- Daily - CERT.at

Tageszusammenfassung - 26.05.2025
by Daily end-of-shift report 26 May '25

26 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-05-2025 18:00 − Montag 26-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying ∗∗∗ --------------------------------------------- An example of how a single malware operation can enable both criminal and state-sponsored hacking. --------------------------------------------- https://arstechnica.com/security/2025/05/feds-charge-16-russians-allegedly-… ∗∗∗ Gitlab Duo: Versteckter Kommentar lässt KI-Tool privaten Code leaken ∗∗∗ --------------------------------------------- Gitlab Duo hatte zuletzt ernste Sicherheitsprobleme. Angreifer konnten privaten Quellcode abgreifen oder Schadcode in fremde Softwareprojekte einschleusen. --------------------------------------------- https://www.golem.de/news/gitlab-duo-versteckter-kommentar-laesst-ki-tool-p… ∗∗∗ Fake Google Meet Page Tricks Users into Running PowerShell Malware ∗∗∗ --------------------------------------------- Last month, a customer reached out to us after noticing suspicious URLs on their WordPress site. Visitors reported being prompted to perform unusual actions.We began our investigation, scanning the site for common .. --------------------------------------------- https://blog.sucuri.net/2025/05/fake-google-meet-page-tricks-users-into-run… ∗∗∗ Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique ∗∗∗ --------------------------------------------- The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector."The ClickFix technique is particularly risky because it allows the malware to execute in memory .. --------------------------------------------- https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.h… ∗∗∗ Operation Endgame 2: 15 Millionen E-Mail-Adressen und 43 Millionen Passwörter ∗∗∗ --------------------------------------------- Bei "Operation Endgame 2.0" kamen viele Millionen Adressen und Passwörter von Opfern ans Licht. Have I Been Pwned hat sie aufgenommen. --------------------------------------------- https://www.heise.de/news/Operation-Endgame-2-15-Millionen-E-Mail-Adressen-… ∗∗∗ Neuer Lieferkettenangriff mit bösartigen Skripten in npm-Paketen ∗∗∗ --------------------------------------------- Ein neuer Angriff auf die Lieferkette bedroht Workstations und CI-Umgebungen. Das bösartige Skript spioniert interne Daten für weitere Attacken aus. --------------------------------------------- https://www.heise.de/news/Neuer-Lieferkettenangriff-mit-boesartigen-Skripte… ∗∗∗ Kriminelle Gruppe "Careto" angeblich von spanischer Regierung gelenkt ∗∗∗ --------------------------------------------- Nicht nur China und Russland steuern Cybergangs. Ehemalige Kaspersky-Mitarbeiter behaupten, die Bande "Careto" werde von Spanien gelenkt. --------------------------------------------- https://www.heise.de/news/Kriminelle-Gruppe-Careto-angeblich-von-spanischer… ∗∗∗ Hacker bietet 1,2 Milliarden Facebook-Nutzerdaten im Darknet – ist es ein Fake? ∗∗∗ --------------------------------------------- Gab es ein neues Datenleck bei Meta-Tochter Facebook? Ein Hacker behauptet 1,2 Milliarden Facebook-Nutzerdaten über eine API abgezogen zu haben und bietet diese im Darknet zum Kauf an. Es gibt aber Zweifel, ob diese Daten neu sind. --------------------------------------------- https://www.borncity.com/blog/2025/05/23/hacker-bietet-12-milliarden-facebo… ∗∗∗ Offensive Threat Intelligence ∗∗∗ --------------------------------------------- CTI isn’t just for blue teams. Used properly, it sharpens red team tradecraft, aligns ops to real-world threats, and exposes blind spots defenders often miss. It’s not about knowing threats, it’s about becoming them long enough to help others beat them. --------------------------------------------- https://blog.zsec.uk/offensive-cti/ ∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗ --------------------------------------------- AhnLab and the National Cyber Security Center (NCSC) have released a report that details the activities of the TA-ShadowCricket group from 2023 to the present. --------------------------------------------- https://asec.ahnlab.com/en/88137/ ∗∗∗ ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks ∗∗∗ --------------------------------------------- Cofense Intelligences May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat. --------------------------------------------- https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/ ∗∗∗ BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover ∗∗∗ --------------------------------------------- Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any… --------------------------------------------- https://hackread.com/badsuccessor-exploits-windows-server-2025-takeover/ ∗∗∗ How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation ∗∗∗ --------------------------------------------- In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API – no scaffolding, no agentic frameworks, no tool use. --------------------------------------------- https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-re… ∗∗∗ Bypassing MTE with CVE-2025-0072 ∗∗∗ --------------------------------------------- In this post, I’ll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled. --------------------------------------------- https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-… ∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗ --------------------------------------------- In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally .. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5924-1 intel-microcode - security update ∗∗∗ --------------------------------------------- This update ships updated CPU microcode for some types of Intel CPUs. Inparticular it provides mitigations for the Indirect Target Selection(ITS) vulnerability (CVE-2024-28956) and the Branch Privilege Injectionvulnerability (CVE-2024-45332).For CPUs affected to ITS (Indirect Target Selection), to fully mitigatethe vulnerability it is also necessary to .. --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00087.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2025
by Daily end-of-shift report 23 May '25

23 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-05-2025 18:00 − Freitag 23-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TikTok videos now push infostealer malware in ClickFix attacks ∗∗∗ --------------------------------------------- As Trend Micro recently discovered, the threat actors behind this TikTok social engineering campaign are using videos likely generated using AI that ask viewers to run commands claiming to activate Windows and Microsoft Office, as well as premium features in various legitimate software like CapCut and Spotify. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infos… ∗∗∗ FBI warns of Luna Moth extortion attacks targeting law firms ∗∗∗ --------------------------------------------- The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks. Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022 and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-luna-moth-extor… ∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗ --------------------------------------------- In this blog post, we get to the heart of the matter, the actual security of the Windows Registry. I'd like to talk about what made a feature that was initially meant to be just a quick test of my fuzzing infrastructure draw me into manual research for the next 1.5 ~ 2 years, and result in Microsoft fixing (so far) 53 CVEs. I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate, and some considerations on effective fuzzing and where more bugs might still be lurking. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu… ∗∗∗ GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. --------------------------------------------- https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html ∗∗∗ ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network. --------------------------------------------- https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html ∗∗∗ Oops: DanaBot Malware Devs Infected Their Own PCs ∗∗∗ --------------------------------------------- The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware. --------------------------------------------- https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-thei… ∗∗∗ Fake-Geburtstagsgeschenk: Abofalle im Namen von Rituals im Umlauf ∗∗∗ --------------------------------------------- Derzeit sind betrügerische E-Mails im Umlauf, die angeblich von Rituals stammen. Sie versprechen eine luxuriöse Geburtstags-Geschenkbox zum Sonderpreis von nur zwei Euro. Doch Vorsicht: Hinter dem scheinbar großzügigen Angebot verbirgt sich keine echte Überraschung, sondern eine teure Abofalle! --------------------------------------------- https://www.watchlist-internet.at/news/fake-geburtstagsgeschenk-abofalle-im… ∗∗∗ Sicherheitsrisiko AD-Verwaltung und Gruppe Authenticated Users ∗∗∗ --------------------------------------------- Ein Blog-Leser hat mich die Tage auf ein möglicherweise bei einigen Active Directory-Systemen bestehende Sicherheitsrisiko hingewiesen. Sind in der Active-Directory-Gruppe Authenticated Users externe Konten enthalten, könnten Freigaben interner Dienste (Drucker etc.) ungewollt externen Nutzern offen stehen. --------------------------------------------- https://www.borncity.com/blog/2025/05/22/sicherheitsrisiko-ad-verwaltung-un… ∗∗∗ Information Leakage Caused by DB Client Tool ∗∗∗ --------------------------------------------- In recent breach incidents, threat actors have been observed not only accessing systems, but also directly querying internal databases and stealing sensitive information. Particularly, more threat actors are installing DB client tools directly on targeted systems to exfiltrate data, and legitimate tools such as DBeaver, Navicat, and sqlcmd are being used in this process. --------------------------------------------- https://asec.ahnlab.com/en/88134/ ∗∗∗ Scarcity signals: Are rare activities red flags? ∗∗∗ --------------------------------------------- Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones. --------------------------------------------- https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red… ∗∗∗ Operation Endgame 2.0: 20 Haftbefehle, Hunderte Server außer Gefecht gesetzt ∗∗∗ --------------------------------------------- Internationale Strafverfolger gehen weiter gegen Malware-Autoren vor. Im Rahmen der "Operation Endgame 2.0" haben die Sicherheitsbehörden aus Deutschland – das BKA und die Generalstaatsanwaltschaft Frankfurt am Main – die Cyberkriminellen nun empfindlich getroffen. Allein in Deutschland nahmen die Behörden 50 Server vom Netz, 650 Domains sind nicht mehr unter der Kontrolle der Cybergangster. --------------------------------------------- https://heise.de/-10394215 ∗∗∗ Fault Injection-Angriffe auf die Mikrocontroller nRF54L15 und STM32L051 (SYSS-2025-022/-033) ∗∗∗ --------------------------------------------- Der Begriff "Fault Injection" bezeichnet eine Klasse von Schwachstellen, bei denen Angreifende gezielt versuchen, Fehlerzustände in Systemen zu erzeugen. Diese Fehlerzustände führen dabei zu abnormalem Verhalten der Systeme und können ausgenutzt werden, um Sicherheitsbeschränkungen zu umgehen. So ist es beispielsweise möglich, kryptografische Schlüssel zu extrahieren oder Lesebeschränkungen von internen Datenspeichern zu umgehen. --------------------------------------------- https://www.syss.de/pentest-blog/fault-injection-angriffe-auf-die-mikrocont… ===================== = Vulnerabilities = ===================== ∗∗∗ 2025-05-22: Cyber Security Advisory - ASPECT advisory several CVEs ∗∗∗ --------------------------------------------- Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&Lan… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dotnet9.0, dropbear, ghostscript, nbdkit, openssh, python-watchfiles, rpm-ostree, yelp, yelp-xsl, and zsync), Oracle (firefox and kernel), Red Hat (osbuild-composer), Slackware (aaa_glibc and mozilla), SUSE (chromedriver, open-vm-tools, postgresql14, python-cryptography, and thunderbird), and Ubuntu (linux-aws, linux-hwe-5.4, python, and sqlite3). --------------------------------------------- https://lwn.net/Articles/1022352/ ∗∗∗ Infoblox NetMRI is vulnerable to CVE-2024-54188 ∗∗∗ --------------------------------------------- https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE… ∗∗∗ [R1] Tenable Network Monitor Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-10 ∗∗∗ Lantronix Device Installer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01 ∗∗∗ Rockwell Automation FactoryTalk Historian ThingWorx ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.05.2025
by Daily end-of-shift report 22 May '25

22 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-05-2025 18:00 − Donnerstag 22-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Strafverfolger beschlagnahmen Lumma Stealer-Infrastruktur (Mai 2025) ∗∗∗ --------------------------------------------- In einer koordinierten Aktion haben US-Strafverfolger die Infrastruktur (C & C-Server) des Lumma-Infostealers beschlagnahmt und die Funktion lahm gelegt. Die Malware ist für zahlreiche Cyberangriffe auf Nutzer mit Abgreifen von Informationen verantwortlich und es waren fast 400.000 PC infiziert. [..] Microsoft bezeichnet den Akteur, der Lumma als Malware-as-a-service (MaaS) anbietet, als Storm-2477. [..] Das Ganze erfolgte in Zusammenarbeit mit Strafverfolgungsbehörden (FBI, Europol, JC3) und Industriepartnern (ESET, Bitsight, Lumen, Cloudflare, CleanDNS und GMO Registry). --------------------------------------------- https://www.borncity.com/blog/2025/05/22/strafverfolger-beschlagen-lumma-st… ∗∗∗ 3AM ransomware uses spoofed IT calls, email bombing to breach networks ∗∗∗ --------------------------------------------- A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-spoofed-… ∗∗∗ Signal now blocks Microsoft Recall screenshots on Windows 11 ∗∗∗ --------------------------------------------- Signal has updated its Windows app to protect users privacy by blocking Microsofts AI-powered Recall feature from taking screenshots of their conversations. [..] This new privacy feature, dubbed "screen security," is now enabled by default on all Windows 11 devices, where Recall continuously takes screenshots of all active windows every few seconds and analyzes them to build a database that can be searched using natural language. When enabled, screen security will set a Digital Rights Management (DRM) flag on Signal's app windows, blocking their content from being captured by Recall or other Windows apps and features. --------------------------------------------- https://www.bleepingcomputer.com/news/security/signal-now-blocks-microsoft-… ∗∗∗ Storm-0558 and the Dangers of Cross-Tenant Token Forgery ∗∗∗ --------------------------------------------- Modern cloud ecosystems often place a single identity provider in charge of handling logins and tokens for a wide range of customers. This approach certainly streamlines single sign-on (SSO) for end users, but it also places enormous trust in a single set of signing keys. If those private keys are compromised, attackers can create tokens that appear valid to any service that relies on them. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/storm-0558-… ∗∗∗ Another Fake Cloudflare Verification Targets WordPress Sites ∗∗∗ --------------------------------------------- A new Cloudflare infection has once again been targeting WordPress sites. This new iteration of malware mimics a legitimate-looking Cloudflare verification page, which then tricks victims into following various commands and downloading malware. This style of malware is not new – our researcher Ben Martin wrote about a similar campaign targeting WordPress sites back in March. The difference between this new infection and previous ones is the location of where the malware is located – spread out among multiple themes and fake plugins. Additionally, this variant is delivered in three stages, which helps the attacker avoid detection and maintain control over what is delivered at each step. --------------------------------------------- https://blog.sucuri.net/2025/05/another-fake-cloudflare-verification-target… ∗∗∗ Datenleck bei Coinbase: Massive Phishing-Welle rollt ∗∗∗ --------------------------------------------- Nachdem Hacker zahlreiche Kund:innendaten der Krypto-Plattform gestohlen und weiterverkauft haben, werden aktuell vermehrt Phishing-Versuche im Namen von Coinbase gemeldet. Die Kriminellen kontaktieren Ihre Opfer entweder per E-Mail oder via Telefon mit dem Ziel, an sensible Informationen zu kommen oder Überweisungen zu veranlassen. --------------------------------------------- https://www.watchlist-internet.at/news/datenleck-bei-coinbase-phishing/ ∗∗∗ BadSuccessor: dMSA zur Privilegien-Erhöhung in Active Directory missbrauchen ∗∗∗ --------------------------------------------- In Windows Server 2025 wurden delegated Managed Service Accounts (dMSAs) neu eingeführt. Das sind Service-Konten für das Active Directory (AD), die neue Funktionen ermöglichen sollen. Sicherheitsforscher sind nun darauf gestoßen, dass durch den Missbrauch von dMSAs Angreifer jeden Principal in der Domäne übernehmen können. [..] Derzeit will Microsoft das Problem aus obigen Gründen nicht fixen – sondern das Problem irgendwann in Zukunft beheben (es gibt also keinen Patch). --------------------------------------------- https://www.borncity.com/blog/2025/05/22/badsuccessor-dmsa-zur-privilegien-… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances. It's worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues following the end of the 90-day deadline. --------------------------------------------- https://thehackernews.com/2025/05/unpatched-versa-concerto-flaws-let.html ∗∗∗ Cisco Security Advisories 2025-05-21 ∗∗∗ --------------------------------------------- Cisco hat 10 neue Security Advisories veröffentlicht. Zwei der neuen Advisories sind als “High” eingestuft und 8 als “Medium”. Die als "High" eingestuften Advisories betreffen Schwachstellen in Cisco Identity Services Engine RADIUS und Cisco Unified Intelligence Center. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Mozilla Security Advisories 2025-05-20 ∗∗∗ --------------------------------------------- Thunderbird (critical) and Firefox (low) --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (mozilla-ublock-origin and sudo-rs), Oracle (.NET 8.0, compat-openssl10, grafana, osbuild-composer, redis:6, ruby:2.5, and webkit2gtk3), SUSE (dante, firefox-esr, gnuplot, govulncheck-vulndb, grype, postgresql13, postgresql14, postgresql15, postgresql16, postgresql17, python-tornado6, python314, thunderbird, ucode-intel, and xen), and Ubuntu (bind9, libfcgi-perl, linux-ibm-5.4, linux-oracle-5.4, postgresql-17, and Tomcat). --------------------------------------------- https://lwn.net/Articles/1022189/ ∗∗∗ Authentifizierung: Kritische Lücke in Samlify macht Angreifer zu Admins ∗∗∗ --------------------------------------------- Admins, die Single-Sign-On-Anmeldungen (SSO) über die weitverbreitete Node.js-Bibliothek Samlify realisieren, sollten den verfügbaren Sicherheitspatch zeitnah installieren. Geschieht das nicht, können Angreifer die Authentifizierung umgehen und mit weitreichenden Rechten auf Systeme zugreifen. [..] Auf die "kritische" Sicherheitslücke (CVE-2025-47949) sind Sicherheitsforscher von Endor Labs gestoßen. --------------------------------------------- https://heise.de/-10392315 ∗∗∗ Angreifer können mit VMware erstellte virtuelle Maschinen crashen ∗∗∗ --------------------------------------------- Aus der Warnmeldung geht hervor, dass die am gefährlichsten eingestufte Schwachstelle (CVE-2025-41225 "hoch") vCenter Server betrifft. An dieser Stelle kann ein authentifizierter Angreifer eigene Befehle ausführen. Verfügt ein Angreifer über Gast-VM-Rechte, kann er für eine Gast-VM einen DoS-Zustand erzeugen (CVE-2025-41226 "mittel"). So etwas führt in der Regel zu Abstürzen. Weiterhin sind noch weitere DoS-Attacken (CVE-2025-41227 "mittel") und XSS-Angriffe (CVE-2025-41228 "mittel") möglich. --------------------------------------------- https://heise.de/-10392911 ∗∗∗ Drupal Security Advisories 2025-05-21 ∗∗∗ --------------------------------------------- https://www.drupal.org/security ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 12, 2025 to May 18, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2025
by Daily end-of-shift report 21 May '25

21 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-05-2025 18:00 − Mittwoch 21-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 11’s most important new feature is post-quantum cryptography. Here’s why. ∗∗∗ --------------------------------------------- For the first time, new quantum-safe algorithms can be invoked using standard Windows APIs. --------------------------------------------- https://arstechnica.com/security/2025/05/heres-how-windows-11-aims-to-make-… ∗∗∗ VanHelsing ransomware builder leaked on hacking forum ∗∗∗ --------------------------------------------- The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vanhelsing-ransomware-builde… ∗∗∗ Dero miner zombies biting through Docker APIs to build a cryptojacking horde ∗∗∗ --------------------------------------------- Kaspersky experts break down an updated cryptojacking campaign targeting containerized environments: a Dero crypto miner abuses the Docker API. [..] The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. --------------------------------------------- https://securelist.com/dero-miner-infects-containers-through-docker-api/116… ∗∗∗ Chrome kann unsichere Passwörter künftig komplett selbst ändern ∗∗∗ --------------------------------------------- Googles Chrome-Browser soll bald automatisch Passwörter ändern können, wenn bei der Anmeldung damit erkannt wird, dass es kompromittiert wurde. [..] Im Idealfall bekommen Nutzer und Nutzerinnen in Chrome dann künftig einen Hinweis, wenn ein gespeichertes Passwort in einem Datenleck gefunden wurde und können den Browser dazu bringen, das Passwort durch ein sicheres zu ersetzen. Das wird dann im Passwortmanager von Chrome abgespeichert, das unsichere wird ersetzt. Die automatische Passwortänderung benötigt dafür insgesamt nur einen Klick. --------------------------------------------- https://heise.de/-10391298 ∗∗∗ Sicherheitsbehörden warnen vor russischer Spionage mit IP-Kameras ∗∗∗ --------------------------------------------- Mutmaßliche Mitarbeiter des russischen Militärgeheimdienstes GRU haben sich Zugriff auf Netzwerke und IP-Kameras von Betreibern kritischer Infrastrukturen (KRITIS) verschafft. Das melden unter anderem NSA, FBI, der Bundesnachrichtendienst (BND) und die Bundesämter für Verfassungsschutz (BfV) sowie Sicherheit in der Informationstechnik (BSI).[..] Betroffen sind laut einer Mitteilung der Behörden vor allem Unternehmen aus der Logistikbranche. --------------------------------------------- https://heise.de/-10391927 ∗∗∗ CISA, NIST Researchers Develop Metric to Determine Likelihood of Vulnerability Exploitation ∗∗∗ --------------------------------------------- Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have developed a new security metric to determine the likelihood that a vulnerability has been exploited. In a paper published this week, Peter Mell, formerly of NIST, and CISA’s Jonathan Spring outlined their vulnerability exploit metric that augments the work of the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog. --------------------------------------------- https://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/ ===================== = Vulnerabilities = ===================== ∗∗∗ Lücke in OpenPGP.js gefährdet verschlüsselten E-Mail-Verkehr ∗∗∗ --------------------------------------------- In OpenPGP.js, einer weitverbreiteten Javascript-Implementierung von OpenPGP, klafft eine gefährliche Sicherheitslücke, durch die sich das Ergebnis der Signaturprüfung fälschen lässt. Laut einer Sicherheitsmeldung auf Github kann ein Angreifer speziell manipulierte Daten an die Funktionen openpgp.verify oder openpgp.decrypt übergeben, um verschlüsselte und/oder signierte Nachrichten zu spoofen. CVE-2025-47934 --------------------------------------------- https://www.golem.de/news/manipulationsgefahr-luecke-in-openpgp-js-gefaehrd… ∗∗∗ Mehrere Schwachstellen bei eCharge Hardy Barth cPH2 und cPP2 Ladestationen ∗∗∗ --------------------------------------------- Hardy Barth EV charging station products are affected by critical vulnerabilities that can be exploited through both physical access and unauthenticated network access. These vulnerabilities pose significant risks, including system compromise, data breaches, and operational disruptions within EV charging infrastructures. [..] The vendor has not provided a fix for any of the reported vulnerabilities. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… ∗∗∗ Mehrere Sicherheitslücken bedrohen VMware Cloud Foundation ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, sind die Lücken (CVE-2025-41229, CVE-2025-41230, CVE-2025-41231) mit dem Bedrohungsgrad "hoch" eingestuft. Nutzen Angreifer die Schwachstellen erfolgreich aus, können sie etwa im Netzwerk über den Port 443 auf sensitive Informationen oder interne Services zugreifen. --------------------------------------------- https://heise.de/-10390932 ∗∗∗ Millions of Node.js Apps at Risk Due to Critical Multer Vulnerabilities ∗∗∗ --------------------------------------------- Two high-severity security flaws have been identified in Multer, a popular middleware used in Node.js applications for handling file uploads. The Multer vulnerabilities, tracked as CVE-2025-47944 and CVE-2025-47935, affect all versions from 1.4.4-lts.1 up to but not including 2.0.0. According to the GitHub post, the two vulnerabilities “allow an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. --------------------------------------------- https://thecyberexpress.com/multer-vulnerabilities-expose-node-js/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, avahi, buildah, compat-openssl10, compat-openssl11, expat, firefox, gimp, git, grafana, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:22, osbuild-composer, php, redis, redis:7, skopeo, thunderbird, vim, webkit2gtk3, xterm, and yelp), Arch Linux (dropbear, freetype2, go, nodejs, nodejs-lts-iron, nodejs-lts-jod, python-django, webkit2gtk, webkit2gtk-4.1, webkitgtk-6.0, and wpewebkit), Debian (mongo-c-driver), Fedora (openssh, perl-Mojolicious, thunderbird, yelp, and yelp-xsl), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-ibm-semeru-certified-jdk, java-21-openjdk, kernel, libxslt, ruby, ruby:3.1, ruby:3.3, unbound, and webkit2gtk3), SUSE (glib2, grub2, kernel, libwebp, openssh, and s390-tools), and Ubuntu (linux, linux-azure, linux-azure-6.11, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oem-6.11, linux-raspi, linux-realtime, linux-azure, linux-azure-5.15, linux-nvidia-tegra, linux-azure, linux-azure-6.8, linux-oem-6.8, linux-azure, linux-kvm, linux-azure-fips, linux-azure-nvidia, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, mariadb-10.6, and postgresql-12, postgresql-14, postgresql-16). --------------------------------------------- https://lwn.net/Articles/1022030/ ∗∗∗ Assured Telematics Inc (ATI) Fleet Management System with Geotab Integration ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-11 ∗∗∗ Vertiv Liebert RDU101 and UNITY ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-10 ∗∗∗ AutomationDirect MB-Gateway ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-09 ∗∗∗ Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-04 ∗∗∗ f5: K000151431: Intel Ethernet Controller and Adapter vulnerability CVE-2024-24983 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151431 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2025
by Daily end-of-shift report 20 May '25

20 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 19-05-2025 18:00 − Dienstag 20-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains ∗∗∗ --------------------------------------------- A threat actor named Hazy Hawk has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS). --------------------------------------------- https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-… ∗∗∗ 100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads ∗∗∗ --------------------------------------------- An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. --------------------------------------------- https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html ∗∗∗ Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more… ∗∗∗ --------------------------------------------- Overall, we’ve proven that although a fair amount of effort has been put into enforcing the restrictions of Restricted View there are plenty of ways to circumvent them. Therefore, it is important for administrators and users to understand that it can not be relied on to secure data against motivated attackers. --------------------------------------------- https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-… ∗∗∗ Duping Cloud Functions: An emerging serverless attack vector ∗∗∗ --------------------------------------------- Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure. --------------------------------------------- https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serve… ∗∗∗ Compromised RVTools Installer Spreading Bumblebee Malware ∗∗∗ --------------------------------------------- RVTools installer on its official site was found delivering malware. Research shows it spread Bumblebee loader. Users urged to verify downloads. --------------------------------------------- https://hackread.com/compromised-rvtools-installer-drop-bumblebee-malware/ ∗∗∗ Gehärtete Images von Docker verbessern die Sicherheit und entlasten Entwickler ∗∗∗ --------------------------------------------- Mit den Hardened Images (DHI) bietet Docker sichere, schlanke und Compliance-konforme Images. Mit dabei sind unter anderem Microsoft, Neo4J oder GitLab. --------------------------------------------- https://heise.de/-10388766 ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3 Security Advisories Tue. 20th May, 2025 ∗∗∗ --------------------------------------------- TYPO3 has released 11 new security advisories. --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, python311-cramjam, python311-httptools, python311-jwcrypto, python311-loguru, python311-mechanize, python311-nltk, python311-oauthlib, python311-py7zr, python311-pycapnp, python311-pyspnego, python311-pywayland, python311-suds, python311-treq, python311-ujson, python311-waitress, ruby3.4-rubygem-actionmailer, ruby3.4-rubygem-actiontext, ruby3.4-rubygem-activerecord, ruby3.4-rubygem-activestorage, ruby3.4-rubygem-fluentd, ruby3.4-rubygem-globalid, ruby3.4-rubygem-jquery-rails, ruby3.4-rubygem-kramdown, ruby3.4-rubygem-loofah, ruby3.4-rubygem-multi_xml, ruby3.4-rubygem-puma, ruby3.4-rubygem-rails, ruby3.4-rubygem-rails-html-sanitizer, ruby3.4-rubygem-sprockets, ruby3.4-rubygem-web-console, ruby3.4-rubygem-websocket-extensions, ucode-intel-20250512, and valkey), and Ubuntu (dotnet8, dotnet9, linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-oracle, linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/1021740/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips). --------------------------------------------- https://lwn.net/Articles/1021812/ ∗∗∗ 22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/22000-wordpress-sites-affected-by-pr… ∗∗∗ Danfoss AK-SM 8xxA Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-03 ∗∗∗ National Instruments Circuit Design Suite ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-02 ∗∗∗ ABUP IoT Cloud Platform ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2025
by Daily end-of-shift report 19 May '25

19 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-05-2025 18:00 − Montag 19-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Curl-Entwickler warnt: Unicode-Trick gefährdet Softwareprojekte auf Github ∗∗∗ --------------------------------------------- Die wenigsten Entwickler dürften die Unterschiede zwischen bestimmten Unicode-Zeichen zuverlässig erkennen. Gerade auf Github ist das ein Problem. --------------------------------------------- https://www.golem.de/news/curl-entwickler-warnt-unicode-trick-gefaehrdet-so… ∗∗∗ Warnung vor brancheneintrag24.com ∗∗∗ --------------------------------------------- Derzeit kursieren betrügerische E-Mails, die von der Adresse info(a)brancheneintrag24.com stammen. Im Anhang befindet sich ein Formular, das Unternehmen angeblich zur Aktualisierung ihres Brancheneintrags auffordert. [..] Mit dem Ausfüllen und Zurücksenden des Formulars wird ein kostenpflichtiger Vertrag abgeschlossen. --------------------------------------------- https://www.zettasecure.com/post/warnung-vor-brancheneintrag24-com ∗∗∗ Fake-Shops: Laufsportbegeisterte im Visier von Kriminellen ∗∗∗ --------------------------------------------- Laufschuhe von Top-Marken zu absoluten Niedrigstpreisen?! Vorsicht! Aktuell tauchen vermehrt Fake-Shops für Sportschuhe und anderes Equipment auf. Wer in einem derartigen Store bestellt, schaut in der Regel durch die Finger. Kommt doch eine Lieferung an, enthält diese nur minderwertige Kopien. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-fuer-laufschuhe/ ∗∗∗ Windows: Bitlocker-Verschlüsselung über Bitpixie (CVE-2023-21563) ausgehebelt ∗∗∗ --------------------------------------------- Die von Microsoft für Windows verwendete Bitlocker-Verschlüsselung für Datenträger lässt sich über die Bitpixie-Schwachstelle (CVE-2023-21563) per Software aushebeln, wenn gewisse Randbedingungen gelten. [..] Der jetzt bekannt gewordene Angriff ist nicht neues, sondern ein Proof of Concept, den Administratoren ggf. in eigenen Systemen testen können. [..] Die Bitpixie-Schwachstelle – und ganz allgemein sowohl hardware- als auch softwarebasierte Angriffe – kann durch Erzwingen einer Pre-Boot-Authentifizierung entschärft werden. --------------------------------------------- https://www.borncity.com/blog/2025/05/18/windows-bitlocker-verschluesselung… ∗∗∗ Windows 10/11: Defender mit simplen Tool Defendnot deaktivierbar ∗∗∗ --------------------------------------------- Microsoft hat in Windows 10 und Windows 11 eine Schnittstelle (API) eingebaut, über die Hersteller von Antivirus-Software bei deren Installation den Microsoft Defender deaktivieren können. Einige Leute (darunter ein Blog-Leser) haben nun gezeigt, wie man mit einer einfachen Software (no-defender oder Defendnot) den Windows Defender deaktivieren kann. --------------------------------------------- https://www.borncity.com/blog/2025/05/19/windows-10-11-defender-mit-simplen… ∗∗∗ Ivanti EPMM Zero-Days: Reconnaissance to Exploitation ∗∗∗ --------------------------------------------- Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile systems. --------------------------------------------- https://www.greynoise.io/blog/ivanti-epmm-zero-days-reconnaissance-exploita… ∗∗∗ VM escape in Oracle VirtualBox via VGA device ∗∗∗ --------------------------------------------- We provide a proof-of-concept that demonstrates how to exploit this vulnerability to fully escape a virtual machine. --------------------------------------------- https://github.com/google/security-research/security/advisories/GHSA-qx2m-r… ∗∗∗ Passwords are okay, impulsive Internet isnt ∗∗∗ --------------------------------------------- Every few weeks, I come across an article telling us how passwords are bad and how we need to go "passwordless". These pieces are written by mostly well-intended nerds who think technology can solve basic problems in human behavior. --------------------------------------------- https://www.dedoimedo.com/life/passwords-passkeys.html ∗∗∗ New Community Resource: Attribution to IP ∗∗∗ --------------------------------------------- The Curated Intelligence community has shared a new collection for CTI analysts and others who perform cybersecurity research duties. A new GitHub repository has been created that contains a collection of methods to learn who the owner of an IP address is. --------------------------------------------- https://www.curatedintel.org/2025/05/new-community-resource-attribution-to-… ===================== = Vulnerabilities = ===================== ∗∗∗ Mozilla Security Advisories May 17, 2025 ∗∗∗ --------------------------------------------- Firefox ESR 115.23.1, ESR 128.10.1 and 138.0.4. Critical --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Angreifer können Verbindungen von Sonicwall SMA1000 manipulieren ∗∗∗ --------------------------------------------- In einer Warnmeldung führt der Anbieter von Netzwerktechnik aus, dass Angreifer im Zuge einer Server-side-request-forgery-Attacke (SSRF) Anfragen an etwa von ihnen kontrollierte Server umleiten können (CVE-2025-40595 "hoch"). --------------------------------------------- https://heise.de/-10387581 ∗∗∗ Thousands of WordPress Sites at Risk Due to Critical Crawlomatic Plugin Vulnerability ∗∗∗ --------------------------------------------- A severe security vulnerability has been discovered in the popular WordPress plugin, Crawlomatic Multisite Scraper Post Generator, potentially placing thousands of websites at risk. Tracked as CVE-2025-4389, the flaw allows unauthenticated attackers to upload malicious files, which could ultimately lead to remote code execution on affected websites. --------------------------------------------- https://thecyberexpress.com/crawlomatic-plugin-hit-by-cve-2025-4389/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2025
by Daily end-of-shift report 16 May '25

16 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-05-2025 18:01 − Freitag 16-05-2025 18:01 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FBI: US officials targeted in voice deepfake attacks since April ∗∗∗ --------------------------------------------- The FBI warned that cybercriminals using AI-generated audio deepfakes to target U.S. officials in voice phishing attacks that started in April. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in… ∗∗∗ Ransomware gangs increasingly use Skitnet post-exploitation malware ∗∗∗ --------------------------------------------- Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingl… ∗∗∗ Understanding CSRF: Cross-site Request Forgery Explained ∗∗∗ --------------------------------------------- Cross-Site Request Forgery, often called CSRF (or its other nicknames, Session Riding and XSRF), is a tricky type of attack. In short, it lets attackers make users do things on websites without their consent or knowledge. This attack works by misusing the trust a web application puts in a user’s browser once they’re logged in. By duping the browser into sending fake requests (usually through shady emails or misleading links), CSRF allows unauthorized commands to hit a website. And since these requests seem to come from a legitimate, logged-in user, the website has a hard time spotting the fakes, which can open the door to significant security problems. --------------------------------------------- https://blog.sucuri.net/2025/05/understanding-csrf-cross-site-request-forge… ∗∗∗ Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. --------------------------------------------- https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html ∗∗∗ VNC. RDP for all to see ∗∗∗ --------------------------------------------- VNC (Virtual Network Computing) is a widely deployed service in perhaps forgotten corners of legacy enterprise networks. This is mainly because it’s a tried and trusted protocol that simply works, however this is disregarding its security flaws and disadvantages in the modern age. --------------------------------------------- https://www.pentestpartners.com/security-blog/vnc-rdp-for-all-to-see/ ∗∗∗ Operation RoundPress ∗∗∗ --------------------------------------------- This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/operation-roundpress/ ∗∗∗ Commit Stomping ∗∗∗ --------------------------------------------- Commit Stomping is a technique inspired by timestomping, a well-known method used in offensive operations where file metadata is manipulated to hide the true timing of actions. In Git, Commit Stomping involves altering commit timestamps to mislead observers about when changes were introduced. --------------------------------------------- https://blog.zsec.uk/commit-stomping/ ===================== = Vulnerabilities = ===================== ∗∗∗ Printer company provided infected software downloads for half a year ∗∗∗ --------------------------------------------- When Cameron Coward, the Youtuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the Antivirus software alerted him of a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems. --------------------------------------------- https://feeds.feedblitz.com/~/918394763/0/gdatasecurityblog-en~Printer-comp… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, kernel, kernel-rt, redis:6, and yelp and yelp-xsl), Debian (chromium), Red Hat (compat-openssl11, kernel, and thunderbird), and SUSE (nbdkit, open-vm-tools, and rustup). --------------------------------------------- https://lwn.net/Articles/1021482/ ∗∗∗ Malicious ‘Checker’ Packages on PyPI Probe TikTok and Instagram for Valid Accounts ∗∗∗ --------------------------------------------- We often hear about the importance of secure data. Have I Been Pwned and similar websites exist to see if passwords or emails are listed online. However, many people do not understand the ramifications of their own leaked data. --------------------------------------------- https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.05.2025
by Daily end-of-shift report 15 May '25

15 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-05-2025 18:01 − Donnerstag 15-05-2025 18:01 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Spies hack high-value mail servers using an exploit from yesteryear ∗∗∗ --------------------------------------------- XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software that, when exploited, allow attackers to execute malicious code in the browsers of people visiting an affected website. XSS first got attention in 2005, with the creation of the Samy Worm, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. XSS exploits abounded for the next decade and have gradually fizzled more recently, although this class of attacks continues now. --------------------------------------------- https://arstechnica.com/security/2025/05/spies-hack-high-value-mail-servers… ∗∗∗ Critical Infrastructure Under Siege: OT Security Still Lags ∗∗∗ --------------------------------------------- With critical infrastructure facing constant cyber threats from the Typhoons and other corners, federal agencies and others are warning security for the OT network, a core technology in many critical sectors, is not powered up enough. --------------------------------------------- https://www.darkreading.com/ics-ot-security/critical-infrastructure-ot-secu… ∗∗∗ Beyond the kill chain: What cybercriminals do with their money (Part 1) ∗∗∗ --------------------------------------------- Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled. --------------------------------------------- https://news.sophos.com/en-us/2025/05/15/beyond-the-kill-chain-what-cybercr… ∗∗∗ Technical Analysis of TransferLoader ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-transfer… ∗∗∗ USA: Bösartige Kommunikationsgeräte in chinesischen Solar-Wechselrichtern ∗∗∗ --------------------------------------------- Bei der Untersuchung von Wechselrichtern aus China durch Experten in den USA wurden in einigen Geräten nicht dokumentierte Kommunikationsgeräte gefunden. US-Energiebehörden wollen das Risiko dieser chinesischen Inverter Medienberichten zufolge neu beurteilen. --------------------------------------------- https://www.heise.de/news/Boesartige-Kommunikationsgeraete-in-Solar-Wechsel… ∗∗∗ Angeblicher Steam-Hack: Datenleck enthält SMS-Sendeprotokolle ∗∗∗ --------------------------------------------- Ein angebliches Datenleck bei der Spieleplattform Steam soll 89 Millionen Datensätze enthalten – ein Unbekannter versucht seit vergangenem Samstag, sie im Darknet für 5.000 US-Dollar zu verkaufen. Doch die Resonanz ist mau und die Brisanz der Daten fraglich. --------------------------------------------- https://heise.de/-10383892 ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal Security Advisories 2025-05-14 ∗∗∗ --------------------------------------------- Drupal has released 7 new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Palo Alto Networks Security Advisories 2025-05-14 ∗∗∗ --------------------------------------------- Palo Alto has released 11 new security advisories. --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Mozilla Foundation Security Advisories 2025-05-13 ∗∗∗ --------------------------------------------- For Thunderbird 138.0.1 and Thunderbird 128.10.1. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack). --------------------------------------------- https://lwn.net/Articles/1021379/ ∗∗∗ Patchday: Lücken in Intel-Software und -Treibern gestopft ∗∗∗ --------------------------------------------- Angreifer können Computer mit Hard- und Software von Intel attackieren. Sind Attacken erfolgreich, können sie unter anderem Denial-of-Service-Zustände (DoS) erzeugen, die in der Regel zu Abstürzen führen. --------------------------------------------- https://heise.de/-10384160 ∗∗∗ Google warnt: Gefährliche Chrome-Lücke wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Im weit verbreiteten Webbrowser Chrome klaffen mehrere gefährliche Sicherheitslücken, von denen eine bereits aktiv von Angreifern ausgenutzt wird. Davor warnt Google in den Release Notes zu einem am Mittwoch bereitgestellten Update. Betroffen ist nicht nur die Windows-Variante von Google Chrome, sondern auch jene für Mac und Linux. Anwender sollten den Browser zeitnah aktualisieren, um sich vor möglichen Angriffen zu schützen. --------------------------------------------- https://www.golem.de/news/google-warnt-gefaehrliche-chrome-luecke-wird-akti… ∗∗∗ Fortinet dichtet mehrere Lücken ab, Angriffe auf FortiVoice beobachtet ∗∗∗ --------------------------------------------- CVE-2025-32756 is a critical stack-based buffer overflow vulnerability affecting multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows unauthenticated remote attackers to execute arbitrary code or commands via crafted HTTP requests, posing a severe security risk. --------------------------------------------- https://www.heise.de/news/Fortinet-dichtet-mehrere-Luecken-ab-Angriffe-auf-… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0004.html ∗∗∗ Reflected cross-site scripting vulnerability in Ricoh laser printers and MFPs which implement Web Image Monitor ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN20474768/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 5, 2025 to May 11, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2025
by Daily end-of-shift report 14 May '25

14 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-05-2025 18:00 − Mittwoch 14-05-2025 18:01 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt ∗∗∗ --------------------------------------------- A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads. --------------------------------------------- https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit… ∗∗∗ Intel: Ein weiterer Angriff umgeht alle bisherigen CPU-Schutzmaßnahmen ∗∗∗ --------------------------------------------- Intel hat einen Lauf: Eine weitere Sicherheitslücke öffnet viele Prozessoren erneut für Seitenkanalangriffe trotz bisheriger Schutzmaßnahmen. [..] Wie schon der Angriffstyp Training Solo erfordert BPI physischen Zugriff auf ein System. Daher sind die zugehörigen CVE-Nummern CVE-2024-43420, CVE-2025-20623 und CVE-2024-45332 nur mit dem Schweregrad Medium bewertet. --------------------------------------------- https://heise.de/-10383474 ∗∗∗ A Privacy Mechanism That Backfired ∗∗∗ --------------------------------------------- Some bugs are more interesting than others. Last time I mentioned how CVE-2025-24091 was one of my favorite iOS vulnerabilities so far. That was because I wasn’t yet allowed to disclose my actual favorite! This post is about CVE-2025-31212, the most ironic vulnerability I’ve ever found, and here's why... --------------------------------------------- https://rambo.codes/posts/2025-05-12-a-privacy-mechanism-that-backfired ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti EPMM: Remote Code Execution Schwachstellen (CVE-2025-4427, CVE-2025-4428) - Updates verfügbar ∗∗∗ --------------------------------------------- Ivanti veröffentlichte am 13. Mai Updates & Sicherheitsadvisories zu zwei Schwachstellen in Ivanti Endpoint Manager Mobile (EPMM). Die verkettete Ausnutzung der beiden Lücken kann zur unauthentifizierten Ausführung von Schadcode genutzt werden. Ivanti gibt an die Ausnutzung dieser Lücken auf einer limitierten Anzahl an Systemen, bereits vor der Veröffentlichtung des Advisories, beobachtet zu haben. CVE-Nummern: CVE-2025-4427, CVE-2025-4428 --------------------------------------------- https://www.cert.at/de/warnungen/2025/5/ivanti-epmm-rce ∗∗∗ Microsoft primes 71 fixes for May Patch Tuesday ∗∗∗ --------------------------------------------- Five issues actively exploited in the wild, but the real excitement may have been handled in advance. --------------------------------------------- https://news.sophos.com/en-us/2025/05/14/microsoft-primes-71-fixes-for-may-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools). --------------------------------------------- https://lwn.net/Articles/1021199/ ∗∗∗ Patchday Adobe: Schadcode-Attacken auf InDesign und Photoshop möglich ∗∗∗ --------------------------------------------- Adobe schließt Sicherheitslücken in mehreren Anwendungen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://heise.de/-10382767 ∗∗∗ VIdeokonferenzen: Hochriskante Rechteausweitungslücken in Zoom Workplace Apps ∗∗∗ --------------------------------------------- Zoom meldet mehrere Sicherheitslücken in den Workplace Apps der Videokonferenzsoftware. Eine verpasst den Status "kritisch" nur knapp. --------------------------------------------- https://heise.de/-10383108 ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ MISP 2.4.209 / 2.5.11 Release Notes Latest ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2025
by Daily end-of-shift report 13 May '25

13 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 12-05-2025 18:00 − Dienstag 13-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer ∗∗∗ --------------------------------------------- Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script, they were tricked into executing via a Google Drive document. --------------------------------------------- https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-St… ∗∗∗ Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq ∗∗∗ --------------------------------------------- Turkish spies exploited a zero-day bug in a messaging app to collect info on the Kurdish army in Iraq, according to Microsoft, which says the attacks began more than a year ago. Specifically, the snoops abused CVE-2025-27920, a directory traversal vulnerability in version 2.0.62 of messaging app Output Messenger, and the intrusions began in April 2024. The app's developer Srimax issued a software update in December to patch the hole, however not all users applied the fixes. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/turkish_spie… ∗∗∗ As US vuln-tracking falters, EU enters with its own security bug database ∗∗∗ --------------------------------------------- The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/eu_security_… ∗∗∗ SAP-Patchday: Kritische Netweaver-Lücke und viele mehr gestopft ∗∗∗ --------------------------------------------- SAP veröffentlicht im Mai 2025 insgesamt 16 neue Sicherheitsmeldungen. Sie behandeln teils kritische Sicherheitslücken in diversen Produkten aus dem Business-Softwarekatalog des Unternehmens. --------------------------------------------- https://heise.de/-10381863 ∗∗∗ Auditing Moodles core hunting for logical bugs ∗∗∗ --------------------------------------------- The following article explains how, during an audit, we examined Moodle (v4.4.3) and found ways of bypassing all the restrictions preventing SSRF vulnerabilities from being exploited. --------------------------------------------- http://blog.quarkslab.com/auditing-moodles-core-hunting-for-logical-bugs.ht… ∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗ --------------------------------------------- A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025. --------------------------------------------- http://blog.quarkslab.com/technical-dive-into-modern-phishing.html ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Updates Everything: May 2025 Edition, (Mon, May 12th) ∗∗∗ --------------------------------------------- Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem. --------------------------------------------- https://isc.sans.edu/diary/rss/31942 ∗∗∗ Perfekt implementierte Sicherungen ausgehebelt: Spectre-Angriffe sind zurück ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen schützen nicht immer gegen Spectre-artige Seitenkanalangriffe auf Prozessoren, selbst wenn sie perfekt implementiert sind und verschiedene Domains voneinander abschotten. Zu dem Ergebnis kommen Forscher der Systems and Network Security Group an der Vrije Universiteit Amsterdam (VUSec). --------------------------------------------- https://www.heise.de/news/Perfekt-implementierte-Sicherungen-ausgehebelt-Sp… ∗∗∗ 82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme ∗∗∗ --------------------------------------------- On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. --------------------------------------------- https://www.wordfence.com/blog/2025/05/82000-wordpress-sites-affected-by-ar… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/1020948/ ∗∗∗ Stack-based buffer overflow vulnerability in API ∗∗∗ --------------------------------------------- A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-25-254 ∗∗∗ EPMM Security Update ∗∗∗ --------------------------------------------- To this end, we are issuing an important security update addressing vulnerabilities associated with open-source libraries used in Ivanti Endpoint Manager Mobile (EPMM). At the time of disclosure, we are aware of a very limited number of customers whose solution has been exploited. The issue only affects the on-prem EPMM product. --------------------------------------------- https://www.ivanti.com/blog/epmm-security-update ∗∗∗ Xen Security Advisory CVE-2024-28956 / XSA-469 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-469.html ∗∗∗ Möglichkeit für Replay-Attacken im Tiiwee X1 Alarm System (SYSS-2025-006) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/moeglichkeit-fuer-replay-attacken-im-tiiwe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2025
by Daily end-of-shift report 12 May '25

12 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-05-2025 18:00 − Montag 12-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iClicker site hack targeted students with malware via fake CAPTCHA ∗∗∗ --------------------------------------------- The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-stude… ∗∗∗ Von AMD-Lücke inspiriert: Forscher warnt vor Ransomware im CPU-Microcode ∗∗∗ --------------------------------------------- Eine Ransomware-Infektion kann für Unternehmen weitreichende Folgen haben, die nicht selten auch in einer Insolvenz münden. Durch geeignete Maßnahmen lassen sich die Risiken für solche Sicherheitsvorfälle eindämmen. Der Sicherheitsforscher Christiaan Beek von Rapid7 warnt jedoch vor einer Bedrohung, der gängige Cybersicherheitslösungen wohl bisher wenig entgegenzusetzen haben: Ransomware im Microcode der CPU. --------------------------------------------- https://www.golem.de/news/von-amd-luecke-inspiriert-forscher-warnt-vor-rans… ∗∗∗ It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities, (Mon, May 12th) ∗∗∗ --------------------------------------------- Unipi Technologies is a company developing programmable logic controllers for a number of different applications like home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are based on the "Marvis" platform, a customized Linux distribution maintained by Unipi. --------------------------------------------- https://isc.sans.edu/diary/rss/31940 ∗∗∗ A Subtle Form of Siege: DDoS Smokescreens as a Cover for Quiet Data Breaches ∗∗∗ --------------------------------------------- DDoS attacks have long been dismissed as blunt instruments, favored by script kiddies and hacktivists for their ability to overwhelm and disrupt. But in todays fragmented, hybrid-cloud environments, theyve evolved into something far more cunning: a smokescreen. What looks like digital vandalism may actually be a coordinated diversion, engineered to distract defenders from deeper breaches in progress. --------------------------------------------- https://www.tripwire.com/state-of-security/subtle-form-siege-ddos-smokescre… ∗∗∗ Threat Brief: CVE-2025-31324 ∗∗∗ --------------------------------------------- On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-313… ∗∗∗ SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths ∗∗∗ --------------------------------------------- sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with elevated privileges. However, misconfigurations and certain vulnerabilities can be exploited to escalate privileges, potentially compromising system security. --------------------------------------------- https://www.darknet.org.uk/2025/05/sudo_killer-auditing-sudo-configurations… ∗∗∗ One-click RCE in ASUS’s preinstalled driver software ∗∗∗ --------------------------------------------- By trawling through the Javascript on the website, and about 700k lines of decompiled code that the exe produced, I managed to create a list of callable endpoints including some unused ones sitting in the exe. --------------------------------------------- https://mrbruh.com/asusdriverhub/ ∗∗∗ CVE-2024-26809: Critical nftables Vulnerability in Linux Kernel Could Lead to Root Access ∗∗∗ --------------------------------------------- A critical security flaw has been discovered in the Linux kernel’s nftables subsystem, which is responsible for packet filtering in modern Linux distributions. This flaw, a double-free vulnerability, allows local attackers to escalate their privileges and execute arbitrary code. --------------------------------------------- https://thecyberexpress.com/cve-2024-26809-nftables-vulnerability/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libbson-xs-perl, postgresql-13, redis, and simplesamlphp), Fedora (chromium, deluge, epiphany, golang-github-nats-io-nkeys, libxmp, nodejs22, perl-Compress-Raw-Lzma, php-adodb, python-h11, and xz), Gentoo (firefox, NVIDIA Drivers, Orc, PAM, and thunderbird), Mageia (libreoffice, python-django, and transfig), Red Hat (emacs, firefox, python39:3.9, and thunderbird), SUSE (bird3, freetype2, ldap-proxy, libmosquitto1, and ruby3.4-rubygem-rack), and Ubuntu (linux, linux-aws, linux-kvm, linux-aws, and linux-fips). --------------------------------------------- https://lwn.net/Articles/1020884 ∗∗∗ TuneUp und Dienste in Avast, AVG, Avira und Norton reißen Sicherheitslücken auf ∗∗∗ --------------------------------------------- Die Virenschutzsoftware der Marken Avast, AVG, Avira und Norton von Gen Digital bringt unter anderem System-Optimierungsdienste und weitere Komponenten mit, die Schwachstellen enthalten. Nutzerinnen und Nutzer der betroffenen Software sollten prüfen, ob sie neuere Versionen installiert haben als die bekannt verwundbaren. --------------------------------------------- https://heise.de/-10379900 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.05.2025
by Daily end-of-shift report 09 May '25

09 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-05-2025 18:00 − Freitag 09-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Nationale Policy für die koordinierte Offenlegung von Schwachstellen (CVD) ∗∗∗ --------------------------------------------- Der Umgang mit Schwachstellen in IT Produkten und Dienstleistungen ist eine der spannenden Themen in der IT-Sicherheit. Seitens der Hersteller stellt sich die Frage, wie man am besten selbst Probleme identifiziert, wie man mit Meldungen von Dritten am umgeht, wie der Prozess zur Entwicklung von korrigierten Versionen aussieht und wie man diese neue Version schnell und effizient an die Kunden verteilt. Seitens der Finder (Researcher) stellen sich Fragen nach den rechtlichen Rahmenbedingungen für die Schwachstellensuche: was darf ich, was sicher nicht, und wie kommuniziere ich das Ergebnis am sinnvollsten? --------------------------------------------- https://www.cert.at/de/spezielles/2025/5/nationale-cvd-policy ∗∗∗ Malicious PyPi package hides RAT malware, targets Discord devs since 2022 ∗∗∗ --------------------------------------------- A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.[..] Named "discordpydebug," the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides… ∗∗∗ FBI: End-of-life routers hacked for cybercrime proxy networks ∗∗∗ --------------------------------------------- The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hack… ∗∗∗ Operation PowerOFF Takes Down 9 DDoS-for-Hire Domains ∗∗∗ --------------------------------------------- Four different countries, including the United States and Germany, were included in the latest international operation alongside Europols support. --------------------------------------------- https://www.darkreading.com/threat-intelligence/operation-poweroff-takes-do… ∗∗∗ Lumma Stealer, coming and going ∗∗∗ --------------------------------------------- The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive. --------------------------------------------- https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/ ∗∗∗ Warnung: Gefälschtes Anwaltsschreiben könnte Schadsoftware enthalten! ∗∗∗ --------------------------------------------- Derzeit kursieren E-Mails einer angeblichen Anwaltskanzlei, in denen Unternehmen beschuldigt werden, Urheberrechte an Inhalten von Avident Entertainment verletzt zu haben. Über einen Download-Link kann eine Sammlung von Beweisen heruntergeladen werden. Aber Vorsicht: Der Link ist betrügerisch und enthält vermutlich Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/warnung-gefaelschtes-anwaltsschreibe… ∗∗∗ Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources ∗∗∗ --------------------------------------------- Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-… ∗∗∗ Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation ∗∗∗ --------------------------------------------- Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload generation and obfuscation. --------------------------------------------- https://www.darknet.org.uk/2025/05/bantam-advanced-php-backdoor-management-… ∗∗∗ Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser ∗∗∗ --------------------------------------------- Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials. --------------------------------------------- https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/ ∗∗∗ Remote-Access-Trojaner in npm-Paket mit 40.000 wöchentlichen Downloads gefunden ∗∗∗ --------------------------------------------- Angreifer hatten das Paket rand-user-agent, das unter anderem für automatische Tests und zum Web-Scraping dient, mit Schadcode versehen. --------------------------------------------- https://heise.de/-10377590 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django). --------------------------------------------- https://lwn.net/Articles/1020545/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11). --------------------------------------------- https://lwn.net/Articles/1020653/ ∗∗∗ Sicherheitslücken: F5 BIG-IP-Appliances sind an mehreren Stellen verwundbar ∗∗∗ --------------------------------------------- https://heise.de/-10377584 ∗∗∗ Joomla: [20250402] - Core - MFA Authentication Bypass ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/964-20250402-core-mfa-authenti… ∗∗∗ Pixmeo OsiriX MD ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01 ∗∗∗ Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01 ∗∗∗ Mitsubishi Electric CC-Link IE TSN ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2025
by Daily end-of-shift report 08 May '25

08 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-05-2025 18:00 − Donnerstag 08-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ WhatsApp provides no cryptographic management for group messages ∗∗∗ --------------------------------------------- The weakness creates the possibility of an insider or hacker adding rogue members. [..] “This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.” --------------------------------------------- https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic… ∗∗∗ Password crisis deepens in 2025: lazy, reused, and stolen ∗∗∗ --------------------------------------------- A new study of over 19 billion newly exposed passwords manifests a widespread weak password reuse crisis. Lazy keyboard patterns, such as 123456, still reign supreme, and 94% of passwords are reused or duplicated, data leaks from 2024-2025 reveal. Names like Ana rank as the second most popular component. --------------------------------------------- https://cybernews.com/security/password-leak-study-unveils-2025-trends-reus… ∗∗∗ Ransomware: Unbekannte Angreifer leaken LockBit-Datenbank – dank PHP-Exploit? ∗∗∗ --------------------------------------------- Tausende Bitcoin-Adressen, Chatnachrichten und weitere brisante Details des Ransomware-Anbieters kursieren nun im Web. Der LockBit-Support relativiert. --------------------------------------------- https://www.heise.de/news/Ransomware-Unbekannte-Angreifer-leaken-LockBit-Da… ∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗ --------------------------------------------- Four new vulnerabilities in the Revolution Pi industrial PLCs. Two give unauthenticated attackers RCE—potentially a direct impact on safety and operations. [..] Since the vulnerabilities affect ICS equipment, we coordinated disclosure with CISA and KUNBUS’ PSIRT team (security.txt). --------------------------------------------- https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g… ∗∗∗ 2,99 € Einfuhrzoll für die Post? Achtung, Phishing! ∗∗∗ --------------------------------------------- Ein Paket hängt im Zoll fest? Die Auslieferung ist nur gegen die Zahlung einer Gebühr möglich? Ein Szenario, das Kriminelle aktuell verstärkt als Betrugsmasche einsetzen. Sie versenden Phishing-Mails im Namen der Post AG und hoffen auf leichtgläubige Opfer. --------------------------------------------- https://www.watchlist-internet.at/news/einfuhrzoll-fuer-die-post/ ∗∗∗ Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads ∗∗∗ --------------------------------------------- Scammers are using fake AI tools and Facebook ads to spread Noodlophile Stealer malware, targeting users with a multi-stage attack to steal credentials. --------------------------------------------- https://hackread.com/fake-ai-tools-noodlophile-stealer-facebook-ads/ ∗∗∗ RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale ∗∗∗ --------------------------------------------- Learn how RedisRaider is targeting publicly accecesibly Redis servers to mine crypocurrency. --------------------------------------------- https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconf… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges admins to patch VPN flaw exploited in attacks ∗∗∗ --------------------------------------------- Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances. The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher. [..] SonicWall advised admins to check their SMA devices' logs for any signs of unauthorized logins and enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as a safety measure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-pa… ∗∗∗ CISCO Security Advisories 07. - 08.05.2025 ∗∗∗ --------------------------------------------- Cisco has released 29 new security Advisories. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. [..] Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default. CVE-2025-20188 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Catalyst Center Unauthenticated API Access Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings. CVE-2025-20210 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Drupal Security Advisories 07.05.2025 ∗∗∗ --------------------------------------------- Drupal has released 10 new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Ubiquiti UniFi Protect: Kritisches Leck ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In einer Sicherheitsmitteilung erörtert Ubiquiti die Schwachstellen. Bösartige Akteure mit Zugriff auf das Verwaltungsnetzwerk können einen Heap-basierten Pufferüberlauf in den Unifi-Protect-Kameras mit Firmware 4.75.43 und vorherigen provozieren und dadurch beliebigen Code einschleusen und ausführen (CVE-2025-23123, CVSS 10.0, Risiko "kritisch"). --------------------------------------------- https://www.heise.de/news/Ubiquity-UniFi-Protect-Einschleusen-von-Schadcode… ∗∗∗ Mitel SIP-Phones lassen sich beliebige Befehle unterjubeln ∗∗∗ --------------------------------------------- Laut der Sicherheitsmitteilung von Mitel gibt es eine Befehlsschmuggel-Lücke in den SIP-Phones der Baureihen 6800, 6900, 6900w sowie dem 6970-Konferenz-Modell. Angreifer aus dem Netz können dadurch ohne vorherige Authentifizierung Befehle einschleusen, da nicht näher genannte Parameter nicht ausreichend gefiltert werden. Damit können sie System- und Nutzer-Daten und Konfigurationen einsehen oder ändern (CVE-2025-47188, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-10376625 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 28, 2025 to May 4, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2025
by Daily end-of-shift report 07 May '25

07 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-05-2025 18:00 − Mittwoch 07-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Samsung MagicINFO 9 Server RCE flaw now exploited in attacks ∗∗∗ --------------------------------------------- Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-magicinfo-9-server-r… ∗∗∗ Apache Parquet exploit tool detect servers vulnerable to critical flaw ∗∗∗ --------------------------------------------- A proof-of-concept exploit tool has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apache-parquet-exploit-tool-… ∗∗∗ Millionenstrafe für Firma nach WhatsApp-Hack ∗∗∗ --------------------------------------------- Die NSO Group aus Israel hatte einen Bug in WhatsApp genutzt, um Spyware zu installieren. Meta klagte und gewann. --------------------------------------------- https://futurezone.at/digital-life/meta-whatsapp-nso-group-spionagesoftware… ∗∗∗ Zero Day: Windows-Lücke von mindestens zwei Hackergruppen ausgenutzt ∗∗∗ --------------------------------------------- Mindestens zwei Cyberbanden haben sich einer Schwachstelle im CLFS-Treiber von Windows bedient, bevor Microsoft einen Patch ausliefern konnte. --------------------------------------------- https://www.golem.de/news/zero-day-windows-luecke-von-mindestens-zwei-hacke… ∗∗∗ State of ransomware in 2025 ∗∗∗ --------------------------------------------- Kaspersky researchers review ransomware trends for 2024, analyze the most active groups and forecast how this threat will evolve in 2025. --------------------------------------------- https://securelist.com/state-of-ransomware-in-2025/116475/ ∗∗∗ Lights Out and Stalled Factories: Using M.A.T.R.I.X to Learn About Modbus Vulnerabilities ∗∗∗ --------------------------------------------- Let’s explore the critical role of Modbus in energy and manufacturing systems, then demonstrate real-world exploitation techniques using Docker-based simulations and the custom-built Python tool M.A.T.R.I.X. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lights-out-… ∗∗∗ Backupsoftware Commvault: Weitere Lücke angegriffen, Patch offenbar unwirksam ∗∗∗ --------------------------------------------- Zum Wochenende wurden Angriffe auf eine weitere Commvault-Sicherheitslücke bekannt. Das Update zum Abdichten wirkt wohl nicht. --------------------------------------------- https://www.heise.de/news/Backupsoftware-Commvault-Weitere-Luecke-angegriff… ∗∗∗ Wegen Sicherheitslücken: LibreOffice rät von OpenOffice ab ∗∗∗ --------------------------------------------- Die Entwickler von LibreOffice raten vom Konkurrenten OpenOffice ab. Die Apache-Software enthalte Sicherheitslücken und werde nicht weiterentwickelt. --------------------------------------------- https://www.heise.de/news/Wegen-Sicherheitsluecken-LibreOffice-raet-von-Ope… ∗∗∗ NIS2 nicht umgesetzt: EU-Strafe für Deutschland rückt einen Schritt näher ∗∗∗ --------------------------------------------- Die EU-Kommission hat die zweite Stufe des Vertragsverletzungsverfahren gegen Deutschland eingeleitet, weil es die NIS2-Richtlinie noch nicht umgesetzt hat. --------------------------------------------- https://www.heise.de/news/NIS2-nicht-umgesetzt-EU-Strafe-fuer-Deutschland-r… ∗∗∗ Exploiting Copilot AI for SharePoint ∗∗∗ --------------------------------------------- TL;DR AI Assistants are becoming far more common Copilot for SharePoint is Microsoft’s answer to generative AI assistance on SharePoint Attackers will look to exploit anything they can get their .. --------------------------------------------- https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sha… ∗∗∗ Meta lässt sich sechs Wochen Zeit, bis Betrug entfernt wird ∗∗∗ --------------------------------------------- Postings über Kryptoscams oder betrügerische Influencer-Aktionen bleiben auf Facebook und Instagram am längsten von allen online --------------------------------------------- https://www.derstandard.at/story/3000000268532/meta-laesst-sich-sechs-woche… ∗∗∗ Ransomware Attackers Leveraged Privilege Escalation Zero-day ∗∗∗ --------------------------------------------- Exploit used by Play-linked attackers targets the CVE-2025-29824 zero-day vulnerability patched on April 8. --------------------------------------------- https://www.security.com/threat-intelligence/play-ransomware-zero-day ∗∗∗ Unsophisticated Cyber Actor(s) Targeting Operational Technology ∗∗∗ --------------------------------------------- CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-ac… ∗∗∗ Poland arrests four in global DDoS-for-hire takedown ∗∗∗ --------------------------------------------- The suspects allegedly operated six platforms that offered distributed denial-of-service attacks for as little as 10 euros. --------------------------------------------- https://therecord.media/poland-arrests-four-ddos-hire ∗∗∗ Achtung bei iVentoy, es werden obskure Zertifikate und Treiber installiert ∗∗∗ --------------------------------------------- Kurze Warnung an Leute aus der Blog-Leserschaft, die das Tool iVentoy zur Verteilung von Betriebssystem-Images über ein Netzwerk und einen PXE-Server einsetzen. Es gibt aktuell eine Diskussion, dass das Tool .. --------------------------------------------- https://www.borncity.com/blog/2025/05/07/achtung-bei-iventoy-es-werden-obsk… ∗∗∗ ClickFix Scam: How to Protect Your Business Against This Evolving Threat ∗∗∗ --------------------------------------------- Cybercriminals aren’t always loud and obvious. Sometimes, they play it quiet and smart. One of the tricks of .. --------------------------------------------- https://hackread.com/clickfix-scam-how-to-protect-business-againt-threat/ ∗∗∗ COLDRIVER Using New Malware To Steal Documents >From Western Targets and NGOs ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-do… ===================== = Vulnerabilities = ===================== ∗∗∗ Honeywell MB Secure Authenticated Command Injection ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-command… ∗∗∗ Langflow Missing Authentication Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6085 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2025
by Daily end-of-shift report 06 May '25

06 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 05-05-2025 18:00 − Dienstag 06-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Man pleads guilty to using malicious AI software to hack Disney employee ∗∗∗ --------------------------------------------- Fake image-generating app allowed man to download 1.1TB of Disney-owned data. --------------------------------------------- https://arstechnica.com/ai/2025/05/man-pleads-guilty-to-using-malicious-ai-… ∗∗∗ Luna Moth extortion hackers pose as IT help desks to breach US firms ∗∗∗ --------------------------------------------- The data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States. --------------------------------------------- https://www.bleepingcomputer.com/news/security/luna-moth-extortion-hackers-… ∗∗∗ "Mirai" Now Exploits Samsung MagicINFO CMS (CVE-2024-7399), (Mon, May 5th) ∗∗∗ --------------------------------------------- Last August, Samsung patched an arbitrary file upload vulnerability that could lead to remote code execution [1]. The announcement was very sparse and did not even include affected .. --------------------------------------------- https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE2024… ∗∗∗ CISA slammed for role in censorship industrial complex as budget faces possible $500M cut ∗∗∗ --------------------------------------------- Because who needs cybersecurity when there’s culture wars to win President Trumps dream 2026 budget would gut the US govts Cybersecurity and Infrastructure Security Agency, aka CISA, by $491 million - about 17 percent – and accuses the organization of abandoning its core mission in favor of policing online speech. --------------------------------------------- https://www.theregister.com/2025/05/06/cisa_budget_cuts/ ∗∗∗ Signal-Affäre: Modifizierter Messenger stellt nach zweitem Einbruch Betrieb ein ∗∗∗ --------------------------------------------- In der US-Regierung wird eine modifizierte App benutzt, um per Signal zu kommunizieren. Die heißt TeleMessage, wurde zweimal geknackt und vorerst dicht gemacht. --------------------------------------------- https://www.heise.de/news/Signal-Affaere-Modifizierter-Messenger-stellt-nac… ∗∗∗ Peru denies it was hit by ransomware attack following Rhysida claims ∗∗∗ --------------------------------------------- The prolific ransomware gang claimed to have taken over the Peruvian governments domain. --------------------------------------------- https://therecord.media/peru-rhysida-ransomware-claims-denied ∗∗∗ NSA to cut up to 2,000 civilian roles as part of intel community downsizing ∗∗∗ --------------------------------------------- The agency is expected to make the cuts by the end of year, however that deadline could change as it is tied to the Defense Department’s broader push to reduce its budget by 8 percent in each of the next five years. --------------------------------------------- https://therecord.media/nsa-to-cut-up-to-2000-roles-downsizing ∗∗∗ Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches ∗∗∗ --------------------------------------------- Edge vulnerabilities are a critical and growing threat. The 2025 DBIR reveals an eightfold surge in exploitation, yet many remain unpatched despite immediate risk. --------------------------------------------- https://www.greynoise.io/blog/verizon-dbir-2025-edge-kevs-increasingly-left… ∗∗∗ Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines ∗∗∗ --------------------------------------------- UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-… ∗∗∗ A Timely Reminder: Russia’s Enduring Cyber Threat to Critical Infrastructure ∗∗∗ --------------------------------------------- Russia’s cyber operations — ranging from power-grid disruptions to global ransomware — continue to be among the world’s most prolific and destructive, underscoring the continued .. --------------------------------------------- https://detect.fyi/a-timely-reminder-russias-enduring-cyber-threat-to-criti… ∗∗∗ How to Harden GitHub Actions: The Unofficial Guide ∗∗∗ --------------------------------------------- Build resilient GitHub Actions workflows with lessons from recent attacks. --------------------------------------------- https://www.wiz.io/blog/github-actions-security-guide ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/1020222/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2025
by Daily end-of-shift report 05 May '25

05 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-05-2025 18:00 − Montag 05-05-2025 18:00 Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Magento supply chain attack compromises hundreds of e-stores ∗∗∗ --------------------------------------------- A supply chain attack involving 21 backdoored Magento extensions has compromised between 500 and 1,000 e-commerce stores, including one belonging to a $40 billion multinational. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-… ∗∗∗ StealC malware enhanced with stealth upgrades and data theft tools ∗∗∗ --------------------------------------------- The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with… ∗∗∗ Shuffling the Greatest Hits: How DragonForce Ransomware Samples LockBit and Conti Into a Ransomware Jukebox ∗∗∗ --------------------------------------------- DragonForce ransomware has been assessed as a sophisticated threat that tactically deploys payloads derived from leaked source code of both the notorious LockBit 3.0 and Conti ransomware families. While the samples share some similar core functionality, DragonForce distinguishes itself in several .. --------------------------------------------- https://hybrid-analysis.blogspot.com/2025/05/shuffling-greatest-hits-how-dr… ∗∗∗ Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware ∗∗∗ --------------------------------------------- An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.The activity, which lasted from at least May 2023 to February 2025, .. --------------------------------------------- https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.ht… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-expl… ∗∗∗ CVE-2025-31324: Critical SAP NetWeaver Vulnerability Actively Exploited ∗∗∗ --------------------------------------------- SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, has recently been patched with the release of SAP Security Note 3594142. --------------------------------------------- https://www.truesec.com/hub/blog/cve-2025-31324-critical-sap-netweaver-vuln… ∗∗∗ DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door ∗∗∗ --------------------------------------------- The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening. --------------------------------------------- https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-s… ∗∗∗ NPM targeted by malware campaign mimicking familiar library names ∗∗∗ --------------------------------------------- Developers looking for familiar packages from other programming languages are increasingly falling victim to malicious attacks. Summary #The Socket threat research team uncovered a coordinated malware operation across the NPM ecosystem. The actor behind the campaign published dozens of malicious NPM packages that mimic well-known Python, Java, C++, .NET, .. --------------------------------------------- https://socket.dev/blog/npm-targeted-by-malware-campaign-mimicking-familiar… ∗∗∗ Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks ∗∗∗ --------------------------------------------- A vulnerability has been identified in Apache Parquet Java, which could leave systems exposed to remote code execution (RCE) attacks. Apache Parquet contributor Gang Wu discovered, this flaw, tracked as CVE-2025-46762, .. --------------------------------------------- https://thecyberexpress.com/apache-parquet-java-flaw-cve-2025-46762/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, .. --------------------------------------------- https://lwn.net/Articles/1020130/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2025
by Daily end-of-shift report 02 May '25

02 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-04-2025 18:00 − Freitag 02-05-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Angreifer setzen erneut an älteren Sonicwall-Lücken an ∗∗∗ --------------------------------------------- Aufgrund von laufenden Attacken sollten Admins ihre Fernwartungslösungen der SMA-Serie von Sonicwall umgehend auf den aktuellen Stand bringen. [..] Beide Schwachstellen betreffen die SMA-Reihen SMA 200, 210, 400, 410 und 500v. Die Entwickler versichern, die Lücken ab der Firmware 10.2.1.14-75sv geschlossen zu haben. [..] Sind Attacken erfolgreich, können Angreifer Schadcode ausführen. Die "kritische" Lücke (CVE-2024-38475) betrifft die SMA-Komponente Apache HTTP Server. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-setzen-erneut-an-aelteren… ∗∗∗ SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475) ∗∗∗ --------------------------------------------- Another day, another edge device being targeted - it’s a typical Thursday! In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. [..] Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a seperate CVE will not be assigned for SonicWall's [..] As always, we’ve produced a Detection Artefact Generator to demonstrate and achieve pre-auth RCE. --------------------------------------------- https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-so… ∗∗∗ Why MFA is getting easer to bypass and what to do about it ∗∗∗ --------------------------------------------- As detailed on Thursday by Cisco Talos, an entire ecosystem has cropped up to help criminals defeat these forms of MFA. --------------------------------------------- https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-a… ∗∗∗ Windows: Anmeldung mit alten Passwörtern durch RDP möglich ∗∗∗ --------------------------------------------- Laut Microsoft handelt es sich um eine "Design-Entscheidung, die sicherstellt, dass mindestens ein Nutzerkonto dazu in der Lage ist, sich anzumelden, ganz gleich, wie lange das System offline war". Daher treffe dieses Verhalten die Definition einer Schwachstelle nicht. Microsoft habe keine Pläne, etwas daran zu ändern. --------------------------------------------- https://www.heise.de/news/Windows-Log-in-ueber-RDP-mit-widerrufenen-Passwoe… ∗∗∗ Prolific RansomHub Operation Goes Dark ∗∗∗ --------------------------------------------- The chat infrastructure and data-leak site of the notorious ransomware-as-a-service group has been inactive since March 31, according to security vendors. --------------------------------------------- https://www.darkreading.com/cyber-risk/prolific-ransomhub-operation-goes-da… ∗∗∗ Softwareupdates manipuliert: Hacker missbrauchen IPv6-Feature für Cyberattacken ∗∗∗ --------------------------------------------- Spellbinder nutzt den Angaben nach einen Angriffsvektor, der schon mindestens seit 2008 bekannt ist und schon 2011 in einem Blogbeitrag unter der Bezeichnung "SLAAC-Attack" ausführlich beschrieben wurde. [..] Mit Spellbinder lassen sich demnach IPv6-Konfigurationen spoofen, die normalerweise automatisch über eine Methode namens SLAAC (Stateless Address Autoconfiguration) zugewiesen werden. --------------------------------------------- https://www.golem.de/news/softwareupdates-manipuliert-hacker-missbrauchen-i… ∗∗∗ MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks ∗∗∗ --------------------------------------------- The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Futures Insikt Group said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/05/mintsloader-drops-ghostweaver-via.html ∗∗∗ I StealC You: Tracking the Rapid Changes To StealC ∗∗∗ --------------------------------------------- StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. --------------------------------------------- https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid… ∗∗∗ Using Trusted Protocols Against You: Gmail as a C2 Mechanism ∗∗∗ --------------------------------------------- Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. --------------------------------------------- https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-m… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, fig2dev, firefox-esr, golang-github-gorilla-csrf, jinja2, libxml2, nagvis, qemu, request-tracker4, request-tracker5, u-boot, and vips), Fedora (firefox, giflib, and thunderbird), Mageia (imagemagick), Red Hat (thunderbird), SUSE (amber-cli, libjxl, and redis), and Ubuntu (h2o, poppler, and postgresql-10). --------------------------------------------- https://lwn.net/Articles/1019645/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython). --------------------------------------------- https://lwn.net/Articles/1019869/ ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-121-01 KUNBUS GmbH Revolution Pi, ICSMA-25-121-01 MicroDicom DICOM Viewer --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-releases-two-indust… ∗∗∗ ZDI-25-267: GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-267/ ∗∗∗ IBM Cognos Analytics: Angreifer können Schadcode hochladen ∗∗∗ --------------------------------------------- https://www.heise.de/news/IBM-Cognos-Analytics-Angreifer-koennen-Schadcode-… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… ∗∗∗ Tenable: [R1] Sensor Proxy Version 1.2.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-08 ∗∗∗ f5: K000151130: GnuTLS vulnerability CVE-2024-12243 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151130 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2025
by Daily end-of-shift report 30 Apr '25

30 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-04-2025 18:00 − Mittwoch 30-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ AirBorne: Wormable Zero-Click RCE in Apple AirPlay ∗∗∗ --------------------------------------------- Oligo Security Research has discovered a new set of vulnerabilities in Apple’s AirPlay Protocol and the AirPlay Software Development Kit (SDK), which is used by third-party vendors to integrate AirPlay into third-party devices. --------------------------------------------- https://www.oligo.security/blog/airborne ∗∗∗ Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th) ∗∗∗ --------------------------------------------- The activity occured on the 23 April 2025 between 18:00 - 19:00 UTC but since then based on activity reported to DShield (see graphs below) has been happening almost daily. --------------------------------------------- https://isc.sans.edu/diary/rss/31906 ∗∗∗ Yet Another NodeJS Backdoor (YaNB): A Modern Challenge ∗∗∗ --------------------------------------------- During an Advanced Continual Threat Hunt (ACTH) investigation conducted in early March 2025, Trustwave SpiderLabs identified a notable resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications. These campaigns trick users into executing NodeJS-based backdoors, subsequently deploying sophisticated NodeJS Remote Access Trojans (RATs) similar to traditional PE structured legacy RATs. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another… ∗∗∗ Understanding the Deep Web, Dark Web, and Darknet (2025 Guide) ∗∗∗ --------------------------------------------- Understand the difference between Deep Web, Dark Web, and Darknet. Learn how they work, how to access them safely, and why they matter in 2025. --------------------------------------------- https://www.darknet.org.uk/2025/04/understanding-the-deep-web-dark-web-and-… ∗∗∗ The MCP Authorization Spec Is... a Mess for Enterprise ∗∗∗ --------------------------------------------- The Model Context Protocol has created quite the buzz in the AI ecosystem at the moment, but as enterprise organizations look to adopt it, they are confronted with a hard truth: it lacks important security functionality. Up until now, as people experiment with Agentic AI and tool support, they’ve mostly adopted the MCP stdio transport, which means you end up with a 1:1 deployment of MCP server and MCP client. What organizations need is a way to deploy MCP servers remotely and leverage authorization to give resource owner’s access to their data safely. --------------------------------------------- https://blog.christianposta.com/the-updated-mcp-oauth-spec-is-a-mess/ ∗∗∗ Practical Cyber Deception — Introduction to “Chaotic Good” ∗∗∗ --------------------------------------------- Cyber deception isn’t about building expensive honeynets or deploying complex traps — it’s about instilling doubt and confusion in the attacker. By layering practical, tactical deception into your environment, you shift the balance of power: slowing them down, forcing mistakes, and gaining early warning long before real damage is done. From fake servers and canary tokens to ransomware drive traps, deception turns defense from a reactive grind into a strategic, active game. --------------------------------------------- https://detect.fyi/practical-cyber-deception-introduction-to-chaotic-good-2… ∗∗∗ Phishers Take Advantage of Iberian Blackout Before Its Even Over ∗∗∗ --------------------------------------------- Opportunistic threat actors targeted Portuguese and Spanish speakers by spoofing Portugals national airline in a campaign offering compensation for delayed or disrupted flights. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/phishers-take-advant… ===================== = Vulnerabilities = ===================== ∗∗∗ Dell schützt PowerProtect Data Manager und Laptops vor möglichen Attacken ∗∗∗ --------------------------------------------- In einer Warnmeldung führen die Entwickler aus, dass PowerProtect Data Manager über mehrere Lücken in Komponenten von Drittanbietern wie Golang und Spring Framework, aber auch über Lücken in der Anwendung selbst angreifbar ist. Sind Attacken erfolgreich, können sich Angreifer etwa mit lokalem Zugriff und niedrigen Rechten höhere Nutzerrechte verschaffen (CVE-2025-23375 "hoch"). Die Entwickler versichern, die Lücken in PowerProtect Data Manager 19.19.0-15 geschlossen zu haben. --------------------------------------------- https://www.heise.de/news/Dell-schuetzt-PowerProtect-Data-Manager-und-Lapto… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc and libraw), Fedora (digikam, icecat, mingw-LibRaw, perl, perl-Devel-Cover, and perl-PAR-Packer), Red Hat (ghostscript, kernel, and kernel-rt), Slackware (mozilla), SUSE (augeas, firefox, and java-11-openjdk), and Ubuntu (binutils, libxml2, and nodejs). --------------------------------------------- https://lwn.net/Articles/1019457/ ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-119-01 Rockwell Automation ThinManager, ICSA-25-119-02 Delta Electronics ISPSoft, ICSA-25-105-05 Lantronix XPort (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-releases-three-indu… ∗∗∗ Mehrere Schwachstellen in Sematell ReplyOne (SYSS-2024-081/-082/-083) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sematell-replyon… ∗∗∗ f5: K000151082: PostgreSQL vulnerability CVE-2021-32027 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151082 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2025
by Daily end-of-shift report 29 Apr '25

29 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 28-04-2025 18:00 − Dienstag 29-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Hitachi Vantara takes servers offline after Akira ransomware attack ∗∗∗ --------------------------------------------- Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hitachi-vantara-takes-server… ∗∗∗ The one interview question that will protect you from North Korean fake workers ∗∗∗ --------------------------------------------- "My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly, because it's not worth it to say something negative about that," he told a panel session at the RSA Conference in San Francisco Monday. [..] "One of the things that we've noted is that you'll have a person in Poland applying with a very complicated name," he recounted, "and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it." --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/04/29/north_korea_… ∗∗∗ Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’, and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code. [..] In today’s blog post, we highlighted an interesting piece of malware that masquerades as a legitimate plugin. --------------------------------------------- https://www.wordfence.com/blog/2025/04/interesting-wordpress-malware-disgui… ∗∗∗ So schützen Sie sich vor den häufigsten Betrugsmaschen auf booking.com ∗∗∗ --------------------------------------------- Der Sommer naht und damit beginnt die Hochsaison für Reisebuchungen. Ob Städtetrip, Strandurlaub oder Bergtour: Viele buchen ihre Unterkunft über die Buchungsplattform booking.com. Doch Vorsicht! Kriminelle nutzen die erhöhte Reiselust aus und versuchen Urlaubsfreudige zu täuschen. Wir zeigen Ihnen die häufigsten Maschen und wie Sie sich davor schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-den-haeufi… ∗∗∗ Gremlin Stealer: New Stealer on Sale in Underground Forum ∗∗∗ --------------------------------------------- Advertised on Telegram, Gremlin Stealer is new malware active since March 2025 written in C#. Data stolen is uploaded to a server for publication. [..] We have monitored Gremlin Stealer since we initially discovered it in March 2025. The functions of this stealer from Figure 1 are listed below. --------------------------------------------- https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on… ∗∗∗ Unlocking New Jailbreaks with AI Explainability ∗∗∗ --------------------------------------------- In this post, we introduce our “Adversarial AI Explainability” research, a term we use to describe the intersection of AI explainability and adversarial attacks on Large Language Models (LLMs). Much like using an MRI to understand how a human brain might be fooled, we aim to decipher how LLMs can be manipulated. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/unlocking-new-jailb… ∗∗∗ Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). [..] We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-tren… ∗∗∗ Cybercrime-Marktplatz: Strafverfolger enterten BreachForums über Zero-Day-Lücke ∗∗∗ --------------------------------------------- Derzeit ist der Cybercrime-Marktplatz BreachForums offline. Als Grund nennen die Hintermänner, dass Strafverfolger das Forum über eine Zero-Day-Sicherheitslücke gehackt und sich so Zugriff dazu verschafft haben. --------------------------------------------- https://heise.de/-10365208 ∗∗∗ Spike in Git Config Crawling Highlights Risk of Codebase Exposure ∗∗∗ --------------------------------------------- GreyNoise observed a significant increase in crawling activity targeting Git configuration files. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials. --------------------------------------------- https://www.greynoise.io/blog/spike-git-configuration-crawling-risk-codebas… ===================== = Vulnerabilities = ===================== ∗∗∗ Mozilla Foundation Security Advisories April 29, 2025 ∗∗∗ --------------------------------------------- Thunderbird and Firefox --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Seiko-Epson-Druckertreiber ermöglicht Rechteausweitung auf System ∗∗∗ --------------------------------------------- Die Windows-Druckertreiber von Seiko-Epson reißen eine Sicherheitslücke auf, durch die Angreifer ihre Rechte auf SYSTEM-Ebene ausweiten können. Aktualisierte Software steht bereit, die die zugrundeliegende Schwachstelle ausbessert. --------------------------------------------- https://www.heise.de/news/Seiko-Epson-Druckertreiber-ermoeglicht-Rechteausw… ∗∗∗ Multiple Vulnerabilities in HP Wolf Security Controller / HP Sure Access Enterprise / HP Sure Click Enterprise ∗∗∗ --------------------------------------------- The HP Wolf Security Controller, the HP Sure Access Enterprise Client and the HP Sure Click Enterprise Client might be vulnerable to attacks if not configured according to HP's Best Practices. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (glibc, php:8.1, and thunderbird), Debian (libreoffice), Fedora (caddy), Mageia (chromium-browser-stable), Red Hat (php:8.1), SUSE (glow), and Ubuntu (kicad, linux-aws-5.15, linux-azure-nvidia, linux-gcp-5.15, mistral, python-mistral-lib, tomcat8, and trafficserver). --------------------------------------------- https://lwn.net/Articles/1019272/ ∗∗∗ Docker: Rechteausweitungslücke in Desktop für Windows ∗∗∗ --------------------------------------------- In den Release-Notes schreiben die Docker-Entwickler, dass die Version 4.41.0 eine Sicherheitslücke schließt, die Angreifern mit Zugriff auf die Maschine die Ausweitung der Zugriffsrechte ermöglicht, wenn Docker Desktop Updates installiert (CVE-2025-3224, CVSS 7.3, Risiko "hoch"). --------------------------------------------- https://heise.de/-10366320 ∗∗∗ Daikin Security Gateway v214 Remote Password Reset ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php ∗∗∗ ABB: 2025-04-29: Cyber Security Advisory - Ekip Com IEC61850 Vulnerability in third-party library ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2CRT000007&Language… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.04.2025
by Daily end-of-shift report 28 Apr '25

28 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-04-2025 18:00 − Montag 28-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SAP patcht attackierte, kritische Schwachstelle außer der Reihe ∗∗∗ --------------------------------------------- Update 25.04.2025, 22:11 Uhr: Kriminelle missbauchen die Schwachstelle bereits im Internet. Details zu den Angriffen finden sich etwa bei Onapsis in einem Blog-Beitrag. Admins sollten schnellstmöglich aktualisieren, zumal offenbar viele SAP-Neatweaver-Installationen die verwundbare Komponente einsetzen, so die Einschätzung der IT-Sicherheitsforscher in der Analyse im Blog. --------------------------------------------- https://heise.de/-10361908 ∗∗∗ DragonForce expands ransomware model with white-label branding scheme ∗∗∗ --------------------------------------------- The ransomware scene is re-organizing [..] DragonForce is now incentivizing ransomware actors with a distributed affiliate branding model, providing other ransomware-as-a-service (RaaS) operations a means to carry out their business without dealing with infrastructure maintenance cost and effort. A group's representative told BleepingComputer that they’re purely financially motivated but also follow a moral compass and are against attacking certain healthcare organizations. [..] In exchange for using their malware and infrastructure, the developer charges affiliates a fee from received ransoms that is normally up to 30%. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dragonforce-expands-ransomwa… ∗∗∗ Cloudflare mitigates record number of DDoS attacks in 2025 ∗∗∗ --------------------------------------------- Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-… ∗∗∗ VU#667211: Various GPT services are vulnerable to "Inception" jailbreak, allows for bypass of safety guardrails ∗∗∗ --------------------------------------------- Two systemic jailbreaks, affecting a number of generative AI services, were discovered. These jailbreaks can result in the bypass of safety protocols and allow an attacker to instruct the corresponding LLM to provide illicit or dangerous content. [..] These jailbreaks, while of low severity on their own, bypass the security and safety guidelines of all affected AI services, allowing an attacker to abuse them for instructions to create content on various illicit topics, such as controlled substances, weapons, phishing emails, and malware code generation. --------------------------------------------- https://kb.cert.org/vuls/id/667211 ∗∗∗ Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers ∗∗∗ --------------------------------------------- Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year. --------------------------------------------- https://thehackernews.com/2025/04/storm-1977-hits-education-clouds-with.html ∗∗∗ Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised ∗∗∗ --------------------------------------------- Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. [..] As of April 18, 2025, an estimated 13,000 vulnerable Craft CMS instances have been identified, out of which nearly 300 have been allegedly compromised. --------------------------------------------- https://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html ∗∗∗ WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors ∗∗∗ --------------------------------------------- Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead. --------------------------------------------- https://thehackernews.com/2025/04/woocommerce-users-targeted-by-fake.html ∗∗∗ Samsung: Android-Zwischenablage speichert Passwörter zwischen ∗∗∗ --------------------------------------------- Samsungs Android-Smartphones speichern in der Zwischenablage kopierte Inhalte. Im Zwischenablageverlauf finden sich gelegentlich auch alte, kopierte Passwörter. Samsung evaluiert das Problem derzeit. --------------------------------------------- https://heise.de/-10363941 ∗∗∗ Navigating Through The Fog ∗∗∗ --------------------------------------------- An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. [..] Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pachine/noPac for exploiting Active Directory vulnerabilities like CVE-2020-1472. --------------------------------------------- https://thedfirreport.com/2025/04/28/navigating-through-the-fog/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Unbefugte Zugriffe auf VMware Spring Boot möglich ∗∗∗ --------------------------------------------- Softwareentwickler nutzen Spring Boot zum effizienteren Erstellen von Java-Applikationen. Damit Angreifer an der Lücke (CVE-2025-22235 „hoch“) ansetzen zu können, müssen aber mehrere Voraussetzungen erfüllt sein. Unter anderem muss Spring Security eingesetzt werden und mit EndpointRequest.to () konfiguriert sein. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdate-Unbefugte-Zugriffe-auf-VMware-T… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (thunderbird), Debian (distro-info-data, imagemagick, kernel, libsoup2.4, and poppler), Fedora (chromium, java-1.8.0-openjdk, java-1.8.0-openjdk-portable, java-17-openjdk, java-17-openjdk-portable, java-latest-openjdk, pgadmin4, thunderbird, and xz), Mageia (haproxy and libxml2), Oracle (bluez, firefox, gnutls, libtasn1, libxslt, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), Red Hat (delve and golang, glibc, mod_auth_openidc, mod_auth_openidc:2.3, and thunderbird), SUSE (augeas, chromedriver, cifs-utils, govulncheck-vulndb, java-11-openjdk, java-21-openjdk, kyverno, libraw, opentofu, runc, subfinder, and valkey), and Ubuntu (jupyter-notebook and libxml2). --------------------------------------------- https://lwn.net/Articles/1019212/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2025
by Daily end-of-shift report 25 Apr '25

25 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-04-2025 18:00 − Freitag 25-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Triada strikes back ∗∗∗ --------------------------------------------- Kaspersky expert has discovered a new version of the Triada Trojan, with custom modules for Telegram, WhatsApp, TikTok, and other apps. --------------------------------------------- https://securelist.com/triada-trojan-modules-analysis/116380 ∗∗∗ Example of a Payload Delivered Through Steganography, (Fri, Apr 25th) ∗∗∗ --------------------------------------------- In this diary, Ill show you a practical example of how steganography is used to hide payloads (or other suspicious data) from security tools and Security Analysts eyes. Steganography can be defined like this: It is the art and science of concealing a secret message, file, or image within an ordinary-looking carrier - such as a digital photograph, audio clip, or text - so that the very existence of the hidden data is undetectable to casual observers. --------------------------------------------- https://isc.sans.edu/diary/rss/31892 ∗∗∗ Zoom attack tricks victims into allowing remote access to install malware and steal money ∗∗∗ --------------------------------------------- Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/04/zoom-attack-tricks-victims-i… ∗∗∗ GitHub potential leaking of private emails and Hacker One ∗∗∗ --------------------------------------------- A bit over a month ago, I was crawling GitHub’s API while working on code input (—it is still in beta). I was compiling a list of repositories and pull requests to identify those with merge conflicts. At some point, while randomly checking some user profiles, I noticed email addresses appearing in the API that weren’t visible on the public profiles. --------------------------------------------- https://omarabid.com/hacker-one ∗∗∗ How I Got Hacked: A Warning about Malicious PoCs ∗∗∗ --------------------------------------------- This is a reminder that even experienced security researchers and exploit developers can fall victim to well-disguised malware. Always verify PoCs manually, isolate them in a controlled environment, and never underestimate how creative attackers can be when hiding malicious payloads. --------------------------------------------- https://chocapikk.com/posts/2025/s1nk/ ∗∗∗ Step-by-Step Guide: SOC Automation — SMB Threat Hunting & Incident Response Lab ∗∗∗ --------------------------------------------- In this project, I will simulate a similar attack scenario in which an insider compromises a Windows server by delivering malware through the SMB protocol. By leveraging automation and the incident response lifecycle, the goal is to detect and contain the threat before it spreads, demonstrating best practices in threat detection and response. --------------------------------------------- https://detect.fyi/step-by-step-guide-soc-automation-smb-threat-hunting-inc… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Nvidia-Grafikkartentreiber unter Linux und Windows löchrig ∗∗∗ --------------------------------------------- Besitzer einer Nvidia-Grafikkarte sollten zeitnah den GPU-Treiber aus Sicherheitsgründen auf den aktuellen Stand bringen. Geschieht das nicht, können Angreifer unter Linux an mehreren Schwachstellen ansetzen und Computer attackieren. Außerdem gibt es noch abgesicherte Versionen von Cloud Gaming und vGPU-Software unter Windows. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Nvidia-Grafikkartentreiber-unt… ∗∗∗ Connectwise Screenconnect: Hochriskante Codeschmuggel-Lücke ∗∗∗ --------------------------------------------- Die Remote-Desktop-Software Screenconnect von Connectwise enthält eine Sicherheitslücke, die Angreifern das Einschleusen und Ausführen von Schadcode ermöglicht. Der Hersteller bietet Software-Updates zum Schließen des Sicherheitslecks an. --------------------------------------------- https://www.heise.de/news/Connectwise-Screenconnect-Hochriskante-Codeschmug… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (thunderbird), Debian (libbpf), Fedora (golang-github-openprinting-ipp-usb, ImageMagick, mingw-libsoup, mingw-poppler, and pgbouncer), SUSE (glib2, govulncheck-vulndb, libsoup-2_4-1, libxml2-2, mozjs60, ruby2.5, and thunderbird), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-iot, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-hwe-6.8, linux-ibm-5.4, linux-oracle-5.15, openssh, and php-twig). --------------------------------------------- https://lwn.net/Articles/1018912/ ∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released seven Industrial Control Systems (ICS) advisories on April 24, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS, including Schneider Electric Modicon Controllers, ALBEDO Telecom Net.Time - PTP/NTP Clock, Vestel AC Charger, Nice Linear eMerge E3, Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool, Planet Technology Network Products, and Fuji Electric Monitouch V-SFT (Update A). CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/24/cisa-releases-seven-indu… ∗∗∗ Hacking My Coworker (In Minecraft) ∗∗∗ --------------------------------------------- Integrated Scripting is included in several of the largest modpacks on CurseForge. It has 3.5 million downloads, which also doesn’t include non CurseForge hosted downloads such as for Feed the Beast modpacks. Through the presented vulnerability, any public or semi public multiplayer server that includes Integrated Scripting is vulnerable to remote code execution by a player who is able to craft a few relatively simple items. --------------------------------------------- https://redvice.org/assets/pdfs/minecraft2025.pdf ∗∗∗ Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild ∗∗∗ --------------------------------------------- SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, was patched just hours ago with the release of SAP Security Note 3594142. --------------------------------------------- https://redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324… ∗∗∗ ZDI-25-252: (0Day) Cato Networks Cato Client for macOS Helper Service Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-252/ ∗∗∗ Three new vulnerabilities found related to IXON VPN client resulting in Local Privilege Escalation (LPE) ∗∗∗ --------------------------------------------- https://www.shelltrail.com/research/three-new-cves-related-to-ixon-vpn-clie… ∗∗∗ Bosch: Multiple ctrlX OS vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-640452.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2025
by Daily end-of-shift report 24 Apr '25

24 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-04-2025 18:00 − Donnerstag 24-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Linux io_uring security blindspot allows stealthy rootkit attacks ∗∗∗ --------------------------------------------- A significant security gap in Linux runtime security caused by the io_uring interface allows rootkits to operate undetected on systems while bypassing advanced Enterprise security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-io-uring-security-blin… ∗∗∗ Darcula Adds GenAI to Phishing Toolkit, Lowering the Barrier for Cybercriminals ∗∗∗ --------------------------------------------- The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities. "This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a new report shared with The Hacker News." --------------------------------------------- https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.ht… ∗∗∗ Erlang/OTP SSH: Namhafte Hersteller von kritischer Lücke betroffen ∗∗∗ --------------------------------------------- Erlang/OTP SSH wird von vielen namhaften Herstellern mitgeliefert. Daher betrifft eine kritische Lücke auch Cisco und Ericsson. Zu den weiteren verwundbaren Anbietern gehört nach jetzigem Stand EMQ Technologies. Nicht standardmäßig installiert, aber optional verfügbar ist Erlang/OTP SSH bei National Instruments, Broadcom (insbesondere RabbitMQ), Very Technology, Apache (CouchDB) und Riak Technologies. Hier müssen Admins prüfen, ob sie Erlang/OTP SSH installiert haben und gegebenenfalls die verfügbaren Aktualisierungen installieren. --------------------------------------------- https://www.heise.de/news/Erlang-OTP-SSH-Namhafte-Hersteller-von-kritischer… ∗∗∗ 9X Surge in Ivanti Connect Secure Scanning Activity ∗∗∗ --------------------------------------------- GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure or Ivanti Pulse Secure VPN systems. More than 230 unique IPs probed ICS/IPS endpoints. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation. --------------------------------------------- https://www.greynoise.io/blog/surge-ivanti-connect-secure-scanning-activity ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Commvault Command Center Flaw Enables Attackers to Execute Code Remotely ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations. The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0. --------------------------------------------- https://thehackernews.com/2025/04/critical-commvault-command-center-flaw.ht… ∗∗∗ Drupal: Security advisories ∗∗∗ --------------------------------------------- Drupal has released new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy and openrazer), Fedora (c-ares and mingw-poppler), Red Hat (thunderbird), SUSE (epiphany, ffmpeg-6, gopass, and libsoup-3_0-0), and Ubuntu (erlang, haproxy, libapache2-mod-auth-openidc, libarchive, linux, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-azure-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws-6.8, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gke, linux-gkeop, linux-gcp-6.8, linux-ibm-5.15, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-realtime, perl, and yelp, yelp-xsl). --------------------------------------------- https://lwn.net/Articles/1018717/ ∗∗∗ ZDI-25-250: (0Day) Cloudera Hue Ace Editor Directory Traversal Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-250/ ∗∗∗ ZDI-25-249: (0Day) eCharge Hardy Barth cPH2 index.php Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-249/ ∗∗∗ ZDI-25-248: (0Day) eCharge Hardy Barth cPH2 nwcheckexec.php dest Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-248/ ∗∗∗ ZDI-25-247: (0Day) eCharge Hardy Barth cPH2 check_req.php ntp Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-247/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 14, 2025 to April 20, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ ALBEDO Telecom Net.Time - PTP/NTP Clock ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-02 ∗∗∗ Sonicwall warnt vor DoS-Lücke in SSLVPN ∗∗∗ --------------------------------------------- https://heise.de/-10360960 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2025
by Daily end-of-shift report 23 Apr '25

23 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-04-2025 18:00 − Mittwoch 23-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Alternativen aus Europa: Wie man von US-Software unabhängig wird ∗∗∗ --------------------------------------------- Ein Wiener Softwareentwickler sammelt "European Alternatives" zu US-Digitalprodukten. Seit Trumps 2. Amtsantritt ist das Interesse stark gestiegen. --------------------------------------------- https://futurezone.at/netzpolitik/tech-alternativen-apps-europa-datenschutz… ∗∗∗ Kurz nach Offenlegung: ChatGPT und Claude liefern Exploit für kritische SSH-Lücke ∗∗∗ --------------------------------------------- In einem verbreiteten SSH-Tool klafft eine gefährliche Lücke. Nur Stunden nach Bekanntwerden erstellt ein Forscher mittels KI einen funktionierenden Exploit. --------------------------------------------- https://www.golem.de/news/kurz-nach-offenlegung-chatgpt-und-claude-liefern-… ∗∗∗ Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis. --------------------------------------------- https://thehackernews.com/2025/04/android-spyware-disguised-as-alpine.html ∗∗∗ CVE-2025-3248: RCE vulnerability in Langflow ∗∗∗ --------------------------------------------- CVE-2025-3248, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, has been discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows. [..] All Langflow versions prior to 1.3.0 are susceptible to code injection. [..] Exploiting CVE-2025-3248 involves the following steps: --------------------------------------------- https://www.zscaler.com/blogs/security-research/cve-2025-3248-rce-vulnerabi… ∗∗∗ Die Urlaubsplanung steht an? Vorsicht vor Betrug mit Fake-Buchungsportalen! ∗∗∗ --------------------------------------------- Wo soll es im Sommerurlaub hingehen? Wie wäre es mit einer Miet-Finca auf den Kanaren? Dann ist bei der Buchung Vorsicht angebracht! Kriminelle erstellen Fake-Portale und bieten dort vermeintlich reale Luxus-Mietobjekte an. Wer sich auf den Deal einlässt und den gewünschten Betrag überweist, ist in die Falle getappt. Die Unterkunft existiert nicht, das Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/villen-fincas-fake-buchungsportal/ ∗∗∗ Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows ∗∗∗ --------------------------------------------- Since early March 2025, Volexity has observed multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows. The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account. --------------------------------------------- https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-… ∗∗∗ Distribution of PebbleDash Malware in March 2025 ∗∗∗ --------------------------------------------- PebbleDash is a backdoor malware that was previously identified by the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. as a backdoor malware of Lazarus (Hidden Corba) in 2020. --------------------------------------------- https://asec.ahnlab.com/en/87621/ ∗∗∗ Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs ∗∗∗ --------------------------------------------- Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme. --------------------------------------------- https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-b… ===================== = Vulnerabilities = ===================== ∗∗∗ ASUS releases fix for AMI bug that lets hackers brick servers ∗∗∗ --------------------------------------------- ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers. [..] The flaw impacts American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software, used by over a dozen server hardware vendors, including HPE, ASUS, and ASRock. The CVE-2024-54085 flaw is remotely exploitable, potentially leading to malware infections, firmware modifications, and irreversible physical damage through over-volting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/asus-releases-fix-for-ami-bu… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bluez, expat, and postgresql:12), Fedora (chromium, golang, LibRaw, moodle, openiked, ruby, and trafficserver), Red Hat (bluez, expat, gnutls, libtasn1, libxslt, mod_auth_openidc, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), and Ubuntu (linux, linux-aws, linux-gcp, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oem-6.11, linux-oracle, linux-raspi, linux-realtime, linux-azure, linux-azure-6.11, linux-gcp-6.8, and matrix-synapse). --------------------------------------------- https://lwn.net/Articles/1018589/ ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-112-01 Siemens TeleControl Server Basic SQL, ICSA-25-112-02 Siemens TeleControl Server Basic, ICSA-25-112-03 Schneider Electric Wiser Home Controller WHC-5918A, ICSA-25-112-04 ABB MV Drives, ICSA-25-035-04 Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/22/cisa-releases-five-indus… ∗∗∗ Cisco: Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2025
by Daily end-of-shift report 22 Apr '25

22 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-04-2025 18:00 − Dienstag 22-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ DOGE, CISA, Mitre und CVE ∗∗∗ --------------------------------------------- In der Cybersecurity Community herrschte letzte Woche helle Aufregung, weil die Einsparungstruppe von Trumps Gnaden die grandiose Idee hatte, das Funding für den Betrieb des CVE-Systems durch Mitre einzustellen. Wahrscheinlich aufgrund des starken Gegenwindes von der Seite der US-Industrie wurde eine Lösung gefunden und der Betrieb ist (angeblich) für die nächsten 11 Monate gesichert. Ich will das zum Anlass nehmen, das System hinter den bekannten CVE-Nummern zu erklären und mögliche Entwicklungen aufzuzeigen. --------------------------------------------- https://www.cert.at/de/blog/2025/4/doge-cisa-mitre-und-cve ∗∗∗ Phishers abuse Google OAuth to spoof Google in DKIM replay attack ∗∗∗ --------------------------------------------- In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Googles systems, passing all verifications but pointing to a fraudulent page that collected logins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-… ∗∗∗ Phishing attacks leveraging HTML code inside SVG files ∗∗∗ --------------------------------------------- The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers. Despite not being widespread at the time of this study, SVG attachment attacks are showing a clear upward trend. --------------------------------------------- https://securelist.com/svg-phishing/116256/ ∗∗∗ Videokameras: Schwere Sicherheitslücke bei Überwachungsgeräten der Polizei ∗∗∗ --------------------------------------------- Polizeibehörden in zahlreichen Ländern nutzen mobile Sender der Firma Infodraw. Doch die hochgeladenen Daten sind nicht ausreichend gesichert. [..] Über das Bundesamt für Sicherheit in der Informationstechnik (BSI) wurden laut Schäfers inzwischen in Deutschland alle übrigen Betreiber gewarnt. [..] Ihm zufolge reicht es nicht aus, die aktuelle Softwareversion 7.1.0.0 installiert zu haben. Wobei aktuell relativ ist, denn die Version stammt aus dem Jahr 2000. Schäfers empfiehlt den nutzenden Organisationen, die Anwendung unmittelbar offline zu nehmen. --------------------------------------------- https://www.golem.de/news/videokameras-schwere-sicherheitsluecke-bei-ueberw… ∗∗∗ Agent In the Middle – Abusing Agent Cards in the Agent-2-Agent (A2A) Protocol To ‘Win’ All the Tasks ∗∗∗ --------------------------------------------- I’ll write a blog post on prompt injection defenses and how I am able to circumvent them another time… the blog post today is about one of those advancements: the Agent-2-Agent (A2A) Protocol. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-th… ∗∗∗ Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach ∗∗∗ --------------------------------------------- Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it's also in the process of migrating the Entra ID signing service as well. The disclosure comes about seven months after the tech giant said it completed updates to Microsoft Entra ID and MS for both public and United States government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service. --------------------------------------------- https://thehackernews.com/2025/04/microsoft-secures-msa-signing-with.html ∗∗∗ Anspruch auf Kostenerstattung? Vorsicht vor neuer ÖGK-Betrugsmasche ∗∗∗ --------------------------------------------- Neue Website, alte Masche. Kriminelle haben eine weitere Betrugswelle im Namen der Österreichischen Gesundheitskasse gestartet. Sie locken mit einer hohen Rückzahlung und setzen auf eine beinahe 1:1-Kopie der originalen ÖGK-Website. So können Sie den Fake dennoch erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-neue-oegk-betrugsmasche/ ∗∗∗ Ivanti Endpoint Manager_Local Privilege Escalation via DLL Search Order Hijacking ∗∗∗ --------------------------------------------- The Ivanti Endpoint Manager Security Scan (Vulscan) Self Update was vulnerable to DLL Hijacking. 2025-04-08 Vendor publishes security advisory. 2025-04-22 Coordinated disclosure of security advisory. CVE Number CVE-2025-22458 --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… ∗∗∗ Microsoft’s patch for CVE-2025–21204 symlink vulnerability introduces another symlink vulnerability ∗∗∗ --------------------------------------------- Microsoft recently patched CVE-2025–21204, a vuln which allows users to abuse symlinks to elevate privileges using the Windows servicing stack and the c:\inetpub folder. [..] However, I’ve discovered this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates. [..] I reported this to MSRC about two weeks ago, but haven’t had a response. --------------------------------------------- https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulner… ∗∗∗ Zugangs- und Schließsysteme mit Internetanbindung als Risiko – Teil 1 ∗∗∗ --------------------------------------------- Heute noch ein kleiner, zweiteiliger Sammelbeitrag, in dem ich auf die Risiken eingehe, welche Schließsysteme bzw. Systeme zur Zugangskontrolle sowie zur Zeiterfassung unter Umständen bieten. --------------------------------------------- https://www.borncity.com/blog/2025/04/20/risiko-zeiterfassungs-zugangs-und-… ∗∗∗ Systeme zur Zeiterfassung mit Internetanbindung als Risiko – Teil 2 ∗∗∗ --------------------------------------------- In Teil 1 des zweiteiligen Sammelbeitrags hatte ich auf die Risiken hingewiesen, die von elektronischen Schließsystemen bzw. Systemen zur Zugangskontrolle ausgehen können, wenn diese am Internet hängen. Aber auch Systeme zur Zeiterfassung, die per Internet erreichbar sind, fallen in diese Kategorie, sofern Dienstleister diese allzu sorglos eingerichtet haben. --------------------------------------------- https://www.borncity.com/blog/2025/04/21/systeme-zur-zeiterfassung-mit-inte… ===================== = Vulnerabilities = ===================== ∗∗∗ Asus-Router: Sicherheitslücke ermöglicht unbefugtes Ausführen von Funktionen ∗∗∗ --------------------------------------------- Im CVE-Eintrag zur Schwachstelle erörtert Asus, dass in der AiCloud eine unzureichende Authentifizierungskontrolle stattfinde. Diese lasse sich durch manipulierte Anfragen missbrauchen, um ohne Autorisierung Funktionen auszuführen (CVE-2025-2492, CVSS 9.2, Risiko "kritisch"). [..] In der Sicherheitsmitteilung schreibt Asus lediglich, dass die Entwickler aktualisierte Firmware für die Serien 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388 und 3.0.0.6_102 veröffentlicht hat. Die soll die Schwachstelle ausbessern. --------------------------------------------- https://www.heise.de/news/Asus-Router-Sicherheitsluecke-ermoeglicht-unbefug… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (erlang, fig2dev, shadow, wget, and zabbix), Fedora (chromium, jupyterlab, llama-cpp, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, uv, and webkitgtk), Slackware (libxml2 and zsh), SUSE (argocd-cli, chromium, coredns, ffmpeg-6, and firefox), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/1018292/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, kernel, libxslt, mod_auth_openidc:2.3, and webkit2gtk3), Fedora (c-ares, giflib, jupyterlab, perl, perl-Devel-Cover, perl-PAR-Packer, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, ruby, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, thunderbird, and uv), SUSE (erlang, erlang26, and govulncheck-vulndb), and Ubuntu (mosquitto). --------------------------------------------- https://lwn.net/Articles/1018444/ ∗∗∗ Zyxel security advisory for incorrect permission assignment and improper privilege management vulnerabilities in USG FLEX H series firewalls ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Wordpress: Angreifer können über Greenshift-Plug-in Schadcode hochladen ∗∗∗ --------------------------------------------- https://heise.de/-10357624 ∗∗∗ SicommNet BASEC product warning ∗∗∗ --------------------------------------------- https://csirt.divd.nl/2025/04/14/SicommNet-Basec-product-warning/ ∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center version 6.5.1: SC-202504.3 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2025
by Daily end-of-shift report 18 Apr '25

18 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-04-2025 18:00 − Freitag 18-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Chrome extensions with 6 million installs have hidden tracking code ∗∗∗ --------------------------------------------- A set of 57 Chrome extensions with 6,000,000 users have been discovered with very risky capabilities, such as monitoring browsing behavior, accessing cookies for domains, and potentially executing remote scripts. [..] Earlier today, the researcher added 22 more extensions believed to belong to the same operation, taking the total to 57 extensions used by 6 million people. Some of the newly added extensions are public, too. Tuckner says that many of the extensions have been removed from the Chrome Web Store following his report from last week, but others still remain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-mil… ∗∗∗ Windows NTLM hash leak flaw exploited in phishing attacks on governments ∗∗∗ --------------------------------------------- A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies. The flaw tracked as CVE-2025-24054 was fixed in Microsoft's March 2025 Patch Tuesday. Initially, it was not marked as actively exploited and was assessed as 'less likely' to be. [..] In a later campaign, Check Point discovered phishing emails that contained .library-ms attachments, without an archive. Simply downloading the .library-ms file was enough to trigger NTLM authentication to the remote server, demonstrating that archives were not required to exploit the flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-ntlm-hash-leak-flaw-… ∗∗∗ Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader ∗∗∗ --------------------------------------------- A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. --------------------------------------------- https://thehackernews.com/2025/04/multi-stage-malware-attack-uses-jse-and.h… ∗∗∗ Nebula – Autonomous AI Pentesting Tool ∗∗∗ --------------------------------------------- Another cutting-edge tool from 2024 is Nebula, an open-source AI-powered penetration testing assistant. If PentestGPT is like an AI advisor, Nebula attempts to automate parts of the pentest process itself. --------------------------------------------- https://www.darknet.org.uk/2025/04/nebula-autonomous-ai-pentesting-tool/ ∗∗∗ Cross-Site WebSocket Hijacking Exploitation in 2025 ∗∗∗ --------------------------------------------- The post includes a few brief case studies based on situations encountered during real world testing, in addition to a simple test site that can be hosted by readers to explore each of the vulnerability conditions. --------------------------------------------- https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exp… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick and libapache2-mod-auth-openidc), Fedora (giflib, mod_auth_openidc, mysql8.0, perl, perl-Devel-Cover, perl-PAR-Packer, perl-String-Compare-ConstantTime, rust-openssl, rust-openssl-sys, trunk, and workrave), Mageia (chromium-browser-stable and rust), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreoffice, and webkit2gtk3), Red Hat (gvisor-tap-vsock), SUSE (containerd, docker, docker-stable, forgejo, GraphicsMagick, libmozjs-115-0, perl-32bit, poppler, subfinder, and thunderbird), and Ubuntu (erlang and ruby2.3, ruby2.5). --------------------------------------------- https://lwn.net/Articles/1018020/ ∗∗∗ [R1] Nessus Version 10.8.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-05 ∗∗∗ Yokogawa Recorder Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily