachstellen erfolgreich aus, können sie unter anderem DoS-Zustände erzeugen, sodass Dienste abstürzen. Fällt dadurch der eigentlich durch die Anwendung versprochene Schutz weg, kann das fatale Folgen haben. --------------------------------------------- https://www.heise.de/news/Angreifer-koennen-IT-Sicherheitsloesung-IBM-QRada… ∗∗∗ Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain ∗∗∗ --------------------------------------------- Effective OAuth token management is crucial for supply chain security, preventing breaches caused by dormant integrations, insecure storage or lack of rotation. --------------------------------------------- https://unit42.paloaltonetworks.com/third-party-supply-chain-token-manageme… ∗∗∗ npm-Hack: Angreifer schauen weitgehend in die Röhre ∗∗∗ --------------------------------------------- Es war zwar ein Desaster im Hinblick auf die Kompromittierung einer Lieferkette – der Hack eines npm-Entwicklerkontos samt Injektion von Schadcode. Der Angreifer scheint aber mit ziemlich leeren Händen aus der Sache rausgegangen zu sein – er soll, je nach Quelle zwischen 65 und 600 US-Dollar an Kryptogeld gestohlen haben. --------------------------------------------- https://www.borncity.com/blog/2025/09/14/npm-hack-angreifer-schauen-weitgeh… ∗∗∗ New VoidProxy Phishing Service Bypasses MFA on Microsoft and Google Accounts ∗∗∗ --------------------------------------------- Okta Threat Intelligence exposes VoidProxy, a new PhaaS platform. Learn how this advanced service uses the Adversary-in-the-Middle technique to bypass MFA and how to protect yourself from attacks targeting Microsoft and Google accounts. --------------------------------------------- https://hackread.com/voidproxy-phishing-service-bypasses-mfa-microsoft-goog… ∗∗∗ Qrator Labs Mitigated Record L7 DDoS Attack from 5.76M-Device Botnet ∗∗∗ --------------------------------------------- Qrator Labs blocked a record L7 DDoS attack from a 5.76M-device botnet targeting government systems, showing rapid global growth since March. --------------------------------------------- https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/ ∗∗∗ 600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet ∗∗∗ --------------------------------------------- Hackers leaked 600 GB of data linked to the Great Firewall of China, exposing documents, code, and operations. Full details available on the GFW Report. --------------------------------------------- https://hackread.com/great-firewall-of-china-data-published-largest-leak/ ∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗ --------------------------------------------- FortiGuard Labs’ network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs). --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/shadowsilk-data-exfiltration ∗∗∗ Phishing campaign targeting crates.io users ∗∗∗ --------------------------------------------- We received multiple reports of a phishing campaign targeting crates.io users (from the rustfoundation.dev domain name), mentioning a compromise of our infrastructure and asking users to authenticate to limit damage to their crates. --------------------------------------------- https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/ ∗∗∗ The Internet Coup ∗∗∗ --------------------------------------------- A Technical Analysis on How a Chinese Company is Exporting The Great Firewall to Autocratic Regimes. --------------------------------------------- https://interseclab.org/research/the-internet-coup/ ===================== = Vulnerabilities = ===================== ∗∗∗ Lücke in Microsoft Agentic AI und Visual Studio kann Schadcode passieren lassen ∗∗∗ --------------------------------------------- Angreifer können an einer Schwachstelle in Microsoft Agentic AI und Visual Studio ansetzen. Klappt eine Attacke, können sie Schadcode ausführen und Systeme mit hoher Wahrscheinlichkeit vollständig kompromittieren. Ein Sicherheitsupdate steht zum Download bereit. --------------------------------------------- https://www.heise.de/news/Schadcode-Schlupfloch-in-Microsoft-Agentic-AI-und… ∗∗∗ Jetzt patchen! Attacken auf Android-Smartphones von Samsung beobachtet ∗∗∗ --------------------------------------------- Derzeit nutzen Angreifer eine Sicherheitslücke in Samsung-Smarthpones mit Android 13, 14, 15 und 16 aus. Darüber kann Schadcode auf Geräte gelangen. Ein Sicherheitspatch ist für ausgewählte Geräte verfügbar. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Android-Smartphones-vo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen). --------------------------------------------- https://lwn.net/Articles/1038231/ ∗∗∗ CVE-2025-58434: Critical FlowiseAI Flaw Enables Full Account Takeover ∗∗∗ --------------------------------------------- A severe security vulnerability has been discovered in FlowiseAI, an open-source AI workflow automation tool, exposing users to the risk of complete account compromise. Tracked as CVE-2025-58434, this vulnerability affects both the cloud-hosted version of FlowiseAI and self-hosted deployments that expose the relevant API endpoints. --------------------------------------------- https://thecyberexpress.com/cve-2025-58434/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 12.09.2025
by Daily end-of-shift report 12 Sep '25

12 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-09-2025 18:00 − Freitag 12-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Panama Ministry of Economy discloses breach claimed by INC ransomware ∗∗∗ --------------------------------------------- Panama's Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack. The government noted that it activated the security procedures for these situations, stating that the incident has been contained and didn't impact core systems that are vital to its operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/panama-ministry-of-economy-d… ∗∗∗ Vidar Infostealer Back with a Vengeance ∗∗∗ --------------------------------------------- The long-running Vidar infostealer has evolved with new obfuscation techniques. That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks. First tracked in late 2018, Vidar is an infostealer that enables affiliates to grab credentials, operating system details, cookies, sensitive financial data, various authentication tokens, and more from compromised environments. --------------------------------------------- https://www.darkreading.com/endpoint-security/vidar-infostealer-back-with-v… ∗∗∗ Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence ∗∗∗ --------------------------------------------- U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called "gross cybersecurity negligence" that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks. --------------------------------------------- https://thehackernews.com/2025/09/senator-wyden-urges-ftc-to-probe.html ∗∗∗ New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year. --------------------------------------------- https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html ∗∗∗ Apple Warns French Users of Fourth Spyware Campaign in 2025, CERT-FR Confirms ∗∗∗ --------------------------------------------- Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly-targeted attacks. --------------------------------------------- https://thehackernews.com/2025/09/apple-warns-french-users-of-fourth.html ∗∗∗ Huntresss hilarious attacker surveillance splits infosec community ∗∗∗ --------------------------------------------- Security outfit Huntress has been forced onto the defensive after its latest research – described by senior staff as "hilarious" – split opinion across the cybersecurity community. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/12/huntress_att… ∗∗∗ Bulletproof Host Stark Industries Evades EU Sanctions ∗∗∗ --------------------------------------------- In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers. --------------------------------------------- https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evade… ∗∗∗ Swiss government looks to undercut privacy tech, stoking fears of mass surveillance ∗∗∗ --------------------------------------------- The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption. --------------------------------------------- https://therecord.media/switzerland-digital-privacy-law-proton-privacy-surv… ∗∗∗ Wurden Router-URLs sphairon.box und zyxel.box gekapert? ∗∗∗ --------------------------------------------- Ich stelle mal ein Thema hier in den Blog, das mir jetzt von zwei Lesern gemeldet wurde und mich an einen alten Vorfall bei AVM zur fritz.box-URL erinnert. Es sieht so aus, dass die von Routern (Zyxel, Sphairon) zum Zugriff auf die Router-Funktionen verwendeten URLs sphairon.box und zyxel.box durch registrierte Domains gekapert wurden. Die Zielseiten sind als "malicious" einzustufen. --------------------------------------------- https://www.borncity.com/blog/2025/09/12/wurden-router-urls-sphairon-box-un… ∗∗∗ EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks ∗∗∗ --------------------------------------------- Combining AI-generated code and social engineering, EvilAI operators are executing a rapidly expanding campaign, disguising their malware as legitimate applications to bypass security, steal credentials, and persistently compromise organizations worldwide. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/evilai.html ∗∗∗ Muck Stealer Malware Used Alongside Phishing in New Attack Waves ∗∗∗ --------------------------------------------- A new report from Cofense reveals that cybercriminals are blending phishing and malware, including Muck Stealer, Info Stealer, ConnectWise RAT, and SimpleHelp RAT in dual-threat attacks, making them harder to defend against. --------------------------------------------- https://hackread.com/muck-stealer-malware-phishing-new-attack-waves/ ∗∗∗ Social Engineering & KI: Cyberkriminelle rekrutieren im Darknet ∗∗∗ --------------------------------------------- Cyberkriminelle suchen im Darknet verstärkt nach Experten für Social Engineering und KI. Ein Hinweis darauf, auf welche Bedrohungen Firmen achten sollten. --------------------------------------------- https://heise.de/-10642617 ∗∗∗ ChillyHell macOS Backdoor Resurfaces ∗∗∗ --------------------------------------------- In 2025, cybersecurity researchers uncovered a deeply concerning threat targeting macOS systems called ChillyHell—a modular backdoor malware that had managed to fly under the radar for years by cleverly abusing macOS security mechanisms and Apple’s own notarization process. --------------------------------------------- https://thecyberthrone.in/2025/09/11/chillyhell-macos-backdoor-resurfaces/ ===================== = Vulnerabilities = ===================== ∗∗∗ Samsung patches actively exploited zero-day reported by WhatsApp ∗∗∗ --------------------------------------------- Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exp… ∗∗∗ Jetzt patchen! Erneut Attacken auf SonicWall-Firewalls beobachtet ∗∗∗ --------------------------------------------- Die "kritische" Sicherheitslücke (CVE-2024-40766) ist seit August vergangenen Jahres bekannt. Wiederholt ist die Schwachstelle in bestimmten Firewalls von SonicWall im Visier von Angreifern. Sicherheitsupdates sind bereits seit rund einem Jahr verfügbar, aber offensichtlich weiterhin nicht flächendeckend installiert. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Erneut-Attacken-auf-SonicWall-Firew… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu). --------------------------------------------- https://lwn.net/Articles/1037919/ ∗∗∗ CISA Releases Eleven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-releases-eleven-ind… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 11.09.2025
by Daily end-of-shift report 11 Sep '25

11 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-09-2025 18:00 − Donnerstag 11-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ New VMScape attack breaks guest-host isolation on AMD, Intel CPUs ∗∗∗ --------------------------------------------- A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-vmscape-attack-breaks-gu… ∗∗∗ K2 Think AI Model Jailbroken Mere Hours After Release ∗∗∗ --------------------------------------------- Researchers discovered that measures designed to make AI more transparent to users and regulators can also make it easier for bad actors to abuse. --------------------------------------------- https://www.darkreading.com/application-security/k2-think-llm-jailbroken ∗∗∗ Ordner öffnen reicht: Beliebter KI-Code-Editor führt automatisch Schadcode aus ∗∗∗ --------------------------------------------- Wer den KI-Code-Editor Cursor verwendet, sollte beim Öffnen fremder Repos vorsichtig sein. Es kann unbemerkt Malware ausgeführt werden. --------------------------------------------- https://www.golem.de/news/ordner-oeffnen-reicht-beliebter-ki-code-editor-fu… ∗∗∗ Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles. --------------------------------------------- https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html ∗∗∗ Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacks ∗∗∗ --------------------------------------------- Affiliates of the Akira ransomware gang are again exploiting a critical SonicWall vulnerability abused last summer, after a suspected zero-day flaw actually turned out to be related to a year-old bug. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/10/akira_ransom… ∗∗∗ Beijing went to EggStreme lengths to attack Philippines military, researchers say ∗∗∗ --------------------------------------------- ‘EggStreme’ framework looks like the sort of thing Beijing would find handy in its ongoing territorial beefs Infosec outfit Bitdefender says it’s spotted a strain of in-memory malware that looks like the work of Chinese advanced persistent threat groups that wanted to achieve persistent access at a “military company” in the Philippines. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/11/eggstreme_ma… ∗∗∗ Technical Analysis of kkRAT ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, which has been active since early May 2025. The campaign delivers three types of malware: ValleyRAT, FatalRAT, and a new Remote Access Trojan (RAT) that ThreatLabz named kkRAT. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat ∗∗∗ The Great NPM Heist – September 2025 ∗∗∗ --------------------------------------------- On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer’s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages. --------------------------------------------- https://blog.checkpoint.com/crypto/the-great-npm-heist-september-2025/ ∗∗∗ Global Cyber Threats August 2025: Agriculture in the Crosshairs ∗∗∗ --------------------------------------------- In August 2025, the global cyber threat landscape presented a complex interplay of stability and alarming new challenges. Organizations around the world confronted an average of nearly 2,000 cyber attacks each week—a slight 1% decrease from July but a stark 10% rise compared to the same month last year. --------------------------------------------- https://blog.checkpoint.com/research/global-cyber-threats-august-2025-agric… ∗∗∗ How the Infamous APT 1 Report Exposing China’s PLA Hackers Came to Be ∗∗∗ --------------------------------------------- This is the first in a series of pieces I’ll publish that take an in-depth look at significant events, people and cases in security and surveillance from the past. --------------------------------------------- https://www.zetter-zeroday.com/how-the-infamous-apt-1-report-exposing-china… ∗∗∗ CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic ∗∗∗ --------------------------------------------- The CyberVolk ransomware, which first emerged in May 2024, has been launching attacks on public institutions and key infrastructures of various countries, posing a continuous threat. The ransomware is particularly notable for its pro-Russia nature, as it primarily targets anti-Russian countries, making it a geopolitically significant cyber threat. --------------------------------------------- https://asec.ahnlab.com/en/90077/ ∗∗∗ Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis ∗∗∗ --------------------------------------------- BlackNevas has been continuously launching ransomware attacks against companies in various industries and countries, including South Korea. This post provides a technical analysis on the characteristics, encryption methods, and reasons why BlackNevas encrypts files in a way that makes them impossible to decrypt. --------------------------------------------- https://asec.ahnlab.com/en/90080/ ∗∗∗ New Fileless Malware Attack Uses AsyncRAT for Credential Theft ∗∗∗ --------------------------------------------- LevelBlue Labs reports AsyncRAT delivered through a fileless attack chain using ScreenConnect, enabling credential theft and persistence. --------------------------------------------- https://hackread.com/fileless-malware-attack-asyncrat-credential-theft/ ∗∗∗ CISA Presents Vision for the Common Vulnerabilities and Exposures (CVE) Program ∗∗∗ --------------------------------------------- Agency Unveils Upcoming Program Enhancements: Strengthening Partnerships, Modernization, Transparency and Elevating Data Quality and Responsiveness. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-presents-vision-common-vulnerabi… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IOS XR ARP Broadcast Storm Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of service (DoS) condition on an affected device. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware ∗∗∗ --------------------------------------------- The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. --------------------------------------------- https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2). --------------------------------------------- https://lwn.net/Articles/1037777/ ∗∗∗ Unauthentifizierte SQL Injection Schwachstelle im Shibboleth Service Provider (SP) (ODBC Interface) ∗∗∗ --------------------------------------------- SEC Consult hat eine unauthentifizierte SQL-Injection-Schwachstelle im Shibboleth Service Provider (SP) in der ODBC Schnittstelle identifiziert, die ein Angreifer ausnutzen könnte, um beliebige Datensätze aus der Datenbank mit den Rechten des Datenbankbenutzers auszulesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/unauthentifizierte-sq… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 10.09.2025
by Daily end-of-shift report 10 Sep '25

10 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-09-2025 18:00 − Mittwoch 10-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Phishing im Namen der WKO: Sensible Daten im Visier ∗∗∗ --------------------------------------------- Kriminelle kopieren aktuell eine echte E-Mail-Nachricht der Wirtschaftskammer Österreich. Über ein angehängtes HTML-Dokument wollen sie Ihre Opfer auf ein Fake-Portal locken und dort sensible Daten erbeuten. Wir zeigen Ihnen, woran Sie den Betrugsversuch erkennen können. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-wko/ ∗∗∗ You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819) ∗∗∗ --------------------------------------------- Today, inside this hellscape we call the Internet, a mean person has discovered a zero-day(s) in FreePBX (now lovingly called CVE-2025-57819). But they didn’t stop there - the dastardly individual(s) then proceeded to exploit FreePBX hosts en-masse. [..] Today, we are publishing our Detection Artefact Generator which you can find here. --------------------------------------------- https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phon… ∗∗∗ US Investment in Spyware Is Skyrocketing ∗∗∗ --------------------------------------------- A new report warns that the number of US investors in powerful commercial spyware rose sharply in 2024 and names new countries linked to the dangerous technology. --------------------------------------------- https://www.wired.com/story/us-spyware-investment/ ∗∗∗ CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. --------------------------------------------- https://thehackernews.com/2025/09/chillyhell-macos-backdoor-and-zynorrat.ht… ∗∗∗ Pwn My Ride: Exploring the CarPlay Attack Surface ∗∗∗ --------------------------------------------- At the recent DefCon conference, we had the opportunity to present Pwn My Ride, a comprehensive exploration of the Apple CarPlay attack surface. With vehicles becoming increasingly connected, the security of in-car systems like CarPlay is critical. --------------------------------------------- https://www.oligo.security/blog/pwn-my-ride-exploring-the-carplay-attack-su… ∗∗∗ Kerberoasting ∗∗∗ --------------------------------------------- These “Kerberoasting” attacks have been around for ages: the technique and name is credited to Tim Medin who presented it in 2014 (and many popular blogs followed up on it) but the vulnerabilities themselves are much older. [..] I’ll bet most Windows people already know this stuff, but I only happened to learn about it today, after seeing a letter from Senator Wyden to Microsoft, describing how this vulnerability was used in the May 2024 ransomware attack on the Ascension Health hospital system. --------------------------------------------- https://blog.cryptographyengineering.com/2025/09/10/kerberoasting/ ∗∗∗ New Linux Botnet Combines Cryptomining and DDoS Attacks ∗∗∗ --------------------------------------------- Cyble threat intelligence researchers have identified a sophisticated Linux botnet built for cryptocurrency mining, remote command execution, and dozens of DDoS attack types. Cyble Research and Intelligence Labs (CRIL) researchers have dubbed the campaign “Luno.” --------------------------------------------- https://thecyberexpress.com/linux-botnet-combines-cryptomining-and-ddos/ ∗∗∗ Apple Introduces Memory Integrity Enforcement in iPhone 17 to Fight Spyware Exploits ∗∗∗ --------------------------------------------- Apple has introduced Memory Integrity Enforcement (MIE), a system-wide security feature designed to crush one of the most persistent threats to iPhone users—that of Spyware. The company describes MIE as “the most significant upgrade to memory safety in the history of consumer operating systems.” --------------------------------------------- https://thecyberexpress.com/memory-integrity-enforcement-in-iphone-17/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days ∗∗∗ --------------------------------------------- Today is Microsofts September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities. [..] The two publicly disclosed zero-days are: CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability [..] CVE-2024-21907 - VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-pa… ∗∗∗ Patchday Adobe: Lücken in Acrobat & Co. können Schadcode auf PCs lassen ∗∗∗ --------------------------------------------- Auflistung der Sicherheitspatches: Acrobat and Reader, After Effects, ColdFusion, Commerce, Dreamweaver, Experience Manager, Premiere Pro, Substance 3D Modeler, Substance 3D Viewer --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Luecken-in-Acrobat-Co-koennen-Scha… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28). --------------------------------------------- https://lwn.net/Articles/1037471/ ∗∗∗ CISA Releases Fourteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-252-01 Rockwell Automation ThinManager, ICSA-25-252-02 ABB Cylon Aspect BMS/BAS, ICSA-25-252-03 Rockwell Automation Stratix IOS, ICSA-25-252-04 Rockwell Automation FactoryTalk Optix, ICSA-25-252-05 Rockwell Automation FactoryTalk Activation Manager, ICSA-25-252-06 Rockwell Automation CompactLogix® 5480, ICSA-25-252-07 Rockwell Automation ControlLogix 5580, ICSA-25-252-08 Rockwell Automation Analytics LogixAI, ICSA-25-252-09 Rockwell Automation 1783-NATR --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/09/cisa-releases-fourteen-i… ∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 09.09.2025
by Daily end-of-shift report 09 Sep '25

09 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 08-09-2025 18:00 − Dienstag 09-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ TOR-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. Akamai, which discovered the latest activity last month, said its designed to block other actors from accessing the Docker API from the internet. --------------------------------------------- https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.ht… ∗∗∗ GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies ∗∗∗ --------------------------------------------- Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. Its currently not known how the digital intruders gained access to the GitHub account. --------------------------------------------- https://thehackernews.com/2025/09/github-account-compromise-led-to.html ∗∗∗ RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities ∗∗∗ --------------------------------------------- A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud. --------------------------------------------- https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.h… ∗∗∗ Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks ∗∗∗ --------------------------------------------- Threat actors are abusing HTTP client tools like Axios in conjunction with Microsofts Direct Send feature to form a "highly efficient attack pipeline" in recent phishing campaigns, according to new findings from ReliaQuest. --------------------------------------------- https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html ∗∗∗ Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data ∗∗∗ --------------------------------------------- Silent Push has identified dozens of previously unreported domains, all aiming to obtain long-term, stealthy access to targeted organizations, used by the Chinese APT group, Salt Typhoon, along with some related People’s Republic of China (PRC) state-backed threat actors. --------------------------------------------- https://www.silentpush.com/blog/salt-typhoon-2025/ ∗∗∗ BSI warnt: "Digitale Angriffsflächen im Automobilsektor wachsen rasant" ∗∗∗ --------------------------------------------- Digitale Dienste, Over-the-Air-Updates, KI und vernetzte Steuergeräte prägen Fahrzeugarchitekturen, weiß das BSI. Hersteller und Ausrüster müssten vorsorgen. --------------------------------------------- https://www.heise.de/news/BSI-warnt-Digitale-Angriffsflaechen-im-Automobils… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17). --------------------------------------------- https://lwn.net/Articles/1037308/ ∗∗∗ Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed ∗∗∗ --------------------------------------------- An analysis of the Gentlemen ransomware group, which employs advanced, adaptive tactics, techniques, and procedure to target critical industries worldwide. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-rans… ∗∗∗ Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware ∗∗∗ --------------------------------------------- Hackers exploit a Sitecore zero-day (CVE-2025-53690) to deploy WEEPSTEEL Malware via ViewState attacks, enabling Remote Code Execution (RCE). --------------------------------------------- https://hackread.com/zero-day-sitecore-exploited-deploy-weepsteel-malware/ ∗∗∗ OpenAI Paper: Halluzinationen offenbar unumgänglich ∗∗∗ --------------------------------------------- In einem neuen, wissenschaftlichen Paper, das OpenAI veröffentlicht hat, geht es um Halluzinationen. Das sind falsche Informationen und Zusammenhänge, die Large Language Models (LLMs) und damit auch KI-Chatbots ausgeben. Alle KI-Unternehmen arbeiten daran, Halluzinationen möglichst gering zu halten. Sie ganz auszuschalten, scheint hingegen unmöglich. Das schreibt nun auch OpenAI selbst. --------------------------------------------- https://heise.de/-10637744 ∗∗∗ LockBit Attempts Comeback with LockBit 5.0 Ransomware Release ∗∗∗ --------------------------------------------- LockBit was once the most feared ransomware group until global law enforcement action sent the group into decline last year. Now the threat group hopes to mount a comeback with LockBit 5.0. --------------------------------------------- https://thecyberexpress.com/lockbit-5-0-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe patches critical SessionReaper flaw in Magento eCommerce platform ∗∗∗ --------------------------------------------- Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers call SessionReaper and describe as one of " the most severe" flaws in the history of the product. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessi… ∗∗∗ Populäre JavaScript Pakete manipuliert ∗∗∗ --------------------------------------------- Eine Reihe populärer JavaScript Pakete wurde kürzlich manipuliert um Krypotwährungstransaktionen zu manipulieren. Ursache dieses Supply-Chain-Angriffs scheint eine erfolgreiche Phishing Attacke gegen den Maintainer dieser Pakete und dessen NPM Konto gewesen zu sein. Manipulierte Versionen der betroffenen Pakete wurden bereits zurückgezogen. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/9/populare-javascript-pakete-manipuli… ∗∗∗ September 2025 Security Update ∗∗∗ --------------------------------------------- Ivanti is disclosing vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access. --------------------------------------------- https://www.ivanti.com/blog/september-2025-security-update ∗∗∗ SAP Security Patch Day – September 2025 ∗∗∗ --------------------------------------------- SAP has released its September 2025 security patch package containing 26 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 10.0, four High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, S/4HANA, SAP HCM, Business Planning and Consolidation, Commerce Cloud, and SAP Business One. --------------------------------------------- https://redrays.io/blog/sap-security-patch-day-september-2025/ ∗∗∗ VU#461364: Hiawatha open-source web server has multiple vulnerabilities ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/461364 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 08.09.2025
by Daily end-of-shift report 08 Sep '25

08 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-09-2025 18:00 − Montag 08-09-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ iCloud Calendar abused to send phishing emails from Apple’s servers ∗∗∗ --------------------------------------------- iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple's email servers, making them more likely to bypass spam filters to land in targets' inboxes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/icloud-calendar-abused-to-se… ∗∗∗ Fraunhofer SIT gibt auf: Die Volksverschlüsselung wird eingestellt ∗∗∗ --------------------------------------------- Die Volksverschlüsselung, eine gemeinsame Initiative des Fraunhofer-Instituts für Sichere Informationstechnologie (SIT) und der Deutschen Telekom, wird nach rund zehnjährigem Bestehen zum 31. Januar 2026 eingestellt. Das geht aus einer Mitteilung auf der zugehörigen Webseite(öffnet im neuen Fenster) hervor. Ziel der Volksverschlüsselung war es, Ende-zu-Ende-verschlüsselte Kommunikation benutzerfreundlicher zu machen. Doch das Projekt stieß schon zum Start auf Kritik. --------------------------------------------- https://www.golem.de/news/fraunhofer-sit-gibt-auf-die-volksverschluesselung… ∗∗∗ Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test ∗∗∗ --------------------------------------------- A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. --------------------------------------------- https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html ∗∗∗ GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure. --------------------------------------------- https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html ∗∗∗ Netflix-Phishing-Mail im Umlauf ∗∗∗ --------------------------------------------- Derzeit kursiert eine E-Mail, die angeblich von Netflix stammt. Darin wird behauptet, eine Aktualisierung der Kontodaten sei erforderlich. Andernfalls würden 8,99 € fällig und der Zugang würde eingeschränkt werden. Vorsicht: Es handelt sich um eine Fälschung! Die Nachricht führt auf eine Phishing-Website, über die Kriminelle versuchen, Kontodaten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/netflix-phishing-mail-im-umlauf-1/ ∗∗∗ Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs ∗∗∗ --------------------------------------------- The intrusion began in September 2024 with a download of a malicious file mimicking the EarthTime application by DeskSoft. Upon execution, SectopRAT was deployed which opened a connection to its command and control (C2) infrastructure. The threat actor established persistence by relocating the malicious file and placing a shortcut in the Startup folder, configured to trigger on user logon. They further elevated access by creating a new local account and assigning it local administrative privileges. --------------------------------------------- https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-con… ∗∗∗ GhostAction Attack Steals 3,325 Secrets from GitHub Projects ∗∗∗ --------------------------------------------- On September 2, 2025, a GitHub user known as Grommash9 committed a new workflow file to the FastUUID project. The file, labelled “Github Actions Security,” appeared similar to routine automation scripts but was later found to contain malicious code designed to collect CI/CD secrets and send them to an external server. --------------------------------------------- https://hackread.com/ghostaction-attack-steals-github-projects-secrets/ ∗∗∗ Lazarus Group Deploys Malware With ClickFix Scam in Fake Job Interviews ∗∗∗ --------------------------------------------- A recent investigation by SentinelLABS and internet intelligence platform Validin reveals that North Korean threat actors behind the Contagious Interview campaign are actively abusing public cybersecurity platforms like Validin, Maltrail, and VirusTotal to improve their malicious activities. --------------------------------------------- https://hackread.com/lazarus-group-malware-clickfix-scam-fake-job-interview/ ∗∗∗ MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access ∗∗∗ --------------------------------------------- FortiGuard Labs recently discovered a phishing campaign that employs multiple advanced evasion techniques. These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing Command and Control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools to grant attackers complete control over the compromised system. --------------------------------------------- https://feeds.fortinet.com/~/924516446/0/fortinet/blogs~MostereRAT-Deployed… ∗∗∗ Ecovacs Deebot: Angreifer können beliebigen Code einschleusen ∗∗∗ --------------------------------------------- Schwachstellenbeschreibungen vom Wochenende erörtern teils hochriskante Sicherheitslücken in Staubsaugerrobotern aus dem Hause Ecovacs. Für die betroffenen Deebot-Modelle stehen bereits seit einiger Zeit Updates bereit, die die Sicherheitslecks abdichten. Besitzer sollten sicherstellen, die Basisstationen und Saugroboter auf den aktuellen Stand zu bringen. --------------------------------------------- https://heise.de/-10636233 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy). --------------------------------------------- https://lwn.net/Articles/1037157/ ∗∗∗ RICOH Streamline NX vulnerable to tampering with operation history ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN75307484/ ∗∗∗ CVE-2025-8699: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft "Stored Value" Unattended Payment Solution ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-e… ∗∗∗ Beckhoff Security Advisory 2025-001: CVE-2025-41701 ∗∗∗ --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 05.09.2025
by Daily end-of-shift report 05 Sep '25

05 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-09-2025 18:00 − Freitag 05-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. ∗∗∗ --------------------------------------------- Everything to know about the mishap that threatened to expose millions of users queries. --------------------------------------------- https://arstechnica.com/information-technology/2025/09/the-number-of-mis-is… ∗∗∗ Max severity Argo CD API flaw leaks repository credentials ∗∗∗ --------------------------------------------- An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project. --------------------------------------------- https://www.bleepingcomputer.com/news/security/max-severity-argo-cd-api-fla… ∗∗∗ Seit Mai 2024 bekannt: TP-Link bestätigt Zero-Day-Lücke in Archer-Routern ∗∗∗ --------------------------------------------- Es sind auch hierzulande angebotene TP-Link-Modelle betroffen. Angreifer können unter Umständen aus der Ferne Schadcode einschleusen. --------------------------------------------- https://www.golem.de/news/seit-mai-2024-bekannt-tp-link-bestaetigt-zero-day… ∗∗∗ IT threat evolution in Q2 2025. Mobile statistics ∗∗∗ --------------------------------------------- The report contains statistics on mobile threats (malware, adware, and unwanted software for Android) for Q2 2025, as well as a description of the most notable malware types identified during the reporting period. --------------------------------------------- https://securelist.com/malware-report-q2-2025-mobile-statistics/117349/ ∗∗∗ IT threat evolution in Q2 2025. Non-mobile statistics ∗∗∗ --------------------------------------------- The report presents statistics for Windows, macOS, IoT, and other threats, including ransomware, miners, local and web-based threats, for Q2 2025. --------------------------------------------- https://securelist.com/malware-report-q2-2025-pc-iot-statistics/117421/ ∗∗∗ SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild ∗∗∗ --------------------------------------------- A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild.The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of .. --------------------------------------------- https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html ∗∗∗ Schwachstellen: KI- und Netzwerktechnik von Nvidia ist angreifbar ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen Lücken in unter anderem Nvidias KI-Plattformen DGX und HGX. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-Nvidia-KI-und-Netzwerktechnik-… ∗∗∗ Stealerium-Malware macht heimlich Webcam-Fotos für Erpressung ∗∗∗ --------------------------------------------- Die frei verfügbare Malware Stealerium erkennt Pornokonsum und fertigt heimlich Webcam-Aufnahmen an. Cyberkriminelle nutzen die Fotos für Erpressung. --------------------------------------------- https://www.heise.de/news/Malware-fotografiert-Nutzer-heimlich-bei-Porno-Ko… ∗∗∗ Cyberattack forces Jaguar Land Rover to tell staff to stay at home ∗∗∗ --------------------------------------------- Luxury automaker Jaguar Land Rover says employees should stay home through the weekend as it works to mitigate the impact of a cyberattack. --------------------------------------------- https://therecord.media/jaguar-land-rover-cyberattack-workers-stay-home ∗∗∗ SEO fraud-as-a-service scheme hijacks Windows servers to promote gambling websites ∗∗∗ --------------------------------------------- A malware campaign dubbed GhostRedirector by researchers at ESET attempts to compromise websites to drive traffic to gambling sites. --------------------------------------------- https://therecord.media/seo-scheme-windows-malware-gambling-sites-ghostredi… ∗∗∗ Scammers Exploit Grok AI With Video Ad Scam to Push Malware on X ∗∗∗ --------------------------------------------- Researchers at Guardio Labs have uncovered a new “Grokking” scam where attackers trick Grok AI into spreading malicious… --------------------------------------------- https://hackread.com/scammers-exploit-grok-ai-video-ad-scam-x-malware/ ∗∗∗ Microsoft erzwingt mehr Multifaktorauthentifizierung ∗∗∗ --------------------------------------------- Microsoft aktualisiert die Pläne für "Phase 2" der erzwungenen Multifaktorauthentifizierung für Azure. Am 1.10. sind mehr Dienste fällig. --------------------------------------------- https://heise.de/-10633932 ∗∗∗ Czechia Warns of Chinese Data Transfers and Remote Administration for Espionage ∗∗∗ --------------------------------------------- Czechia’s national cybersecurity watchdog has issued a warning about foreign cyber operations, focussed on Chinese data transfers and remote administration, urging both government bodies and private businesses to bolster defenses amid rising espionage campaigns tied to China and Russia. The alert, published this week by the National Cyber and I.. --------------------------------------------- https://thecyberexpress.com/czechia-warns-of-chinese-data-transfer/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin). --------------------------------------------- https://lwn.net/Articles/1036907/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 04.09.2025
by Daily end-of-shift report 04 Sep '25

04 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-09-2025 18:00 − Donnerstag 04-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet ∗∗∗ --------------------------------------------- The three certificates were issued in May but only came to light Wednesday. --------------------------------------------- https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-… ∗∗∗ Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn ∗∗∗ --------------------------------------------- A new specimen of “infostealer” malware offers a disturbing feature: It monitors a targets browser for NSFW content, then takes simultaneous screenshots and webcam photos of the victim. --------------------------------------------- https://www.wired.com/story/stealerium-infostealer-porn-sextortion/ ∗∗∗ Serientäter bekennen sich zu IT-Angriff auf Jaguar Land Rover ∗∗∗ --------------------------------------------- Drei britische Verbrecherbanden haben sich offenbar zusammengetan. Sie prahlen mit der IT-Attacke auf Jaguar Land Rover. --------------------------------------------- https://www.heise.de/news/Serientaeter-bekennen-sich-zu-IT-Angriff-auf-Jagu… ∗∗∗ Kritische Infrastrukturen: Attacken auf industrielle Kontrollsysteme möglich ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für industrielle Kontrollsysteme von unter anderem Hitachi erschienen. Ein Patch steht aber noch aus. --------------------------------------------- https://www.heise.de/news/Kritische-Infrastrukturen-Attacken-auf-industriel… ∗∗∗ TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts ∗∗∗ --------------------------------------------- The Quad7 botnet is adding End-of-Life TP-Link routers to its arsenal and using them to steal Microsoft 365 accounts. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/09/tp-link-warns-of-botnet-infe… ∗∗∗ Microsoft-Support-Betrug: Phishing-Falle statt Online-Hilfe ∗∗∗ --------------------------------------------- Drängt ein Pop-up-Fenster zu einem Anruf bei der Microsoft-Helpline, ist allerhöchste Vorsicht angesagt! Hinter der Aufforderung warten nämlich keine IT-Expert:innen darauf, bei Computerproblemen weiterzuhelfen. Vielmehr wollen Kriminelle auf diesem Weg Zugriff auf das Konto ihrer Opfer bekommen. --------------------------------------------- https://www.watchlist-internet.at/news/microsoft-support-betrug/ ∗∗∗ Scattered Lapsus$ Hunters Demand Google Fire Security Experts or Face Data Leak ∗∗∗ --------------------------------------------- Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, Austin Larsen of Google’s Threat Intelligence Group and Charles Carmakal of Mandiant, be fired or they will leak alleged stolen Google data. --------------------------------------------- https://hackread.com/scattered-lapsus-hunters-google-fire-experts-data-leak/ ∗∗∗ 25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming ∗∗∗ --------------------------------------------- GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August including more than 25,000 unique IPs in a single burst. This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day. --------------------------------------------- https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices ∗∗∗ ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) ∗∗∗ --------------------------------------------- In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. An attacker leveraged the exposed ASP.NET machine keys to perform remote code .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserial… ∗∗∗ Cookie Chaos: How to bypass __Host and __Secure cookie prefixes ∗∗∗ --------------------------------------------- Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and .. --------------------------------------------- https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure… ∗∗∗ Linux Kernel SMB 0-Day Vulnerability CVE-2025-37899 Uncovered Using ChatGPT o3 ∗∗∗ --------------------------------------------- For the first time, a zero-day vulnerability in the Linux kernel has been discovered using a large language model, OpenAI’s o3. Discovered by security researcher Sean Heelan and assigned .. --------------------------------------------- https://www.upwind.io/feed/linux-kernel-smb-0-day-vulnerability-cve-2025-37… ∗∗∗ s1ngularitys Aftermath: AI, TTPs, and Impact in the Nx Supply Chain Attack ∗∗∗ --------------------------------------------- A deeper look at the Nx supply chain attack: analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation. --------------------------------------------- https://www.wiz.io/blog/s1ngularitys-aftermath ∗∗∗ Nx Investigation Reveals GitHub Actions Workflow Exploit Led to npm Token Theft, Prompting Switch to Trusted Publishing ∗∗∗ --------------------------------------------- On August 26, 2025, the JavaScript ecosystem witnessed a watershed moment in supply chain security. The popular Nx build system, with over 4.6 million weekly downloads, fell victim to an attack that stole thousands of credentials and pioneered a disturbing new technique: weaponizing AI developer tools for scaling reconnaissance and data theft.The Nx team .. --------------------------------------------- https://socket.dev/blog/nx-supply-chain-attack-investigation-github-actions… ∗∗∗ Exploit development for IBM i ∗∗∗ --------------------------------------------- At TROOPERS24, we demonstrated how IBM i systems – still widely used in enterprise environments – can be compromised in both authenticated and unauthenticated scenarios, using only built-in services and a basic understanding of the underlying mechanisms. Despite being labeled “legacy,” these systems remain active in finance, logistics, and manufacturing, often handling critical workloads with little attention paid to their security posture. --------------------------------------------- https://blog.silentsignal.eu/2025/09/04/Exploit-development-for-IBM-i/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 03.09.2025
by Daily end-of-shift report 03 Sep '25

03 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-09-2025 18:00 − Mittwoch 03-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers breach fintech firm in attempted $130M bank heist ∗∗∗ --------------------------------------------- Hackers tried to steal $130 million from Evertecs Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central banks real-time payment system (Pix). --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-fintech-firm-… ∗∗∗ What Is a Passkey? Here’s How to Set Up and Use Them (2025) ∗∗∗ --------------------------------------------- Passkeys were built to enable a password-free future. Heres what they are and how you can start using them. --------------------------------------------- https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/ ∗∗∗ Patchday: Kritische Schadcode-Lücke bedroht Android 15 und 16 ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Sicherheitslücken in verschiedenen Android-Versionen. --------------------------------------------- https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-bedroht-Andro… ∗∗∗ Phishing-Alarm: FinanzOnline droht nicht mit der Pfändung des Hausrats! ∗∗∗ --------------------------------------------- Eine höchst aktuelle Phishing-Welle im Namen von FinanzOnline sorgt für große Verunsicherung. Die zentrale Drohung: Pfändung des Hausrats durch den Gerichtsvollzieher! Klingt besorgniserregend, ist in Wahrheit aber nichts anderes als ein Betrugsversuch. Wir erklären, .. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-finanzonline-pfaendun… ∗∗∗ Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust ∗∗∗ --------------------------------------------- Model namespace reuse is a potential security risk in the AI supply chain. Attackers can misuse platforms like Hugging Face for remote code execution. --------------------------------------------- https://unit42.paloaltonetworks.com/model-namespace-reuse/ ∗∗∗ Digitale Souveränität: Cloud Edition. ∗∗∗ --------------------------------------------- Das erratische Verhalten der aktuellen US-Regierung hat die Sorgen um die Abhängigkeit Europas von den großen US-Cloudbetreibern verstärkt. In der EU haben sowohl die Kommission als auch das Parlament Dokumente zu diesem Thema vorgelegt, heuer hat die Kommission bereits um Ideen zu einem Cloud and AI Development Act gebeten. Auch in Deutschland .. --------------------------------------------- https://www.cert.at/de/blog/2025/9/digitale-souveranitat-cloud-edition ∗∗∗ Cloudflare, Zscaler among companies impacted by Salesloft Drift incident ∗∗∗ --------------------------------------------- Multiple tech firms have publicly detailed how incidents involving the third-party Salesloft Drift tool have exposed customer data. --------------------------------------------- https://therecord.media/salesloft-drift-breach-cloudflare-zscaler-palo-alto… ∗∗∗ Corruption case against ousted cyber chief is ‘revenge,’ Ukraine’s security service says ∗∗∗ --------------------------------------------- Ukraine’s security service is accusing the country’s anti-corruption agencies of seeking “revenge” by bringing charges against Illia Vitiuk, the former head of the agency’s cybersecurity unit. --------------------------------------------- https://therecord.media/corruption-case-against-ousted-cyber ∗∗∗ Cloudflare Mitigates Largest Ever Recorded DDoS Attack at 11.5 Tbps ∗∗∗ --------------------------------------------- Cloudflare mitigated the largest DDoS attack ever recorded, an 11.5 Tbps flood that lasted 35 seconds without disrupting… --------------------------------------------- https://hackread.com/cloudflare-mitigates-largest-ddos-attack-11-5-tbps/ ∗∗∗ CISA, NSA and 19 International Partners Release Shared Vision of Software Bill of Materials for Cybersecurity Guide ∗∗∗ --------------------------------------------- CISA, NSA, and 19 international partners release a shared vision of Software Bill of Materials (SBOM) highlighting the importance of SBOM in securing global supply chains & enhancing software resilience worldwide. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-nsa-and-19-international-partner… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, .. --------------------------------------------- https://lwn.net/Articles/1036567/ ∗∗∗ Vulnerability & Patch Roundup — August 2025 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2025/08/vulnerability-patch-roundup-august-2025.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 02.09.2025
by Daily end-of-shift report 02 Sep '25

02 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 01-09-2025 18:00 − Dienstag 02-09-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zscaler data breach exposes customer info after Salesloft Drift compromise ∗∗∗ --------------------------------------------- In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers' information. [..] This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data. [..] The company stresses that the data breach only impacts its Salesforce instance and no Zscaler products, services, or infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-… ∗∗∗ Stolen OAuth tokens expose Palo Alto customer data ∗∗∗ --------------------------------------------- Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/02/stolen_oauth… ∗∗∗ No, Google did not warn 2.5 billion Gmail users to reset passwords ∗∗∗ --------------------------------------------- This is just the latest such story, which numerous news websites and cybersecurity companies have reported without verification in recent years. [..] However, as the company explained on a Monday blog post addressing these inaccurate stories, "Gmail's protections are strong and effective, and claims of a major Gmail security warning are false." --------------------------------------------- https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-… ∗∗∗ Badges, behavior, and BMS: Why the human perimeter matters in energy cybersecurity ∗∗∗ --------------------------------------------- Over the summer, a hacker brought a 158-year-old European technology company to its knees with a guessed password. By identifying a weak admin credential, the attacker gained access to internal systems and extracted sensitive information, laying the groundwork for a broader ransomware campaign. [..] Energy cybersecurity is not just about software protection —it’s also about managing human interaction and physical access to critical infrastructure. [..] Even the most secure system in the world won’t help if someone holds the door open for the wrong person. --------------------------------------------- https://blog.se.com/digital-transformation/cybersecurity/2025/09/01/badges-… ∗∗∗ Cookies and how to bake them: what they are for, associated risks, and what session hijacking has to do with it ∗∗∗ --------------------------------------------- Kaspersky experts explain the different types of cookies, how to configure them correctly, and how to protect yourself from session hijacking attacks. --------------------------------------------- https://securelist.com/cookies-and-session-hijacking/117390/ ∗∗∗ A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years, (Tue, Sep 2nd) ∗∗∗ --------------------------------------------- What can almost 2,000 sextortion messages tell us about how threat actors operate and whether they are successful? [..] The use of specific cryptocurrency addresses in sextortion messages seems to be fairly short-lived. Approximately 46% of the addresses in the dataset were only used for a single day [..] the average requested amount was 1,716 USD, with a median of 1,370 USD [..] Of the 205 cryptocurrency addresses in our dataset, only 57 (~28%) didn’t receive any payment at all, while the remaining addresses did. --------------------------------------------- https://isc.sans.edu/diary/rss/32252 ∗∗∗ Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec. --------------------------------------------- https://thehackernews.com/2025/09/ukrainian-network-fdn3-launches-massive.h… ∗∗∗ Achtung, Bitpanda-Phishing: Krypto-Guthaben in Gefahr! ∗∗∗ --------------------------------------------- Kriminelle versenden SMS-Nachrichten und warnen vor einem angeblichen Login auf das Bitpanda-Konto des Opfers. Sie liefern außerdem eine Telefonnummer mit, bei der man sich zur Klärung melden solle. Am anderen warten allerdings die Betrüger:innen – und die haben es auf Krypto-Assets abgesehen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-bitpanda-phishing-krypto/ ===================== = Vulnerabilities = ===================== ∗∗∗ Heimautomatisierung: ESPHome-Lücke erlaubt volle Kompromittierung ∗∗∗ --------------------------------------------- In der ESP-IDF-Plattform der ESPHome-Firmwarebasis führt eine nun entdeckte Sicherheitslücke dazu, dass Angreifer eine Authentifizierung umgehen können. Das ermöglicht ihnen sogar, eigene Firmware auf verwundbare Controller zu verfrachten. [..] Ein neuer Schwachstelleneintrag vom Montag dieser Woche erörtert die Sicherheitslücke in der Firmware. [..] (CVE-2025-57808 / noch kein EUVD, CVSS 8.1, Risiko "hoch") --------------------------------------------- https://www.heise.de/news/Heimautomatisierung-ESPHome-Luecke-erlaubt-volle-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/1036369/ ∗∗∗ TYPO3-EXT-SA-2025-011: Command Injection in extension "TYPO3 Backup Plus" (ns_backup) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-011 ∗∗∗ Delta Electronics EIP Builder ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-01 ∗∗∗ SunPower PVS6 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-03 ∗∗∗ Fuji Electric FRENIC-Loader 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 01.09.2025
by Daily end-of-shift report 01 Sep '25

01 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-08-2025 18:00 − Montag 01-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Transparenz und Kommunikation: BSI rät indirekt von weiterer Paypal-Nutzung ab ∗∗∗ --------------------------------------------- Was passiert mit den Daten, werden bei Ausfällen Gründe genannt? Ohne Paypal zu nennen, ruft das BSI auf, nicht nur nach der Usability auszuwählen. --------------------------------------------- https://www.golem.de/news/transparenz-und-kommunikation-bsi-raet-indirekt-v… ∗∗∗ AWS warnt: Russische Hacker bei Attacken auf Microsoft-Nutzer erwischt ∗∗∗ --------------------------------------------- Die berüchtigte Hackergruppe APT29 soll bestehende Webseiten mit Schadcode verseucht haben, um an die Microsoft-Konten der Besucher zu gelangen. --------------------------------------------- https://www.golem.de/news/aws-warnt-russische-hacker-bei-attacken-auf-micro… ∗∗∗ Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling ∗∗∗ --------------------------------------------- Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes. --------------------------------------------- https://thehackernews.com/2025/08/attackers-abuse-velociraptor-forensic.html ∗∗∗ Traffic to government domains often crosses national borders, or flows through risky bottlenecks ∗∗∗ --------------------------------------------- Sites at yourcountry.gov may also not bother with HTTPs Internet traffic to government domains often flows across borders, relies on a worryingly small number of network connections, or does not require encryption, according to new research. --------------------------------------------- https://www.theregister.com/2025/09/01/isoc_government_domain_traffic_measu… ∗∗∗ SSA Whistleblower’s Resignation Email Mysteriously Disappeared From Inboxes ∗∗∗ --------------------------------------------- Less than 30 minutes after the Social Security Administration’s chief data officer resigned following a whistleblower complaint, recipients could no longer access the resignation email. --------------------------------------------- https://www.wired.com/story/charles-borges-resignation-email-disappearance/ ∗∗∗ Hintertür-Bericht: Britische Regierung will Vollzugriff auf iCloud ∗∗∗ --------------------------------------------- Noch immer ist nicht final entschieden, ob Apple britischen Strafverfolgern Zugriff auf iCloud geben muss. Nun wurde die ganze Datenbreite bekannt. --------------------------------------------- https://www.heise.de/news/Hintertuer-Bericht-Britische-Regierung-will-Vollz… ∗∗∗ Nach Kritik: Ameos Kliniken wollen proaktiv über Datenleak informieren ∗∗∗ --------------------------------------------- Nach einem erfolgreichen Cyberangriff hatte der Klinikkonzern Ameos ein Auskunftsformular bereitgestellt. Nach Kritik wurde selbiges jetzt geändert. --------------------------------------------- https://www.heise.de/news/Ameos-Kliniken-Nach-IT-Angriff-steht-Auskunftsfor… ∗∗∗ IT-Infrastruktur des Innenministeriums "gezielt und professionell" gehackt ∗∗∗ --------------------------------------------- Polizeiliche Daten oder Anwendungen sollen nach eigenen Angaben nicht betroffen sein. Der Angriff fand vor einigen Wochen statt, wurde aber erst jetzt kommuniziert. --------------------------------------------- https://www.derstandard.at/story/3000000285630/cyberangriff-auf-it-infrastr… ∗∗∗ Sweden scrambles after ransomware attack puts sensitive worker data at risk ∗∗∗ --------------------------------------------- Municipal government organisations across Sweden have found themselves impacted after a ransomware attack at a third-party software service supplier. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/sweden-scrambles-afte… ∗∗∗ Merkwürdige Spam-Mail; Accenture gehackt? ∗∗∗ --------------------------------------------- Ein Blog-Leser hat mich vor einigen Tage darauf hingewiesen, dass er eine merkwürdige Spam-Mail bekam, die von einer Accenture-Domain verschickt wurde. Inzwischen ist die Domain nicht mehr erreichbar – was die Frage nach dem Hintergrund aufwirft. --------------------------------------------- https://www.borncity.com/blog/2025/08/31/accenture-gehackt-merkwuerdige-phi… ∗∗∗ Starker Anstieg der Cyberangriffe auf den Bildungssektor ∗∗∗ --------------------------------------------- Sicherheitsanbieter Check Point warnt vor einem starken Anstieg von Cyber-Angriffen im Bildungssektor: Weltweit um 41 Prozent, in Deutschland sogar plus 56 Prozent. Bildungseinrichtungen verzeichnen im Schnitt mehr als 4300 Angriffe pro Woche, getrieben von saisonalen Phishing-Kampagnen zum Schul- und Semesterstart. --------------------------------------------- https://www.borncity.com/blog/2025/08/31/starker-anstieg-der-cyberangriffe-… ∗∗∗ PromptLock: Erste KI-gestützte Malware von ESET entdeckt ∗∗∗ --------------------------------------------- ESET-Sicherheitsforscher haben die ihrer Meinung nach "erste bekannte KI-gestützte Ransomware" mit dem Namen PromptLock entdeckt. --------------------------------------------- https://www.borncity.com/blog/2025/08/31/promptlock-erste-ki-gestuetzte-mal… ∗∗∗ Citrix Netscaler backdoors — Part One — May 2025 activity against governments ∗∗∗ --------------------------------------------- This is a follow up post to the prior one, part of a series looking at different Netscaler vulnerabilities that have been exploited in the wild as zero days. --------------------------------------------- https://doublepulsar.com/citrix-netscaler-backdoors-part-one-may-2025-activ… ∗∗∗ 8 Malicious NPM Packages Stole Chrome User Data on Windows ∗∗∗ --------------------------------------------- JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser users on Windows. The attack highlights a growing threat to developers. --------------------------------------------- https://hackread.com/malicious-npm-packages-stole-chrome-user-data-windows/ ∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗ --------------------------------------------- Update (August 28) Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo… ∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗ --------------------------------------------- Nearly three dozen organizations across Central Asia and the Asia-Pacific region, predominantly government agencies, have been compromised in data exfiltration campaigns attributed to the Russian and Chinese-speaking threat group known as ShadowSilk, according to Group-IB. --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6190 ∗∗∗ Vishing: So gelingt der Angriff per Telefon selbst auf Großunternehmen ∗∗∗ --------------------------------------------- Auf der Def Con konnte man sich live ansehen, wie Vishing funktioniert. Erstaunlich oft ergattern Angreifer per Telefon selbst wichtigste Firmeninformationen. --------------------------------------------- https://heise.de/-10625451 ∗∗∗ A16-FuseBypass: Debug Logic Enabled on Production Apple Silicon ∗∗∗ --------------------------------------------- This repository documents a critical hardware-level vulnerability in the Apple A16 Bionic chip used in iPhone 14 Pro Max and related devices. --------------------------------------------- https://github.com/JGoyd/A16-FuseBypass ∗∗∗ KernelSnitch: Side-Channel Attacks on Kernel Data Structures ∗∗∗ --------------------------------------------- In this paper, we present a novel generic software side-channel attack, KernelSnitch, targeting kernel data structures such as hash tables and trees. --------------------------------------------- https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf ∗∗∗ Client-side RCE via CSS Injection in Google Web Designer for Windows ∗∗∗ --------------------------------------------- After my recent discovery of two client-side remote code execution vulnerabilities in Google Web Designer (previously disclosed in my articles earlier this year: CVE-2025-1079, CVE-2025-4613), in April 2025 I've found yet another serious issue in the app. --------------------------------------------- https://balintmagyar.com/articles/google-web-designer-css-injection-client-… ∗∗∗ Passkeys are incompatible with open-source software ∗∗∗ --------------------------------------------- After reading more of the spec authors’ comments on open-source Passkey implementations, I cannot support this tech. In addition to what I covered at the bottom of this blog post, I found more instances where the spec authors have expressed positions that are incompatible with open-source software and user freedom. --------------------------------------------- https://www.smokingonabike.com/2025/01/04/passkey-marketing-is-lying-to-you/ ∗∗∗ Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions ∗∗∗ --------------------------------------------- Socket’s Threat Research Team identified a malicious npm package, nodejs-smtp, that impersonates the popular email library nodemailer, which averages roughly 3.9 million weekly downloads, while implanting code into desktop cryptocurrency wallets on Windows. --------------------------------------------- https://socket.dev/blog/wallet-draining-npm-package-impersonates-nodemailer ∗∗∗ The CISO’s Codex – Leo and the Laws of Security ∗∗∗ --------------------------------------------- A a storytelling approach to cybersecurity, where a new CISO named Leo guides his company through foundational security models like Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, and Graham-Denning/HRU. --------------------------------------------- https://thecyberthrone.in/2025/08/30/the-cisos-codex-leo-and-the-laws-of-se… ∗∗∗ Nevada Faces Unprecedented Ransomware Attack ∗∗∗ --------------------------------------------- On August 24, 2025, Nevada made headlines as the victim of a historic cyberattack that forced a near-total shutdown of state government operations. --------------------------------------------- https://thecyberthrone.in/2025/08/31/nevada-faces-unprecedented-ransomware-… ===================== = Vulnerabilities = ===================== ∗∗∗ IT-Sicherheitslösung Acronis Cyber Protect Cloud Agent ist verwundbar ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt eine Schwachstelle in Acronis Cyber Protect Cloud Agent. --------------------------------------------- https://www.heise.de/news/IT-Sicherheitsloesung-Acronis-Cyber-Protect-Cloud… ∗∗∗ Qnap: Teils hochriskante Lücken in QTS und QuTS hero geschlossen ∗∗∗ --------------------------------------------- Aktualisierungen für die QTS- und QuTS-hero-Firmwares von Qnap-Geräten schließen als hochriskant eingestuft Sicherheitslücken. --------------------------------------------- https://www.heise.de/news/Qnap-Update-schliesst-teils-hochriskante-Luecken-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7). --------------------------------------------- https://lwn.net/Articles/1036084/ ∗∗∗ Authenticated Attackers Could Exploit IBM Watsonx Vulnerability to Access Sensitive Data ∗∗∗ --------------------------------------------- A newly disclosed security vulnerability, tracked as CVE-2025-0165, has been reported, specifically concerning the users of the IBM Watsonx Orchestrate Cartridge within the IBM Cloud Pak for Data platform. --------------------------------------------- https://thecyberexpress.com/decoding-cve-2025-0165-flaw/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily