- Daily - CERT.at

Tageszusammenfassung - 29.08.2025
by Daily end-of-shift report 29 Aug '25

29 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-08-2025 18:00 − Freitag 29-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Polizei warnt vor Anrufen von Fake-Innenminister, der Geld will ∗∗∗ --------------------------------------------- Innenminister Karner soll um Spenden für Lösegeldzahlungen gebeten haben. Die Kontaktaufnahme geschah dabei mit einer echten Nummer des Innenministeriums. --------------------------------------------- https://futurezone.at/digital-life/fake-innenminister-karner-anruf-scam-pol… ∗∗∗ Vorsicht! Ankündigung einer Betriebsprüfung durch das Finanzamt ist eine Falle! ∗∗∗ --------------------------------------------- Eine neue Betrugsmasche im Namen des österreichischen Finanzamts macht aktuell die Runde. Diesmal ist es kein Zugangscode, der abläuft. Keine Rückerstattung, die auf ihre Auszahlung wartet. Im aktuellen Fall versuchen Kriminelle, über die Ankündigung einer Betriebsprüfung für Schaden zu sorgen. --------------------------------------------- https://www.watchlist-internet.at/news/falle-finanzamt-betriebspruefung/ ∗∗∗ Citrix forgot to tell you CVE-2025–6543 has been used as a zero day since May 2025 ∗∗∗ --------------------------------------------- Netscaler customers have a problem: the product is on fire. And not in a good way. Serious threat actors are running rings around the product on a regular basis, zero days being exploited regularly, and Citrix/Cloud Software Group simply aren’t being transparent about what is happening with customers so they cannot make real assessments of compromise. Applying patches after already being exploited is not working. --------------------------------------------- https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-u… ∗∗∗ Vorzeitige Beendigung des Supports für SonicWall SMA100 ∗∗∗ --------------------------------------------- Am 31. Oktober 2025 soll Schluss mit dem Support sein, wie es in einer Mitteilung eines SonicWall-Partners heißt. --------------------------------------------- https://www.borncity.com/blog/2025/08/29/vorzeitige-beendigung-des-supports… ∗∗∗ How attackers adapt to built-in macOS protection ∗∗∗ --------------------------------------------- We analyze the built-in protection mechanisms in macOS: how they work, how threat actors can attack them or deceive users, and how to detect such attacks. --------------------------------------------- https://securelist.com/macos-security-and-typical-attacks/117367/ ∗∗∗ Passkeys Pwned: Turning WebAuthn Against Itself ∗∗∗ --------------------------------------------- On the DEFCON 33 main stage, SquareX researchers disclosed a major passkey vulnerability that uses malicious extensions/scripts to fake passkey registration and logins, allowing attackers to access enterprise SaaS apps without the user’s device or biometrics. --------------------------------------------- https://labs.sqrx.com/passkeys-pwned-0dbddb7ade1a ∗∗∗ Ransomware gang takedowns causing explosion of new, smaller groups ∗∗∗ --------------------------------------------- The ransomware ecosystem continues to splinter, with new gangs proliferating in the wake of law enforcement takedowns that have scattered affiliates and prompted criminal rebrands. --------------------------------------------- https://therecord.media/ransomware-gang-takedown-proliferation ===================== = Vulnerabilities = ===================== ∗∗∗ Windows: Zero-Day-Lücke bei der LNK-Anzeige ∗∗∗ --------------------------------------------- Laut ZDI stellte Microsoft sich auf den Standpunkt, dass die Sicherheitslücke nicht den Schweregrad für eine Behandlung erreicht. Auch nach etwa einem halben Jahr hin und her änderte Microsoft seine Meinung dazu nicht. Schließlich hat ZDI die Meldung veröffentlicht und jetzt auch einen CVE-Schwachstelleneintrag dazu herausgegeben. [..] "Die Schwachstelle ermöglicht Angreifern aus dem Netz, beliebigen Code auf betroffenen Installationen von Microsoft Windows auszuführen. Benutzerinteraktion ist für den Missbrauch erforderlich, diese müssen eine bösartige Seite besuchen oder eine bösartige Datei öffnen", schlussfolgert die ZDI. [..] (CVE-2025-9491 / noch kein EUVD, CVSS 7.0, Risiko "hoch") --------------------------------------------- https://heise.de/-10625780 ∗∗∗ FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available ∗∗∗ --------------------------------------------- The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity. "Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory. [..] "We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise," watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/08/freepbx-servers-targeted-by-zero-day.html ∗∗∗ clickstudios Passwordstate 2025-08-28 ∗∗∗ --------------------------------------------- Fixed a potential authentication bypass issue associated with accessing the core Passwordstate Products' Emergency Access page, by using a carefully crafted URL, which could allow access to the Passwordstate Administration section. --------------------------------------------- https://www.clickstudios.com.au/security/advisories/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (aide, fence-agents, firefox, kernel-rt, python-cryptography, and thunderbird), Debian (golang-github-gin-contrib-cors, libxml2, and udisks2), Fedora (chromium), Oracle (postgresql16, postgresql:16, python3.11, and thunderbird), Red Hat (lz4 and mpfr), SUSE (chromium, docker, dpkg, firefox, gdk-pixbuf, git, git, git-lfs, obs-scm-bridge, python-PyYAML, gnutls, kernel, libarchive, libxml2, net-tools, netty, perl-Crypt-CBC, polkit, postgresql14, postgresql15, sqlite3, thunderbird, tomcat10, and udisks2), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux-realtime, linux-realtime-6.14, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gke, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-kvm, linux-oem-6.14, linux-realtime, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, openldap, and udisks2). --------------------------------------------- https://lwn.net/Articles/1035724/ ∗∗∗ QNAP: Multiple Vulnerabilities in File Station 5 ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-19 ∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-21 ∗∗∗ Tenable: [R1] Stand-alone Security Patches Available for Tenable Security Center versions 6.4.x, 6.5.1 and 6.6.0: SC-202508.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-17 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-01 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-02 ∗∗∗ GE Vernova CIMPLICITY ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-06 ∗∗∗ Delta Electronics CNCSoft-G2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-04 ∗∗∗ Delta Electronics COMMGR ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 28.08.2025
by Daily end-of-shift report 28 Aug '25

28 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-08-2025 18:00 − Donnerstag 28-08-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Experimental PromptLock ransomware uses AI to encrypt, steal data ∗∗∗ --------------------------------------------- Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems. The malware uses OpenAI’s gpt-oss:20b model through the Ollama API to dynamically generate the malicious Lua scripts from hard-coded prompts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/experimental-promptlock-rans… ∗∗∗ ZipLine Phishers Flip Script as Victims Email First ∗∗∗ --------------------------------------------- "ZipLine" appears to be a sophisticated and carefully planned campaign that has already affected dozens of small, medium, and large A financially motivated threat actor is flipping the phishing playbook by getting victims to make the first email contact with the attacker rather than the other way around. The scam involves the adversary hitting up Contact Us forms on company websites under the guise of partnership inquiries or other business pretexts and waiting for the target to respond. Over a couple of weeks, they build credibility with carefully crafted, professional-sounding emails before hitting their mark with a weaponized zip file. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/zipline-phishers-vic… ∗∗∗ AppSuite PDF Editor Backdoor: A Detailed Technical Analysis ∗∗∗ --------------------------------------------- Some threat actors are bold enough to submit their own malware as false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor. Initially, automation flagged it as a potentially unwanted program—a verdict that is typically reserved for legitimate software with shady features like unwanted advertisement or installation of third-party programs without proper consent. In the case of AppSuite, however, we found a backdoor. --------------------------------------------- https://feeds.feedblitz.com/~/923960972/0/gdatasecurityblog-en~AppSuite-PDF… ∗∗∗ Schweden: Cyberangriff legt Systeme Hunderter Kommunen lahm ∗∗∗ --------------------------------------------- Ein schwedischer IT-Dienstleister namens Miljödata ist offenbar Ziel einer folgenschweren Cyberattacke geworden. Einem Bericht von Bleeping Computer(öffnet im neuen Fenster) zufolge soll der Angriff in mehr als 200 schwedischen Verwaltungen zu Ausfällen führen. Bei dem Nachrichtenportal Sweden Herald(öffnet im neuen Fenster) ist sogar von 250 betroffenen Kunden die Rede, von denen mindestens 164 Kommunalverwaltungen sein sollen. --------------------------------------------- https://www.golem.de/news/schweden-cyberangriff-legt-systeme-hunderter-komm… ∗∗∗ Malicious Screen Connect Campaign Abuses AI-Themed Lures for Xworm Delivery ∗∗∗ --------------------------------------------- During a recent Advanced Continual Threat Hunt (ACTH) investigation, the Trustwave SpiderLabs Threat Hunt team identified a deceptive campaign that abused fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-s… ∗∗∗ Mehr als 28.000 Netscaler-Instanzen anfällig für Citrix Bleed 3 ∗∗∗ --------------------------------------------- Am Mittwoch wurde bekannt, dass Schwachstellen in den Netscalern (ADC und Gateways) von Citrix angegriffen werden, die bereits als "Citrix Bleed 3" tituliert werden. Die Shadowserver Foundation hat am Mittwoch Zahlen veröffentlicht, denen zufolge weltweit am Dienstag noch mehr als 28.000 Systeme für die Lücke "Citrix Bleed 3" verwundbar sind. Angreifer können darauf vermutlich die Schwachstellen missbrauchen. --------------------------------------------- https://www.heise.de/news/Mehr-als-28-000-Netscaler-Instanzen-anfaellig-fue… ∗∗∗ Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System ∗∗∗ --------------------------------------------- People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a ∗∗∗ Microsoft warnt: Ransomware-Gruppe Storm-0501 greift (Azure) Cloud an, verlangt Zahlungen ∗∗∗ --------------------------------------------- Microsoft warnt vor der finanziell motivierten Gruppe Storm-0501, die kontinuierlich mit Angriffen auf Cloud-Instanzen (Azure) zielt. Bei Erfolg werden Daten abgezogen, dann die Originale verschlüsselt und Backups zerstört. Anschließend wird Lösegeld verlangt. --------------------------------------------- https://www.borncity.com/blog/2025/08/28/microsoft-warnt-ransomware-gruppe-… ∗∗∗ Zip Slip, Path Traversal Vulnerability during File Decompression ∗∗∗ --------------------------------------------- Path traversal or directory traversal vulnerabilities are security vulnerabilities that occur mainly due to improper validation of user inputs. Attackers can read, modify, or even create new files that are originally inaccessible or located in unintended paths using relative or absolute paths. Although these vulnerabilities have been known for a long time, they are still being discovered in various environments and applications, not just web environments. This article examines Zip Slip, a path traversal vulnerability that occurs during the file decompression process of compression programs, and aims to introduce its main vulnerabilities. --------------------------------------------- https://asec.ahnlab.com/en/89890/ ∗∗∗ Thousands of Developer Credentials Stolen in macOS “s1ngularity” Attack ∗∗∗ --------------------------------------------- A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted macOS and AI tools, according to GitGuardian’s analysis. --------------------------------------------- https://hackread.com/developer-credentials-stolen-macos-s1ngularity-attack/ ∗∗∗ Cisco: Mehrere Produkte mit teils hochriskanten Lücken ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat am Mittwoch zehn neue Sicherheitsmeldungen herausgegeben. Sie behandeln teils hochriskante Schwachstellen in mehreren Produkten. --------------------------------------------- https://heise.de/-10623826 ∗∗∗ Referral Beware, Your Rewards are Mine (Part 1) ∗∗∗ --------------------------------------------- Referral rewards programs are nearly ubiquitous today, from consumer tech to SaaS companies, but are rarely given much security oversight. In this blog post we’ll dig into the common technical implementations of rewards programs on web apps, common security issues with each approach, and recommendations for secure development of similar programs. In a subsequent post, we’ll explore real-world examples of these vulnerability classes in detail. --------------------------------------------- https://rhinosecuritylabs.com/research/referral-beware-your-rewards-are-min… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel). --------------------------------------------- https://lwn.net/Articles/1035464/ ∗∗∗ Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-v… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 27.08.2025
by Daily end-of-shift report 27 Aug '25

27 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-08-2025 18:00 − Mittwoch 27-08-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberangriff auf Ameos: Großer Klinikverbund erleidet Datenklau ∗∗∗ --------------------------------------------- Daten von Patienten und Mitarbeitern der Ameos Gruppe sind in die Hände Cyberkrimineller gelangt. Betroffene können jetzt Details anfragen. --------------------------------------------- https://www.golem.de/news/cyberangriff-auf-ameos-grosser-klinikverbund-erle… ∗∗∗ Schadcode im Anmarsch: Aktiv ausgenutzte Git-Lücke gefährdet Entwickler ∗∗∗ --------------------------------------------- Wer Git im Einsatz hat, sollte die Software dringend aktualisieren. Angreifer bedienen sich einer Sicherheitslücke, um Schadcode einzuschleusen. --------------------------------------------- https://www.golem.de/news/schadcode-im-anmarsch-aktiv-ausgenutzte-git-lueck… ∗∗∗ Cyber-Dome: Bundesregierung plant stärkere Cyberabwehr ∗∗∗ --------------------------------------------- Die Pläne zu einer besseren Cyberabwehr sind noch sehr vage. Ein Gesetzentwurf von Alexander Dobrindt soll bis Ende 2025 kommen. --------------------------------------------- https://www.golem.de/news/cyber-dome-bundesregierung-plant-staerkere-cybera… ∗∗∗ US-Regierung steigt bei Intel ein: Krypto-Funktionen weiter vertrauenswürdig? ∗∗∗ --------------------------------------------- Der Einstieg der US-Regierung bei Intel unterminiert Funktionen wie Confidential Computing und "souveräne Cloud". --------------------------------------------- https://www.heise.de/news/Intel-Chips-USA-inside-10622136.html ∗∗∗ Google Chrome: Update schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Im Webbrowser Google Chrome haben die Entwickler eine Sicherheitslücke geschlossen, die als kritisches Risiko eingestuft wurde. Wer den Browser einsetzt, sollte sicherstellen, die jüngste Version zu nutzen. --------------------------------------------- https://www.heise.de/news/Google-Chrome-Update-schliesst-kritische-Sicherhe… ∗∗∗ Paypal: Deutsche Banken blockierten offenbar Zahlungen von Milliarden Euro ∗∗∗ --------------------------------------------- Die Süddeutsche Zeitung berichtet, dass Deutsche Banken Zahlungen an Paypal gestoppt hatten. Auslöser war ein Sicherheitsproblem. --------------------------------------------- https://www.heise.de/news/Paypal-Deutsche-Banken-blockierten-offenbar-Zahlu… ∗∗∗ Governments, tech companies meet in Tokyo to share tips on fighting North Korea IT worker scheme ∗∗∗ --------------------------------------------- The U.S. State Department said it worked with the Ministries of Foreign Affairs in Japan and South Korea to organize the forum, which had more than 130 attendees from freelance work platforms, payment service providers, cryptocurrency companies, AI firms and more. --------------------------------------------- https://therecord.media/japan-us-south-korea-forum-north-korea-it-worker-sc… ∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo… ∗∗∗ The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309) ∗∗∗ --------------------------------------------- As we’ve all experienced in 2025, 2025 has been the year of vendors burying their heads in the sand with regard to in-the-wild exploitation, even in the face of impressively indisputable evidence, and using their status as a CNA to somehow get CVEs with suspiciously similar identifiers to the point that confusion appears almost intentional. --------------------------------------------- https://labs.watchtowr.com/the-one-where-we-just-steal-the-vulnerabilities-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-cipher-base), Fedora (keylime-agent-rust and libtiff), Oracle (aide, kernel, mod_http2, pam, pki-deps:10.6, python-cryptography, python3, python3.12, and thunderbird), SUSE (cheat, ffmpeg, firebird, govulncheck-vulndb, postgresql17, tomcat, tomcat10, tomcat11, ucode-intel-20250812, and v2ray-core), and Ubuntu (binutils, gst-plugins-base1.0, gst-plugins-good1.0, and linux-raspi-realtime). --------------------------------------------- https://lwn.net/Articles/1035307/ ∗∗∗ Malicious versions of Nx and some supporting plugins were published ∗∗∗ --------------------------------------------- https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 26.08.2025
by Daily end-of-shift report 26 Aug '25

26 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Montag 25-08-2025 18:00 − Dienstag 26-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New AI attack hides data-theft prompts in downscaled images ∗∗∗ --------------------------------------------- Researchers have developed a novel attack that steals user data by injecting malicious prompts in images processed by AI systems before delivering them to a large language model. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ai-attack-hides-data-the… ∗∗∗ ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners ∗∗∗ --------------------------------------------- A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners.The large-scale cybercrime campaign, first detected in August 2025, .. --------------------------------------------- https://thehackernews.com/2025/08/shadowcaptcha-exploits-wordpress-sites.ht… ∗∗∗ Malware-ridden apps made it into Googles Play Store, scored 19 million downloads ∗∗∗ --------------------------------------------- Everythings fine, the ad slinger assures us Cloud security vendor Zscaler says customers of Google’s Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant’s security scans. --------------------------------------------- https://www.theregister.com/2025/08/26/apps_android_malware/ ∗∗∗ Sicherheitsupdates: Unbefugte Zugriffe auf GitHub Enterprise Server möglich ∗∗∗ --------------------------------------------- Eine Sicherheitslücke bedroht GitHub Enterprise Server. Admins sollten die gepatchte Ausgabe zeitnah installieren. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Unbefugte-Zugriffe-auf-GitHub-… ∗∗∗ ScreenConnect-Admins im Visier von Spear-Phishing-Angriffen ∗∗∗ --------------------------------------------- Derzeit läuft eine Phishing-Kampagne, die Zugangsdaten zu ScreenConnect abgreift. Die Angreifer wollen Ransomware platzieren. --------------------------------------------- https://www.heise.de/news/ScreenConnect-Admins-im-Visier-von-Spear-Phishing… ∗∗∗ HP Security Manager: Schadcode-Lücke in Druckerverwaltungstool ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in HPs Security Manager erlaubt Angreifern, Schadcode einzuschleusen. Ein Update steht bereit. --------------------------------------------- https://www.heise.de/news/HP-Security-Manager-Schadcode-Luecke-in-Druckerve… ∗∗∗ DSLRoot, Proxies, and the Threat of ‘Legal Botnets’ ∗∗∗ --------------------------------------------- The cybersecurity community on Reddit responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement theyd made with company called DSLRoot, which was paying $250 a month to plug a pair of laptops into the Redditors high-speed Internet connection in the United States. This post .. --------------------------------------------- https://krebsonsecurity.com/2025/08/dslroot-proxies-and-the-threat-of-legal… ∗∗∗ Cyberangriff auf die Stadt Nürnberg: Prorussische Hacker im Verdacht ∗∗∗ --------------------------------------------- Haftbefehle wurden gegen russische Staatsangehörige erlassen --------------------------------------------- https://www.derstandard.at/story/3000000285014/cyberangriff-auf-die-stadt-n… ∗∗∗ Ewig ruft das Passwort ∗∗∗ --------------------------------------------- Die Verwendung von Passwörtern hat eine lange Tradition in der IT. Und regelmäßig sind sich alle einig, dass wir sie eigentlich loswerden sollten. Das haben wir das noch immer nicht geschafft, auch wenn Passkeys ein interessanter Ansatz sind. Daher sitzen wir alle auf großen Sammlungen von Passwörtern – die ca. 250 Einträge in .. --------------------------------------------- https://www.cert.at/de/blog/2025/8/ewig-ruft-das-passwort ∗∗∗ Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop in Single-Day Surge ∗∗∗ --------------------------------------------- On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions. --------------------------------------------- https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-de… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, firebird3.0, and luajit), Fedora (chromium, python3-docs, and python3.13), Oracle (aide, firefox, glibc, libxml2, and tomcat), Red Hat (aide, git, kernel, kernel-rt, libarchive, pam, python-cryptography, python3, python3.12, and webkit2gtk3), SUSE (cmake3, ffmpeg-4, kernel, kubernetes1.18, libqt4, minikube, net-tools, pam, postgresql16, proftpd, python-urllib3, python311, python312, python36, tomcat10, tomcat11, and webkit2gtk3), and .. --------------------------------------------- https://lwn.net/Articles/1035110/ ∗∗∗ Mehrere (teils kritische) Schwachstellen in NetScaler ADC and NetScaler Gateway ∗∗∗ --------------------------------------------- 26. August 2025 Beschreibung Citrix hat ein Advisory zu mehreren, zum Teil kritischen, Schwachstellen in den Produkten NetScaler ADC (ehemals Citrix ADC) und NetScaler Gateway (ehemals Citrix Gateway) veröffentlicht. Laut Citrix wurden bereits Angriffsversuche gegen verwundbare Systeme beobachtet, welche zumindest die kritische Schwachstelle CVE-2025-7775 auszunutzen versuchten. CVE-Nummern(n): CVE-2025-7775, CVE-2025-7776, CVE-2025-8424 CVSS v4.0 Base Score(s): 9.2, 8.8, 8.7 .. --------------------------------------------- https://www.cert.at/de/warnungen/2025/8/citrix-netscaler-adc-schwachstellen… ∗∗∗ Multiple Vulnerabilities in File Station 5 ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-31 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 25.08.2025
by Daily end-of-shift report 25 Aug '25

25 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-08-2025 18:00 − Montag 25-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Android malware poses as antivirus from Russian intelligence agency ∗∗∗ --------------------------------------------- A new Android malware posing as an antivirus tool software created by Russias Federal Security Services agency (FSB) is being used to target executives of Russian businesses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-malware-poses-as… ∗∗∗ Social Engineering: Krypto-Anleger verliert Bitcoin im Wert von 90 Millionen USD ∗∗∗ --------------------------------------------- Betrüger haben einen Krypto-Anleger um ein Vermögen gebracht. Der Geschädigte ist nun um 783 Bitcoin ärmer. Das Geld sieht er wohl nie wieder. --------------------------------------------- https://www.golem.de/news/social-engineering-krypto-anleger-verliert-bitcoi… ∗∗∗ Criminal background checker APCS faces data breach ∗∗∗ --------------------------------------------- The attack first affected an upstream provider of bespoke software Exclusive A leading UK provider of criminal record checks for employers is handling a data breach stemming from a third-party development company. --------------------------------------------- https://www.theregister.com/2025/08/22/apcs_breach/ ∗∗∗ Botnet-Kampagne "Gayfemboy" auch in Deutschland aktiv ∗∗∗ --------------------------------------------- IT-Forscher von Fortinet beobachten ein IoT-Botnet, das auf "Mirai" basiert und "Gayfemboy" genannt wird. Es versteckt sich gut. --------------------------------------------- https://www.heise.de/news/Mirai-basierte-Botnet-Kampagne-Gayfemboy-auch-in-… ∗∗∗ Kriminelle locken mit angeblichen Kryptoguthaben ∗∗∗ --------------------------------------------- Lukas kann seinen Augen kaum trauen. In seinem Postfach liegt eine E-Mail, die behauptet, dass sich ein hoher Betrag in seinem Kryptowallet befindet. Um wieder Zugriff zu erhalten, soll er lediglich ein paar einfache Schritte befolgen. Doch Vorsicht: Die E-Mail stammt von Kriminellen, die ihn zu hohen Überweisungen bewegen wollen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-locken-mit-angeblichen-kr… ∗∗∗ Beliebte eSIMs für Reisen leiten heimlich Daten über China um ∗∗∗ --------------------------------------------- Eine aktuelle Untersuchung zeigt grobe Sicherheits- und Privatsphärendefizite bei vielen Anbietern auf. --------------------------------------------- https://www.derstandard.at/story/3000000284843/beliebte-esims-fuer-reisen-l… ∗∗∗ Phishing in the Classroom: 115,000 Emails Exploit Google Classroom to Target 13,500 Organizations ∗∗∗ --------------------------------------------- Check Point researchers have uncovered a large-scale active phishing campaign abusing Google Classroom, a platform trusted by millions of students and educators worldwide. Over the course of just one week, attackers launched .. --------------------------------------------- https://blog.checkpoint.com/email-security/phishing-in-the-classroom-115000… ∗∗∗ Chrome-Erweiterung FreeVPN.One zeichnete Screenshots von Seitenbesuchen auf ∗∗∗ --------------------------------------------- Wer bisher glaubte, dass Microsofts Recall in Punkto Überwachung an der Spitze liegt, muss umdenken. Sicherheitsforscher sind auf die Erweiterung FreeVPN.One des Google Chrome-Browsers gestoßen. Diese fertigte Screenshots von allen .. --------------------------------------------- https://www.borncity.com/blog/2025/08/24/chrome-erweiterung-freevpn-one-zei… ∗∗∗ Cybercriminals Exploit Cheap VPS to Launch SaaS Hijacking Attacks ∗∗∗ --------------------------------------------- Darktrace researchers have discovered a new wave of attacks where cybercriminals use cheap Virtual Private Servers (VPS) .. --------------------------------------------- https://hackread.com/cybercriminals-exploit-cheap-vps-saas-hijack-attacks/ ∗∗∗ Phishing Campaign Targeting Companies via UpCrypter ∗∗∗ --------------------------------------------- FortiGuard Labs recently identified a phishing campaign leveraging carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs). --------------------------------------------- https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-c… ∗∗∗ Webhosting-Software cPanel: Updates schließen Sicherheitslücke ∗∗∗ --------------------------------------------- Die Verwaltungssoftware cPanel und WHM für Webhosting schließt mit neuen Versionen mindestens eine Sicherheitslücke, die als hochriskant gilt. --------------------------------------------- https://heise.de/-10599503 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 22.08.2025
by Daily end-of-shift report 22 Aug '25

22 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-08-2025 18:00 − Freitag 22-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Dev gets 4 years for creating kill switch on ex-employers systems ∗∗∗ --------------------------------------------- A software developer has been sentenced to four years in prison for sabotaging his ex-employers Windows network with custom malware and a kill switch that locked out employees when his account was disabled. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dev-gets-4-years-for-creatin… ∗∗∗ Fake Mac fixes trick users into installing new Shamos infostealer ∗∗∗ --------------------------------------------- A new infostealer malware targeting Mac devices, called Shamos, is targeting Mac devices in ClickFix attacks that impersonate troubleshooting guides and fixes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-i… ∗∗∗ Trotz Rolling Code: Inoffizielle Flipper-Zero-Firmware soll Autos knacken ∗∗∗ --------------------------------------------- Ein russischer Akteur verkauft eine eigene Firmware für den Flipper Zero. Selbst neueste Autos gängiger Marken sollen sich damit entriegeln lassen. --------------------------------------------- https://www.golem.de/news/trotz-rolling-code-inoffizielle-flipper-zero-firm… ∗∗∗ Think before you Click(Fix): Analyzing the ClickFix social engineering technique ∗∗∗ --------------------------------------------- The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. This technique exploits users’ tendency to resolve technical issues by tricking them into running malicious commands. These commands, in turn, deliver payloads that ultimately lead to information theft and .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-c… ∗∗∗ Coinbase Reverses Remote-First Policy After North Korean Infiltration Attempts ∗∗∗ --------------------------------------------- Remote work policies designed to attract top talent are becoming security vulnerabilities as state-sponsored hackers seek employment at cryptocurrency firms. Coinbase has implemented mandatory in-person orientation and US citizenship requirements for sensitive roles after detecting North Korean IT workers attempting to infiltrate the company .. --------------------------------------------- https://slashdot.org/story/25/08/22/1515238/coinbase-reverses-remote-first-… ∗∗∗ Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.The "Linux-specific malware infection chain that starts with a spam email with a malicious .. --------------------------------------------- https://thehackernews.com/2025/08/linux-malware-delivered-via-malicious.html ∗∗∗ Interpol bags 1,209 suspects, $97M in cybercrime operation focused on Africa ∗∗∗ --------------------------------------------- Crypto mines, BEC scams, fake passports, and a $300M fraud empire allegedly brought down during Serengeti 2.0 Interpols latest clampdown on cybercrime resulted in 1,209 arrests across the African continent, from ransomware crooks to business .. --------------------------------------------- https://www.theregister.com/2025/08/22/interpol_serengeti_20/ ∗∗∗ KI-Assistent: Microsofts Copilot verfälschte monatelang Zugriffsprotokolle ∗∗∗ --------------------------------------------- Fragte man den virtuellen Copilot etwa nach Dokumenten-Zusammenfassungen, unterschlug er mitunter seine Zugriffe. Microsoft verschwieg das Problem. --------------------------------------------- https://www.heise.de/news/KI-Assistent-Microsofts-Copilot-verfaelschte-mona… ∗∗∗ Electronics manufacturer Data I/O reports ransomware attack to SEC ∗∗∗ --------------------------------------------- The tech manufacturer Data I/O reported a ransomware attack to federal regulators, writing that the incident has taken down critical operational systems. --------------------------------------------- https://therecord.media/electronics-manufacturer-dataio-ransomware ∗∗∗ AI Browsers Can Be Tricked Into Paying Fake Stores in PromptFix Attack ∗∗∗ --------------------------------------------- The PromptFix attack tricks AI browsers with fake CAPTCHAs, leading them to phishing sites and fake stores .. --------------------------------------------- https://hackread.com/ai-browsers-trick-paying-fake-stores-promptfix-attack/ ∗∗∗ AUR Chaos malware: an analysis ∗∗∗ --------------------------------------------- Recently, an incident involving malware in the AUR made the headlines. I read a lot of things around this topic, both right and wrong, and sometimes misleading. I was involved in the incident handling I chose to write this blog post, not only for transparency but also for laying down what I learned both during and .. --------------------------------------------- https://www.mh4ckt3mh4ckt1c4s.xyz/blog/aur-chaos-malware-analysis/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (tomcat), Debian (squid), Fedora (matrix-synapse, rust-slab, socat, and webkitgtk), SUSE (firefox-esr, gdk-pixbuf, gdk-pixbuf-devel, govulncheck-vulndb, rust-keylime, and wicked2nm), and Ubuntu (linux-nvidia, linux-oracle, linux-oracle-6.8, php7.0, php7.2, php7.4, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and ruby-webrick). --------------------------------------------- https://lwn.net/Articles/1034755/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 21.08.2025
by Daily end-of-shift report 21 Aug '25

21 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-08-2025 18:00 − Donnerstag 21-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iPhone, iPad und Mac: Aktiv ausgenutzte Sicherheitslücke gefährdet Apple-Nutzer ∗∗∗ --------------------------------------------- Notfallupdates schließen eine aktiv ausgenutzte Sicherheitslücke in iOS, iPadOS und MacOS. Anwender sollten dringend patchen. --------------------------------------------- https://www.golem.de/news/iphone-ipad-und-mac-aktiv-ausgenutzte-sicherheits… ∗∗∗ Airtell Router Scans, and Mislabeled usernames ∗∗∗ --------------------------------------------- Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The result .. --------------------------------------------- https://isc.sans.edu/forums/diary/Airtell+Router+Scans+and+Mislabeled+usern… ∗∗∗ Neue Tricks mit QR-Codes ∗∗∗ --------------------------------------------- QR-Codes sind beliebte Vehikel für Verbrecher, Hyperlinks an Sicherheitssystemen vorbei zum Opfer zu schleusen. Der Einfallsreichtum ist groß. --------------------------------------------- https://www.heise.de/news/Neue-Tricks-mit-QR-Codes-10559942.html ∗∗∗ Docker Desktop: Kritische Sicherheitslücke erlaubt Host-Zugriff ∗∗∗ --------------------------------------------- In Docker Desktop können bösartige Container auf das Host-System durchgreifen, Schutzmaßnahmen greifen nicht. Ein Update hilft. --------------------------------------------- https://www.heise.de/news/Docker-Desktop-Kritische-Sicherheitsluecke-erlaub… ∗∗∗ Modern Solution: Verurteilter IT-Experte reicht Verfassungsbeschwerde ein ∗∗∗ --------------------------------------------- Das Urteil gegen einen nach dem Hackerparagrafen verurteilten Sicherheitsforscher ist rechtskräftig. Der Verurteilte geht nun nach Karlsruhe. --------------------------------------------- https://www.heise.de/news/Modern-Solution-Verurteilter-IT-Experte-reicht-Ve… ∗∗∗ SIM-Swapper, Scattered Spider Hacker Gets 10 Years ∗∗∗ --------------------------------------------- A 21-year-old Florida man at the center of a prolific cybercrime group known as "Scattered Spider" was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims. Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban .. --------------------------------------------- https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-get… ∗∗∗ Achtung, Phishing-Falle: FinanzOnline will keine Infos zu Krypto-Beständen einholen! ∗∗∗ --------------------------------------------- Aufgrund einer neuen „Steuervorschrift für Kryptowährungen“ verlangt „FinanzOnline“ aktuell via E-Mail vermeintlich die Übermittlung umfassender Informationen rund um Krypto-Vermögen. Natürlich meldet sich hier nicht das echte Finanzportal. Vielmehr versuchen Kriminelle über diese Masche an die Zugangsdaten der Krypto-Wallets ihrer Opfer zu gelangen. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-falle-finanzonline-krypto/ ∗∗∗ Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth ∗∗∗ --------------------------------------------- A campaign leverages CVE-2024-36401 to stealthily monetize victims bandwidth where legitimate software development kits (SDKs) are deployed for passive income. --------------------------------------------- https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdk… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 20.08.2025
by Daily end-of-shift report 20 Aug '25

20 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-08-2025 18:00 − Mittwoch 20-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PyPI now blocks domain resurrection attacks used for hijacking accounts ∗∗∗ --------------------------------------------- The Python Package Index (PyPI) has introduced new protections against domain resurrection attacks that enable hijacking accounts through password resets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-now-blocks-domain-resur… ∗∗∗ Hackers steal Microsoft logins using legitimate ADFS redirects ∗∗∗ --------------------------------------------- Hackers are using a novel technique that combines legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 logins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-microsoft-logi… ∗∗∗ Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts ∗∗∗ --------------------------------------------- Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a .. --------------------------------------------- https://thehackernews.com/2025/08/experts-find-ai-browsers-can-be-tricked.h… ∗∗∗ Like burglars closing a door, Apache ActiveMQ attackers patch critical vuln after breaking in ∗∗∗ --------------------------------------------- Intruders hoped no one would notice their presence Criminals exploiting a critical vulnerability in open source Apache ActiveMQ middleware are fixing the flaw that allowed them access, after establishing persistence on Linux servers. --------------------------------------------- https://www.theregister.com/2025/08/19/apache_activemq_patch_malware/ ∗∗∗ Commvault: Hochriskante Lücke ermöglicht Einschleusen von Schadcode ∗∗∗ --------------------------------------------- In der Backup-Software Commvault können Angreifer Sicherheitslücken missbrauchen, um etwa Schadcode einzuschleusen. Updates stehen bereit. --------------------------------------------- https://www.heise.de/news/Commvault-Hochriskante-Luecke-ermoeglicht-Einschl… ∗∗∗ Infoniqa-IT-Vorfall: Cyberbande will umfangreich Daten kopiert haben ∗∗∗ --------------------------------------------- Vergangene Woche wurde ein IT-Vorfall bei HR-Softwareanbieter Infoniqa bekannt. Nun behauptet eine Cybergang Daten kopiert zu haben. --------------------------------------------- https://www.heise.de/news/Infoniqa-IT-Vorfall-Cyberbande-will-umfangreich-D… ∗∗∗ Impressumsdiebstahl und funktionierende Links: Vorsicht vor besonders ausgeklügelten Fake-Shops! ∗∗∗ --------------------------------------------- Je mehr Aufwand Kriminelle bei der Nachahmung eines Online-Shops betreiben, desto schwieriger ist es, den Betrug zu erkennen. In einem aktuellen Fall nutzen sie nicht nur reale Impressumsdaten, sondern verlinken von ihren Fake-Shops aus zusätzlich zur echten Website und auf die echten Social-Media-Profile des Unternehmens. Woran sich die Falle dennoch relativ einfach erkennen lässt. --------------------------------------------- https://www.watchlist-internet.at/news/besonders-ausgekluegelte-fake-shops/ ∗∗∗ Major Belgian telecom firm says cyberattack compromised data on 850,000 accounts ∗∗∗ --------------------------------------------- The company said no critical data was accessed, but the hacker "gained access to one of our IT systems that contains the following data: name, first name, telephone number, SIM card number, PUK code, tariff plan.” --------------------------------------------- https://therecord.media/belgian-telecom-says-cyberattack-compromised-data-o… ∗∗∗ Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet ∗∗∗ --------------------------------------------- A 22-year-old Oregon man has been charged with running a powerful botnet-for-hire service used to launch hundreds of thousands of cyberattacks worldwide, the U.S. Justice Department said. --------------------------------------------- https://therecord.media/feds-charge-botnet-admin ∗∗∗ Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices ∗∗∗ --------------------------------------------- A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering. --------------------------------------------- https://blog.talosintelligence.com/static-tundra/ ∗∗∗ Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware ∗∗∗ --------------------------------------------- Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal credentials, move laterally, and deploy ransomware with data exfiltration across enterprise environments. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html ∗∗∗ A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor ∗∗∗ --------------------------------------------- Straight from Mandiant Threat Defense, the "Frontline Bulletin" series brings you the latest on the most intriguing compromises we are seeing in the wild right now, equipping our community to understand and respond to the most compelling threats we observe. This edition dissects an infection involving two threat groups, UNC5518 and UNC5774, leading to the deployment of .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflak… ∗∗∗ Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault ∗∗∗ --------------------------------------------- We’re back, and we’ve finished telling everyone that our name was on the back of Phrack!!!!1111 Whatever, nerds.Today, were back to scheduled content. Like our friendly neighbourhood ransomware gangs and APT groups, weve continued to spend .. --------------------------------------------- https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same… ∗∗∗ Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers ∗∗∗ --------------------------------------------- At DEF CON 33, Czech Republic based security researcher Marek Tóth, unveiled a series of unpatched zero-day clickjacking security vulnerabilities impacting the browser-based plugins for a wide range of password managers including: 1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, and .. --------------------------------------------- https://socket.dev/blog/password-manager-clickjacking ∗∗∗ Marshal madness: A brief history of Ruby deserialization exploits ∗∗∗ --------------------------------------------- This post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches. --------------------------------------------- https://blog.trailofbits.com/2025/08/20/marshal-madness-a-brief-history-of-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (firefox and libarchive), Red Hat (python3.11-setuptools and python3.12-setuptools), Slackware (mozilla), SUSE (apache2-mod_security2, cairo-devel, cflow, docker, glibc, go1.25, govulncheck-vulndb, gstreamer-0_10-plugins-base, jq, kernel, libarchive, libssh, libxslt, openbao, python-urllib3, systemd, and xz), and Ubuntu (apache2, libssh, libxml2, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, .. --------------------------------------------- https://lwn.net/Articles/1034546/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 19.08.2025
by Daily end-of-shift report 19 Aug '25

19 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Montag 18-08-2025 18:00 − Dienstag 19-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In mehreren Webportalen: Reihenweise fest kodierte Zugangsdaten bei Intel entdeckt ∗∗∗ --------------------------------------------- Ein Forscher hat in Webportalen von Intel gravierende Sicherheitslücken gefunden. Teilweise standen Passwörter clientseitig im Code. --------------------------------------------- https://www.golem.de/news/in-mehreren-webportalen-reihenweise-fest-kodierte… ∗∗∗ GodRAT – New RAT targeting financial institutions ∗∗∗ --------------------------------------------- Kaspersky experts analyze GodRAT, a new Gh0st RAT-based tool attacking financial firms. It is likely a successor of the AwesomePuppet RAT connected to the Winnti group. --------------------------------------------- https://securelist.com/godrat/117119/ ∗∗∗ The State of Ransomware in Retail 2025 ∗∗∗ --------------------------------------------- 361 IT and cybersecurity leaders reveal the ransomware realities for retail businesses today. --------------------------------------------- https://news.sophos.com/en-us/2025/08/19/the-state-of-ransomware-in-retail-… ∗∗∗ 493 Cases of Sextortion Against Children Linked to Notorious Scam Compounds ∗∗∗ --------------------------------------------- Scam compounds in Cambodia, Myanmar, and Laos have conned people out of billions. New research shows they may be linked to child sextortion crimes too. --------------------------------------------- https://www.wired.com/story/child-sextorition-scam-compounds-southeast-asia/ ∗∗∗ Marokko zerrt deutsche Zeitungen wegen Spyware-Berichten vor den BGH ∗∗∗ --------------------------------------------- Marokko steht unter Verdacht, die Spyware Pegasus gegen Anwälte, Journalisten und Politiker eingesetzt zu haben. Deutsche Medien berichteten, Marokko ist sauer. --------------------------------------------- https://www.heise.de/news/Marokko-zieht-gegen-deutsche-Spyware-Berichtersta… ∗∗∗ Angriffe auf N-able N-central laufen, mehr als 1000 Systeme ungepatcht ∗∗∗ --------------------------------------------- Noch mehr als tausend Instanzen von des RMM N-able N-central sind für kritische Lücken anfällig. Die werden bereits attackiert. --------------------------------------------- https://www.heise.de/news/Angriffe-auf-N-able-N-central-laufen-mehr-als-100… ∗∗∗ Kostenlos 10.000.000 Robux bekommen? Achtung, Fake-Angebot! ∗∗∗ --------------------------------------------- Die Online-Spieleplattform „Roblox“ ist besonders bei Kindern und Jugendlichen beliebt – und grundsätzlich kostenlos. Um bestimmte Funktionen und Inhalte freizuschalten, braucht es aber eine In-Game-Währung namens „Robux“. Und die ist wiederum nur gegen echtes Geld erhältlich. Kriminelle versuchen deshalb, User mit dem Versprechen von kostenlosen „Robux“ in die Falle zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/robux-fake-angebot/ ∗∗∗ Fashionable Phishing Bait: GenAI on the Hook ∗∗∗ --------------------------------------------- GenAI-created phishing campaigns misuse tools ranging from website builders to text generators in order to create more convincing and scalable attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/genai-phishing-bait/ ∗∗∗ Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app: Microsoft ∗∗∗ --------------------------------------------- Hackers are disguising a powerful strain of malware as a ChatGPT desktop application in preparation for ransomware attacks, Microsoft said. --------------------------------------------- https://therecord.media/ransomware-gang-masking-pipemagic-backdoor ∗∗∗ UK ‘agrees to drop’ demand over Apple iCloud encryption, US intelligence head claims ∗∗∗ --------------------------------------------- The United Kingdom is backing down from a controversial legal demand targeting Apple, U.S. Director of National Intelligence Tulsi Gabbard claimed on social media. --------------------------------------------- https://therecord.media/uk-agrees-drop-apple-encryption ∗∗∗ Trend Micro Unmasks Global "Task Scam" Industry ∗∗∗ --------------------------------------------- Trend Micro today released new research revealing the mechanics and scale of a rapidly growing fraud model known as "task scams": sophisticated online job scams that lure victims into repetitive digital tasks and systematically strip them of funds through escalating deposit demands. --------------------------------------------- https://newsroom.trendmicro.com/2025-08-19-Trend-Micro-Unmasks-Global-Task-… ∗∗∗ Fake Copyright Notices Drop New Noodlophile Stealer Variant ∗∗∗ --------------------------------------------- Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links .. --------------------------------------------- https://hackread.com/phishing-scam-fake-copyright-notice-noodlophile-steale… ∗∗∗ How Indirect Prompt Injections Exploit Context, Format, and Salience ∗∗∗ --------------------------------------------- A breakdown of indirect prompt injection attacks using real-world cases (emails, code comments, diagrams). Introduces the CFS model (Context, Format, Salience) to explain what makes some payloads more likely to succeed. --------------------------------------------- https://www.fogel.dev/prompt_injection_cfs_framework ∗∗∗ Trivial C# Random Exploitation ∗∗∗ --------------------------------------------- Exploiting random number generators requires math, right? Thanks to C#’sRandom, that is not necessarily the case! I ran into an HTTP 2.0 web serviceissuing password reset tokens from a custom encoding of (new Random()).Next(min, max) output. This led to a critical account takeover.Exploitation did not require scripting, math or libraries. Just several clicksin Burp. While I .. --------------------------------------------- https://blog.doyensec.com/2025/08/19/trivial-exploit-on-C-random.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security Vulnerabilities fixed in Firefox 142 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-64/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 18.08.2025
by Daily end-of-shift report 18 Aug '25

18 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-08-2025 18:00 − Montag 18-08-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Attacken auf Fortinet-IT-Sicherheitslösungen können bevorstehen ∗∗∗ --------------------------------------------- Beide Schwachstellen (FortiSIEM CVE-2025-25256 "kritisch", FortiWeb CVE-2025-52970 "hoch") haben die Fortinet-Entwickler am vergangenen Patchday geschlossen. Kurz darauf warnten sie davor, dass Exploitcode zum Ausnutzen der Lücke in FortiSIEM in Umlauf ist. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Fortinet-IT-Sicherheit… ∗∗∗ Should Security Solutions Be Secure? Maybe Were All Wrong - Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256) ∗∗∗ --------------------------------------------- Today we’re looking at CVE-2025-25256 - a pre-authentication command injection in FortiSIEM that lets an attacker compromise an organization’s SIEM (!!!). [..] It’s the kind of “one platform to rule your SOC” solution that we believe (suspect, hope, imagine, guess, pray) might feel impressively safety-first. Except, obviously, this time it didn't because the bar remains so incredibly low. --------------------------------------------- https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-a… ∗∗∗ Gefälschtes Gewinnspiel für Wiener Linien Jahreskarte im Umlauf ∗∗∗ --------------------------------------------- Derzeit kursieren auf Facebook gefälschte Postings, die im Namen der Wiener Linien ein Gewinnspiel für eine Halbjahreskarte bewerben. Bei Teilnahme wird suggeriert, dass man automatisch gewonnen habe. Achtung: Es handelt sich um einen Betrugsversuch, der darauf abzielt, an Bankdaten zu gelangen! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-wiener… ∗∗∗ Verbesserung von nur 1,7 Prozent: Phishing-Training fast immer wirkungslos ∗∗∗ --------------------------------------------- Eine große Studie in einem US-Gesundheitsunternehmen zeigt, dass gängige Phishing-Trainings das Risiko kaum senken – egal wie intensiv oder interaktiv sie sind. --------------------------------------------- https://www.heise.de/news/Verbesserung-von-nur-1-7-Prozent-Phishing-Trainin… ∗∗∗ MadeYouReset: Neue DDoS-Angriffstechnik legt Webserver lahm ∗∗∗ --------------------------------------------- Forscher haben eine neue Sicherheitslücke entdeckt, die viele gängige HTTP/2-Implementierungen betrifft. Server lassen sich mit wenig Aufwand überlasten. [..] Als anfällig gelten mehrere weitverbreitete HTTP/2-Serverimplementierungen wie Netty, Apache Tomcat, H2O, SwiftNIO und F5 BIG-IP. Weitere betroffene Implementierungen sowie etwaige Reaktionen der Anbieter sind in einer Meldung des CERT Coordination Center der Carnegie Mellon University zu finden. --------------------------------------------- https://www.golem.de/news/madeyoureset-neue-ddos-angriffstechnik-legt-webse… ∗∗∗ Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824 ∗∗∗ --------------------------------------------- We examine the evolution of the PipeMagic backdoor and the TTPs of its operators – from the RansomExx incident in 2022 to attacks in Brazil and Saudi Arabia, and the exploitation of CVE-2025-29824 in 2025. --------------------------------------------- https://securelist.com/pipemagic/117270/ ∗∗∗ How Researchers Collect Indicators of Compromise ∗∗∗ --------------------------------------------- Today, we'll demonstrate a simple workflow showing how researchers use various tools to collect indicators of compromise (IOCs) and develop appropriate signatures from detonated malware. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/how-researc… ∗∗∗ ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure ∗∗∗ --------------------------------------------- "The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report. --------------------------------------------- https://thehackernews.com/2025/08/ermac-v30-banking-trojan-source-code.html ∗∗∗ Mobile Phishers Target Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme ∗∗∗ --------------------------------------------- Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks. --------------------------------------------- https://krebsonsecurity.com/2025/08/mobile-phishers-target-brokerage-accoun… ∗∗∗ Scammers turn to ‘ghost-tapping’ retail fraud to launder funds ∗∗∗ --------------------------------------------- In a report released Thursday, researchers at Recorded Future’s Insikt Group detailed what they call “ghost-tapping” — when stolen payment card details are uploaded onto a burner phone and used in-person to purchase goods. --------------------------------------------- https://therecord.media/scammers-ghost-tapping-retail-fraud-launder-cash ∗∗∗ Cyberattack on Dutch prosecution service is keeping speed cameras offline ∗∗∗ --------------------------------------------- Who knew zero-days could be so useful to highway speedsters? The lingering effects of a cyberattack on the Public Prosecution Service of the Netherlands are preventing it from reactivating speed cameras across the country. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/15/cyberattack_… ∗∗∗ KI-gestützte Cyberangriffe: Experten beobachten zunehmenden LLM-Einsatz ∗∗∗ --------------------------------------------- Sicherheitsforscher sehen aktuell eine Zunahme KI-unterstützter Angriffe und damit einen Wendepunkt im Cyberwettrüsten. [..] Ukrainische Behörden und mehrere Cybersicherheitsunternehmen konnten die Schadsoftware im Juli erstmals nachweisen. [..] Mit dem zunehmenden Einsatz von KI-Agenten sehen Experten ein neues Risiko für die Zukunft. --------------------------------------------- https://www.heise.de/news/KI-gestuetzte-Cyberangriffe-Experten-beobachten-z… ∗∗∗ Terraform Cloud token abuse turns speculative plan into remote code execution ∗∗∗ --------------------------------------------- Platforms like Terraform are great for making cloud management easier, but that same convenience can work in an attacker’s favour. Increasingly, we’re seeing Terraform used as a pivot point, letting attackers sidestep the usual security roadblocks of MFA and conditional access via token abuse, which remain one of the weaker links in the chain. --------------------------------------------- https://www.pentestpartners.com/security-blog/terraform-token-abuse-specula… ∗∗∗ libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden ∗∗∗ --------------------------------------------- The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support. --------------------------------------------- https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-rep… ∗∗∗ Technical Analysis of SAP Exploit Script (Visual Composer “Metadata Uploader” Exploit)… ∗∗∗ --------------------------------------------- This script targets a critical zero-day vulnerability (now identified as CVE-2025–31324) in SAP NetWeaver’s Visual Composer Metadata Uploader component. The vulnerability is a missing authorization check on the HTTP endpoint /developmentserver/metadatauploader, allowing unauthenticated file uploads to the server’s filesystem. [..] The blog contains further pseudo code for detection and examples for another way to exploit the vulnerability. --------------------------------------------- https://detect.fyi/technical-analysis-of-sap-exploit-script-visual-composer… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and webkit2gtk3), Debian (aide and postgresql-13), Fedora (libtiff, mupdf, and pandoc), SUSE (cairo, chromium, gstreamer-plugins-base, ImageMagick, iputils, kubernetes1.23, kubernetes1.26, matrix-synapse, Mesa, pgadmin4, python3, qemu, and rz-pm), and Ubuntu (aide). --------------------------------------------- https://lwn.net/Articles/1033901/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (go-toolset:rhel8, kernel, and kernel-rt), Fedora (chromium), Oracle (libxml2), Red Hat (go-toolset:rhel8, golang, kernel, kernel-rt, openjpeg2, rsync, and tigervnc), and SUSE (apache-commons-lang3, chromedriver, fractal, framework_tool, go1.23-openssl, go1.24-openssl, grub2, gstreamer-devtools, gstreamer-plugins-rs, jasper, libavif, lighttpd, nginx, podman, postgresql13, postgresql14, postgresql15, postgresql16, python311-pypdf, ruby2.5, rust-keylime, tiff, tomcat, tomcat10, and tomcat11). --------------------------------------------- https://lwn.net/Articles/1034267/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 14.08.2025
by Daily end-of-shift report 14 Aug '25

14 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-08-2025 18:00 − Donnerstag 14-08-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spike in Fortinet VPN brute-force attacks raises zero-day concerns ∗∗∗ --------------------------------------------- A massive spike in brute-force attacks targeted Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager, marked a deliberate shift in targeting that has historically preceded new vulnerability disclosures. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spike-in-fortinet-vpn-brute-… ∗∗∗ New downgrade attack can bypass FIDO auth in Microsoft Entra ID ∗∗∗ --------------------------------------------- Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-byp… ∗∗∗ When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub’s Expanding Arsenal ∗∗∗ --------------------------------------------- Trustwave SpiderLabs researchers have recently identified an EncryptHub campaign that combines social engineering with abuse of the Brave Support platform to deliver malicious payloads via the CVE-2025-26633 vulnerability. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-hacker… ∗∗∗ A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode ∗∗∗ --------------------------------------------- The motivation behind writing this post is that we want to provide the kind of resource that we wouldve liked to have seen more of when starting our own careers in malware research. --------------------------------------------- https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Info… ∗∗∗ Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks ∗∗∗ --------------------------------------------- Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/h/crypto24-ransomware-stealth-… ===================== = Vulnerabilities = ===================== ∗∗∗ N-central 2025.3.1 ∗∗∗ --------------------------------------------- This release includes a critical security fix for CVE-2025-8875 and CVE-2025-8876. These vulnerabilities require authentication to exploit. --------------------------------------------- https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, python3.11-setuptools, thunderbird, and toolbox), Debian (chromium), Fedora (open62541 and perl-Authen-SASL), Oracle (git, kernel, konsole, and webkit2gtk3), SUSE (framework-inputmodule-control and poppler), and Ubuntu (apache2, mysql-8.0, mysql-8.4, node-qs, request-tracker5, and ruby-sidekiq). --------------------------------------------- https://lwn.net/Articles/1033737/ ∗∗∗ Rockwell Automation Security Advisories 14.08.2025 ∗∗∗ --------------------------------------------- Rockwell Automation has released 6 new security advisories (3x Critical, 3x High) --------------------------------------------- https://www.rockwellautomation.com/en-us/trust-center/security-advisories.h… ∗∗∗ Sicherheitspatches: Angreifer können Schadcode auf GitLab-Servern verankern ∗∗∗ --------------------------------------------- Die GitLab-Entwickler haben insgesamt zwölf Sicherheitslücken geschlossen. Angreifer können Systeme kompromittieren. [..] In einer Warnmeldung versichern die Verantwortlichen, dass GitLab.com bereits abgesichert sei. Sie empfehlen, dass Admins von On-premise-Instanzen die reparierten Ausgaben 18.0.6, 18.1.4 oder 18.2.2 zeitnah installieren sollten. Noch gibt es keine Informationen, ob bereits Attacken laufen. --------------------------------------------- https://heise.de/-10523017 ∗∗∗ Nvidia stopft Sicherheitslücken in KI-Software ∗∗∗ --------------------------------------------- In diverser KI-Software von Nvidia haben die Entwickler Sicherheitslücken gefunden. Diese stellen teils ein hohes Risiko dar. [..] Betroffen sind die Nvidia-Projekte Apex, Isaac-GR00T, Megatron LM, Merlin Transformers4Rec, NeMo Framework sowie WebDataset. --------------------------------------------- https://heise.de/-10524310 ∗∗∗ Foxit PDF Reader: Präparierte PDFs können Schadcode auf PCs schleusen ∗∗∗ --------------------------------------------- Sicherheitsupdates für Foxit PDF Reader und Editor schließen mehrere Sicherheitslücken. [..] Im schlimmsten Fall kann Schadcode auf Systeme gelangen und diese vollständig kompromittieren. Das kann etwa über mit JavaScript präparierte PDFs erfolgen (etwa CVE-2025-55313 "hoch"). Dabei ist aber davon auszugehen, dass Opfer mitspielen und so eine Datei öffnen müssen, damit eine Attacke eingeleitet werden kann. --------------------------------------------- https://heise.de/-10524778 ∗∗∗ Drupal: Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-097 ∗∗∗ Drupal: Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-096 ∗∗∗ Drupal: Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-096 ∗∗∗ ABB: 2025-08-12: Cyber Security Advisory -ABB AbilityTM zenon Remote Transport Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA002743&Language… ∗∗∗ ABB: 2025-08-11: Cyber Security Advisory -ELSB/BLBA ASPECT advisory several CVEs ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A4462&Lan… ∗∗∗ TYPO3-PSA-2025-001: Sanitization bypass in SVG Sanitizer ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2025-001 ∗∗∗ Siemens: SSA-395458 V1.0: Account Hijacking Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-395458.html ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 4, 2025 to August 10, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Bosch: Vulnerabilities in ctrlX OS - Setup ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-129652.html ∗∗∗ Bosch: Denial of Service on Rexroth Fieldbus Couplers ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-757244.html ∗∗∗ Kubernetes: CVE-2025-5187 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/133471 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 13.08.2025
by Daily end-of-shift report 13 Aug '25

13 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-08-2025 18:00 − Mittwoch 13-08-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Docker Hub still hosts dozens of Linux images with the XZ backdoor ∗∗∗ --------------------------------------------- The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/docker-hub-still-hosts-dozen… ∗∗∗ New trends in phishing and scams: how AI and social media are changing the game ∗∗∗ --------------------------------------------- Common tactics in phishing and scams in 2025: learn about the use of AI and deepfakes, phishing via Telegram, Google Translate and Blob URLs, biometric data theft, and more. --------------------------------------------- https://securelist.com/new-phishing-and-scam-trends-in-2025/117217/ ∗∗∗ Geld zurück nach Krypto-Betrug? Vorsicht vor Recovery Scam! ∗∗∗ --------------------------------------------- Was einmal geklappt hat, kann wieder funktionieren. Darauf hoffen Kriminelle und kontaktieren jene Menschen, denen sie in der Vergangenheit durch Krypto- bzw. Investmentbetrug geschadet haben. Sie geben sich als Agentur, Behörde etc. aus, die dabei helfen kann, das verlorene Geld zurückzuholen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-recovery-scam/ ∗∗∗ The MedusaLocker ransomware gang is hiring penetration testers ∗∗∗ --------------------------------------------- MedusaLocker, the ransomware-as-a-service group that has been active since 2019 is openly recruiting for penetration testers to help it compromise more businesses. --------------------------------------------- https://www.fortra.com/blog/medusalocker-ransomware-gang-hiring-penetration… ∗∗∗ Malvertising campaign leads to PS1Bot, a multi-stage malware framework ∗∗∗ --------------------------------------------- Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.” --------------------------------------------- https://blog.talosintelligence.com/ps1bot-malvertising-campaign/ ∗∗∗ Microsoft Patchday August 2025: Sicherheitseinschätzungen von Tenable ∗∗∗ --------------------------------------------- Zum 12. August 2025 hat Microsoft zum Patchday Sicherheitsupdates für die noch im Support befindlichen Produkte veröffentlich und Schwachstellen geschlossen. [..] Inzwischen liegt mir eine Einschätzung seitens Tenable im Hinblick auf die Auswirkungen der Schwachstellen vor, die ich hier einfach zur Information in den Blog einstelle. --------------------------------------------- https://www.borncity.com/blog/2025/08/13/microsoft-patchday-august-2025-sic… ===================== = Vulnerabilities = ===================== ∗∗∗ Exchange Server Sicherheitsupdates August 2025 ∗∗∗ --------------------------------------------- Microsoft hat zum 12. August 2025 das "August 2025" Sicherheitsupdate für Exchange Server freigegeben. Das Sicherheitsupdate gilt Exchange Server 2016, Exchange Server 2019, und erstmals für Exchange Server Subscription Edition (SE). --------------------------------------------- https://www.borncity.com/blog/2025/08/12/exchange-server-sicherheitsupdates… ∗∗∗ Microsoft Security Update Summary (12. August 2025) ∗∗∗ --------------------------------------------- Microsoft hat am 12. August 2025 Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 107 Schwachstellen (CVEs), eine davon wurde als 0-day klassifiziert und war öffentlich bekannt. --------------------------------------------- https://www.borncity.com/blog/2025/08/12/microsoft-security-update-summary-… ∗∗∗ Angriff über Websites: Kritische Grafik-Schwachstellen gefährden Windows-Nutzer ∗∗∗ --------------------------------------------- Während sich CVE-2025-50165 nur auf Windows 11 24H2 und Windows Server 2025 bezieht, ist die Zahl der anfälligen Systeme im Falle von CVE-2025-53766 deutlich höher. [..] Beide lassen sich demnach über das Netzwerk ausnutzen und erfordern vorab keinerlei Authentifizierung oder Nutzerinteraktion. Die Angriffskomplexität ist laut Microsoft jeweils gering. --------------------------------------------- https://www.golem.de/news/angriff-ueber-websites-kritische-grafik-schwachst… ∗∗∗ AMD und Intel stopfen zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- AMD und Intel haben im August Updates herausgegeben, die zahlreiche Sicherheitslücken in VGA- sowie Netzwerktreibern und Prozessoren schließen. --------------------------------------------- https://heise.de/-10520732 ∗∗∗ Patchday: Mehrere Fortinet-Produkte sind angreifbar ∗∗∗ --------------------------------------------- Am gefährlichsten gilt einer Warnmeldung zufolge eine "kritische" Sicherheitslücke (CVE-2025-25256) in der IT-Sicherheitslösung FortiSIEM. An dieser Stelle können Angreifer ohne Authentifizierung mit präparierten CLI-Anfragen ansetzen, um Schadcode auszuführen. [..] Wie ein Sicherheitsforscher in einem Beitrag schreibt, können Angreifer die Authentifizierung von FortiWeb-Firewalls umgehen. --------------------------------------------- https://heise.de/-10519770 ∗∗∗ Zoom: Windows-Clients ermöglichen Angriffe aus dem Netz ∗∗∗ --------------------------------------------- Zwei Sicherheitslücken meldet Zoom in den Windows-Clients. Sie ermöglicht Angreifern aus dem Netz ohne vorherige Anmeldung, ihre Rechte auszuweiten. [..] Details dazu, wie Angriffe aussehen könnten, nennen sie hingegen nicht. --------------------------------------------- https://heise.de/-10520206 ∗∗∗ Adobe Patch Tuesday Fixes Over 60 Vulnerabilities Across 13 Products ∗∗∗ --------------------------------------------- Adobe has issued a new set of security patches addressing more than 60 vulnerabilities across 13 of its widely used software products. This update, part of the company’s routine Adobe Patch Tuesday cycle, includes critical fixes for applications ranging from Adobe Commerce and Illustrator to its Substance 3D suite. --------------------------------------------- https://thecyberexpress.com/adobe-security-update-2/ ∗∗∗ VU#767506: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames ∗∗∗ --------------------------------------------- OverviewA vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. [..] Various vendors have provided patches and statements to address the vulnerability. Please review their statements below. --------------------------------------------- https://kb.cert.org/vuls/id/767506 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, kernel, linux-6.1, openjdk-17, and pgpool2), Fedora (glib2, matrix-synapse, openjpeg, python3-docs, and python3.13), Oracle (gdk-pixbuf2, glibc, java-1.8.0-openjdk, kernel, libxml2, python-requests, python3.11-setuptools, and thunderbird), SUSE (amber-cli, apache-commons-lang3, eclipse-jgit, go1.23, go1.24, govulncheck-vulndb, grub2, icinga2, kubernetes1.23, libgcrypt, python3, python313, sccache, slurm, tiff, and webkit2gtk3), and Ubuntu (linux-oracle). --------------------------------------------- https://lwn.net/Articles/1033588/ ∗∗∗ Palo Alto Networks Security Advisories 2025-08-13 ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ f5: K000152635: Quarterly Security Notification (August 2025) ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000152635 ∗∗∗ Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-02 ∗∗∗ Santesoft Sante PACS Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-224-01 ∗∗∗ AVEVA PI Integrator ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-04 ∗∗∗ Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-01 ∗∗∗ Schneider Electric EcoStruxure Power Monitoring Expert ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 12.08.2025
by Daily end-of-shift report 12 Aug '25

12 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Montag 11-08-2025 18:00 − Dienstag 12-08-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs ∗∗∗ --------------------------------------------- The Netherlands National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach "critical organizations" in the country. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler… ∗∗∗ Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug ∗∗∗ --------------------------------------------- Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-3-000-netscaler-devices… ∗∗∗ Scam hunter scammed by tax office impersonators ∗∗∗ --------------------------------------------- Scam hunter Julie-Anne Kearns, who helps scam victims online, opened up about a tax scam she fell for herself. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/08/scam-hunter-scammed-by-tax-o… ∗∗∗ Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe ∗∗∗ --------------------------------------------- A new report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with a new backdoor called MucorAgent. Learn how they’re using advanced tactics to steal data. --------------------------------------------- https://hackread.com/russian-curly-comrades-mucoragent-malware-europe/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (Multiple CVEs) ∗∗∗ --------------------------------------------- Ivanti has released updates for Ivanti Connect Secure which addresses medium, high, and critical vulnerabilities. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability. --------------------------------------------- https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect… ∗∗∗ August Security Advisory Ivanti Virtual Application Delivery Controller (vADC previously vTM) (CVE-2025-8310) ∗∗∗ --------------------------------------------- Ivanti has released updates for Ivanti Virtual Application Delivery Controller (vADC), previously Virtual Traffic Manager (vTM), which addresses one medium severity vulnerability. Successful exploitation could lead to account takeover. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability. --------------------------------------------- https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Virtual… ∗∗∗ 40,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in UiCore Elements WordPress Plugin ∗∗∗ --------------------------------------------- On June 13th, 2025, we received a submission for an Arbitrary File Read vulnerability in UiCore Elements, a WordPress plugin with more than 40,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on the server, which can contain sensitive information. During the disclosure process, our investigation revealed that the vulnerability leveraged an underlying issue in Elementor’s import functionality. --------------------------------------------- https://www.wordfence.com/blog/2025/08/40000-wordpress-sites-affected-by-ar… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, and python-requests), Debian (ca-certificates-java), Fedora (chromium, clash-meta, mingw-python3, openjpeg, php-adodb, and toolbox), Mageia (kernel and kernel-linus), SUSE (chromium, ImageMagick, libgcrypt, libssh, libxml2, opensc, postgresql14, and postgresql16), and Ubuntu (dnsmasq, linux-gcp-6.8, linux-raspi, linux-oracle-6.14, and openjdk-17). --------------------------------------------- https://lwn.net/Articles/1033445/ ∗∗∗ Vtenext 25.02: A three-way path to RCE ∗∗∗ --------------------------------------------- Multiple vulnerabilities in vtenext 25.02 and prior versions allow unauthenticated attackers to bypass authentication through three separate vectors, ultimately leading to remote code execution on the underlying server. --------------------------------------------- https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/ ∗∗∗ OMSA-2025-0004: Omnissa Workspace ONE UEM addresses multiple vulnerabilities (CVE-2025-25229, CVE-2025-25231) ∗∗∗ --------------------------------------------- https://www.omnissa.com/omsa-2025-0004/ ∗∗∗ OMSA-2025-0003: Omnissa Secure Email Gateway (SEG) updates address Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-25235) ∗∗∗ --------------------------------------------- https://www.omnissa.com/omsa-2025-0003/ ∗∗∗ Matrix protocol vulnerabilities fixed in room version 12 ∗∗∗ --------------------------------------------- https://matrix.org/blog/2025/08/security-release/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 11.08.2025
by Daily end-of-shift report 11 Aug '25

11 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-08-2025 18:00 − Montag 11-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ WinRAR zero-day flaw exploited by RomCom hackers in phishing attacks ∗∗∗ --------------------------------------------- A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware. [..] The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploit… ∗∗∗ Command Injection in Jenkins via Git Parameter (CVE-2025-53652) ∗∗∗ --------------------------------------------- On July 9, Jenkins disclosed CVE-2025-53652 (aka SECURITY-34191), one of 31 plugin vulnerabilities announced that day. [..] was disclosed as medium severity, but it enables command injection via the Jenkins Git Parameter plugin. [..] Around 15,000 Jenkins servers appear to allow unauthenticated access, making RCE viable in the wild. [..] The patch can be disabled, so detection remains important even after upgrading. --------------------------------------------- https://www.vulncheck.com/blog/git-parameter-rce ∗∗∗ EU law to protect journalists from spyware takes effect ∗∗∗ --------------------------------------------- Critics from press freedom groups say member states have not taken steps to give the law any teeth. --------------------------------------------- https://therecord.media/eu-law-to-protect-journalists-from-spyware-takes-ef… ∗∗∗ Sicherheitslücken: Hacker knackt Auto über Webportal des Herstellers ∗∗∗ --------------------------------------------- Er konnte nicht nur aus der Ferne unzählige fremde Autos orten, entriegeln und starten, sondern auch nach Belieben die Halterdaten abfragen. [..] Zveare stellte seine Entdeckungen am vergangenen Sonntag auf der Def Con in Las Vegas vor. Den Angaben zufolge konnte er sich in dem besagten Händlerportal ein "nationales Administratorkonto" erstellen und erhielt damit einen weitreichenden Zugriff, der "nur wenigen ausgewählten Unternehmensnutzern vorbehalten ist" und "eine Vielzahl von lustigen Exploits" ermöglichte. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-hacker-knackt-auto-ueber-webpo… ∗∗∗ Spionage: Rauchwarnmelder in Abhörwanzen verwandelt ∗∗∗ --------------------------------------------- Zwei junge Sicherheitsforscher haben im Rahmen der Def Con in Las Vegas Sicherheitslücken in smarten Rauchwarnmeldern des Typs Halo 3C aufgedeckt. [..] Der Hersteller der Halo-3C-Warnmelder hört auf den Namen IPVideo und ist laut der Webseite seit 2023 Teil von Motorola Solutions. Das Unternehmen hat dem Wired-Bericht zufolge bereits ein Firmwareupdate bereitgestellt, um die von Garcia und seinem Kollegen entdeckten Sicherheitslücken zu schließen. Mit der Cloud verbundene Geräte sollen das Update automatisch erhalten. --------------------------------------------- https://www.golem.de/news/spionage-smarte-rauchwarnmelder-in-abhoerwanzen-v… ∗∗∗ Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered multiple security flaws in Dells ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware. [..] Attackers can chain the vulnerabilities, which were presented at the Black Hat USA security conference, to escalate their privileges after initial access, bypass authentication controls, and maintain persistence on compromised systems that survive operating system updates or reinstallations. --------------------------------------------- https://thehackernews.com/2025/08/researchers-reveal-revault-attack.html ∗∗∗ DEF CON hackers plug security holes in US water systems amid tsunami of threats ∗∗∗ --------------------------------------------- A DEF CON hacker walks into a small-town water facility … no, this is not the setup for a joke or a (super-geeky) odd-couple rom-com. It's a true story that happened at five utilities across four states. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/10/def_con_hack… ∗∗∗ libarchive: Sicherheitslücke entpuppt sich als kritisch ∗∗∗ --------------------------------------------- In der Open-Source-Kompressionsbibliothek libarchive klafft eine Sicherheitslücke, die zunächst als lediglich niedriges Risiko eingestuft wurde. [..] Die ursprüngliche Meldung der Lücke an das libarchive-Projekt durch Tobias Stöckmann mitsamt eines Proof-of-Concept-Exploits fand bereits am 10. Mai dieses Jahres statt. Am 20. Mai haben die Entwickler die Version 3.8.0 von libarchive herausgegeben. Die öffentliche Schwachstellenmeldung erfolgte am 9. Juni ebenfalls auf Github. Dort wurde auch die CVE-Nummer CVE-2025-5914 zugewiesen, jedoch zunächst mit dem Schweregrad CVSS 3.9, Risiko "niedrig", wie Red Hat die Lücke einordnete. --------------------------------------------- https://www.heise.de/news/libarchive-Sicherheitsluecke-entpuppt-sich-als-kr… ∗∗∗ Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild ∗∗∗ --------------------------------------------- CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings. --------------------------------------------- https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/ ∗∗∗ BadCam Attack Turns Trusted Linux Webcams into Stealthy USB Weapons ∗∗∗ --------------------------------------------- A new class of USB-based attacks has come to light. [..] Attackers can now exploit vulnerabilities in commonly used USB webcams running embedded Linux, transforming them into BadUSB devices capable of injecting keystrokes and executing covert operations independently of the host operating system. --------------------------------------------- https://thecyberexpress.com/badcam-linux-webcam/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Debian (distro-info-data, gnutls28, modsecurity-crs, and node-tmp), Fedora (chromium, incus, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, varnish, and xen), Red Hat (kernel, kernel-rt, and rhc), and SUSE (chromedriver, ffmpeg-4, go1.23, go1.24, go1.25, govulncheck-vulndb, himmelblau, iperf, keylime-ima-policy, net-tools, sqlite3, texmaker, tomcat, and zabbix). --------------------------------------------- https://lwn.net/Articles/1033328/ ∗∗∗ SQUID-2025:1 Buffer Overflow in URN Handling ∗∗∗ --------------------------------------------- https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3 ∗∗∗ Xerox® FreeFlow® Core v8.0.5 ∗∗∗ --------------------------------------------- https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 08.08.2025
by Daily end-of-shift report 08 Aug '25

08 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-08-2025 18:00 − Freitag 08-08-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ New EDR killer tool used by eight different ransomware groups ∗∗∗ --------------------------------------------- A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, has been observed in attacks by eight different ransomware gangs. Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-edr-killer-tool-used-by-… ∗∗∗ Why blow up satellites when you can just hack them? ∗∗∗ --------------------------------------------- Four countries have now tested anti-satellite missiles (the US, China, Russia, and India), but it's much easier and cheaper just to hack them. In a briefing at the Black Hat conference in Las Vegas, Milenko Starcik and Andrzej Olchawa from German biz VisionSpace Technologies demonstrated how easy it is by exploiting software vulnerabilities in the software used in the satellites themselves, as well as the ground stations that control them. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/07/balck_hat_sa… ∗∗∗ US confirms takedown of BlackSuit ransomware gang that racked up $370 million in ransoms ∗∗∗ --------------------------------------------- U.S. law enforcement agencies provided new details on an operation that dismantled critical infrastructure used by the BlackSuit ransomware gang after the organization’s leak site was replaced with a takedown banner nearly two weeks ago. The group — which rebranded from its Royal name after a devastating 2023 attack that shut down the city of Dallas — successfully attacked more than 450 entities in the U.S. Since emerging in 2022, the gang secured more than $370 million in ransom payments, according to U.S. investigators. --------------------------------------------- https://therecord.media/us-confirms-blacksuit-takedown ∗∗∗ Abusing Ubuntu 24.04 features for root privilege escalation ∗∗∗ --------------------------------------------- With the recent release of Ubuntu 24.04, we at Snyk Security Labs thought it would be interesting to examine the latest version of this Linux distribution to see if we could find any interesting privilege escalation vulnerabilities. In this post, we have seen that it only takes the leveraging of one small vulnerability, combined with a number of features, to achieve a chain of exploitation resulting in a full privilege escalation. Even where security controls are in place preventing the direct exploitation of a small vulnerability it may still be possible to finesse limited exploitation potential into a much greater impact. --------------------------------------------- https://labs.snyk.io/resources/abusing-ubuntu-root-privilege-escalation/ ∗∗∗ Oops Safari, I think You Spilled Something ∗∗∗ --------------------------------------------- In February 2023, researchers at Exodus Intelligence discovered a bug in the Data Flow Graph (DFG) compiler of WebKit, the browser engine used by Safari. This bug, CVE-2024-44308, was patched by Apple in November 2024. While it was alive, its exploit was chained with PAC and APRR bypasses on Apple Silicon to yield renderer remote code execution capabilities on macOS and iOS. Such capabilities, and many others including LPEs and RCEs on Windows and Linux, are available to Exodus’ customers. --------------------------------------------- https://blog.exodusintel.com/2025/08/04/oops-safari-i-think-you-spilled-som… ∗∗∗ 60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign ∗∗∗ --------------------------------------------- Socket’s Threat Research Team has uncovered a long-running supply chain attack in the RubyGems ecosystem. Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver. These gems deliver their advertised functionality, such as bulk posting or engagement, but covertly exfiltrate credentials (usernames and passwords) to threat actor-controlled infrastructure, which classifies them as infostealer malware. --------------------------------------------- https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gdk-pixbuf2, glibc, kernel, kernel-rt, libxml2, and opentelemetry-collector), Fedora (firefox, mingw-opencv, moby-engine, varnish, webkitgtk, xen, and yarnpkg), Oracle (firefox, gdk-pixbuf2, glibc, kernel, libblockdev, libxml2, python-requests, python3.12-setuptools, and qt5-qt3d), Red Hat (libxml2, pcs, and sudo), and SUSE (agama, chromium, dpkg, ghostscript, iperf, kubo, libIex-3_3-32, libpoppler-cpp2, libsoup, libtiff-devel-32bit, nginx, python-urllib3, ruby2.5, tgt, traefik, and traefik2). --------------------------------------------- https://lwn.net/Articles/1033009/ ∗∗∗ CISA Issues ED 25-02: Mitigate Microsoft Exchange Vulnerability ∗∗∗ --------------------------------------------- Today, CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE-2025-53786, a vulnerability in Microsoft Exchange server hybrid deployments. ED 25-02 directs all Federal Civilian Executive Branch (FCEB) agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9:00 AM EDT on Monday, August 11, 2025. This vulnerability presents significant risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet implemented the April 2025 patch guidance. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-issues-ed-25-02-mit… ∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-releases-ten-indust… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2025
by Daily end-of-shift report 07 Aug '25

07 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-08-2025 18:00 − Donnerstag 07-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations ∗∗∗ --------------------------------------------- A new post-exploitation command-and-control (C2) evasion method called Ghost Calls abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ghost-calls-tactic-abuse… ∗∗∗ Wave of 150 crypto-draining extensions hits Firefox add-on store ∗∗∗ --------------------------------------------- A malicious campaign dubbed GreedyBear has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-… ∗∗∗ Critical Zero-Day Bugs Crack Open CyberArk, HashiCorp Password Vaults ∗∗∗ --------------------------------------------- Secrets managers hold all the keys to an enterprises kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/critical-zero-day-bugs… ∗∗∗ Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft ∗∗∗ --------------------------------------------- Cybersecurity researchers have demonstrated an "end-to-end privilege escalation chain" in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment. --------------------------------------------- https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html ∗∗∗ How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes ∗∗∗ --------------------------------------------- SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before its used in a SQL query. So why does this well-understood vulnerability type continue to exist? --------------------------------------------- https://www.wordfence.com/blog/2025/08/how-to-find-sql-injection-vulnerabil… ∗∗∗ New Promptware Attack Hijacks User’s Gemini AI Via Google Calendar Invite ∗∗∗ --------------------------------------------- Cybersecurity researchers demonstrate a new attack on Google Gemini AI for Workspace. Discover how a simple calendar invite can be used to perform phishing, steal emails, and even control home appliances. --------------------------------------------- https://hackread.com/promptware-attack-hijack-gemini-ai-google-calendar-inv… ∗∗∗ Unveiling a New Variant of the DarkCloud Campaign ∗∗∗ --------------------------------------------- In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis. --------------------------------------------- https://feeds.fortinet.com/~/922857380/0/fortinet/blogs~Unveiling-a-New-Var… ∗∗∗ HTTP/1.1 must die: the desync endgame ∗∗∗ --------------------------------------------- Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This paper introduces several novel classes of HTTP desync attack capable of mass compromise of user credentials. --------------------------------------------- https://portswigger.net/research/http1-must-die ∗∗∗ Malicious npm Packages Target WhatsApp Developers with Remote Kill Switch ∗∗∗ --------------------------------------------- Two npm packages masquerading as WhatsApp developer libraries include a kill switch that deletes all files if the phone number isn’t whitelisted. --------------------------------------------- https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-w… ===================== = Vulnerabilities = ===================== ∗∗∗ 6,500 Axis Servers Expose Remoting Protocol, 4,000 in U.S. Vulnerable to Exploits ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks. --------------------------------------------- https://thehackernews.com/2025/08/6500-axis-servers-expose-remoting.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (glibc, kernel, libxml2, python-requests, and python-setuptools), Debian (chromium), Fedora (chromium, firefox, gdk-pixbuf2, iputils, libsoup3, libssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, and poppler), Gentoo (Composer and Spreadsheet-ParseExcel), Oracle (glibc, kernel, libxml2, python-setuptools, sqlite, and virt:rhel and virt-devel:rhel), Red Hat (libxml2), SUSE (grub2, libarchive, libgcrypt, and python311), and Ubuntu (cifs-utils and poppler). --------------------------------------------- https://lwn.net/Articles/1032861/ ∗∗∗ Erhöhte Bedrohungsaktivität gegen SonicWall Gen 7 Firewalls mit SSLVPN - Sofortmaßnahmen empfohlen ∗∗∗ --------------------------------------------- Update: 07. August 2025 Ergänzung von technischen Indikatoren für eine forensische Untersuchung möglicherweise betroffener Geräte sowie Informationen zu der angeblich relevanten Schwachstelle. --------------------------------------------- https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s… ∗∗∗ Sicherheitslücken: Angreifer können IBM Tivoli Monitoring crashen lassen ∗∗∗ --------------------------------------------- IBMs IT-Verwaltungssoftware Tivoli Monitoring ist verwundbar und Angreifer können an zwei Sicherheitslücken ansetzen. Ein Update zum Schließen der Lücken steht zum Download bereit. --------------------------------------------- https://heise.de/-10513072 ∗∗∗ EG4 Electronics EG4 Inverters ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07 ∗∗∗ Dreame Technology iOS and Android Mobile Applications ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06 ∗∗∗ Packet Power EMX and EG ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-05 ∗∗∗ Rockwell Automation Arena ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-04 ∗∗∗ Burk Technology ARC Solo ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-03 ∗∗∗ Johnson Controls FX80 and FX90 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-02 ∗∗∗ Delta Electronics DIAView ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.08.2025
by Daily end-of-shift report 06 Aug '25

06 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-08-2025 18:00 − Mittwoch 06-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Driver of destruction: How a legitimate driver is being used to take down AV processes ∗∗∗ --------------------------------------------- In an incident response case, Kaspersky experts discovered new malware that terminates AV processes by abusing the legitimate ThrottleStop driver. --------------------------------------------- https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/ ∗∗∗ CISA Adds 3 D-Link Router Flaws to KEV Catalog After Active Exploitation Reports ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. --------------------------------------------- https://thehackernews.com/2025/08/cisa-adds-3-d-link-router-flaws-to-kev.ht… ∗∗∗ CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures ∗∗∗ --------------------------------------------- The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country. --------------------------------------------- https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html ∗∗∗ GenAI Used For Phishing Websites Impersonating Brazil’s Government ∗∗∗ --------------------------------------------- In this blog post, ThreatLabz explores a campaign that uses generative AI tools like DeepSite AI and BlackBox AI to create malicious replicas of Brazil's State Department of Traffic and Ministry of Education. --------------------------------------------- https://www.zscaler.com/blogs/security-research/genai-used-phishing-website… ∗∗∗ Kriminelle versenden gefälschte Zahlungsaufforderungen im Namen der WKO ∗∗∗ --------------------------------------------- Die Wirtschatfskammer Österreich (WKO) ist erneut Ziel einer Phishing-Attacke geworden. Aktuell kursiert eine betrügerische E-Mail, die vorgibt, von der WKO zu stammen. In der E-Mail wird der Eindruck erweckt, dass eine ausstehende Mitgliedsrechnung bezahlt werden müsse. Das Ziel der Attacke ist es, an persönliche Informationen und Log-in-Daten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versenden-gefaelschte-zah… ∗∗∗ Makop Ransomware Identified in Attacks in South Korea ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently identified cases of Makop ransomware attacks targeting South Korean users. The Makop ransomware has been distributed to South Korean users by disguising as resumes or emails related to copyrights for several years. Recently, it has been reported that the ransomware is exploiting RDP for attacks. --------------------------------------------- https://asec.ahnlab.com/en/89397/ ∗∗∗ The Cost of a Call: From Voice Phishing to Data Extortion ∗∗∗ --------------------------------------------- In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ Experience Manager: Adobe patcht 90 Tage nicht und bringt nun Notfallupdate ∗∗∗ --------------------------------------------- Da Proof-of-Concept-Code im Umlauf ist, könnten Angriffe auf Adobe Experience Manager bevorstehen. Angreifer können an zwei Sicherheitslücken [..] ansetzen, um Systeme zu attackieren. Die Schwachstellen sind seit April dieses Jahres bekannt, Sicherheitspatches gibt es aber erst jetzt. --------------------------------------------- https://www.heise.de/news/Experience-Manager-Adobe-patcht-90-Tage-nicht-und… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi). --------------------------------------------- https://lwn.net/Articles/1032700/ ∗∗∗ Docker: Sicherheitsalptraum MCP – sechs Lücken identifiziert ∗∗∗ --------------------------------------------- Die Containerplattform Docker warnt vor Sicherheitsrisiken, die sich durch die Nutzung von MCP-Quellen ergeben und Angreifern leichten Zugriff auf Dateien, Datenbanken, Netzwerk und Secrets eröffnen. Außerdem können die Täter weitreichend Befehle absetzen und schädlichen Code einschleusen. --------------------------------------------- https://heise.de/-10510262 ∗∗∗ Sicherheitsupdates: Root-Attacken auf Dell PowerProtect und Unity möglich ∗∗∗ --------------------------------------------- Um möglichen Attacken vorzubeugen, sollten Admins Dell PowerProtect Data Domain und Unity, UnityVSA sowie Unity XT auf den aktuellen Stand bringen. Geschieht das nicht, können Angreifer unter anderem mit Root-Rechten auf Instanzen zugreifen und diese kompromittieren. --------------------------------------------- https://heise.de/-10511706 ∗∗∗ JVN: Multiple vulnerabilities in Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN16547726/ ∗∗∗ ZDI-25-771: Trend Micro Apex One Console Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-771/ ∗∗∗ ZDI-25-807: (0Day) AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-807/ ∗∗∗ Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desk… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2025
by Daily end-of-shift report 05 Aug '25

05 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Montag 04-08-2025 18:00 − Dienstag 05-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Android gets patches for Qualcomm flaws exploited in attacks ∗∗∗ --------------------------------------------- Google has released security patches for six vulnerabilities in Androids August 2025 security update, including two Qualcomm flaws exploited in targeted attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-gets-patches-for-qua… ∗∗∗ Stealing Machine Keys for fun and profit (or riding the SharePoint wave) ∗∗∗ --------------------------------------------- About 10 days ago exploits for Microsoft SharePoint (CVE-2025-53770, CVE-2025-53771) started being publicly abused .. --------------------------------------------- https://isc.sans.edu/diary/Stealing+Machine+Keys+for+fun+and+profit+or+ridi… ∗∗∗ Antivirus vendors fail to spot persistent, nasty, stealthy Linux backdoor ∗∗∗ --------------------------------------------- Plague malware has been around for months without tripping alarms Updated Researchers at German infosec services company Nextron Threat have spotted malware that creates a highly-persistent Linux backdoor and say antivirus engines do not flag the code as malicious. --------------------------------------------- https://www.theregister.com/2025/08/05/plague_linux_backdoor/ ∗∗∗ CrowdStrike investigated 320 North Korean IT worker cases in the past year ∗∗∗ --------------------------------------------- Threat hunters saw North Korean operatives almost daily, reflecting a 220% year-over-year increase in activity, CrowdStrike said in a new report. --------------------------------------------- https://cyberscoop.com/crowdstrike-north-korean-operatives/ ∗∗∗ Mozilla: Phishing-Attacken auf Add-on-Entwickler beobachtet ∗∗∗ --------------------------------------------- Zurzeit haben es Kriminelle auf Add-on-Entwickler abgesehen, die Erweiterungen für Firefox erstellen. --------------------------------------------- https://www.heise.de/news/Mozilla-warnt-vor-Phishing-Attacken-auf-Add-on-En… ∗∗∗ From code to stolen wallets: How hackers are trapping AI development tools ∗∗∗ --------------------------------------------- When AI becomes a target At a time when AI technology is developing rapidly, AI has been increasingly integrated into our daily lives. However, due .. --------------------------------------------- https://blog.360totalsecurity.com/en/from-code-to-stolen-wallets-how-hacker… ∗∗∗ Achtung Fake-Shop: vorwerk-deutschland.de ∗∗∗ --------------------------------------------- Auf vorwerk-deutschland.de freuen sich viele Kund:innen über ein Schnäppchen. Der neue Thermomix TM7 wird dort zu einem günstigeren Preis angeboten. Doch Vorsicht: Es handelt sich um einen Fake-Shop, der nur Zahlung per Vorkasse akzeptiert. Wer hier bestellt, verliert sein Geld und erhält keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-vorwerk-deutschlan… ∗∗∗ Ukrainische Hacker erbeuteten Geheimdokumente über das neueste russische Atom-U-Boot ∗∗∗ --------------------------------------------- Die erbeuteten Daten umfassen Besatzungslisten, Einsatzdaten und Baupläne. Laut dem ukrainischen Geheimdienst wurden auch die Schwächen des U-Boots offengelegt --------------------------------------------- https://www.derstandard.at/story/3000000282244/ukrainische-hacker-erbeutete… ∗∗∗ Erhöhte Bedrohungsaktivität gegen SonicWall Gen 7 Firewalls mit SSLVPN - Sofortmaßnahmen empfohlen ∗∗∗ --------------------------------------------- SonicWall berichtet über eine deutliche Zunahme von Sicherheitsvorfällen in den letzten 96 Stunden, die Gen 7 SonicWall Firewalls mit aktiviertem SSLVPN betreffen. Die Bedrohungsaktivität wurde sowohl intern als auch von externen Organisationen und Unternehmen wie Arctic Wolf, Google Mandiant und Huntress gemeldet. Es ist noch nicht .. --------------------------------------------- https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s… ∗∗∗ From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira ∗∗∗ --------------------------------------------- Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery .. --------------------------------------------- https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumbleb… ∗∗∗ Cursor IDE: Persistent Code Execution via MCP Trust Bypass ∗∗∗ --------------------------------------------- Check Point Research uncovered a persistent remote code execution vulnerability in Cursor, a fast-growing AI-powered coding platform trusted by developers worldwide. MCP Vulnerability Cursor allows attackers to gain long-term, silent access to .. --------------------------------------------- https://blog.checkpoint.com/research/cursor-ide-persistent-code-execution-v… ∗∗∗ Vietnamese-speaking hackers appear to be running global data theft operation through Telegram ∗∗∗ --------------------------------------------- A combination of phishing lures, a previously spotted infostealer and Telegram bots are fueling a campaign by apparent Vietnamese-speaking hackers to capture and sell sensitive data globally. --------------------------------------------- https://therecord.media/pxa-infostealer-telegram-bots-vietnamese-speaking-h… ∗∗∗ Neue Insights zum SharePoint-Gate: Mitarbeiter aus China für die Wartung ∗∗∗ --------------------------------------------- Seit dem SharePoint-Desaster im Juli 2025, bei dem Schwachstellen angegriffen wurden, gibt es fast jeden Tag neue Enthüllungen. Es wurde spekuliert, dass mutmaßlich chinesische Hacker vorab auf interne .. --------------------------------------------- https://www.borncity.com/blog/2025/08/05/neue-insights-zum-sharepoint-gate-… ∗∗∗ Microsoft Recall erfasst weiterhin (Juli 2025) Kreditkartendaten und Passwörter ∗∗∗ --------------------------------------------- Ist es eine Überraschung? Nein, keine Überraschung, sondern zu erwarten. Die Spionagefunktion Recall, die Microsoft auf die Windows-Systeme drückt, erfasst weiterhin Sensitives wie Kreditkartendaten und Passwörter. Und dies, .. --------------------------------------------- https://www.borncity.com/blog/2025/08/05/microsoft-recall-erfasst-weiterhin… ∗∗∗ Detection Engineering: Practicing Detection-as-Code – Validation – Part 3 ∗∗∗ --------------------------------------------- In this part, we focus on implementing validation checks to improve consistency and ensure a minimum level of quality within the detection repository. Setting up validation pipelines is a key step, as it helps enforce the defined standards, reduce errors, and ensure that detections are reliable and consistent. --------------------------------------------- https://blog.nviso.eu/2025/08/05/detection-engineering-practicing-detection… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2025
by Daily end-of-shift report 04 Aug '25

04 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-08-2025 18:00 − Montag 04-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Pi-hole discloses data breach triggered by WordPress plugin flaw ∗∗∗ --------------------------------------------- Pi-hole, a popular network-level ad-blocker, has disclosed that donor names and email addresses were exposed through a security vulnerability in the GiveWP WordPress donation plugin. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pi-hole-discloses-data-breac… ∗∗∗ Mozilla warns of phishing attacks targeting add-on developers ∗∗∗ --------------------------------------------- Mozilla has warned browser extension developers of an active phishing campaign targeting accounts on its official AMO (addons.mozilla.org) repository. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mozilla-warns-of-phishing-at… ∗∗∗ New Plague Linux malware stealthily maintains SSH access ∗∗∗ --------------------------------------------- A newly discovered Linux malware, which has evaded detection for over a year, allows attackers to gain persistent SSH access and bypass authentication on compromised systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-plague-malware-backdoors… ∗∗∗ Exchange: China wirft den USA Militär-Hacking vor ∗∗∗ --------------------------------------------- China beschuldigt US-Geheimdienste, über ein Jahr lang Microsoft Exchange-Schwachstellen ausgenutzt zu haben, um Militärdaten zu stehlen. --------------------------------------------- https://www.golem.de/news/exchange-china-wirft-den-usa-militaer-hacking-vor… ∗∗∗ CISA roasts unnamed critical national infrastructure body for shoddy security hygiene ∗∗∗ --------------------------------------------- Plaintext passwords, shared admin accounts, and insufficient logging rampant at mystery org CISA is using the findings from a recent probe of an unidentified critical infrastructure organization to warn about the dangers of getting cybersecurity seriously wrong. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/02/cisa_coast_g… ∗∗∗ Lazarus Group rises again, this time with malware-laden fake FOSS ∗∗∗ --------------------------------------------- Software supply chain management vendor Sonatype last week published research in which it claimed that Lazarus Group has created hundreds of “shadow downloads” that appear to be popular open source software development tools but are full of malware. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/04/infosec_in_b… ∗∗∗ Gefälschte Rückerstattungs-Mails im Namen der WKO ∗∗∗ --------------------------------------------- Derzeit werden E-Mails mit dem Betreff „Ihr möglicher Erstattungsbetrag von bis zu 476 Euro“ an zahlreiche Mitglieder der Wirtschaftskammer Österreich (WKO) versendet. Darin wird behauptet, dass möglicherweise ein Rückerstattungsanspruch der Mitgliederbeiträge besteht, den man über einen Link prüfen kann. Achtung: Der Link führt zu einer betrügerischen Website, auf der persönliche Daten gestohlen werden. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-e-mails-zu-rueckersta… ∗∗∗ Akira Ransomware Exploiting Potential Zero-Day in SonicWall SSL VPN ∗∗∗ --------------------------------------------- Artic Wolf also suggest that the attacks could be exploiting an undetermined security flaw in the appliances, meaning a Zero-Day vulnerability, given that some of the incidents affected SonicWall devices which were fully patched. --------------------------------------------- https://www.truesec.com/hub/blog/akira-ransomware-exploiting-potential-zero… ∗∗∗ Doch Sicherheitsvorfall bei Logitech-Partnerliste ∗∗∗ --------------------------------------------- Es hat einen Sicherheitsvorfall bei einem Dienstleister gegeben, der für die Firma Logitech die Logitech-Partner betreut. Logitech-Partner erhielten die Tage eine Betrugs-Mail, die vor dem Risiko eines Angriffs auf eine MetaMask-Wallet warnte, aber einen Phishing-Link enthielt. --------------------------------------------- https://www.borncity.com/blog/2025/08/03/doch-sicherheitsvorfall-bei-logite… ∗∗∗ New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor ∗∗∗ --------------------------------------------- Security firm Point Wild has exposed a new malware campaign using malicious LNK files to install the REMCOS backdoor. This report details how attackers disguise files to gain full system control. --------------------------------------------- https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/ ∗∗∗ When Flatpak’s Sandbox Cracks: Real‑Life Security Issues Beyond the Ideal ∗∗∗ --------------------------------------------- Flatpak’s sandbox model is robust in design, but imperfect in deployment. Sandboxes dissolved through misconfiguration, vulnerabilities like CVE‑2024‑32462, and symlink exploits illustrate the friction between ideal and actual protection. --------------------------------------------- https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Phishingangriffe auf IBM Operational Decision Manager möglich ∗∗∗ --------------------------------------------- IBMs Businesstool Operational Decision Manager ist verwundbar. In aktuellen Versionen haben die Entwickler zwei Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdate-Phishingangriffe-auf-IBM-Operat… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-21-openjdk, kernel, libxml2, and lz4), Debian (exempi, ruby-graphql, and sope), Fedora (binutils, chromium, gdk-pixbuf2, libsoup3, poppler, and reposurgeon), Mageia (glib2.0 and wxgtk), Oracle (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Red Hat (kernel, pandoc, pcs, qemu-kvm, redis, and rsync), SUSE (chromedriver, coreutils, cosign, docker, gdk-pixbuf-devel, glib2, gnutls, grub2, gstreamer-plugins-base, helm, ignition, java-21-openjdk, jbigkit, jq, kernel, kubernetes1.28, kwctl, libxml2, nvidia-open-driver-G06-signed, opensc, pam-config, protobuf, python310, tgt, and valkey), and Ubuntu (linux-iot). --------------------------------------------- https://lwn.net/Articles/1032371/ ∗∗∗ Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover ∗∗∗ --------------------------------------------- Wiz Research discovers a critical vulnerability chain allowing unauthenticated attackers to take over NVIDIAs Triton Inference Server. --------------------------------------------- https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server ∗∗∗ Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape ∗∗∗ --------------------------------------------- A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE). --------------------------------------------- https://socket.dev/blog/nestjs-rce-vuln ∗∗∗ VU#317469: Partner Software/Partner Web does not sanitize Report files and Note content, allowing for XSS and RCE ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/317469 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0005 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0005.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2025
by Daily end-of-shift report 01 Aug '25

01 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-07-2025 18:00 − Freitag 01-08-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft to disable Excel workbook links to blocked file types ∗∗∗ --------------------------------------------- Microsoft has announced that it will start disabling external workbook links to blocked file types by default between October 2025 and July 2026. [..] After the rollout, Excel workbooks referencing blocked file types will display a #BLOCKED error or fail to refresh, eliminating security risks associated with accessing unsupported or high-risk file types, including, but not limited to, phishing attacks that utilize workbooks to redirect targets to malicious payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-extern… ∗∗∗ Kali Linux can now run in Apple containers on macOS systems ∗∗∗ --------------------------------------------- Cybersecurity professionals and researchers can now launch Kali Linux in a virtualized container on macOS Sequoia using Apples new containerization framework. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kali-linux-can-now-run-in-ap… ∗∗∗ Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses. --------------------------------------------- https://thehackernews.com/2025/07/experts-detect-multi-layer-redirect.html ∗∗∗ Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report. --------------------------------------------- https://thehackernews.com/2025/08/attackers-use-fake-oauth-apps-with.html ∗∗∗ Huawei, at the heart of the Post outage ∗∗∗ --------------------------------------------- The cyberattack that hit Post (and Luxembourg) last week is believed to have targeted Huawei routers and their operating software. The presence of the Chinese giant at the heart of the infrastructure raises questions. The public company says it is reserving its answers for the MPs and ministers who will meet this Thursday at 10am in parliament. --------------------------------------------- https://en.paperjam.lu/article/huawei-at-the-heart-of-the-post-outage ∗∗∗ CISA Releases Open-Source Eviction Strategies Tool for Cyber Incident Response ∗∗∗ --------------------------------------------- “How an organization approaches remediation and eviction of an incident is critically important to a successful response effort. Over the years, we have seen organizations struggle with identifying the right steps to take and the correct sequencing of actions to properly evict advanced adversaries from their enterprises,” said Jermaine Roebuck, Associate Director for Threat Hunting, CISA. “This tool will level the playing field by making it easier for IT staff and cyber defenders to coordinate efforts and achieve a successful eviction. I encourage public and private sector organizations to incorporate this capability into their incident response plans.” --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-releases-open-source-eviction-st… ∗∗∗ CISA and USCG Issue Joint Advisory to Strengthen Cyber Hygiene in Critical Infrastructure ∗∗∗ --------------------------------------------- CISA, in partnership with the U.S. Coast Guard (USCG), released a joint Cybersecurity Advisory aimed at helping critical infrastructure organizations improve their cyber hygiene. [..] CISA and USCG are sharing their findings and associated mitigations to assist other critical infrastructure organizations identify potential similar issues and take proactive measures to improve their cybersecurity posture. The mitigations include best practices such as not storing passwords or credentials in plaintext, avoiding sharing local administrator account credentials, and implementing comprehensive logging. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/07/31/cisa-and-uscg-issue-join… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox and thunderbird), Debian (libcommons-lang-java, node-form-data, redis, and sope), Fedora (chromium), Mageia (slurm), Oracle (apache-commons-beanutils, firefox, kernel, redis:6, and thunderbird), Red Hat (kernel, kernel-rt, libxml2, and redis), SUSE (chromium, docker, ffmpeg-7, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libgcrypt, rav1e, and sccache), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8). --------------------------------------------- https://lwn.net/Articles/1032174/ ∗∗∗ WordPress Vulnerability & Patch Roundup — July 2025 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2025/07/wordpress-vulnerability-patch-roundup-july-… ∗∗∗ Rockwell Automation Lifecycle Services with VMware ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-212-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2025
by Daily end-of-shift report 31 Jul '25

31 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-07-2025 18:00 − Donnerstag 31-07-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install ∗∗∗ --------------------------------------------- The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug. According to Wordfence, the shortcoming relates to an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been addressed in version 7.8.5 released on June 16, 2025. --------------------------------------------- https://thehackernews.com/2025/07/hackers-exploit-critical-wordpress.html ∗∗∗ N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto ∗∗∗ --------------------------------------------- The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram. --------------------------------------------- https://thehackernews.com/2025/07/n-korean-hackers-used-job-lures-cloud.html ∗∗∗ Scammers Unleash Flood of Slick Online Gaming Sites ∗∗∗ --------------------------------------------- Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here’s a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites. --------------------------------------------- https://krebsonsecurity.com/2025/07/scammers-unleash-flood-of-slick-online-… ∗∗∗ Vorsicht vor dieser iCloud Phishing-Mail ∗∗∗ --------------------------------------------- „Letzte Mitteilung: Ihre Fotos und Videos werden gelöscht – ergreifen Sie Maßnahmen!“ Mit diesem Betreff versenden Kriminelle aktuell Phishing-Mails, die scheinbar von iCloud stammen. Unter dem Vorwand, das Speicherabonnement müsse verlängert werden, versuchen sie, an Zahlungsdaten zu gelangen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dieser-icloud-phishing-… ∗∗∗ Patents by Silk Typhoon-linked company shed light on Beijing’s offensive hacking capabilities ∗∗∗ --------------------------------------------- SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government. --------------------------------------------- https://therecord.media/patents-silk-typhoon-company-beijing ∗∗∗ GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities ∗∗∗ --------------------------------------------- It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed? In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks. --------------------------------------------- https://www.greynoise.io/blog/greynoise-uncovers-early-warning-signals-emer… ∗∗∗ In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network ∗∗∗ --------------------------------------------- Hackers planted a Raspberry Pi equipped with a 4G modem in the network of an unnamed bank in an attempt to siphon money out of the financial institution's ATM system, researchers reported Wednesday. --------------------------------------------- https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, java-21-openjdk, kernel, thunderbird, and unbound), Debian (chromium and systemd), Fedora (libtiff), Oracle (java-21-openjdk, libtpms, nodejs:22, redis:7, thunderbird, and unbound), Red Hat (firefox, redis, and thunderbird), SUSE (apache2, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, java-11-openjdk, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestf, libarchive, nvidia-open-driver-G06-signed, redis, and rmt-server), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-hwe-6.14, linux-oem-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-fips, linux-intel-iot-realtime, linux-realtime, linux-oracle, linux-oracle-6.8, linux-realtime, and sqlite3). --------------------------------------------- https://lwn.net/Articles/1032083/ ∗∗∗ Schnell installieren: Apple fixt Zero-Day-Angriff in WebKit ∗∗∗ --------------------------------------------- Apples in der Nacht zum Mittwoch erschienene Updates für iOS, iPadOS und macOS sollten dringend schnell eingespielt werden: Wie nun erst bekannt wurde, wird damit auch ein WebKit-Bug gefixt, für den es bereits einen Exploit gibt. Dieser wird allerdings bislang nur verwendet, um Chrome-Nutzer anzugreifen, wie es in der zugehörigen NIST-Meldung heißt (CVE-2025-6558). Der Fehler wird mit "Severity: High" bewertet. Verwirrend: Apple warnt in seinen Sicherheitsunterlagen nicht vor bekannten aktiven Angriffen – offenbar, weil es für den Apple-Browser Safari noch keine entsprechenden Berichte gibt. --------------------------------------------- https://heise.de/-10505297 ∗∗∗ Sicherheitsupdate: Schwachstellen gefährden HCL BigFix Remote Control ∗∗∗ --------------------------------------------- Die Endpoint-Management-Plattform HCL BigFix ist verwundbar (CVE-2025-31965 "hoch"), und Angreifer können unbefugt Daten einsehen oder mit viel Aufwand und richtigem Timing sogar auf einen privaten Schlüssel zugreifen. Die Schwachstellen finden sich konkret in HCL BigFix Remote Control. Eine abgesicherte Version steht zum Download bereit. --------------------------------------------- https://heise.de/-10505415 ∗∗∗ CVE-2025-8292 - DSA-5968-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00132.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2025
by Daily end-of-shift report 30 Jul '25

30 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-07-2025 18:00 − Mittwoch 30-07-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Attackers Can Use Browser Extensions to Inject AI Prompts ∗∗∗ --------------------------------------------- A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/attackers-use-browser-e… ∗∗∗ PyPI Warns of Ongoing Phishing Campaign Using Fake Verification Emails and Lookalike Domain ∗∗∗ --------------------------------------------- The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack thats targeting users in an attempt to redirect them to fake PyPI sites. The attack involves sending email messages bearing the subject line "[PyPI] Email verification" that are sent from the email address noreply(a)pypj[.]org (note that the domain is not "pypi[.]org"). --------------------------------------------- https://thehackernews.com/2025/07/pypi-warns-of-ongoing-phishing-campaign.h… ∗∗∗ 2025 Unit 42 Global Incident Response Report: Social Engineering Edition ∗∗∗ --------------------------------------------- Social engineering thrives on trust and is now boosted by AI. Unit 42 incident response data explains why its surging. We detail eight critical countermeasures. --------------------------------------------- https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-r… ∗∗∗ Google Project Zero to publicly announce bugs within a week of reporting them ∗∗∗ --------------------------------------------- The vulnerability hunters at Google Project Zero want to address what they call the "upstream patch gap," when a vendor has a fix available but the downstream product providers havent integrated it yet. --------------------------------------------- https://therecord.media/google-project-zero-publicly-announce-vulnerabiliti… ∗∗∗ Decryptor released for FunkSec ransomware; Avast works with law enforcement to help victims ∗∗∗ --------------------------------------------- Cybersecurity company Avast released a decryptor for the short-lived FunkSec ransomware and said it is assisting dozens of the gangs targets with the process. --------------------------------------------- https://therecord.media/funksec-ransomware-decryptor-avast ∗∗∗ New Choicejacking Attack Steals Data from Phones via Public Chargers ∗∗∗ --------------------------------------------- Choicejacking is a new USB attack that tricks phones into sharing data at public charging stations, bypassing security prompts in milliseconds. --------------------------------------------- https://hackread.com/choicejacking-attack-steals-data-phones-public-charger… ∗∗∗ CISA Releases Part One of Zero Trust Microsegmentation Guidance ∗∗∗ --------------------------------------------- This guidance provides a high-level overview of microsegmentation, focusing on its key concepts, associated challenges and potential benefits, and includes recommended actions to modernize network security and advance zero trust principles. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/07/29/cisa-releases-part-one-z… ===================== = Vulnerabilities = ===================== ∗∗∗ New Lenovo UEFI firmware updates fix Secure Boot bypass flaws ∗∗∗ --------------------------------------------- Lenovo is warning about high-severity BIOS flaws that could allow attackers to potentially bypass Secure Boot in all-in-one desktop PC models that use customized Insyde UEFI (Unified Extensible Firmware Interface). --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-lenovo-uefi-firmware-upd… ∗∗∗ Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome ∗∗∗ --------------------------------------------- Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month. The vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), is an incorrect validation of untrusted input in the browser's ANGLE and GPU components that could result in a sandbox escape via a crafted HTML page. --------------------------------------------- https://thehackernews.com/2025/07/apple-patches-safari-vulnerability-also.h… ∗∗∗ Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices. --------------------------------------------- https://thehackernews.com/2025/07/critical-dahua-camera-flaws-enable.html ∗∗∗ Autodesk Security Advisory 29.07.2025 ∗∗∗ --------------------------------------------- Certain Autodesk products use a shared component that is affected by multiple vulnerabilities listed below. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0015 ∗∗∗ Sicherheitsupdates: Angreifer können auf Dell ECS und ObjectScale zugreifen ∗∗∗ --------------------------------------------- Angreifer können mit vergleichsweise wenig Aufwand auf Dell Elastic Cloud Storage (ECS) und ObjectScale zugreifen. Damit setzten Firmen unter anderem Cloudspeicher auf. Liegen dort wichtige Daten, können unbefugte Zugriffe weitreichende Folgen haben. Sicherheitsupdates schließen die Schwachstelle. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Angreifer-koennen-auf-Dell-ECS… ∗∗∗ Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- The Stable channel has been updated to 138.0.7204.183/.184 for Windows, Mac and 138.0.7204.183 for Linux which will roll out over the coming days/weeks. This update includes 4 security fixes. --------------------------------------------- http://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desk… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, icu, kernel-rt, libtpms, redis:6, redis:7, and sqlite), Fedora (chromium and cloud-init), Oracle (icu, java-1.8.0-openjdk, java-21-openjdk, kernel, nodejs:22, perl, and sqlite), SUSE (docker, java-1_8_0-openj9, libxml2, python-starlette, and thunderbird), and Ubuntu (cloud-init, linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4, and perl). --------------------------------------------- https://lwn.net/Articles/1031919/ ∗∗∗ Zahnarzt Praxis-Verwaltung-System (PVS): Sicherheitslücken beim CGM Z1 – Teil 1 ∗∗∗ --------------------------------------------- Von der Firma CompuGroup Medical (CGM) wird auch ein Praxis-Verwaltungssystem (PVS) für Zahnärzte vertrieben. Das System ist laut Firmenaussage bei über 7.000 Zahnärzten im Einsatz. Eine anonym bleiben wollende Quelle informierte mich Anfang des Jahres über potentielle Sicherheitsprobleme in dieser Software. Inzwischen hat es ein Software-Update gegeben, mit dem diese Probleme ausgeräumt sein sollten. Ich fasse mal den Sachverhalt in einigen Blog-Beiträgen zusammen. --------------------------------------------- https://www.borncity.com/blog/2025/07/30/sicherheit-beim-zahnarzt-pvs-z1/ ∗∗∗ Delta Electronics DTN Soft ∗∗∗ --------------------------------------------- According to Delta Electronics, if a version of DTN Soft prior to v2.1.0 is installed, it should be updated to v2.1.0 or later. If DTM Soft is also installed, it should be updated to v1.6.0.0 (released on March 25, 2025) or later. Successful exploitation of this vulnerability could allow an attacker to use a specially crafted project file to execute arbitrary code. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-03 ∗∗∗ TP-Link Archer C50 router is vulnerable to configuration-file decryption ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/554637 ∗∗∗ Security update for Tenable Patch Management Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-15 ∗∗∗ CISA: Security update for National Instruments LabVIEW ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-01 ∗∗∗ CISA: Security update for Samsung HVAC DMS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2025
by Daily end-of-shift report 29 Jul '25

29 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 28-07-2025 18:00 − Dienstag 29-07-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test ∗∗∗ --------------------------------------------- On Friday, OpenAI's new ChatGPT Agent, which can perform multistep tasks for users, proved it can pass through one of the Internet's most common security checkpoints by clicking Cloudflare's anti-bot verification—the same checkbox that's supposed to keep automated programs like itself at bay. --------------------------------------------- https://arstechnica.com/information-technology/2025/07/openais-chatgpt-agen… ∗∗∗ Exploit available for critical Cisco ISE bug exploited in attacks ∗∗∗ --------------------------------------------- Security researcher Bobby Gould has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE). --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-available-for-critic… ∗∗∗ Endgame Gear mouse config tool infected users with malware ∗∗∗ --------------------------------------------- Gaming peripherals maker Endgame Gear is warning that malware was hidden in its configuration tool for the OP1w 4k v2 mouse hosted on the official website between June 26 and July 9, 2025. The infected file was hosted on 'endgamegear.com/gaming-mice/op1w-4k-v2,' so users downloading the tool from that page during this period were infected. --------------------------------------------- https://www.bleepingcomputer.com/news/security/endgame-gear-mouse-config-to… ∗∗∗ Critical Flaw in Vibe-Coding Platform Base44 Exposed Apps ∗∗∗ --------------------------------------------- The rise of "vibe coding" platforms that enable developers to build software with minimal traditional coding could create a slew of new security risks for organizations. A recent example is a now-patched vulnerability in the Base44 AI-powered development platform that allowed unauthorized users to gain complete access to private enterprise applications hosted on the service. --------------------------------------------- https://www.darkreading.com/application-security/critical-flaw-vibe-coding-… ∗∗∗ Parasitic Sharepoint Exploits ∗∗∗ --------------------------------------------- Last week, newly exploited SharePoint vulnerabilities took a lot of our attention. It is fair to assume that last Monday (July 21st), all exposed vulnerable SharePoint installs were exploited. Of course, there is nothing to prevent multiple exploitation of the same instance, and a lot of that certainly happened. But why exploit it yourself if you can just take advantage of backdoors left behind by prior exploits? A number of these backdoors were widely publicised. The initial backdoor "spinstall0.aspx", was frequently observed and Microsoft listed various variations of this filename [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/32148 ∗∗∗ Windows auf veraltete libcurl-Bibliotheken in Programmen überprüfen ∗∗∗ --------------------------------------------- Microsoft liefert die cURL-Bibliothek häufiger mit veralteten Versionen, die Sicherheitslücken aufweisen, aus. Auch Software-Pakete kommen mit uralten libcurl-Dateien daher. Wie kann ich prüfen, ob da irgendwelche Altlasten auf meinen Systemen schlummern? --------------------------------------------- https://www.borncity.com/blog/2025/07/29/software-und-die-veralteten-libcur… ∗∗∗ Gunra Ransomware Group Unveils Efficient Linux Variant ∗∗∗ --------------------------------------------- Gunra ransomware was first observed in April 2025 in a campaign that targeted Windows systems using techniques inspired by the infamous Conti ransomware. Our monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant, signaling a strategic move toward cross-platform targeting. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/g/gunra-ransomware-linux-varia… ∗∗∗ SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm ∗∗∗ --------------------------------------------- Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks. --------------------------------------------- https://hackread.com/sap-netweaver-vulnerability-auto-color-malware-us-firm/ ∗∗∗ Stack Overflows, Heap Overflows, and Existential Dread (SonicWall SMA100 CVE-2025-40596, CVE-2025-40597 and CVE-2025-40598) ∗∗∗ --------------------------------------------- Our initial journey started with analyzing SonicWall N-days that were receiving coveted attention from our friendly APT groups. But somewhere along the way - deep in a fog of malformed headers and reverse proxy schenanigans - we stumbled across vulnerabilities that feel like they were preserved in amber from a more naïve era of C programming. --------------------------------------------- https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-d… ∗∗∗ Security: CERT@VDE wird erste deutsche Schaltzentrale für Sicherheitslücken ∗∗∗ --------------------------------------------- Das Sicherheits- und Computer-Notfallteam des Elektrotechnik- und IT-Verbands VDE spielt international seit wenigen Tagen eine wichtigere Rolle. Die Branchenvereinigung teilte am Freitag mit, dass das eigene Computer Emergency Response Team CERT@VDE zur zentralen Stelle im Kampf gegen IT-Sicherheitslücken im Bereich der Industrieautomation mit Fokus auf kleine und mittlere Unternehmen aufgestiegen sei. Dessen Arbeit zur Koordination von Security-Problemen in diesem Sektor erhält damit eine weltweite Bedeutung. --------------------------------------------- https://heise.de/-10502241 ∗∗∗ Attacking GenAI applications and LLMs – Sometimes all it takes is to ask nicely! ∗∗∗ --------------------------------------------- Generative AI and LLM technologies have shown great potential in recent years, and for this reason, an increasing number of applications are starting to integrate them for multiple purposes. These applications are becoming increasingly complex, adopting approaches that involve multiple specialized agents, each focused on one or more tasks, interacting with one another and using external tools to access information, perform operations, or carry out tasks that LLMs are not capable of handling directly (e.g., mathematical computations). --------------------------------------------- https://security.humanativaspa.it/attacking-genai-applications-and-llms-som… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2025-26397 - ZDI-25-654: SolarWinds TFTP Server Deserialization of Untrusted Data Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds TFTP Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the internal TFTP communications endpoint, which listens on the localhost interface on TCP port 8099 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-654/ ∗∗∗ Jetzt patchen! Attacken auf PaperCut NG/MF beobachtet ∗∗∗ --------------------------------------------- Aufgrund derzeit laufender Angriffe sollten Admins sicherstellen, dass sie eine aktuelle Ausgabe der Druckermanagementsoftware PaperCut NG/MF installiert haben. Sind Attacken erfolgreich, können Angreifer im schlimmsten Fall Schadcode auf Systeme schieben und ausführen. Sicherheitsupdates sind schon länger verfügbar. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Attacken-auf-PaperCut-NG-MF-beobach… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (freerdp, git-lfs, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, icu, ipa, iputils, krb5, libvpx, nodejs:22, osbuild-composer, perl, python-tornado, qt6-qtbase, sqlite, unbound, valkey, wireshark, and yggdrasil), Debian (libfastjson and php8.2), Fedora (glibc), Oracle (firefox, icu, perl, and unbound), Red Hat (389-ds-base, glib2, icu, libtpms, redis:6, redis:7, and yelp), SUSE (boost, forgejo-longterm, java-11-openj9, java-17-openj9, java-1_8_0-openj9, kernel, nginx, and salt), and Ubuntu (linux-xilinx-zynqmp, openjdk-8, openjdk-lts, poppler, and sqlite3). --------------------------------------------- https://lwn.net/Articles/1031812/ ∗∗∗ Samsung Security Updates for Smart TV, Audio and Displays ∗∗∗ --------------------------------------------- https://security.samsungtv.com/securityUpdates ∗∗∗ CVE-2025-2179 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2025-2179 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2025
by Daily end-of-shift report 28 Jul '25

28 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-07-2025 18:00 − Montag 28-07-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Supply-chain attacks on open source software are getting out of hand ∗∗∗ --------------------------------------------- It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users. --------------------------------------------- https://arstechnica.com/security/2025/07/open-source-repositories-are-seein… ∗∗∗ Amazon AI coding agent hacked to inject data wiping commands ∗∗∗ --------------------------------------------- As reported by 404 Media, on July 13, a hacker using the alias ‘lkmanka58’ added unapproved code on Amazon Q’s GitHub to inject a defective wiper that wouldn’t cause any harm, but rather sent a message about AI coding security. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-ai-coding-agent-hacke… ∗∗∗ Sophisticated Shuyal Stealer Targets 19 Browsers, Demonstrates Advanced Evasion ∗∗∗ --------------------------------------------- A new infostealing malware making the rounds can exfiltrate credentials and other system data even from browsing software considered more privacy-focused than mainstream options. --------------------------------------------- https://www.darkreading.com/endpoint-security/shuyal-stealer-targets-19-bro… ∗∗∗ French submarine secrets surface after cyber attack ∗∗∗ --------------------------------------------- European defence giant Naval Group has confirmed that it is investigating an alleged cyber attack which has seen what purports to be sensitive internal data published on the internet by hackers. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/french-submarine-secr… ∗∗∗ The Homograph Illusion: Not Everything Is As It Seems ∗∗∗ --------------------------------------------- A subtle yet dangerous email attack vector: homograph attacks. Threat actors are using visually similar, non-Latin characters to bypass security filters. --------------------------------------------- https://unit42.paloaltonetworks.com/homograph-attacks/ ∗∗∗ ToxicPanda: The Android Banking Trojan Targeting Europe ∗∗∗ --------------------------------------------- What is ToxicPanda? Bitsight Trace dives into detail on the banking malware, from impact breadth, delivery, technical analysis, and more. --------------------------------------------- https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study ∗∗∗ EU-Satelliteninternet: UK, Norwegen und Ukraine können sich IRIS2 anschließen ∗∗∗ --------------------------------------------- EU-Raumfahrtkommissar Kubiliius hat europäische Drittstaaten eingeladen, bei dem als Starlink-Alternative gedachten Satellitennetzwerk IRIS2 voll einzusteigen. --------------------------------------------- https://www.heise.de/news/EU-Satelliteninternet-UK-Norwegen-und-Ukraine-koe… ∗∗∗ How I hacked my washing machine ∗∗∗ --------------------------------------------- If you've known me for some amount of time you knew this was something that was bound to happen eventually. Yesterday (and technically today), me and a friend went on an endeavor to hack our washing machine, partially for the fun of it, and partially because there's actually a practical use for it. --------------------------------------------- https://nexy.blog/2025/07/27/how-i-hacked-my-washing-machine/ ∗∗∗ Protecting the Evidence in Real-Time with KQL Queries ∗∗∗ --------------------------------------------- A few weeks ago, I published a post titled Detecting Ransomware Final Stage Activities with KQL Queries where I shared different phases and detections during the last phase of a ransomware attack. Every time I read it, I realize just how broad and complex this topic truly is. --------------------------------------------- https://detect.fyi/protecting-the-evidence-in-real-time-with-kql-queries-ac… ∗∗∗ Lionishackers: Analyzing a corporate database seller ∗∗∗ --------------------------------------------- Outpost24’s threat intelligence researchers have been analyzing a corporate database seller known as "Lionishackers". They’re a financially motivated threat actor focused on exfiltrating and selling corporate databases. This post explores how they operate, where their attacks are taking place, and the current level of threat they pose. --------------------------------------------- https://outpost24.com/blog/lionishackers-corporate-database-seller/ ===================== = Vulnerabilities = ===================== ∗∗∗ Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks ∗∗∗ --------------------------------------------- More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account. --------------------------------------------- https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-expose… ∗∗∗ Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridiums Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances. --------------------------------------------- https://thehackernews.com/2025/07/critical-flaws-in-niagara-framework.html ∗∗∗ Support ausgelaufen: Admin-Attacke auf LG Netzwerkkamera LNV5110R möglich ∗∗∗ --------------------------------------------- Die Netzwerkkamera LNV5110R von LG Innotek sollte nicht mehr benutzt werden: Die US-Sicherheitsbehörde CISA (Cybersecurity & Infrastructure Security Agency) warnt vor einer Sicherheitslücke, für die es kein Sicherheitsupdate mehr geben wird. --------------------------------------------- https://www.heise.de/news/Support-ausgelaufen-Admin-Attacke-auf-LG-Netzwerk… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (audiofile, libcaca, libetpan, libxml2, php7.4, snapcast, and thunderbird), Fedora (glibc, iputils, mingw-binutils, and thunderbird), Red Hat (kernel, kernel-rt, mod_auth_openidc, and mod_auth_openidc:2.3), SUSE (afterburn, apache2, atop, chromedriver, chromium, cloud-init, deepin-feature-enable, firefox, firefox-esr, grafana, grype-db, gstreamer-plugins-bad, javamail, jupyter-jupyterlab-templates, jupyter-nbdime, konsole, libetebase, libxmp, minio-client-20250721T052808Z, MozillaFirefox, MozillaFirefox-branding-SLE, opera, pdns-recursor, perl-Authen-SASL, polkit, python-Django, python3-pycares, python311-starlette, rpi-imager, ruby3.4-rubygem-thor, spdlog, thunderbird, varnish, viewvc, and xtrabackup), and Ubuntu (openjdk-21-crac). --------------------------------------------- https://lwn.net/Articles/1031667/ ∗∗∗ Sicherheitsproblem: Hartkodierte Zugangsdaten gefährden PCs mit MyASUS ∗∗∗ --------------------------------------------- Die MyASUS-App kann zum Einfallstor für Angreifer werden. Schuld sind zwei Sicherheitslücken, die aber mittlerweile geschlossen sind. Wer das Tool nicht aktualisiert, riskiert unbefugte Zugriffe auf bestimmte Services. --------------------------------------------- https://www.heise.de/news/Sicherheitsproblem-Hartkodierte-Zugangsdaten-gefa… ∗∗∗ SyStrack LsiAgent.exe contains an improper DLL search order, allowing an attacker to execute arbitrary code and priv esc ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/335798 ∗∗∗ Mehrere Stored Cross-Site Scripting Schwachstellen im Optimizely Episerver Content Management System ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-stored-cross-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2025
by Daily end-of-shift report 25 Jul '25

25 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-07-2025 18:00 − Freitag 25-07-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hacker sneaks infostealer malware into early access Steam game ∗∗∗ --------------------------------------------- A threat actor called EncryptHub has compromised a game on Steam to distribute info-stealing malware to unsuspecting users downloading the title. A few days ago, the hacker (also tracked as Larva-208), injected malicious binaries into the Chemia game files hosted on Steam. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-sneaks-infostealer-ma… ∗∗∗ New Koske Linux malware hides in cute panda images ∗∗∗ --------------------------------------------- A new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory. Researchers from cybersecurity company AquaSec analyzed Koske and described it as "a sophhisticated Linux threat." Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-koske-linux-malware-hide… ∗∗∗ CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/07/castleloader-malware-infects-469.html ∗∗∗ Phishers Target Aviation Execs to Scam Customers ∗∗∗ --------------------------------------------- KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries. --------------------------------------------- https://krebsonsecurity.com/2025/07/phishers-target-aviation-execs-to-scam-… ∗∗∗ From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944 ∗∗∗ --------------------------------------------- In mid 2025, Google Threat Intelligence Group (GITG) identified a sophisticated and aggressive cyber campaign targeting multiple industries, including retail, airline, and insurance. This was the work of UNC3944, a financially motivated threat group that has exhibited overlaps with public reporting of "0ktapus," "Octo Tempest," and "Scattered Spider." Following public alerts from the Federal Bureau of Investigation (FBI), the group's targeting became clear. GTIG observed that the group was suspected of turning its ransomware and extortion operations to the U.S. retail sector. The campaign soon broadened further, with airline and transportation organizations in North America having also become targets. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git, kernel, nginx:1.24, and sudo), Fedora (dpkg, java-21-openjdk, java-25-openjdk, java-latest-openjdk, and valkey), Oracle (apache-commons-vfs, sudo, tigervnc, and xorg-x11-server), Red Hat (kernel, krb5, and openssh), SUSE (gnutls, ImageMagick, iputils, kernel-livepatch-MICRO-6-0-RT_Update_10, kubernetes1.18, libarchive, ovmf, python, and salt), and Ubuntu (iputils, linux-aws-6.14, linux-raspi, openjdk-21, and openjdk-24). --------------------------------------------- https://lwn.net/Articles/1031426/ ∗∗∗ Angriffe gegen Citrix Netscaler CVE-2025-6543 ∗∗∗ --------------------------------------------- https://www.cert.at/de/aktuelles/2025/7/angriffe-gegen-citrix-netscaler-cve… ∗∗∗ CVE-2025-38350 - ZDI-25-651: (Pwn2Own) Red Hat Enterprise Linux CBS Packet Scheduling Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-651/ ∗∗∗ Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/07/24/cisa-releases-six-indust… ∗∗∗ Medtronic MyCareLink Patient Monitor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily