=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 23-07-2025 18:00 − Thursday 24-07-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Microsoft: SharePoint servers also targeted in ransomware attacks ∗∗∗
---------------------------------------------
A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-servers…
∗∗∗ Hackers breach Toptal GitHub account, publish malicious npm packages ∗∗∗
---------------------------------------------
Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. The packages included data-stealing code that collected GitHub authentication tokens and then wiped the victims' systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-breach-toptal-github…
∗∗∗ Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware ∗∗∗
---------------------------------------------
The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners.
---------------------------------------------
https://thehackernews.com/2025/07/threat-actor-mimo-targets-magento-and.html
∗∗∗ Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-deploy-stealth-backdoor-in.html
∗∗∗ China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community ∗∗∗
---------------------------------------------
The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.
---------------------------------------------
https://thehackernews.com/2025/07/china-based-apts-deploy-fake-dalai-lama.h…
∗∗∗ Stealthy cyber spies linked to China compromising virtualization software globally ∗∗∗
---------------------------------------------
A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia.
---------------------------------------------
https://therecord.media/stealthy-china-spies-fire-ant-virtualization-softwa…
∗∗∗ Unmasking the new Chaos RaaS group attacks ∗∗∗
---------------------------------------------
Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.
---------------------------------------------
https://blog.talosintelligence.com/new-chaos-ransomware/
∗∗∗ Comeback of Lumma and NoName057(16): Cybercrime takedown failed ∗∗∗
---------------------------------------------
When law enforcement agencies succeed in dealing a major blow to cybercrime actors and infrastructure, the decline in criminal activity is rarely lasting: after a few internal reorganizations, they often continue their attacks as if (almost) nothing had happened.
---------------------------------------------
https://heise.de/-10498191
∗∗∗ Mitel warns of critical MiVoice MX-ONE authentication bypass flaw ∗∗∗
---------------------------------------------
Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mitel-warns-of-critical-mivo…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall urges admins to patch critical RCE flaw in SMA 100 devices ∗∗∗
---------------------------------------------
SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution. The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack).
---------------------------------------------
https://lwn.net/Articles/1031274/
∗∗∗ K000152680: BusyBox vulnerability CVE-2024-58251 ∗∗∗
---------------------------------------------
Attackers can launch network applications as local users, leading to a denial of service (DoS). As attackers require local access to run netstat commands, the attack is limited to the netstat command.
---------------------------------------------
https://my.f5.com/manage/s/article/K000152680
∗∗∗ K000152678: BusyBox vulnerability CVE-2025-46394 ∗∗∗
---------------------------------------------
An attacker could exploit this vulnerability by creating a TAR archive containing malicious files with names manipulated by escape sequences. When a user lists or extracts the contents of the archives, these malicious files might not be visible in the standard terminal output and may overwrite existing files.
---------------------------------------------
https://my.f5.com/manage/s/article/K000152678
∗∗∗ DSA-5964-1 firefox-esr - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00128.html
∗∗∗ DSA-5965-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00129.html
∗∗∗ CVE-2025-6983 - TP-Link Archer C1200 vulnerable to clickjacking ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN39913189/
∗∗∗ CVE-2025-8092 - COOKiES Consent Management - Moderately critical - Cross-site Scripting ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-092
∗∗∗ CVE-2025-7745 - 2025-07-24: Cyber Security Advisory -AC500 V2 Buffer overread on Modbus protocol ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011432&Language…
∗∗∗ CVE-2025-8069 - AWS Client VPN Windows Client Local Privilege Escalation ∗∗∗
---------------------------------------------
https://aws.amazon.com/de/security/security-bulletins/AWS-2025-014/
∗∗∗ CVE-2024-58256 - Security Advisory - OS Command Injection Vulnerability in Huawei EnzoH Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-OCIViHEP-en.html
∗∗∗ [R1] Tenable Identity Exposure Version 3.77.12 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-14
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 22-07-2025 18:00 − Wednesday 23-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Major European healthcare network discloses security breach ∗∗∗
---------------------------------------------
AMEOS Group, an operator of a massive healthcare network in Central Europe, has announced it has suffered a security breach that may have exposed customer, employee, and partner information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/major-european-healthcare-ne…
∗∗∗ CISA warns of hackers exploiting SysAid vulnerabilities in attacks ∗∗∗
---------------------------------------------
CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi…
∗∗∗ US nuclear weapons agency reportedly hacked in SharePoint attacks ∗∗∗
---------------------------------------------
Unknown threat actors have reportedly breached the National Nuclear Security Administration's (NNSA) network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-re…
∗∗∗ More than 700 models: Countless printers are being attacked via security vulnerabilities ∗∗∗
---------------------------------------------
Hundreds of printer models from Brother, Fujifilm, Konica Minolta, Ricoh and Toshiba are vulnerable. Attackers are now exploiting the security vulnerabilities.
---------------------------------------------
https://www.golem.de/news/mehr-als-700-modelle-unzaehlige-drucker-werden-ue…
∗∗∗ CCC and GFF: Constitutional complaint against Palantir police software ∗∗∗
---------------------------------------------
The Bavarian police are enthusiastic about the Palantir software. But civil rights activists and hackers think its use goes too far.
---------------------------------------------
https://www.golem.de/news/ccc-und-gff-verfassungsbeschwerde-gegen-polizeiso…
∗∗∗ Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages ∗∗∗
---------------------------------------------
Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers," said Matthew Suozzo of Google Open Source Security.
---------------------------------------------
https://thehackernews.com/2025/07/google-launches-oss-rebuild-to-expose.html
∗∗∗ Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.
---------------------------------------------
https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html
∗∗∗ New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials ∗∗∗
---------------------------------------------
The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information.
---------------------------------------------
https://thehackernews.com/2025/07/new-coyote-malware-variant-exploits.html
∗∗∗ Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine ∗∗∗
---------------------------------------------
Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations.
---------------------------------------------
https://hackread.com/suspected-xss-is-admin-cybercrime-forum-arrest-ukraine/
∗∗∗ Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload ∗∗∗
---------------------------------------------
Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404.
---------------------------------------------
https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fa…
∗∗∗ Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs ∗∗∗
---------------------------------------------
A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects. The vulnerability, classified as "Use of Insufficiently Random Values" affects multiple versions of the package and can lead to HTTP Parameter Pollution (HPP) attacks.
---------------------------------------------
https://socket.dev/blog/critical-vulnerability-in-popular-npm-form-data-pac…
=====================
= Vulnerabilities =
=====================
∗∗∗ Chrome, Firefox & Thunderbird: New versions fix vulnerabilities ∗∗∗
---------------------------------------------
Fresh browser and mail client releases from Google and Mozilla close vulnerabilities, some of high severity.
---------------------------------------------
https://www.heise.de/news/Chrome-Firefox-Thunderbird-Neue-Versionen-beheben…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound).
---------------------------------------------
https://lwn.net/Articles/1031104/
∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released nine Industrial Control Systems (ICS) advisories on July 22, 2025: DuraComm DP-10iN-100-MU, Lantronix Provisioning Manager, Schneider Electric EcoStruxure, Schneider Electric EcoStruxure Power Operation, Schneider Electric System Monitor Application, Schneider Electric EcoStruxure IT Data Center Expert, ICSA-25-175-03 Schneider Electric Modicon Controllers (Update A), ICSA-25-175-04 Schneider Electric EVLink WallBox (Update A), ICSA-25-014-02 Schneider Electric Vijeo Designer (Update A).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-releases-nine-indus…
∗∗∗ [CVE-2025-48932] Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability ∗∗∗
---------------------------------------------
https://www.reddit.com/r/netsec/comments/1m757kw/cve202548932_invision_comm…
∗∗∗ [CVE-2025-48933] Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://www.reddit.com/r/netsec/comments/1m7578r/cve202548933_invision_comm…
∗∗∗ ZDI-25-629: (0Day) Ashlar-Vellum Cobalt LI File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-629/
∗∗∗ ZDI-25-640: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-640/
∗∗∗ ZDI-25-639: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-639/
∗∗∗ ZDI-25-638: (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-638/
∗∗∗ Firefox 141.0 released ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1030971/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 21-07-2025 18:00 − Tuesday 22-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ring denies breach after users report suspicious logins ∗∗∗
---------------------------------------------
Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ring-denies-breach-after-use…
∗∗∗ Cisco: Maximum-severity ISE RCE flaws now exploited in attacks ∗∗∗
---------------------------------------------
Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-r…
∗∗∗ Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX.
---------------------------------------------
https://thehackernews.com/2025/07/iran-linked-dchspy-android-malware.html
∗∗∗ Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access ∗∗∗
---------------------------------------------
The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-exploit-sharepoint-zero-day.html
∗∗∗ Disrupting active exploitation of on-premises SharePoint vulnerabilities ∗∗∗
---------------------------------------------
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities to target internet-facing SharePoint servers.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-…
∗∗∗ Back to Business: Lumma Stealer Returns with Stealthier Methods ∗∗∗
---------------------------------------------
Lumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears to be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Updates for Firefox ∗∗∗
---------------------------------------------
Security updates have been released for Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1 and Firefox for iOS 141.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ ExpressVPN bug leaked user IPs in Remote Desktop sessions ∗∗∗
---------------------------------------------
ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users' real IP addresses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-i…
∗∗∗ HPE Aruba Instant On Access Points: Update closes vulnerabilities, one of them critical ∗∗∗
---------------------------------------------
HPE Aruba Networking has published a security advisory for its "Instant On" access points. In it, the company warns of two vulnerabilities, one of which has been rated critical.
---------------------------------------------
https://www.heise.de/news/HPE-Aruba-Instant-On-Access-Points-Update-schlies…
∗∗∗ Sophos Firewall: Hotfixes eliminate remote attack risk ∗∗∗
---------------------------------------------
Fresh hotfixes for the Sophos Firewall close a total of five security vulnerabilities, two of which were rated "critical", two high and one medium severity. Under certain conditions they could be abused for remote code execution, in two cases without prior authentication.
---------------------------------------------
https://www.heise.de/news/Sophos-Firewall-Hotfixes-beseitigen-Remote-Angrif…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri).
---------------------------------------------
https://lwn.net/Articles/1030930/
∗∗∗ Synology-SA-25:08 BeeDrive for desktop ∗∗∗
---------------------------------------------
Synology has released a security update for the BeeDrive desktop tool on Windows to address multiple vulnerabilities. Please refer to the Affected Products table for the corresponding updates.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_08
∗∗∗ Vulnerability Summary for the Week of July 14, 2025 ∗∗∗
---------------------------------------------
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb25-202
∗∗∗ Vulnerability in Kubernetes: CVE-2025-7342, CVSS Rating High 8.1 ∗∗∗
---------------------------------------------
A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Nutanix or the OVA provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/133115
∗∗∗ VDE: MB connect line, Multiple vulnerabilities in mbNET.mini ∗∗∗
---------------------------------------------
https://certvde.com/en/advisories/VDE-2025-058/
∗∗∗ VDE: Helmholz, Multiple vulnerabilities in REX 100 ∗∗∗
---------------------------------------------
https://certvde.com/en/advisories/VDE-2025-059/
∗∗∗ TYPO3-EXT-SA-2025-010: Insecure Direct Object Reference in extension "femanager" (femanager) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-010
∗∗∗ TYPO3-EXT-SA-2025-009: Insecure Direct Object Reference in extension "powermail" (powermail) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-009
∗∗∗ F5: K000152658, Golang vulnerability CVE-2024-45341 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152658
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-07-2025 18:00 − Monday 21-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Threat actors downgrade FIDO2 MFA auth in PoisonSeed phishing attack ∗∗∗
---------------------------------------------
A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests from fake company portals.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido…
∗∗∗ The SOC files: APT41’s new target in Africa ∗∗∗
---------------------------------------------
Some time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African region. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a captive SharePoint server within the victim’s infrastructure.
---------------------------------------------
https://securelist.com/apt41-in-africa/116986/
∗∗∗ UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns ∗∗∗
---------------------------------------------
Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign.
---------------------------------------------
https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html
∗∗∗ Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.
---------------------------------------------
https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html
∗∗∗ EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware ∗∗∗
---------------------------------------------
The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware.
---------------------------------------------
https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html
∗∗∗ New fraud scheme with manipulated invoices ∗∗∗
---------------------------------------------
I received a strange piece of information about a new fraud scheme. A seller and a buyer agree on a deal. The seller sends an invoice, which the buyer pays. The money, however, ends up in a third party's account because the invoice was manipulated in transit.
---------------------------------------------
https://www.borncity.com/blog/2025/07/19/neue-betrugsmasche-mit-manipuliert…
∗∗∗ SquidLoader Malware Campaign Hits Hong Kong Financial Firms ∗∗∗
---------------------------------------------
Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia.
---------------------------------------------
https://hackread.com/squidloader-malware-hits-hong-kong-financial-firms/
∗∗∗ New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia ∗∗∗
---------------------------------------------
Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration.
---------------------------------------------
https://hackread.com/new-ghostcontainer-malware-ms-exchange-servers-asia/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerability in Microsoft SharePoint - actively exploited, updates available ∗∗∗
---------------------------------------------
Outside of its regular patch cycle, Microsoft has published information on, and security updates for, a critical zero-day vulnerability in Microsoft SharePoint. The vulnerability CVE-2025-53770 has been exploited by threat actors since at least 18.07.2025. It is a variant of an already known and fixed issue, CVE-2025-49706.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-in-micro…
∗∗∗ CrushFTP: Older versions can grant unauthorized admin access ∗∗∗
---------------------------------------------
CVE-2025-54309: Anyone using CrushFTP for data transfer should check whether the version in use is up to date. Last Friday the development team discovered in-the-wild attacks on older releases which, in the worst case, could lead to attackers taking over the admin account.
---------------------------------------------
https://www.heise.de/news/CrushFTP-Aeltere-Versionen-koennen-unbefugten-Adm…
∗∗∗ Admin access for everyone: Hard-coded credentials discovered in HPE devices ∗∗∗
---------------------------------------------
The US IT company Hewlett Packard Enterprise (HPE) has closed two security vulnerabilities in its Instant On access points. One of them is based on hard-coded credentials and grants attackers admin access on vulnerable systems. The second vulnerability allows unauthorized command execution on the operating system of the HPE devices. Administrators should urgently apply the available patches.
---------------------------------------------
https://www.golem.de/news/admin-zugriff-fuer-alle-fest-kodierte-zugangsdate…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (angular.js and batik), Fedora (chromium, pypy, screen, unbound, wine, and wine-mono), Mageia (djvulibre, quictls, and redis), Red Hat (avahi, gnome-remote-desktop, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-openjdk, kernel, kernel-rt, python-setuptools, redis, and valkey), SUSE (chromedriver, coreutils, cosign, docker, FastCGI, ffmpeg-4, fractal, gimp, glib2, ImageMagick, iputils, java-17-openjdk, java-24-openjdk, jq, kubelogin, kubernetes1.23, kubernetes1.24, kubernetes1.26, python-requests, python3, rmt-server, rustup, and thunderbird), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/1030774/
∗∗∗ Customer guidance for SharePoint vulnerability CVE-2025-53770 ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vu…
∗∗∗ Malicious packages uploaded to the Arch Linux AUR ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1030603/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 17-07-2025 18:00 − Friday 18-07-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ GitHub abused to distribute payloads on behalf of malware-as-a-service ∗∗∗
---------------------------------------------
Researchers from Cisco’s Talos security team have uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets. The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that’s greenlit in many enterprise networks that rely on the code repository for the software they develop.
---------------------------------------------
https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-…
∗∗∗ Microsoft Teams voice calls abused to push Matanbuchus malware ∗∗∗
---------------------------------------------
The Matanbuchus malware loader has been seen being distributed through social engineering over Microsoft Teams calls impersonating IT helpdesk.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-…
∗∗∗ New Phobos ransomware decryptor lets victims recover files for free ∗∗∗
---------------------------------------------
The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryp…
∗∗∗ Unmasking Malicious APKs: Android Malware Blending Click Fraud and Credential Theft ∗∗∗
---------------------------------------------
Malicious APKs (Android Package Kit files) continue to serve as one of the most persistent and adaptable delivery mechanisms in mobile threat campaigns. Threat actors routinely exploit social engineering and off-market distribution to bypass conventional security controls and capitalize on user trust to steal a variety of data, such as login credentials.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-m…
∗∗∗ WordPress Redirect Malware Hidden in Google Tag Manager Code ∗∗∗
---------------------------------------------
Last month, a customer contacted us after noticing their WordPress website was unexpectedly redirecting to a spam domain. The redirection occurred approximately 4-5 seconds after a user landed on the site. Upon closer inspection of the site’s source code we found a suspicious Google Tag Manager loading. This isn’t the first time we’ve seen GTM abused. Earlier this year, we analyzed a credit card skimming attack where attackers injected a payment skimmer via a GTM container. This blog post details our full investigation into this campaign, how it was injected, how it worked, and how we removed it.
---------------------------------------------
https://blog.sucuri.net/2025/07/wordpress-redirect-malware-hidden-in-google…
∗∗∗ LLMs in Applications – Understanding and Scoping Attack Surface ∗∗∗
---------------------------------------------
In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications.
---------------------------------------------
https://blog.includesecurity.com/2025/07/llms-in-applications-understanding…
∗∗∗ Scanception Exposed: New QR Code Attack Campaign Exploits Unmonitored Mobile Access ∗∗∗
---------------------------------------------
Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems. Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate PDF documents.
---------------------------------------------
https://thecyberexpress.com/scanception-qr-code-quishing-campaign/
=====================
= Vulnerabilities =
=====================
∗∗∗ Keycloak identity and access management system CVE-2025-7784 ∗∗∗
---------------------------------------------
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement.
---------------------------------------------
https://access.redhat.com/security/cve/CVE-2025-7784
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails).
---------------------------------------------
https://lwn.net/Articles/1030479/
∗∗∗ Trend Micro Worry Free Business 10.0 SP 1 – Patch 2518 released ∗∗∗
---------------------------------------------
On 15.7.2025 the security vendor Trend Micro released Trend Micro Worry Free Business (WFBS) 10.0 SP 1 – Patch 2518. The patch contains various security fixes and is also intended to fix several bugs. For example, OpenSSL 3.0.15 is updated in the Apache web server to improve product security.
---------------------------------------------
https://www.borncity.com/blog/2025/07/18/trend-micro-worry-free-business-10…
∗∗∗ K000152614: Apache Commons vulnerability CVE-2025-48976 ∗∗∗
---------------------------------------------
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
---------------------------------------------
https://my.f5.com/manage/s/article/K000152614
∗∗∗ NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266) ∗∗∗
---------------------------------------------
New critical vulnerability with 9.0 CVSS presents systemic risk to the AI ecosystem, carries widespread implications for AI infrastructure.
---------------------------------------------
https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape
∗∗∗ SOLIDWORKS eDrawings: Use After Free vulnerability CVE-2025-7042 ∗∗∗
---------------------------------------------
https://www.3ds.com/trust-center/security/security-advisories/cve-2025-7042
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 16-07-2025 18:00 − Thursday 17-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles ∗∗∗
---------------------------------------------
KAWA4096, a ransomware whose name includes "Kawa", the Japanese word for "river", first emerged in June 2025. This new threat features a leak site that follows the style of the Akira ransomware group, and a ransom note format similar to Qilin’s, likely an attempt to further enrich their visibility and credibility. In this blog ..
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-r…
∗∗∗ Oracle: 309 security updates for all sorts of products ∗∗∗
---------------------------------------------
For its July patch day, called the Critical Patch Update, Oracle has announced 309 security updates. Dozens of products are vulnerable.
---------------------------------------------
https://www.heise.de/news/Oracle-309-Sicherheitsupdates-fuer-alle-moegliche…
∗∗∗ Cisco: Security vulnerabilities in several products ∗∗∗
---------------------------------------------
Cisco's ISE has yet another vulnerability with the maximum threat level. Cisco also warns of further vulnerabilities in more products.
---------------------------------------------
https://www.heise.de/news/Weitere-kritische-Luecke-in-Ciscos-ISE-10490589.h…
∗∗∗ Trump releases one billion dollars for offensive cyber operations ∗∗∗
---------------------------------------------
How exactly the money is to be used is not known. The focus is likely to be primarily on China.
---------------------------------------------
https://www.derstandard.at/story/3000000279549/trump-gibt-eine-milliarde-do…
∗∗∗ Google spots tailored backdoor malware aimed at SonicWall appliances ∗∗∗
---------------------------------------------
Google researchers reported on a malware campaign against end-of-life SonicWall appliances, noting that the attackers were good at covering their tracks.
---------------------------------------------
https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148
∗∗∗ Detection Engineering: Practicing Detection-as-Code – Repository – Part 2 ∗∗∗
---------------------------------------------
This is the second part of the Practicing Detection-as-Code series, where we will cover some basic elements of designing a repository to develop, store, and deploy detections from. We'll go through several different aspects of the setup like the Git platform, branch strategy, repository structure, detections structure, taxonomies, and content packs.
---------------------------------------------
https://blog.nviso.eu/2025/07/17/detection-engineering-practicing-detection…
∗∗∗ Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public ∗∗∗
---------------------------------------------
GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 - nearly two weeks before a public proof-of-concept was released on July 4.
---------------------------------------------
https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-befo…
∗∗∗ Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts ∗∗∗
---------------------------------------------
A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessageTM SGNL. If exposed, this endpoint can return a full snapshot of heap memory which may include plaintext usernames, passwords, and other sensitive data.
---------------------------------------------
https://www.greynoise.io/blog/active-exploit-attempts-signal-based-messagin…
∗∗∗ How to catch GitHub Actions workflow injections before attackers do ∗∗∗
---------------------------------------------
Strengthen your repositories against actions workflow injections - one of the most common vulnerabilities.
---------------------------------------------
https://github.blog/security/vulnerability-research/how-to-catch-github-act…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, and linux-raspi, linux-raspi-5.4).
---------------------------------------------
https://lwn.net/Articles/1030256/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 15-07-2025 18:00 − Wednesday 16-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers exploit a blind spot by hiding malware inside DNS records ∗∗∗
---------------------------------------------
Technique transforms the Internet DNS into an unconventional file storage system.
---------------------------------------------
https://arstechnica.com/security/2025/07/hackers-exploit-a-blind-spot-by-hi…
∗∗∗ Patch urgently: Zero-day vulnerability lets hackers break out of the Chrome sandbox ∗∗∗
---------------------------------------------
Google has closed several security vulnerabilities in Chrome via an update. One is already being actively exploited and enables a sandbox escape.
---------------------------------------------
https://www.golem.de/news/google-warnt-zero-day-luecke-in-chrome-laesst-hac…
∗∗∗ Botnet shut down: BKA takes action against pro-Russian hacker group ∗∗∗
---------------------------------------------
The Russian hacker group NoName057(16) coordinated DDoS attacks with 100 of its own servers and more than 1,000 supporters on Telegram.
---------------------------------------------
https://www.golem.de/news/botnetz-abgeschaltet-bka-geht-gegen-prorussische-…
∗∗∗ Curl Creator Mulls Nixing Bug Bounty Awards To Stop AI Slop ∗∗∗
---------------------------------------------
Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to ..
---------------------------------------------
https://it.slashdot.org/story/25/07/16/0618255/curl-creator-mulls-nixing-bu…
∗∗∗ VMware patches partly critical security vulnerabilities ∗∗∗
---------------------------------------------
VMware ESXi, Workstation, Fusion and Tools contain security vulnerabilities, some of them critical. Updates are intended to close them.
---------------------------------------------
https://www.heise.de/news/VMware-stopft-teils-kritische-Sicherheitsluecken-…
∗∗∗ Police dismantle DiskStation ransomware gang targeting NAS devices, arrest suspected ringleader ∗∗∗
---------------------------------------------
Police have struck a blow against the DiskStation ransomware gang, which targets Synology NAS devices, and arrested its suspected ringleader. Make sure that you have properly hardened the security of your Network Access ..
---------------------------------------------
https://www.fortra.com/blog/police-dismantle-diskstation-ransomware-gang
∗∗∗ NSA: Volt Typhoon was ‘not successful’ at persisting in critical infrastructure ∗∗∗
---------------------------------------------
"The good news" is that China's Volt Typhoon hacking campaign "really failed," an NSA official said at a cyber conference in New York. An FBI official also described an incident of "true cyberwarfare" with the Flax Typhoon group.
---------------------------------------------
https://therecord.media/china-typhoon-hackers-nsa-fbi-response
∗∗∗ Old Miner, New Tricks ∗∗∗
---------------------------------------------
The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2miner campaigns that we documented in 2020 and have since been updated with new configurations. H2Miner is a Crypto mining botnet that has been active since late 2019.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/old-miner-new-tricks
∗∗∗ I SPy: Escalating to Entra ID's Global Admin with a first-party app ∗∗∗
---------------------------------------------
Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led to the development of new security controls. Despite these efforts, we uncovered a vulnerable, built-in SP that could have allowed escalation ..
---------------------------------------------
https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-gl…
∗∗∗ ControlPlane Local Privilege Escalation Vulnerability on macOS ∗∗∗
---------------------------------------------
ControlPlane, originally a fork of MarcoPolo, is a powerful open-source context-aware automation tool for macOS. Developed initially by Dustin Rue, the project is no longer maintained and does not function on the latest versions of macOS. Despite this, it remains in use by a number of users and serves as an interesting target for application security research on Apple's platform. ControlPlane leverages inputs such as WiFi networks, Bluetooth devices, location, ..
---------------------------------------------
http://blog.quarkslab.com/controlplane_lpe_macos.html
∗∗∗ Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 ∗∗∗
---------------------------------------------
This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation.
---------------------------------------------
https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-e…
∗∗∗ Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users ∗∗∗
---------------------------------------------
Socket’s Threat Research Team recently reported on two npm packages with hidden functionality for Russian-language users visiting Russian domains in a browser. In the last few weeks, the team has found the ..
---------------------------------------------
https://socket.dev/blog/protestware-update-28-npm-packages-affected-by-payl…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (cloud-init, emacs, firefox, glib2, go-toolset:rhel8, kernel, lz4, python-setuptools, python3.11-setuptools, python3.12-setuptools, and socat), Red Hat (fence-agents, glib2, glibc, java-17-openjdk, kernel, kernel-rt, python-setuptools, python3.11-setuptools, and python3.12-setuptools), Slackware (libxml2), SUSE (glib2, gpg2, kernel, libxml2, poppler, rmt-server, runc, stalld, and xen), and Ubuntu (jpeg-xl).
---------------------------------------------
https://lwn.net/Articles/1030106/
∗∗∗ CVE-2025-4919: Corruption via Math Space in Mozilla Firefox ∗∗∗
---------------------------------------------
In recent years, there has been increased interest in JavaScript engine vulnerabilities as a way to compromise web browsers. Notably, vulnerabilities in JIT engines are among the most favored, as they provide strong primitives and well-known techniques are already available to facilitate compromise. At Pwn2Own Berlin 2025, Manfred Paul compromised the Mozilla ..
---------------------------------------------
https://www.thezdi.com/blog/2025/7/14/cve-2025-4919-corruption-via-math-spa…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 14-07-2025 18:00 − Tuesday 15-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MITRE Launches AADAPT Framework for Financial Systems ∗∗∗
---------------------------------------------
The new framework is modeled after and meant to complement the MITRE ATT&CK framework, and it is aimed at detecting and responding to cyberattacks on cryptocurrency assets and other financial targets.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/mitre-aadapt-framework-…
∗∗∗ US rail traffic at risk: Hackers have been able to stop trains remotely for years ∗∗∗
---------------------------------------------
The problem has been known for 13 years but still has not been fixed. Trains in the USA can be stopped via radio signal - for example with a Flipper Zero.
---------------------------------------------
https://www.golem.de/news/us-schienenverkehr-gefaehrdet-hacker-koennen-zueg…
∗∗∗ North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign ∗∗∗
---------------------------------------------
The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks.
---------------------------------------------
https://thehackernews.com/2025/07/north-korean-hackers-flood-npm-registry.h…
∗∗∗ Securing Agentic AI: How to Protect the Invisible Identity Access ∗∗∗
---------------------------------------------
AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere, often with a high-privilege API key, OAuth token, or service account that defenders can’t easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers.
---------------------------------------------
https://thehackernews.com/2025/07/securing-agentic-ai-how-to-protect.html
∗∗∗ AsyncRAT's Open-Source Code Sparks Surge in Dangerous Malware Variants Across the Globe ∗∗∗
---------------------------------------------
Cybersecurity researchers have charted the evolution of a widely used remote access trojan called AsyncRAT, which was first released on GitHub in January 2019 and has since served as the foundation for several other variants.
---------------------------------------------
https://thehackernews.com/2025/07/asyncrats-open-source-code-sparks-surge.h…
∗∗∗ Framework 13. Press here to pwn ∗∗∗
---------------------------------------------
BIOS protection is the digital equivalent of a locked front door, but what if the doorbell doubled as a reset button? The Framework 13 laptop has a chassis intrusion detection switch. It’s designed to notify the BIOS when the laptop body has been opened. However, the same switch can be manipulated to reset the BIOS. This wipes critical protections like the BIOS administrator password, along with important security options such as secure boot and even the chassis intrusion lockout itself!
---------------------------------------------
https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pw…
∗∗∗ Windows 10: How long Microsoft 365 apps will still receive updates ∗∗∗
---------------------------------------------
Microsoft has now named the dates on which the supply of security updates for Microsoft 365 apps on Windows 10 will end after 14 October 2025, but surprisingly is even still providing feature updates (up to version 2608). The same applies to Windows Server 2016/2019 if MS 365 apps run there under Terminal Server. There are staggered dates for the rollout of Microsoft 365 version 2608 and thus for the release of the feature updates. Security updates will then continue until October 2025.
---------------------------------------------
https://www.borncity.com/blog/2025/07/15/windows-10-solange-bekommen-micros…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg), Fedora (gnutls, linux-firmware, mingw-djvulibre, mingw-python-requests, and salt), Mageia (qtimageformats6), Oracle (gnome-remote-desktop, golang, kernel, libxml2, and perl-File-Find-Rule), SUSE (gstreamer-plugins-base, gstreamer-plugins-good, kernel, and protobuf), and Ubuntu (apport, glibc, gnutls28, and roundcube).
---------------------------------------------
https://lwn.net/Articles/1029919/
∗∗∗ Zyxel security advisory for path traversal vulnerability in APs ∗∗∗
---------------------------------------------
Zyxel has released patches to address a path traversal vulnerability in the file_upload-cgi CGI program of certain access point (AP) firmware versions. Users are advised to install these patches for optimal protection.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 11-07-2025 18:00 − Monday 14-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WordPress Gravity Forms developer hacked to push backdoored plugins ∗∗∗
---------------------------------------------
The popular WordPress plugin Gravity Forms has been compromised in what seems a supply-chain attack where manual installers from the official website were infected with a backdoor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-gravity-forms-deve…
∗∗∗ Google Gemini flaw hijacks email summaries for phishing ∗∗∗
---------------------------------------------
Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-e…
∗∗∗ After cyberattack: Ministry confirms possible data leak at the police ∗∗∗
---------------------------------------------
Hackers attacked a system for managing the service mobile phones of the Mecklenburg-Vorpommern state police. A data leak can no longer be ruled out.
---------------------------------------------
https://www.golem.de/news/mecklenburg-vorpommern-moeglicher-datenabfluss-be…
∗∗∗ GPUHammer: New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs ∗∗∗
---------------------------------------------
NVIDIA is urging customers to enable System-level Error Correction Codes (ECC) as a defense against a variant of a RowHammer attack demonstrated against its graphics processing units (GPUs).
---------------------------------------------
https://thehackernews.com/2025/07/gpuhammer-new-rowhammer-attack-variant.ht…
∗∗∗ eSIM Vulnerability in Kigen's eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks. The issues impact the Kigen eUICC card. According to the Irish company's website, more than two billion SIMs in IoT devices have been enabled as of December 2020.
---------------------------------------------
https://thehackernews.com/2025/07/esim-vulnerability-in-kigens-euicc.html
∗∗∗ Cyberattack on nius.de: user data allegedly published ∗∗∗
---------------------------------------------
On Saturday a cyberattack hit the portal nius.de. Article titles were manipulated, and subscriber data was apparently also published.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-auf-nius-de-mutmasslich-Nutzerdaten-…
∗∗∗ willhaben & PayLivery: How criminals exploit an otherwise secure service ∗∗∗
---------------------------------------------
They are "very strongly interested" and do not want to "miss out again". Criminals pose as potential buyers on willhaben and try to lure their victims out of the platform's secure environment into a messenger. The purpose is to bypass the platform's internal security mechanisms. We explain what PayLivery actually is, how it works and what to pay attention to when using it.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-paylivery-sicheres-service/
∗∗∗ KongTuke FileFix Leads to New Interlock RAT Variant ∗∗∗
---------------------------------------------
Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT).
---------------------------------------------
https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interloc…
=====================
= Vulnerabilities =
=====================
∗∗∗ CERT warns of UEFI vulnerabilities in Gigabyte firmware ∗∗∗
---------------------------------------------
The UEFI firmware of numerous Gigabyte mainboards contains vulnerabilities through which attackers can escalate their privileges on the system very extensively. Gigabyte is providing BIOS updates for numerous mainboards that close the vulnerabilities.
---------------------------------------------
https://www.heise.de/news/CERT-warnt-vor-UEFI-Sicherheitsluecken-in-Gigabyt…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (redis and thunderbird), Fedora (cef, git, gnutls, httpd, linux-firmware, luajit, mingw-djvulibre, mingw-python-requests, perl, php, python-requests, python3.6, salt, and selenium-manager), Mageia (dpkg, firefox, gnupg2, and golang), Slackware (httpd and kernel), SUSE (afterburn, cmctl, git, go1.23, go1.24, k9s, liboqs-devel, libxml2, php8, python36, trivy, and xen), and Ubuntu (linux-xilinx-zynqmp and nix).
---------------------------------------------
https://lwn.net/Articles/1029764/
∗∗∗ COPADATA: CD_SVA_2025_01: zenon Remote Transport Vulnerability ∗∗∗
---------------------------------------------
https://selfservice.copadata.com/portal/en/kb/articles/cd-10-7-2025
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-07-2025 18:00 − Friday 11-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Arrested in Paris: Russian professional basketball player allegedly supported cyber gang ∗∗∗
---------------------------------------------
A player of MBA Moskau has been arrested in France. The US judiciary accuses him of having negotiated ransom payments for a ransomware gang.
---------------------------------------------
https://www.golem.de/news/in-paris-verhaftet-russischer-basketballprofi-sol…
∗∗∗ PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy's BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors. The vulnerabilities, ..
---------------------------------------------
https://thehackernews.com/2025/07/perfektblue-bluetooth-vulnerabilities.html
∗∗∗ Now everybody but Citrix agrees that CitrixBleed 2 is under exploit ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency has added its weighty name to the list of parties agreeing that CVE-2025-5777, dubbed CitrixBleed 2 by one researcher, has been under exploitation and abused to hijack user sessions.
---------------------------------------------
https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
∗∗∗ Trend Micro: Several products with high-risk vulnerabilities ∗∗∗
---------------------------------------------
Trend Micro has published vulnerability descriptions covering flaws in several products. Updates are available.
---------------------------------------------
https://www.heise.de/news/Trend-Micro-Mehrere-Produkte-mit-hochriskanten-Lu…
∗∗∗ Hacker group allegedly carried out 170 cyberattacks ∗∗∗
---------------------------------------------
At least 170 attacks with damages in the millions: investigators are targeting an international hacker group.
---------------------------------------------
https://www.heise.de/news/Hackergruppe-soll-170-Cyberangriffe-veruebt-haben…
∗∗∗ Critical code-injection vulnerability in Wing FTP under attack ∗∗∗
---------------------------------------------
Attackers are exploiting a security vulnerability in the data transfer software Wing FTP that allows malicious code to be injected.
---------------------------------------------
https://www.heise.de/news/Codeschmuggel-Luecke-in-Wing-FTP-wird-angegriffen…
∗∗∗ UK Arrests Four in ‘Scattered Spider’ Ransom Group ∗∗∗
---------------------------------------------
Authorities in the United Kingdom this week arrested four alleged members of "Scattered Spider," a prolific data theft and extortion group whose recent victims include multiple airlines and the U.K. retail chain Marks & Spencer.
---------------------------------------------
https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ran…
∗∗∗ Sil3ncer Deployed – RCE, Porn Diversion, and Ransomware on an SFTP-only Server ∗∗∗
---------------------------------------------
We investigated a ransomware incident on a Windows Server 2012 host running in an SFTP-only role. The attacker delivered an attack that combined remote code execution, persistence, tunnelling, and a diversionary visit to Pornhub, before launching a ransomware payload. Background & scope: An easy way in. The compromised server was ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/sil3ncer-deployed-rce-porn-di…
∗∗∗ Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques ∗∗∗
---------------------------------------------
SLOW#TEMPEST malware uses dynamic jumps and obfuscated calls to evade detection. Unit 42 details these techniques and how to defeat them with emulation.
---------------------------------------------
https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/
∗∗∗ Former Mexican president investigated over allegedly taking bribes from spyware industry ∗∗∗
---------------------------------------------
The investigation comes in response to an account in the Israeli business publication TheMarker, which reported that the contracts included a deal to buy Pegasus — the powerful spyware manufactured by Israel-based NSO Group.
---------------------------------------------
https://therecord.media/former-mexican-president-investigated-spyware-bribes
∗∗∗ Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) ∗∗∗
---------------------------------------------
Welcome back to yet another day in this parallel universe of security. This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. That's a great question; no one ..
---------------------------------------------
https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 09-07-2025 18:00 − Thursday 10-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ IT outage at Ameos: cyberattack hits large hospital group ∗∗∗
---------------------------------------------
Following a cyberattack, the Ameos Group has taken its services offline. The result: outages at numerous hospitals and care facilities.
---------------------------------------------
https://www.golem.de/news/it-ausfall-bei-ameos-cyberangriff-trifft-grossen-…
∗∗∗ Sudden full access: attack technique tricks Android users with animations ∗∗∗
---------------------------------------------
Using an attack technique called TapTrap, attackers gain far-reaching access rights completely unnoticed. Even Android 16 offers no protection against it.
---------------------------------------------
https://www.golem.de/news/ploetzlich-vollzugriff-angriffstechnik-trickst-an…
∗∗∗ InfoFlood: AI safety bypassed with verbose prose ∗∗∗
---------------------------------------------
If AI chatbots are flooded with information and technical jargon, they will even produce instructions for hacking ATMs.
---------------------------------------------
https://www.golem.de/news/infoflood-ki-sicherheit-mit-ausschweifender-prosa…
∗∗∗ Code highlighting with Cursor AI for $500,000 ∗∗∗
---------------------------------------------
Kaspersky GReAT experts uncover malicious extensions for Cursor AI that download the Quasar backdoor and a crypto stealer.
---------------------------------------------
https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-cryp…
∗∗∗ Attackers Inject Code into WordPress Theme to Redirect Visitors ∗∗∗
---------------------------------------------
In a recent article we discussed some of the reasons sites are frequently attacked. That article covered browser redirects, and we’ll explore an example of such a case here. Website themes are a common attack vector for many reasons. The theme is guaranteed to load on every page, that is the core design of any site, and themes can easily be ..
---------------------------------------------
https://blog.sucuri.net/2025/07/attackers-inject-code-into-wordpress-theme-…
∗∗∗ At last, a use case for AI agents with sky-high ROI: Stealing crypto ∗∗∗
---------------------------------------------
Boffins outsmart smart contracts with evil automation. Using AI models to generate exploits for cryptocurrency contract flaws appears to be a promising business model, though not necessarily a legal one.
---------------------------------------------
https://www.theregister.com/2025/07/10/ai_agents_automatically_steal_crypto…
∗∗∗ 200,000 websites at risk due to security flaw in WordPress plug-in SureForms ∗∗∗
---------------------------------------------
Anyone using the SureForms plug-in in their own WordPress instances should update: a security vulnerability allows site takeover.
---------------------------------------------
https://www.heise.de/news/WordPress-Plug-in-SureForms-Sicherheitsluecke-gef…
∗∗∗ Cyberattack by conference call: five young men under suspicion ∗∗∗
---------------------------------------------
Five young men blocked the telephone lines of around 800 police stations. The trick they used was simple, but it caused a lot of trouble.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-per-Telefonkonferenz-Fuenf-junge-Mae…
∗∗∗ McDonald’s AI bot spills data on job applicants ∗∗∗
---------------------------------------------
The job applicants' personal information could be accessed by simply guessing a username and using the password “12345.”
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/07/mcdonalds-ai-bot-spills-data…
∗∗∗ FinanzOnline: "Urgent security warning due to login attempt" is a phishing trap ∗∗∗
---------------------------------------------
A new phishing wave in the name of FinanzOnline is after users' login credentials. Criminals send emails warning of alleged "unknown login attempts". Anyone who clicks the link to supposedly review their security settings lands on a fake portal.
---------------------------------------------
https://www.watchlist-internet.at/news/finanzonline-sicherheitswarnung-phis…
∗∗∗ Fix the Click: Preventing the ClickFix Attack Vector ∗∗∗
---------------------------------------------
ClickFix campaigns are on the rise. We highlight three that distributed NetSupport RAT, Latrodectus, and Lumma Stealer malware.
---------------------------------------------
https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
∗∗∗ Russian basketball player arrested in France over alleged ransomware ties ∗∗∗
---------------------------------------------
Daniil Kasatkin, 26, was detained in June at Paris’s Charles de Gaulle Airport shortly after arriving in the country with his fiancée, according to local media reports.
---------------------------------------------
https://therecord.media/russian-basketball-player-arrested-in-france-ransom…
∗∗∗ Austria's National Council approves malware for surveillance of persons deemed a threat ∗∗∗
---------------------------------------------
Phones and computers are to be infected with malware so that Austrian investigators can gain access. Only 2 MPs from the governing parties dared to object.
---------------------------------------------
https://heise.de/-10481818
∗∗∗ Laravel: APP_KEY leakage analysis ∗∗∗
---------------------------------------------
This blog post sums up our journey, from identifying vulnerabilities related to Laravel encryption to scaling this knowledge into the compromise of a massive number of internet-facing applications. We will talk about the methodology we used in order to collect data over the internet as well as how we analyzed it to get the most relevant results.
---------------------------------------------
https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html
∗∗∗ Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 ∗∗∗
---------------------------------------------
This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation.
---------------------------------------------
https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-e…
=====================
= Vulnerabilities =
=====================
∗∗∗ Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-088
∗∗∗ Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-087
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-07-2025 18:00 − Wednesday 09-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Android TapTrap attack fools users with invisible UI trick ∗∗∗
---------------------------------------------
A novel tapjacking technique can exploit user interface animations to bypass Android's permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-android-taptrap-attack-f…
∗∗∗ Update not distributed: mainboard manufacturers to blame for unfixed TPM bug, according to AMD ∗∗∗
---------------------------------------------
AMD has had a fix since 2022 for a bug that can lock out Windows users with BitLocker enabled. But the mainboard manufacturers are not shipping it.
---------------------------------------------
https://www.golem.de/news/fix-nicht-ausgeliefert-amd-kritisiert-mainboard-h…
∗∗∗ Massive browser hijacking campaign infects 2.3M Chrome, Edge users ∗∗∗
---------------------------------------------
These extensions weren't malware-laced from the start, researcher says. A Chrome and Edge extension with more than 100,000 downloads that displays Google's verified badge does what it purports to do: It delivers a color picker to users. Unfortunately, it also ..
---------------------------------------------
https://www.theregister.com/2025/07/08/browser_hijacking_campaign/
∗∗∗ Patch Tuesday: Microsoft closes $100,000 SharePoint vulnerability from hacking contest ∗∗∗
---------------------------------------------
Update collection published: to prevent attacks, admins should make sure their Microsoft products are up to date.
---------------------------------------------
https://www.heise.de/news/Patchday-Microsoft-schliesst-100-000-Luecke-in-Sh…
∗∗∗ Patch Tuesday: Adobe protects After Effects & Co. against possible attacks ∗∗∗
---------------------------------------------
Several Adobe applications are vulnerable to, among other things, DoS and malicious code attacks. Security updates provide a remedy.
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-schuetzt-After-Effects-Co-vor-moeg…
∗∗∗ Advancing Protection in Chrome on Android ∗∗∗
---------------------------------------------
Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced ..
---------------------------------------------
http://security.googleblog.com/2025/07/advancing-protection-in-chrome-on.ht…
∗∗∗ Alleged prize in the name of MediaMarkt leads to subscription trap ∗∗∗
---------------------------------------------
Have you received an email in the name of MediaMarkt with an alleged prize notification? Are you asked to click a link and pay a two-euro shipping fee to redeem the prize? Then caution is advised! Behind it is no prize, but an expensive subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/angeblicher-gewinn-bei-media-markt-f…
∗∗∗ Critical vulnerability CVE-2025-47981 in Windows SPNEGO: update urgently recommended ∗∗∗
---------------------------------------------
Microsoft has published a critical vulnerability in the Windows SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. The vulnerability allows attackers to execute arbitrary code remotely and without authentication on ..
---------------------------------------------
https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-cve-2025…
∗∗∗ Iranian ransomware group offers bigger payouts for attacks on Israel, US ∗∗∗
---------------------------------------------
The Iran-linked ransomware-as-a-service group Pay2Key.I2P told affiliates that they can keep a larger cut of extortion payments if they attack entities within Iran's adversaries.
---------------------------------------------
https://therecord.media/iran-ransomware-group-pay2keyi2p-israel-us-targets
∗∗∗ Treasury sanctions key player behind North Korean IT worker scheme ∗∗∗
---------------------------------------------
The United States identified and sanctioned another North Korean involved with the country's IT worker schemes, this time for illicit operations based in China and Russia.
---------------------------------------------
https://therecord.media/north-korea-it-worker-scheme-us-sanctions-song-kum-…
∗∗∗ Fake CNN and BBC sites used to push investment scams ∗∗∗
---------------------------------------------
Thousands of web pages falsely branded as popular news sites are conduits for fake cryptocurrency investment scams, researchers said.
---------------------------------------------
https://therecord.media/news-websites-faked-to-spread-investment-scams
∗∗∗ CVE-2025-48384: Breaking git with a carriage return and cloning RCE ∗∗∗
---------------------------------------------
tl;dr: On Unix-like platforms, if you use git clone --recursive on an untrusted repo, it could achieve remote code execution. Update to a fixed version of Git and other software that embeds Git (including GitHub Desktop).
---------------------------------------------
https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384
∗∗∗ Supabase MCP can leak your entire SQL database ∗∗∗
---------------------------------------------
Model Context Protocol (MCP) has emerged as a standard way for LLMs to interact with external tools. While this unlocks new capabilities, it also introduces new risk surfaces. In this post, we show how an attacker can exploit Supabase’s MCP integration to leak a developer’s private SQL tables.
---------------------------------------------
https://www.generalanalysis.com/blog/supabase-mcp-blog
=====================
= Vulnerabilities =
=====================
∗∗∗ A set of Git security-fix releases ∗∗∗
---------------------------------------------
Versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 and v2.50.1 of the Git source-code management system have been released. "This is a set of coordinated security fix releases. Please update at your earliest convenience." See the announcement for details; many of the vulnerabilities have to do with tricks buried in untrusted repositories.
---------------------------------------------
https://lwn.net/Articles/1029182/
∗∗∗ SQL injection in forward module ∗∗∗
---------------------------------------------
An Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability [CWE-89] in FortiManager and FortiAnalyzer may allow an authenticated attacker with high privilege to extract database information via crafted requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-437
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-07-2025 18:00 − Tuesday 08-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ “No honor among thieves”: M&S hacking group starts turf war ∗∗∗
---------------------------------------------
A clash between criminal ransomware groups could result in victims being extorted twice.
---------------------------------------------
https://arstechnica.com/security/2025/07/no-honor-among-thieves-ms-hacking-…
∗∗∗ Qantas is being extorted in recent data-theft cyberattack ∗∗∗
---------------------------------------------
Qantas has confirmed that it is now being extorted by threat actors following a cyberattack that potentially exposed the data for 6 million customers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qantas-is-being-extorted-in-…
∗∗∗ Atomic macOS infostealer adds backdoor for persistent attacks ∗∗∗
---------------------------------------------
A malware analyst discovered a new version of the Atomic macOS info-stealer (also known as AMOS) that comes with a backdoor, giving attackers persistent access to compromised systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-add…
∗∗∗ Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage ∗∗∗
---------------------------------------------
A Chinese national was arrested in Milan, Italy, last week for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against American organizations and government agencies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/alleged-chinese-hacker-tied-…
∗∗∗ Approach to mainframe penetration testing on z/OS. Deep dive into RACF ∗∗∗
---------------------------------------------
We have explored the RACF security package in z/OS and developed a utility to interact with its database. Now, we are assessing RACF configuration security for penetration testing.
---------------------------------------------
https://securelist.com/zos-mainframe-pentesting-resource-access-control-fac…
∗∗∗ Android Patch Day skipped in July ∗∗∗
---------------------------------------------
Admins can relax, at least as far as Android and Pixel smartphones are concerned: there is nothing to patch in July.
---------------------------------------------
https://www.heise.de/news/Android-Patchday-faellt-im-Juli-aus-10478020.html
∗∗∗ SAP Patch Day: NetWeaver products vulnerable to malicious code attacks ∗∗∗
---------------------------------------------
Attackers can target, among others, SAP NetWeaver products and Business Objects. Security updates are available for download.
---------------------------------------------
https://www.heise.de/news/Patchday-SAP-NetWeaver-Produkte-sind-fuer-Schadco…
∗∗∗ How to conduct a Password Audit in Active Directory (AD) ∗∗∗
---------------------------------------------
Weak or compromised passwords are still one of the most common ways attackers get into an organisation’s network. That’s why running password audits in Active Directory is so important. But smaller companies often don’t have the time, budget, or resources to do them regularly.
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-to-conduct-a-password-aud…
∗∗∗ "Hi Mum, this is my new number": A look behind the scenes of the evergreen ∗∗∗
---------------------------------------------
The "Hi Mum" message is one of the absolute phishing classics. Although it is by now quite well known, criminals persistently keep trying to get money with it. For anyone who has always wanted to know what actually happens after a reply, we have taken a closer look at the process.
---------------------------------------------
https://www.watchlist-internet.at/news/hallo-mama-hinter-den-kulissen/
∗∗∗ GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed ∗∗∗
---------------------------------------------
An IAB campaign exploited leaked ASP.NET Machine Keys. We dissect the attackers' infrastructure and campaign and offer takeaways for blue teams.
---------------------------------------------
https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-m…
∗∗∗ Actively exploited vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway ∗∗∗
---------------------------------------------
In recent weeks Citrix has published several security updates for a total of three vulnerabilities in its products NetScaler ADC and NetScaler Gateway: CVE-2025-6543, CVSS score 9.2; CVE-2025-5349, CVSS score 8.7; CVE-2025-5777, CVSS score 9.3, also known as "CitrixBleed 2". At the time the advisories and the corresponding updates were published, according to Citrix there was no active exploitation of the vulnerabilities, ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/7/aktiv-ausgenutzte-schwachstellen-in…
∗∗∗ New spyware strain steals data from Russian industrial companies ∗∗∗
---------------------------------------------
Moscow-based cybersecurity firm Kaspersky said the campaign has already affected over 100 victims across several dozen Russian organizations, but did not disclose the specific targets.
---------------------------------------------
https://therecord.media/spyware-strain-steals-data-russian-industrial-sector
∗∗∗ Detection Engineering: Practicing Detection-as-Code – Introduction – Part 1 ∗∗∗
---------------------------------------------
This is going to be a multipart blog series revolving around Detection Engineering and more specifically practicing Detection-as-Code in Detection Engineering. Throughout this series, we’ll dive deep into concepts, strategies, and practical blueprints that you can adapt to fit your own workflows. From building a detection engineering repository to validating ..
---------------------------------------------
https://blog.nviso.eu/2025/07/08/detection-engineering-practicing-detection…
∗∗∗ From cheap IoT toy to your smartphone: Getting RCE by leveraging a companion app ∗∗∗
---------------------------------------------
As IoT adoption continues to grow, we explored the idea that instead of directly compromising IoT devices, an attacker could target the applications controlling them. This approach could potentially allow remote code execution on a user’s smartphone.
---------------------------------------------
https://www.synacktiv.com/en/publications/from-cheap-iot-toy-to-your-smartp…
∗∗∗ New CVE Forecasting Tool Predicts 47,000 Disclosures in 2025 ∗∗∗
---------------------------------------------
Security engineer Jerry Gamblin, founder of RogoLabs, has released a new open source forecasting tool that aims to predict the growing volume of software vulnerability disclosures. The tool, CVEForecast.org, uses historical CVE data and machine learning models to generate short-term projections of how many new vulnerabilities are likely to be published.
---------------------------------------------
https://socket.dev/blog/new-cve-forecasting-tool-predicts-47-000-disclosure…
=====================
= Vulnerabilities =
=====================
∗∗∗ July Security Update ∗∗∗
---------------------------------------------
Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of ..
---------------------------------------------
https://www.ivanti.com/blog/july-security-update-2025
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-07-2025 18:00 − Monday 07-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers abuse leaked Shellter red team tool to deploy infostealers ∗∗∗
---------------------------------------------
Shellter Project, the vendor of a commercial AV/EDR evasion loader for penetration testing, confirmed that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-abuse-leaked-shellte…
∗∗∗ Implementation of NIS 2 in Europe: only four countries have delivered ∗∗∗
---------------------------------------------
NIS 2 should have been transposed into national law by 17 October 2024. Only a few countries have managed that. How did they do it? An analysis by Thomas Hafen
---------------------------------------------
https://www.golem.de/news/umsetzung-von-nis-2-in-europa-nur-vier-laender-ha…
∗∗∗ Vulnerabilities and bugs also fixed: new 7-Zip compresses with more than 64 CPU cores ∗∗∗
---------------------------------------------
Anyone using 7-Zip should update the archiver promptly. Version 25.00 promises more performance and fixes bugs and vulnerabilities.
---------------------------------------------
https://www.golem.de/news/jetzt-updaten-7-zip-schliesst-sicherheitsluecken-…
∗∗∗ Massive spike in use of .es domains for phishing abuse ∗∗∗
---------------------------------------------
¡Cuidado! Time to double-check before entering your Microsoft creds. Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru.
---------------------------------------------
https://www.theregister.com/2025/07/05/spain_domains_phishing/
∗∗∗ Ingram Micro confirms ransomware behind multi-day outage ∗∗∗
---------------------------------------------
SafePay crew claims responsibility for intrusion at one of the world's largest tech distributors. Ingram Micro, one of the world’s largest distributors, has confirmed it is trying to restore systems following a ransomware attack.
---------------------------------------------
https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_beh…
∗∗∗ Antivirus: Comodo Internet Security can be tricked into running malicious code ∗∗∗
---------------------------------------------
An IT security researcher has discovered several vulnerabilities in the Comodo Internet Security antivirus that allow attackers to inject malicious code.
---------------------------------------------
https://www.heise.de/news/Antivirus-Comodo-Internet-Security-laesst-sich-Sc…
∗∗∗ SSB-104599 V1.0: Increasing Cyber Threats to Industrial Control Systems ∗∗∗
---------------------------------------------
The current geopolitical situation has created increased cybersecurity risks across all industrial sectors. This challenging environment also impacts the operational technology (OT) landscape, where we observe an intensification of threat activities.
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssb-104599.html
∗∗∗ Fake Europol email accusing recipients of distributing pornographic content involving minors ∗∗∗
---------------------------------------------
A fake email in the name of Europol is currently being circulated. It accuses recipients of having accessed or distributed prohibited pornographic depictions of minors. Criminal proceedings have allegedly been initiated as a result. Those affected are asked to submit a statement by email. Do not reply, because it is a scam attempt!
---------------------------------------------
https://www.watchlist-internet.at/news/europol-e-mail-mit-vorwurf-der-verbr…
∗∗∗ BERT Ransomware Group Targets Asia and Europe on Multiple Platforms ∗∗∗
---------------------------------------------
BERT is a newly emerged ransomware group that pairs simple code with effective execution—carrying out attacks across Europe and Asia. In this entry, we examine the group’s tactics, how their variants have evolved, and the tools they use to get past defenses and speed up encryption across platforms.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/bert-ransomware-group-target…
∗∗∗ SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked ∗∗∗
---------------------------------------------
The SatanLock ransomware gang shuts down after weeks of attacks and plans to leak stolen victim data. The group is linked to the Babuk-Bjorka and GD Lockersec families.
---------------------------------------------
https://hackread.com/satanlock-ransomware-ends-operations-stolen-data-leak/
∗∗∗ Isolated Recovery Environments: A Critical Layer in Modern Cyber Resilience ∗∗∗
---------------------------------------------
As adversaries grow faster, stealthier, and more destructive, traditional recovery strategies are increasingly insufficient. Mandiant's M-Trends 2025 report reinforces this shift, highlighting that ransomware operators now routinely target not just production systems but also backups. This evolution demands that organizations re-evaluate their resilience posture.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/isolated-recovery-…
∗∗∗ How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) ∗∗∗
---------------------------------------------
Before you dive into our latest diatribe, indulge us and join us on a journey. Sit in your chair, stand at your desk, lick your phone screen - close your eyes and imagine a world in which things are great. It’s sunny outside, the birds are chirping, ..
---------------------------------------------
https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-mem…
∗∗∗ Let's Encrypt issues first IP certificate ∗∗∗
---------------------------------------------
Last week the Let's Encrypt project issued its first certificate for an IP address.
---------------------------------------------
https://heise.de/-10476509
∗∗∗ Security update: Dell Data Protection Advisor vulnerable through many flaws ∗∗∗
---------------------------------------------
Attackers can exploit vulnerabilities in Dell's backup solution Data Protection Advisor. The computer manufacturer rates the risk as critical.
---------------------------------------------
https://heise.de/-10476481
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird and xmedcon), Fedora (darktable, mbedtls, sudo, and yarnpkg), Mageia (catdoc and php), Red Hat (java-1.8.0-ibm, kernel, python-setuptools, python3, python3.11, python3.12, python3.9, socat, sudo, tigervnc, webkit2gtk3, webkitgtk4, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (alloy, apache-commons-fileupload, apache2-mod_security2, assimp-devel, chromedriver, clamav, clustershell, corepack22, ctdb, curl, dpkg,
---------------------------------------------
https://lwn.net/Articles/1029073/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 03-07-2025 18:00 − Friday 04-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ingram Micro suffers global outage as internal systems inaccessible ∗∗∗
---------------------------------------------
IT giant Ingram Micro is experiencing a global outage that is impacting its websites and internal systems, with customers concerned that it may be a cyberattack after the company remains silent on the cause of the issues.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ingram-micro-suffers-global-…
∗∗∗ Hacker leaks Telefónica data allegedly stolen in a new breach ∗∗∗
---------------------------------------------
A hacker is threatening to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica in a breach that the company did not acknowledge.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-leaks-telef-nica-data…
∗∗∗ Court of Audit warns: cybersecurity of federal IT inadequate ∗∗∗
---------------------------------------------
Many federal data centres apparently do not even have an adequate emergency power supply. Redundancy is often lacking as well.
---------------------------------------------
https://www.golem.de/news/rechnungshof-warnt-cybersicherheit-der-bundes-it-…
∗∗∗ The Breach Beyond the Runway: Cybercriminals Targeted Qantas Through a Trusted Partner ∗∗∗
---------------------------------------------
On July 3, 2025, Qantas confirmed in an update statement that a cyber incident had compromised data from one of its contact centers, following the detection of suspicious activity on June 30. The breach didn’t strike at the heart of ..
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-breach-…
∗∗∗ Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects ∗∗∗
---------------------------------------------
Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world. The international effort, codenamed Operation Borrelli, was carried out by the ..
---------------------------------------------
https://thehackernews.com/2025/06/europol-dismantles-540-million.html
∗∗∗ "FoxyWallet": Mehr als 40 bösartige Firefox-Add-ons entdeckt ∗∗∗
---------------------------------------------
IT security researchers have discovered a large-scale campaign using malicious Firefox add-ons. The add-ons empty crypto wallets.
---------------------------------------------
https://www.heise.de/news/FoxyWallet-Mehr-als-40-boesartige-Firefox-Add-ons…
∗∗∗ Pet microchip scams and data leaks in the UK ∗∗∗
---------------------------------------------
TL;DR We were recently on BBC Morning Live talking about issues with pet microchip data, helping some pet owners understand how they were being billed for services which they didn’t recall signing up for. There was so much more to this piece though, so we’ve written up our findings in more detail ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/pet-microchip-scams-and-data-…
∗∗∗ Your Facebook account is sending unwanted messages? Phishing alert & subscription trap! ∗∗∗
---------------------------------------------
Criminals exploit the fear of "account hijacking", the takeover of an online account by others, for their own purposes. They send e-mail warnings claiming that "unwanted messages" are being sent from the victim's Facebook account. The supposed fix for the problem leads straight into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/facebook-nachrichten-phishing-abo/
∗∗∗ A message from Bruce the mechanical shark ∗∗∗
---------------------------------------------
This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.
---------------------------------------------
https://blog.talosintelligence.com/a-message-from-bruce-the-mechanical-shar…
∗∗∗ AI Dilemma: Emerging Tech as Cyber Risk Escalates ∗∗∗
---------------------------------------------
As AI adoption accelerates, businesses face mounting cyber threats—and urgent choices about secure implementation
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/ai-cyber-risks.html
∗∗∗ Taking over 60k spyware user accounts with SQL injection ∗∗∗
---------------------------------------------
Recently I was looking through a database of known stalkerware services and found one I wasn’t familiar with: Catwatchful. It seemed to be a full-featured Android spy app, to actually be its own service as opposed to a millionth FlexiSpy reseller, and to offer a 3-day free trial. Aside from a boilerplate disclaimer to only use it with consent ..
---------------------------------------------
https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/
∗∗∗ Identifying Ransomware Final Stage activities with KQL Queries ∗∗∗
---------------------------------------------
When ransomware strikes, it doesn’t just encrypt files — it often wraps up with a series of stealthy moves meant to lock you out, cover tracks, and make recovery a nightmare. That’s why it’s so important to spot these final-stage activities before the damage is permanent.
---------------------------------------------
https://detect.fyi/identifying-ransomware-final-stage-activities-with-kql-q…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-07-2025 18:00 − Thursday 03-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ DOJ investigates ex-ransomware negotiator over extortion kickbacks ∗∗∗
---------------------------------------------
An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/doj-investigates-ex-ransomwa…
∗∗∗ Data Breach Reveals Catwatchful Stalkerware Is Spying On Thousands of Phones ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that ..
---------------------------------------------
https://yro.slashdot.org/story/25/07/03/0023253/data-breach-reveals-catwatc…
∗∗∗ Fake Spam Plugin Uses Victim’s Domain Name to Evade Detection ∗∗∗
---------------------------------------------
During our investigation of an SEO spam infection (spam content designed to manipulate search engine results), we discovered a nicely crafted plugin that named itself after the infected domain, helping it evade detection. While this tactic was simple, it easily blended in with other legitimate plugins, making it harder to spot during the troubleshooting ..
---------------------------------------------
https://blog.sucuri.net/2025/07/fake-spam-plugin-uses-victims-domain-name-t…
∗∗∗ CISA warns the Signal clone used by natsec staffers is being attacked, so patch now ∗∗∗
---------------------------------------------
Two flaws in TeleMessage are frequent attack vectors for malicious cyber actors. The US security watchdog CISA has warned that malicious actors are actively exploiting two flaws in the Signal clone TeleMessage TM SGNL, and has directed federal agencies to patch the flaws or discontinue use of the app by July 22.
---------------------------------------------
https://www.theregister.com/2025/07/02/cisa_telemessage_patch/
∗∗∗ ChatGPT creates phisher’s paradise by recommending the wrong URLs for major companies ∗∗∗
---------------------------------------------
Crims have cottoned on to a new way to lead you astray. AI-powered chatbots often deliver incorrect information when asked to name the address for major companies’ websites, and threat intelligence business Netcraft thinks that creates an opportunity for criminals.
---------------------------------------------
https://www.theregister.com/2025/07/03/ai_phishing_websites/
∗∗∗ Cisco removes SSH backdoor in Unified Communications Manager ∗∗∗
---------------------------------------------
Network equipment vendor Cisco has closed security vulnerabilities in various products. One of them is rated critical.
---------------------------------------------
https://www.heise.de/news/Cisco-entfernt-SSH-Hintertuer-in-Unified-Communic…
∗∗∗ Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack ∗∗∗
---------------------------------------------
We analyze CVE-2025-24813 (Tomcat Partial PUT RCE), CVE-2025-27636 and CVE-2025-29891 (Camel Header Hijack RCE).
---------------------------------------------
https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cv…
∗∗∗ Hunters International ransomware group claims to be shutting down ∗∗∗
---------------------------------------------
“After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the prolific cybercrime gang wrote on its darknet site.
---------------------------------------------
https://therecord.media/hunters-international-ransomware-extortion-group-cl…
∗∗∗ Russia jails man for 16 years over pro-Ukraine cyberattacks on critical infrastructure ∗∗∗
---------------------------------------------
Russian authorities said the man used malware to attack Russian information systems in 2022, blocking access to websites of several local companies and damaging critical infrastructure.
---------------------------------------------
https://therecord.media/russia-jails-man-over-pro-ukraine-cyberattacks
=====================
= Vulnerabilities =
=====================
∗∗∗ Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-085
∗∗∗ Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-086
∗∗∗ Security Vulnerabilities fixed in Thunderbird 140 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.12 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-07-2025 18:00 − Wednesday 02-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft: DNS issue blocks delivery of Exchange Online OTP codes ∗∗∗
---------------------------------------------
Microsoft is working to fix a DNS misconfiguration that is causing one-time passcode (OTP) message delivery failures in Exchange Online for some users.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-links-dns-issue-t…
∗∗∗ Touting for customers at the accident scene: hacker sells data from emergency call system to undertakers ∗∗∗
---------------------------------------------
The emergency call data was made available in real time. It allowed the undertakers to show up early at incident scenes in order to win new customers.
---------------------------------------------
https://www.golem.de/news/kundenfang-am-unfallort-hacker-verkauft-daten-aus…
∗∗∗ C2 with dinosaurs ∗∗∗
---------------------------------------------
Attackers like to use programs that are available as open source and are typically classified as legitimate and harmless (e.g. rclone ..
---------------------------------------------
https://sec-consult.com/de/blog/detail/c2-mit-dinosauriern/
∗∗∗ chwoot: Critical Linux vulnerability makes users root on most systems ∗∗∗
---------------------------------------------
A proof-of-concept exploit is available online and works on many standard systems. Admins should promptly install the available updates.
---------------------------------------------
https://www.heise.de/news/chwoot-Kritische-Linux-Luecke-macht-Nutzer-auf-de…
∗∗∗ Report: EU border system SIS II has numerous security vulnerabilities ∗∗∗
---------------------------------------------
Confidential reports are said to flag thousands of vulnerabilities in the EU border system SIS II. The developers are fixing them too slowly.
---------------------------------------------
https://www.heise.de/news/Bericht-EU-Grenzsystem-SIS-II-mit-zahlreichen-Sic…
∗∗∗ 600,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Forminator WordPress Plugin ∗∗∗
---------------------------------------------
On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be ..
---------------------------------------------
https://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-a…
∗∗∗ Sinaloa cartel hacked the FBI to track down confidential informants ∗∗∗
---------------------------------------------
A report by the US Department of Justice criticises the FBI's handling of the threat posed by surveillance technologies.
---------------------------------------------
https://www.derstandard.at/story/3000000277554/sinaloa-kartell-hackte-das-f…
∗∗∗ Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work ∗∗∗
---------------------------------------------
Support for ransomware, darknet drug markets and other cybercrime activity landed the Russian company Aeza Group on the U.S. government's sanctions list, the Treasury Department said.
---------------------------------------------
https://therecord.media/russia-bulletproof-hosting-aeza-group-us-sanctions
∗∗∗ Ransomware gang attacks German charity that feeds starving children ∗∗∗
---------------------------------------------
Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay.
---------------------------------------------
https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransom…
∗∗∗ Analysis of Attacks Targeting Linux SSH Servers for Proxy Installation ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) uses honeypots to monitor attacks targeting poorly managed Linux servers. One of the representative honeypots is an SSH service with weak credentials, which is targeted by a large ..
---------------------------------------------
https://asec.ahnlab.com/en/88749/
∗∗∗ PDFs: Portable documents, or perfect deliveries for phish? ∗∗∗
---------------------------------------------
A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.
---------------------------------------------
https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliv…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 30-06-2025 18:00 − Tuesday 01-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Root access for everyone: critical sudo vulnerability endangers countless Linux systems ∗∗∗
---------------------------------------------
Researchers have discovered a dangerous security vulnerability in the command-line tool sudo. Attackers can gain root privileges with little effort.
---------------------------------------------
https://www.golem.de/news/root-zugriff-fuer-alle-kritische-sudo-luecke-gefa…
∗∗∗ Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations ∗∗∗
---------------------------------------------
Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north…
∗∗∗ Vulnerability & Patch Roundup — June 2025 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website ..
---------------------------------------------
https://blog.sucuri.net/2025/06/vulnerability-patch-roundup-june-2025.html
∗∗∗ U.S. Agencies Warn of Rising Iranian Cyberattacks on Defense, OT Networks, and Critical Infrastructure ∗∗∗
---------------------------------------------
U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors. "Over the past several months, there has been increasing activity from hacktivists ..
---------------------------------------------
https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
∗∗∗ OneClik Red Team Campaign Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft's ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas ..
---------------------------------------------
https://thehackernews.com/2025/06/oneclik-malware-targets-energy-sector.html
∗∗∗ Terrible tales of opsec oversights: How cybercrooks get themselves caught ∗∗∗
---------------------------------------------
The silly mistakes to the flagrant failures. They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that.
---------------------------------------------
https://www.theregister.com/2025/07/01/terrible_tales_of_opsec_oversights/
∗∗∗ Surveillance cameras from China: Canada orders closure of Hikvision Canada ∗∗∗
---------------------------------------------
Hikvision is a Chinese company that sells surveillance technology. The group has drawn criticism for years. Now Canada is ordering its local subsidiary to close.
---------------------------------------------
https://www.heise.de/news/Ueberwachungskameras-aus-China-Kanada-ordnet-Schl…
∗∗∗ Chrome web browser: security vulnerability under attack ∗∗∗
---------------------------------------------
Overnight into Tuesday, Google released an unscheduled update for the Chrome browser. One security vulnerability is already being attacked.
---------------------------------------------
https://www.heise.de/news/Chrome-Google-stopft-attackierte-Sicherheitslueck…
∗∗∗ Many security vulnerabilities closed in Dell OpenManage Network Integration ∗∗∗
---------------------------------------------
Attackers can attack Dell OpenManage Network Integration in various ways. Security updates are available.
---------------------------------------------
https://www.heise.de/news/Viele-Sicherheitsluecken-in-Dell-OpenManage-Netwo…
∗∗∗ British IT employee took revenge on ex-employer: seven months in prison ∗∗∗
---------------------------------------------
Only a few hours after his dismissal, the young man launched a cyberattack and caused damage amounting to £200,000.
---------------------------------------------
https://www.derstandard.at/story/3000000277498/britischer-it-angestellter-r…
∗∗∗ 50 customers of French bank hit after insider helped SIM swap scammers ∗∗∗
---------------------------------------------
French police have arrested a business student interning at the bank Société Générale who is accused of helping SIM-swapping scammers to defraud 50 of its clients.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/50-customers-of-frenc…
∗∗∗ Encryption vs. Lawful Interception: EU policy news ∗∗∗
---------------------------------------------
I’ve commented here on this blog (or its German twin) quite a few times already on various legislative proposals on how the law enforcement agencies can keep their traditional access to the communication of suspects. See Ein paar Thesen zu aktuellen Gesetzesentwürfen (2017), Ein paar Gedanken zur „Überwachung verschlüsselter Nachrichten" (2024), Roles in ..
---------------------------------------------
https://www.cert.at/en/blog/2025/7/encryption-vs-lawful-interception-eu-pol…
∗∗∗ DOJ raids 29 ‘laptop farms’ in crackdown on N. Korean IT worker scheme ∗∗∗
---------------------------------------------
The Justice Department announced a coordinated action to disrupt a Pyongyang campaign to get North Koreans hired at U.S.-based companies.
---------------------------------------------
https://therecord.media/doj-raids-laptop-farms-crackdown
∗∗∗ International Criminal Court targeted by new ‘sophisticated’ attack ∗∗∗
---------------------------------------------
The ICC credited its “alert and response mechanisms” for “swiftly” discovering, confirming and containing a cyberattack.
---------------------------------------------
https://therecord.media/international-criminal-court-cyberattack-2025
∗∗∗ Malware in apps: Godfather 2.0 for Android; SparkKitty in app stores ∗∗∗
---------------------------------------------
A short round-up on the topic of smartphone apps carrying malware. The Android malware Godfather 2.0 is currently making a comeback, or rather scoring successes in raids on online banking. In addition, security researchers ..
---------------------------------------------
https://www.borncity.com/blog/2025/06/30/malware-in-apps-godfather-2-0-fuer…
∗∗∗ What the NULL?! Wing FTP Server RCE (CVE-2025-47812) ∗∗∗
---------------------------------------------
While performing a penetration test for one of our Continuous Penetration Testing customers, we’ve found a Wing FTP server instance that allowed anonymous connections. It was almost the only interesting thing exposed, but we still wanted to get a foothold into their perimeter and provide the customer with an impactful finding. So we ..
---------------------------------------------
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2…
∗∗∗ Django Joins curl in Pushing Back on AI Slop Security Reports ∗∗∗
---------------------------------------------
Django has updated its official security documentation with new guidance for AI-assisted vulnerability reports, responding to a rising number of submissions generated by large language models (LLMs) that cite fabricated code or non-existent features. The change was authored by Django Fellow Natalia Bidart, who helps maintain the project’s ..
---------------------------------------------
https://socket.dev/blog/django-joins-curl-in-pushing-back-on-ai-slop-securi…
∗∗∗ How hacktivist cyber operations surged amid Israeli-Iranian conflict ∗∗∗
---------------------------------------------
In June 2025, Israel carried out airstrikes against key Iranian military and nuclear facilities. Iran swiftly retaliated, escalating regional tensions to unprecedented levels. This military confrontation has not only unfolded in conventional warfare but also triggered a massive surge in cyber operations. Almost immediately after the ..
---------------------------------------------
https://outpost24.com/blog/hacktivist-cyber-operations-iran-israel/
=====================
= Vulnerabilities =
=====================
∗∗∗ XSA-470 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-470.html
∗∗∗ [R1] Nessus Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-13
=====================
= End-of-Day report =
=====================
Timeframe: Friday 27-06-2025 18:00 − Monday 30-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Scattered Spider hackers shift focus to aviation, transportation firms ∗∗∗
---------------------------------------------
Hackers associated with Scattered Spider tactics have expanded their targeting to the aviation and transportation industries after previously attacking insurance and retail sectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shi…
∗∗∗ Let’s Encrypt ends certificate expiry emails to cut costs, boost privacy ∗∗∗
---------------------------------------------
Let's Encrypt has announced it will no longer notify users about imminent certificate expirations via email due to high costs, privacy concerns, and unnecessary complexities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lets-encrypt-ends-certificat…
∗∗∗ Unveiling RIFT: Enhancing Rust malware analysis through pattern matching ∗∗∗
---------------------------------------------
As threat actors are adopting Rust for malware development, RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/06/27/unveiling-rift-enh…
∗∗∗ Stealthy WordPress Malware Drops Windows Trojan via PHP Backdoor ∗∗∗
---------------------------------------------
Last month, we encountered a particularly interesting and complex malware case that stood out from the usual infections we see in compromised WordPress websites. At first glance, the site looked clean, no visible signs of defacement, no malicious redirects, and nothing suspicious in the plugin list. But beneath the surface, a hidden infection chain was ..
---------------------------------------------
https://blog.sucuri.net/2025/06/stealthy-wordpress-malware-drops-windows-tr…
∗∗∗ GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool ∗∗∗
---------------------------------------------
The threat actor behind the GIFTEDCROOK malware has made significant updates to turn the malicious program from a basic browser data stealer into a potent intelligence-gathering tool. "Recent campaigns in June 2025 demonstrate GIFTEDCROOK's enhanced ..
---------------------------------------------
https://thehackernews.com/2025/06/giftedcrook-malware-evolves-from.html
∗∗∗ IGF25: Dictators and democrats in the Global South as spyware customers ∗∗∗
---------------------------------------------
Spyware such as Pegasus from the NSO Group is increasingly becoming a political problem. That was one of the findings of the Internet Governance Forum in Norway.
---------------------------------------------
https://www.heise.de/news/IGF25-Diktatoren-und-Demokraten-im-globalen-Suede…
∗∗∗ "CitrixBleed 2": Indizien für laufende Angriffe auf Sicherheitsleck ∗∗∗
---------------------------------------------
A Citrix NetScaler vulnerability nicknamed "CitrixBleed 2" is serious. Now it is apparently being attacked.
---------------------------------------------
https://www.heise.de/news/CitrixBleed-2-Indizien-fuer-laufende-Angriffe-auf…
∗∗∗ Cyber gang extorts Welthungerhilfe for 1.8 million euros ∗∗∗
---------------------------------------------
The Rhysida cyber gang broke into Welthungerhilfe and copied data. The perpetrators now want 20 bitcoins for it.
---------------------------------------------
https://www.heise.de/news/Ransomwareattacke-auf-Welthungerhilfe-10464644.ht…
∗∗∗ Dubious debt-collection demands: what to do about sudden dunning letters? ∗∗∗
---------------------------------------------
You open your email inbox or your letterbox and find a letter from a debt-collection company. Supposedly you have not paid an invoice, but you cannot remember ordering anything. Unfortunately this scenario is not rare. More and more consumers are reporting such dubious payment demands. We show you how to respond.
---------------------------------------------
https://www.watchlist-internet.at/news/dubiose-inkassoschreiben-was-tun-bei…
∗∗∗ ESET Threat Report H1 2025 ∗∗∗
---------------------------------------------
A view of the H1 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/eset-threat-report-h1-2025/
∗∗∗ Hide Your RDP: Password Spray Leads to RansomHub Deployment ∗∗∗
---------------------------------------------
This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor ..
---------------------------------------------
https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-…
∗∗∗ How 2 Ransomware Attacks on 2 Hospitals Led to 2 Deaths in Europe ∗∗∗
---------------------------------------------
Two deadly Ransomware Attacks on European hospitals show cybercrime now risks lives not just data with patients dying after treatment delays.
---------------------------------------------
https://hackread.com/how-ransomware-attacks-hospitals-2-deaths-in-europe/
∗∗∗ Protecting the Core: Securing Protection Relays in Modern Substations ∗∗∗
---------------------------------------------
Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its safe and efficient delivery from power plants to millions of end-users. At the core of a modern substation lies the protection relay: an intelligent electronic device (IED) that plays a critical role in ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/securing-protectio…
∗∗∗ GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them ∗∗∗
---------------------------------------------
Use these insights to automate software security (where possible) to keep your projects safe.
---------------------------------------------
https://github.blog/security/github-advisory-database-by-the-numbers-known-…
∗∗∗ Ultimate Guide to API Pentesting: Hacking APIs for better Security ∗∗∗
---------------------------------------------
API Pentesting, or Application Programming Interface Penetration Testing, is the process of simulating real-world attacks against APIs to uncover vulnerabilities, misconfigurations, and flaws that could be exploited by malicious actors. Unlike traditional web applications, APIs are designed to be consumed by machines—often exposing ..
---------------------------------------------
https://fortbridge.co.uk/research/ultimate-guide-to-api-pentesting-hacking-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (mod_proxy_cluster), Debian (catdoc, chromium, nagvis, and sudo), Fedora (chromium, gum, kubernetes1.32, moodle, podman, python3-docs, python3.13, salt, and tigervnc), Mageia (x11-server, x11-server-xwayland & tigervnc), Oracle (apache-commons-beanutils, exiv2, expat, firefox, git, git-lfs, gstreamer1-plugins-bad-free, ipa, java-21-openjdk, kea, kernel, libarchive, libblockdev, libsoup3, libvpx, libxslt, mod_auth_openidc, nodejs22, ..
---------------------------------------------
https://lwn.net/Articles/1027769/
∗∗∗ Marvell QConvergeConsole: Multiple 0-day vulnerabilities ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 26-06-2025 18:00 − Friday 27-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critical Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a critical vulnerability in the Open VSX Registry ("open-vsx[.]org") that, if successfully exploited, could have enabled attackers to take control of the entire Visual Studio Code extensions marketplace, posing a severe supply chain risk. [..] Following responsible disclosure on May 4, 2025, multiple rounds of fixes were proposed by the maintainers, before a final patch was deployed on June 25.
---------------------------------------------
https://thehackernews.com/2025/06/critical-open-vsx-registry-flaw-exposes.h…
∗∗∗ What if Microsoft just turned you off? Security pro counts the cost of dependency ∗∗∗
---------------------------------------------
Czech developer and pen-tester Miloslav Homer has an interesting take on reducing an organization's exposure to security risks. In an article headlined "Microsoft dependency has risks," he extends the now familiar arguments in favor of improving digital sovereignty, and reducing dependence on American cloud services. The argument is quite long but closely reasoned.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/06/26/cost_of_micr…
∗∗∗ Act now: Secure Boot certificates expire in June 2026 ∗∗∗
---------------------------------------------
Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. [..] If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months.
---------------------------------------------
https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-…
∗∗∗ Fake DocuSign email hides tricky phishing attempt ∗∗∗
---------------------------------------------
On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/06/fake-docusign-email-hides-tr…
∗∗∗ Rent outstanding? Caution: phishing email ∗∗∗
---------------------------------------------
Criminals are sending emails demanding supposedly outstanding rent payments. At the same time they try to get the destination account for future transfers changed. We show how best to react to such a phishing message.
---------------------------------------------
https://www.watchlist-internet.at/news/miete-ausstaendig-phishing/
∗∗∗ SafePay ransomware: What you need to know ∗∗∗
---------------------------------------------
SafePay is a relatively new ransomware threat that was first observed around September 2024. [..] A recently published threat report released by security experts at NCC Group revealed that SafePay was currently the most active ransomware group. In the month of May 2025 alone, 70 ransomware attacks were linked to SafePay, accounting for 18% of the total.
---------------------------------------------
https://www.fortra.com/blog/safepay-ransomware-what-you-need-know
∗∗∗ Attacks on remote-management vulnerability in servers from HPE, Lenovo and others ∗∗∗
---------------------------------------------
Attackers are exploiting several security vulnerabilities in the wild, warns the US cybersecurity agency CISA. The most dangerous are ongoing attacks on the AMI MegaRAC remote-management firmware, which is built into servers from Asus, ASRock Rack, HPE and Lenovo, among others. [..] The already-attacked vulnerability in the AMI MegaRAC remote-management firmware became known in mid-March.
---------------------------------------------
https://heise.de/-10461788
∗∗∗ Phishing wave: fraudsters pose as PayPal ∗∗∗
---------------------------------------------
Criminals are currently again posing as PayPal on the phone and claiming that large transfers are imminent.
---------------------------------------------
https://heise.de/-10462478
∗∗∗ Microsoft throws antivirus software out of the Windows kernel ∗∗∗
---------------------------------------------
Microsoft does not want another CrowdStrike experience, so antivirus software is now being moved out of the Windows kernel. [..] Next month Microsoft plans to distribute a preview of the Windows Endpoint Security Platform to some MVI partners. It lets them build their IT security solutions so that they run outside the Windows kernel. Software such as antivirus and endpoint protection then lives in user mode, like normal apps.
---------------------------------------------
https://heise.de/-10462538
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (freeradius and icu), Fedora (clamav, glow, libssh, perl-Crypt-OpenSSL-RSA, perl-CryptX, podman, trafficserver, and xorg-x11-server), Mageia (gdk-pixbuf2.0 and thunderbird), Red Hat (osbuild-composer and weldr-client), SUSE (afterburn, google-osconfig-agent, libblockdev, pam, python-tornado6, screen, and yelp-xsl), and Ubuntu (libxslt and python-pip).
---------------------------------------------
https://lwn.net/Articles/1027251/
∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01
∗∗∗ TrendMakers Sight Bulb Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-02
∗∗∗ f5: K000152189: Intel BIOS vulnerability CVE-2022-21233 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152189
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 25-06-2025 18:00 − Thursday 26-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Ubuntu disables Intel GPU security mitigations, promises 20% performance boost ∗∗∗
---------------------------------------------
Spectre, you may recall, came to public notice in 2018. Spectre attacks are based on the observation that performance enhancements built into modern CPUs open a side channel that can leak secrets a CPU is processing. The performance enhancement, known as speculative execution, predicts future instructions a CPU might receive and then performs the corresponding tasks before they are even called. If the instructions never come, the CPU discards the work it performed. When the prediction is correct, the CPU has already completed the task.
---------------------------------------------
https://arstechnica.com/security/2025/06/ubuntu-disables-intel-gpu-security…
∗∗∗ New wave of ‘fake interviews’ use 35 npm packages to spread malware ∗∗∗
---------------------------------------------
A new wave of North Korea's 'Contagious Interview' campaign is targeting job seekers with malicious npm packages that infect dev's devices with infostealers and backdoors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-wave-of-fake-interviews-…
∗∗∗ Hackers abuse Microsoft ClickOnce and AWS services for stealthy attacks ∗∗∗
---------------------------------------------
A sophisticated malicious campaign that researchers call OneClik has been leveraging Microsoft’s ClickOnce software deployment tool and custom Golang backdoors to compromise organizations within the energy, oil, and gas sectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/oneclik-attacks-use-microsof…
∗∗∗ Hackers turn ScreenConnect into malware using Authenticode stuffing ∗∗∗
---------------------------------------------
Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-i…
∗∗∗ CISA is Shrinking: What Does it Mean for Cyber? ∗∗∗
---------------------------------------------
Today we are going to focus on the slimmed down profile of the Cybersecurity and Infrastructure Security Agency (CISA) under the new administration. We want to know what that means practically to cybersecurity teams. We want to explore the cost of having less coming out of CISA, and any opportunities the federal government shakeup might present for business.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/cisa-is-shrinking-what…
∗∗∗ Taming Agentic AI Risks Requires Securing Non-Human Identities ∗∗∗
---------------------------------------------
From service accounts and Web application programming interfaces (APIs) to serverless applications and now artificial intelligence (AI) agents, the landscape of non-human identities is quickly becoming more complex. Companies are struggling to monitor and manage machine identities with security controls.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/taming-agentic-ai-risk…
∗∗∗ RedirectionGuard: Mitigating unsafe junction traversal in Windows ∗∗∗
---------------------------------------------
As attackers continue to evolve, Microsoft is committed to staying ahead by not only responding to vulnerabilities, but also by anticipating and mitigating entire classes of threats. One such threat, filesystem redirection attacks, has been a persistent vector for privilege escalation. In response, we’ve developed and deployed a new mitigation in Windows 11 called RedirectionGuard. This blog outlines how RedirectionGuard proactively closes off a major attack surface by preventing unsafe junction traversal, reinforcing our commitment to secure-by-design-principles and reducing the burden on developers and defenders.
---------------------------------------------
https://msrc.microsoft.com/blog/2025/06/redirectionguard-mitigating-unsafe-…
∗∗∗ The Case of Hidden Spam Pages ∗∗∗
---------------------------------------------
Spammy posts and pages being placed on WordPress websites is one of the most common infections that we come across. The reason is that the attack is very low-level in terms of sophistication: All that is required of the attacker is to brute force their way into the wp-admin panel; from there they just have their scripts/bots post spam posts and pages, effectively achieving a blackhat SEO attack. Since an out-of-the-box WordPress website contains no protection on admin access other than a password (with no limit on the number of failed login attempts), and the admin users can often be discovered via enumeration, this remains a very popular type of spam infection on the platform.
---------------------------------------------
https://blog.sucuri.net/2025/06/the-case-of-hidden-spam-pages.html
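Both the Sucuri case above (wp-admin brute force with no lockout) and the DFIR Report case earlier in this digest (password spray against an internet-facing RDP server) start with a burst of failed logons, but the two look different in logs: a spray touches many accounts a few times each, a brute force hammers one account. The following is an added example, not code from either report, that separates the two patterns over normalised failed-logon records. The log format, IP addresses, usernames and thresholds are constructed for the example; a real deployment would feed it Windows Event ID 4625 records (RDP) or web-server access-log lines for POST /wp-login.php (WordPress).

```python
"""Tell password spraying from brute forcing in failed-authentication records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from either report). One normalised line per logon
# attempt: ISO-8601 timestamp, service, source IP, user=..., result=...
SAMPLE_LOG = (
    # 203.0.113.7: one attempt each against 25 different accounts -> spray
    [f"2024-11-20T03:10:{i:02d}Z rdp 203.0.113.7 user=user{i:02d} result=fail" for i in range(25)]
    # 198.51.100.9: 30 attempts against a single account -> brute force
    + [f"2024-11-20T03:20:{i:02d}Z wp-login 198.51.100.9 user=admin result=fail" for i in range(30)]
    # 192.0.2.4: a user mistyping twice, then succeeding -> benign
    + [
        "2024-11-20T04:00:01Z rdp 192.0.2.4 user=bob result=fail",
        "2024-11-20T04:00:09Z rdp 192.0.2.4 user=bob result=fail",
        "2024-11-20T04:00:20Z rdp 192.0.2.4 user=bob result=success",
    ]
)


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    ts, service, src_ip, user_kv, result_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "service": service,
        "src_ip": src_ip,
        "user": user_kv.split("=", 1)[1],
        "failed": result_kv == "result=fail",
    }


def classify_sources(lines, window=timedelta(minutes=15), min_failures=10,
                     spray_min_users=10, brute_max_users=2):
    """Return {src_ip: "password_spray" | "brute_force"} for every source that produced at
    least `min_failures` failures inside some sliding window of length `window`.
    Breadth (many distinct users) marks a spray; depth (one or two users hammered) marks
    brute force. Sources in between, or below the threshold, are not reported."""
    by_ip = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["failed"]:
            by_ip[rec["src_ip"]].append(rec)

    verdicts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            if len(span) < min_failures:
                continue
            users = {r["user"] for r in span}
            if len(users) >= spray_min_users:
                verdicts[ip] = "password_spray"
                break
            if len(users) <= brute_max_users:
                verdicts[ip] = "brute_force"
                break
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

The window and thresholds are the tuning knobs: a low-and-slow spray that tries each account once per hour needs a window of hours or days and a lower `min_failures`, since the signal is the number of distinct accounts per source, not the rate. Counting distinct source IPs per target account in the same way catches the distributed variant, where the attacker rotates through proxies.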
∗∗∗ nOAuth Vulnerability Still Affects 9% of Microsoft Entra SaaS Apps Two Years After Discovery ∗∗∗
---------------------------------------------
New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID, potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications. Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse.
---------------------------------------------
https://thehackernews.com/2025/06/noauth-vulnerability-still-affects-9-of.h…
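The root cause of nOAuth, known from its original 2023 disclosure rather than stated in the summary above, is a relying party that keys user accounts on the `email` claim of an Entra ID token. A tenant administrator can set that attribute to any value for users in their own tenant, so an attacker-controlled tenant can mint a valid token carrying the victim's address. The following added example (not code from Semperis or Microsoft) contrasts the email-keyed lookup with one keyed on the immutable tenant and object identifiers (`tid`, `oid`). The user table, claim sets and tenant-to-domain mapping are constructed for the example; the tokens are assumed to have already passed signature, issuer, audience and expiry checks.

```python
"""OIDC account binding: the email-keyed lookup nOAuth abuses, beside an oid/tid-keyed one."""
import copy

# Constructed relying-party user table. User 1 signed in before and is bound to a
# tenant/object id pair; user 2 was pre-provisioned by an admin and has never signed in.
_USERS = [
    {"id": 1, "email": "victim@contoso.example", "tid": "tenant-A", "oid": "oid-victim"},
    {"id": 2, "email": "newhire@contoso.example", "tid": None, "oid": None},
]

# Constructed: the email domains each Entra tenant is known to own. A relying party has to
# keep this mapping itself (for example from DNS-verified domains recorded at onboarding).
TENANT_DOMAINS = {"tenant-A": {"contoso.example"}}

# Constructed ID-token claim sets (assumed already verified). The attacker administers
# tenant-B and has set the mail attribute of their own account to the victim's address.
VICTIM_TOKEN = {"tid": "tenant-A", "oid": "oid-victim", "email": "victim@contoso.example"}
NEWHIRE_TOKEN = {"tid": "tenant-A", "oid": "oid-newhire", "email": "newhire@contoso.example"}
ATTACKER_TOKEN = {"tid": "tenant-B", "oid": "oid-attacker", "email": "victim@contoso.example"}
ATTACKER_TOKEN_2 = {"tid": "tenant-B", "oid": "oid-attacker", "email": "newhire@contoso.example"}


def fresh_users():
    """A private copy of the user table, so each login scenario starts from the same state."""
    return copy.deepcopy(_USERS)


def login_vulnerable(claims, users):
    """nOAuth-prone: the email claim is the account key, and the issuing tenant controls it."""
    email = claims["email"].lower()
    for u in users:
        if u["email"].lower() == email:
            return u["id"]
    return None


def login_hardened(claims, users):
    """Key on the immutable (tid, oid) pair. Fall back to email only to link an account that
    has never been bound, and only when the issuing tenant is known to own the email domain."""
    key = (claims["tid"], claims["oid"])
    for u in users:
        if (u["tid"], u["oid"]) == key:
            return u["id"]

    email = claims["email"].lower()
    domain = email.rsplit("@", 1)[-1]
    if domain not in TENANT_DOMAINS.get(claims["tid"], set()):
        # A tenant presenting an address in a domain it does not own: neither link nor log in.
        return None
    for u in users:
        if u["email"].lower() == email and u["tid"] is None:
            u["tid"], u["oid"] = key  # bind once; later logins match on the key above
            return u["id"]
    # No account yet: provision a new one or deny, but never attach to an existing one by email.
    return None


if __name__ == "__main__":
    print("vulnerable, attacker token ->", login_vulnerable(ATTACKER_TOKEN, fresh_users()))
    print("hardened,   attacker token ->", login_hardened(ATTACKER_TOKEN, fresh_users()))
    print("hardened,   victim token   ->", login_hardened(VICTIM_TOKEN, fresh_users()))
```

The test for an existing integration is the first branch: if any code path resolves a user by `email` (or `preferred_username`, `upn`) before consulting `oid` and `tid`, a foreign tenant can impersonate that user. Where email-based linking on first login is a business requirement, the tenant-owns-domain check is the minimum guard, and it only helps if the mapping is populated from verified data rather than from the token itself.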
∗∗∗ Sextortion: inflation-hit fraudsters raise their demands ∗∗∗
---------------------------------------------
IT security researchers are observing price increases in current sextortion email scams. Apparently the fraudsters are feeling inflation too and need more money.
---------------------------------------------
https://www.heise.de/news/Sextortion-Inflationsgebeutelte-Betrueger-erhoehe…
∗∗∗ Outdated Routers: The Hidden Threat to Network Security, FBI Warns ∗∗∗
---------------------------------------------
The FBI recently warned that malicious actors are targeting end-of-life (EOL) routers (network devices that manufacturers no longer support or update). These outdated routers are being hijacked by bad actors who use them as a stepping stone into networks, turning them into cybercriminal proxies. The threat is real, and it’s growing.
---------------------------------------------
https://www.tripwire.com/state-of-security/outdated-routers-hidden-threat-n…
∗∗∗ How we turned a real car into a Mario Kart controller by intercepting CAN data ∗∗∗
---------------------------------------------
The PTP hack car is a second-hand 2016 Renault Clio that was bought because it was relatively cheap, was recent enough to feature an ‘eCall’ telematics module, small enough to fit in the garage attached to our lab and was local. It is used by our team to experiment and mess around with automotive testing on a real vehicle. It also uses a mixture of CAN and LIN for different components.
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-we-turned-a-real-car-into…
∗∗∗ Fake requests to change the salary account in the name of employees! ∗∗∗
---------------------------------------------
Anyone who receives an unexpected email from an employee asking for the bank details of their salary account to be changed should be especially alert. Criminals may be behind it, posing as real employees in order to redirect salary payments to their own account.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-anfragen-zur-aenderung-d…
∗∗∗ Common SCCM Misconfigurations Leading to Privilege Escalation ∗∗∗
---------------------------------------------
We often find that in environments that have a tiered model, where SCCM is used, there are plenty of misconfigurations which can be exploited. System Center Configuration Manager (SCCM), now known as Microsoft Configuration Manager (ConfigMgr), is a systems management platform used for deploying software, managing updates, and enforcing configuration settings across large numbers of Windows devices.
---------------------------------------------
https://www.truesec.com/hub/blog/sccm-tier-killer
∗∗∗ Decrement by one to rule them all: AsIO3.sys driver exploitation ∗∗∗
---------------------------------------------
Armory Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware to configure settings or retrieve critical parameters such as CPU temperature, fan speeds and firmware updates. Therefore, it is critical to ensure that drivers are well-written with security in mind and designed such that access to the driver interfaces are limited only to certain services and administrators.
---------------------------------------------
https://blog.talosintelligence.com/decrement-by-one-to-rule-them-all/
=====================
= Vulnerabilities =
=====================
∗∗∗ WinRAR patches bug letting malware launch from extracted archives ∗∗∗
---------------------------------------------
WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winrar-patches-bug-letting-m…
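The bug class here is path traversal on extraction: an archive entry named with `..` segments or an absolute path is written outside the directory the user chose, which on Windows is how a file lands in a Startup folder and runs at next logon. The following added Python example (not WinRAR's code and not from the advisory) shows the checks an extractor needs: a lexical check on every entry name before anything is written, then a second check on the resolved path. The sample archives, entry names and destination directory are constructed for the example.

```python
"""Archive extraction that refuses entries escaping the destination directory."""
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class UnsafeArchiveEntry(ValueError):
    pass


def is_safe_member(name: str) -> bool:
    """Lexical check on an archive entry name: relative, no drive letter, no '..' segment.
    Backslashes are treated as separators because a Windows extractor would."""
    name = name.replace("\\", "/")
    parts = PurePosixPath(name).parts
    if not parts or name.startswith("/"):
        return False
    if ":" in parts[0]:  # 'C:' style drive prefix
        return False
    return ".." not in parts


def safe_target(dest: Path, name: str) -> Path:
    """Map an entry name to an output path, or raise if it would leave `dest`."""
    if not is_safe_member(name):
        raise UnsafeArchiveEntry(f"refusing entry {name!r}")
    target = (dest / name.replace("\\", "/")).resolve()
    # Second line of defence after symlink resolution: the result must still sit under dest.
    if target != dest and dest not in target.parents:
        raise UnsafeArchiveEntry(f"entry {name!r} resolves outside {dest}")
    return target


def safe_extract(zip_bytes: bytes, dest_dir) -> list:
    """All-or-nothing: every entry is validated before the first byte is written."""
    dest = Path(dest_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_sample_archive(hostile: bool) -> bytes:
    """Constructed archive; with hostile=True it carries a '../' entry of the traversal kind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        if hostile:
            zf.writestr("../evil.txt", "would land outside the extraction root\n")
    return buf.getvalue()


def demo() -> dict:
    """Extract a clean and a hostile archive into a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        dest = base / "out"
        clean = [p.relative_to(dest).as_posix()
                 for p in safe_extract(build_sample_archive(False), dest)]
        try:
            safe_extract(build_sample_archive(True), dest)
            hostile = "extracted"
        except UnsafeArchiveEntry:
            hostile = "rejected"
        escaped = (base / "evil.txt").exists()
    return {"clean": clean, "hostile": hostile, "escaped_file_written": escaped}


if __name__ == "__main__":
    print(demo())
```

Validating the whole entry list before writing matters: an extractor that checks entry by entry has already dropped the benign files by the time it hits the hostile one, and a user who sees "partially extracted" will often retry with a less careful tool. The resolved-path check also covers an entry that points through a directory symlink already present in the destination, which the lexical check alone cannot see.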
∗∗∗ Hundreds of models affected: partly unpatchable vulnerabilities discovered in Brother printers ∗∗∗
---------------------------------------------
Security researchers from Rapid7 examined numerous multifunction printers for possible security vulnerabilities. They found a total of eight flaws across 748 different scanner and printer models. 689 of these models belong to Brother alone, the manufacturer at the focus of the investigation. But some devices from Fujifilm (46), Konica Minolta (6), Ricoh (5) and Toshiba (2) are also affected. At least one of the eight flaws apparently cannot simply be patched via a firmware update.
---------------------------------------------
https://www.golem.de/news/hunderte-modelle-betroffen-teils-unpatchbare-luec…
∗∗∗ Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC ∗∗∗
---------------------------------------------
Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0.
---------------------------------------------
https://thehackernews.com/2025/06/citrix-releases-emergency-patches-for.html
∗∗∗ ZDI-25-424: Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to bypass access restrictions on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability. The following CVEs are assigned: CVE-2025-6443.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-424/
∗∗∗ Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Notepad++ Vulnerability Allows Full System Takeover — PoC Released ∗∗∗
---------------------------------------------
A critical privilege escalation vulnerability (CVE-2025-49144) in Notepad++ v8.8.1 enables attackers to achieve full system control through a supply-chain attack. The flaw exploits the installer’s insecure search path behavior, allowing unprivileged users to escalate privileges to NT AUTHORITY\SYSTEM with minimal user interaction. This marks one of the most severe vulnerabilities discovered in the popular text editor, with proof-of-concept (PoC) exploitation materials now publicly available.
---------------------------------------------
https://gbhackers.com/notepad-vulnerability/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and libxml2), Fedora (firefox, libtpms, and tigervnc), Mageia (chromium-browser-stable and nss & firefox), Oracle (emacs, iputils, kernel, krb5, libarchive, mod_proxy_cluster, pam, perl-File-Find-Rule, perl-YAML-LibYAML, and qt5-qtbase), Red Hat (opentelemetry-collector, osbuild-composer, and weldr-client), SUSE (clamav, firefox, go1.24-openssl, and helm), and Ubuntu (libarchive, linux-azure, linux-azure-5.4, linux-azure-fips, linux-fips, linux-azure-nvidia, linux-oracle, linux-oracle-6.8, linux-raspi, linux-raspi-realtime, linux-xilinx-zynqmp, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/1027082/
∗∗∗ Security Advisory: Airoha-based Bluetooth Headphones and Earbuds ∗∗∗
---------------------------------------------
During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference. Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s Software Development Kit (SDK).
---------------------------------------------
https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/
∗∗∗ Drupal Security Advisories 2025-June-25 ∗∗∗
---------------------------------------------
https://www.drupal.org/security
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 24-06-2025 18:00 − Wednesday 25-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SonicWall warns of malware-laced fake NetExtender app ∗∗∗
---------------------------------------------
A version of the NetExtender VPN application manipulated by cybercriminals is currently in circulation. [..] To determine whether you have installed the fake version, open the properties of the NetExtender executable and check the "Digital Signatures" tab. If the signer is "CITYLIGHT MEDIA PRIVATE LIMITED", it is the infected version and admins should delete it immediately.
---------------------------------------------
https://www.heise.de/news/Sonicwall-warnt-vor-mit-Schadcode-verseuchter-Fak…
∗∗∗ Microsoft: details of the Windows 10 update extension for consumers ∗∗∗
---------------------------------------------
Microsoft had announced a support extension for Windows 10 home users. Now there are details, and it is even available free of charge. [..] Whether the Windows Backup option can really count as free depends heavily on how much data Microsoft pushes into the cloud storage. [..] Here those interested pay with their data.
---------------------------------------------
https://heise.de/-10458519
∗∗∗ Citrix Bleed part 2: vulnerability CVE-2025-5777 widens ∗∗∗
---------------------------------------------
As of June 23, 2025, the description of CVE-2025-5777 was apparently updated. On June 17, 2025, it still said that the "NetScaler Management Interface" should not be exposed to the Internet because of the vulnerability. As of June 23, 2025, the reference to the NetScaler Management Interface has been dropped (this can be checked under CVE-2025-5777 by clicking the "show changes" link under "Change History" at the bottom of the page).
---------------------------------------------
https://www.borncity.com/blog/2025/06/25/citrix-bleed-teil-2-schwachstelle-…
∗∗∗ Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity ∗∗∗
---------------------------------------------
GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025.
---------------------------------------------
https://www.greynoise.io/blog/surge-moveit-transfer-scanning-activity
∗∗∗ Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors ∗∗∗
---------------------------------------------
Dire Wolf is a newly emerged ransomware group first observed in May 2025 and Trustwave SpiderLabs recently uncovered a Dire Wolf ransomware sample that revealed for the first time key details about how the ransomware operates.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dire-wolf-s…
∗∗∗ Cybercriminal abuse of large language models ∗∗∗
---------------------------------------------
Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs. [..] As AI technology continues to develop, Cisco Talos expects cybercriminals to continue adopting LLMs to help streamline their processes, write tools/scripts that can be used to compromise users and generate content that can more easily bypass defenses. This new technology doesn’t necessarily arm cybercriminals with completely novel cyber weapons, but it does act as a force multiplier, enhancing and improving familiar attacks.
---------------------------------------------
https://blog.talosintelligence.com/cybercriminal-abuse-of-large-language-mo…
∗∗∗ What LLMs Know About Their Users ∗∗∗
---------------------------------------------
Simon Willison talks about ChatGPT’s new memory dossier feature. In his explanation, he illustrates how much the LLM—and the company—knows about its users.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/06/what-llms-know-about-their-u…
∗∗∗ Small figures, big hype: criminals increasingly lure victims into Labubu fake shops ∗∗∗
---------------------------------------------
Their worldwide success is attracting more and more fraudsters. We are talking about Labubu figures. Fake shops lure with supposed bargains, but in reality they only serve the criminals as a vehicle to harvest their victims' sensitive data and take their money.
---------------------------------------------
https://www.watchlist-internet.at/news/labubu-fake-shops/
∗∗∗ Post-Quantum Cryptography Implementation Enterprise-Readiness Analysis ∗∗∗
---------------------------------------------
Explore how enterprises are adopting post-quantum cryptography (PQC) using OpenSSL 3.5, hybrid TLS, and NIST-approved algorithms like Kyber and Dilithium. Learn about PQC implementation strategies, compliance timelines, tooling, and real-world deployments by Microsoft, Meta, Red Hat, and others preparing for quantum-safe encryption.
---------------------------------------------
https://www.darknet.org.uk/2025/06/post-quantum-cryptography-implementation…
∗∗∗ The Anatomy of a Business Email Compromise Attack ∗∗∗
---------------------------------------------
BEC attacks almost always start with an Email Account Compromise (EAC) – in other words, an attacker gets control of someone’s email inbox.
---------------------------------------------
https://www.truesec.com/hub/blog/the-anatomy-of-a-business-email-compromise…
=====================
= Vulnerabilities =
=====================
∗∗∗ Admin attacks on HPE OneView for VMware vCenter possible ∗∗∗
---------------------------------------------
The vulnerability listed in an advisory (CVE-2025-37101, rated "high") can enable attackers with read permissions to execute commands as admins. How such an attack could proceed in detail, and whether attackers are already exploiting the vulnerability, is currently not known.
---------------------------------------------
https://www.heise.de/news/Admin-Attacken-auf-HPE-OneView-fuer-VMware-vCente…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (commons-beanutils, dcmtk, nginx, trafficserver, and xorg-server), Fedora (atuin, awatcher, dotnet8.0, firefox, glibc, gotify-desktop, keylime-agent-rust, libtpms, mirrorlist-server, qt6-qtbase, qt6-qtimageformats, udisks2, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (apache-mod_security, clamav, docker, python-django, tomcat, udisks2, and yarnpkg), Oracle (firefox, libblockdev, mod_auth_openidc, perl-FCGI, perl-YAML-LibYAML, tigervnc, and xorg-x11-server and xorg-x11-server-Xwayland), Slackware (libssh and mozilla), SUSE (gimp, gstreamer-plugins-good, icu, ignition, kernel, pam-config, perl-File-Find-Rule, python311, and webkit2gtk3), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-azure, linux-azure, linux-azure-6.8, linux-azure-5.15, linux-azure-fips, and linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1026848/
∗∗∗ TeamViewer: Incorrect Permission Assignment for Critical Resource in TeamViewer Remote Management ∗∗∗
---------------------------------------------
Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior to version 15.67 (and additional versions listed below) on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges by leveraging the MSI rollback mechanism. To exploit this vulnerability, an attacker needs local access to the Windows system. CVE-2025-36537
---------------------------------------------
https://www.teamviewer.com/de/resources/trust-center/security-bulletins/tv-…
∗∗∗ Parsons AccuWeather Widget ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06
∗∗∗ Kaleris Navis N4 Terminal Operating System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01
∗∗∗ Delta Electronics CNCSoft ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-02
∗∗∗ MICROSENS NMP Web+ ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07
∗∗∗ ControlID iDSecure On-Premises ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05
∗∗∗ f5: K000152048: Dnsmasq vulnerability CVE-2019-14834 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152048
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 23-06-2025 18:00 − Tuesday 24-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Effects of the military conflict between Israel and Iran on Austria ∗∗∗
---------------------------------------------
Available analyses by international authorities and security companies have recorded increased activity by threat actors from all parties to the conflict since the start of the current military confrontation between Israel and Iran. [..] According to our observations so far, there have not yet been any direct attacks on, or effects for, local companies or organisations.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/6/auswirkungen
∗∗∗ FileFix attack weaponizes Windows File Explorer for stealthy commands ∗∗∗
---------------------------------------------
A cybersecurity researcher has developed FileFix, a variant of the ClickFix social engineering attack that tricks users into executing malicious commands via the File Explorer address bar in Windows.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-wi…
∗∗∗ Police mobile phones unusable since cyberattack ∗∗∗
---------------------------------------------
An attack on the service mobile phones of the police in Mecklenburg-Vorpommern could have greater consequences than assumed. The phones are currently not in use.
---------------------------------------------
https://heise.de/-10456563
∗∗∗ BSI warns: fewer and fewer people use 2FA and secure passwords ∗∗∗
---------------------------------------------
A new study by the BSI shows a worrying trend. Despite the high threat level, people are behaving ever more carelessly online.
---------------------------------------------
https://www.golem.de/news/bsi-warnt-immer-weniger-menschen-nutzen-2fa-und-s…
∗∗∗ Remote code execution in CentOS Web Panel - CVE-2025-48703 ∗∗∗
---------------------------------------------
This exploitation scenario has been tested on versions 0.9.8.1204 and 0.9.8.1188 on Centos7 and was reported to the CWP developers on the 13th of May 2025 as CVE-2025-48703. It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server. The vulnerability has been patched in the latest version, 0.9.8.1205, during June 2025.
---------------------------------------------
https://fenrisk.com/rce-centos-webpanel
∗∗∗ The State of Ransomware 2025 ∗∗∗
---------------------------------------------
Explore the causes and consequences of ransomware in 2025 based on findings from a vendor-agnostic survey of 3,400 organizations hit by ransomware in the last year.
---------------------------------------------
https://news.sophos.com/en-us/2025/06/24/the-state-of-ransomware-2025/
∗∗∗ Echo Chamber Jailbreak Tricks LLMs Like OpenAI and Google into Generating Harmful Content ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new jailbreaking method called Echo Chamber that could be leveraged to trick popular large language models (LLMs) into generating undesirable responses, irrespective of the safeguards put in place.
---------------------------------------------
https://thehackernews.com/2025/06/echo-chamber-jailbreak-tricks-llms-like.h…
∗∗∗ Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network ∗∗∗
---------------------------------------------
Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments.
---------------------------------------------
https://thehackernews.com/2025/06/hackers-exploit-misconfigured-docker.html
∗∗∗ A Deep Dive into a Modular Malware Family ∗∗∗
---------------------------------------------
In today’s blog post we highlighted an interesting malware family targeting various systems with diverse capabilities, including stealing credit card information and WordPress credentials. Additionally, we detailed a novel bundle of credit card skimmers and malicious WordPress plugins which combines malicious actions with features developed for the attacker’s convenience.
---------------------------------------------
https://www.wordfence.com/blog/2025/06/a-deep-dive-into-a-modular-malware-f…
=====================
= Vulnerabilities =
=====================
∗∗∗ Splunk Security Advisories 2025-06-23 ∗∗∗
---------------------------------------------
Splunk released 4 security advisories (1x critical).
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dns-root-data and xorg-server), Fedora (glibc, mingw-glib2, and optipng), Red Hat (iputils, kernel, kernel-rt, krb5, libarchive, mod_auth_openidc, mod_proxy_cluster, and xorg-x11-server-Xwayland), SUSE (python313), and Ubuntu (fig2dev, gnuplot, gss-ntlmssp, linux, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-aws-5.15, linux-gcp-5.15, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-aws-fips, linux-fips, linux-gcp-fips, linux-hwe-5.15, linux-intel-iot-realtime, and linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1026646/
∗∗∗ Kanboard: security vulnerability enables account takeover ∗∗∗
---------------------------------------------
In the open-source Kanban tool Kanboard, attackers can forge links that lead to account takeover. [..] The Kanboard developers provide updated sources and also Docker containers; they link to them in the release notes and discuss the Docker update.
---------------------------------------------
https://heise.de/-10457116
∗∗∗ Mozilla Firefox June 24, 2025 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ f5: K000151924: runc vulnerability CVE-2024-45310 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151924
∗∗∗ Case update: DIVD-2025-00032 - Unauthenticated Arbitrary Remote Code Execution in Pterodactyl ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2025-00032/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 20-06-2025 18:00 − Monday 23-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WordPress Motors theme flaw mass-exploited to hijack admin accounts ∗∗∗
---------------------------------------------
Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-motors-theme-flaw-…
∗∗∗ Canada says Salt Typhoon hacked telecom firm via Cisco flaw ∗∗∗
---------------------------------------------
The Canadian Centre for Cyber Security and the FBI confirm that the Chinese state-sponsored Salt Typhoon hacking group is also targeting Canadian telecommunication firms, breaching a telecom provider in February.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/canada-says-salt-typhoon-hac…
∗∗∗ ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware ∗∗∗
---------------------------------------------
Since March 2025 there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them.
---------------------------------------------
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
∗∗∗ SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play ∗∗∗
---------------------------------------------
SparkKitty, a new Trojan spy for iOS and Android, spreads through untrusted websites, the App Store, and Google Play, stealing images from users' galleries.
---------------------------------------------
https://securelist.com/sparkkitty-ios-android-malware/116793/
∗∗∗ Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms ∗∗∗
---------------------------------------------
The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals. The new feature takes the form of a "Call Lawyer" feature on the affiliate panel, per Israeli cybersecurity company Cybereason.
---------------------------------------------
https://thehackernews.com/2025/06/qilin-ransomware-adds-call-lawyer.html
∗∗∗ Google Adds Multi-Layered Defenses to Secure GenAI from Prompt Injection Attacks ∗∗∗
---------------------------------------------
Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems.
---------------------------------------------
https://thehackernews.com/2025/06/google-adds-multi-layered-defenses-to.html
∗∗∗ XDigo Malware Exploits Windows LNK Flaw in Eastern European Government Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut (LNK) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said.
---------------------------------------------
https://thehackernews.com/2025/06/xdigo-malware-exploits-windows-lnk-flaw.h…
∗∗∗ Record DDoS attack at 7.3 TBit/s ∗∗∗
---------------------------------------------
In mid-May, Cloudflare blocked the "largest ever recorded" denial-of-service attack (DDoS), at a previously almost unimaginable 7.3 terabits per second (TBit/s). The US provider of IT security and internet performance solutions announced this on Friday.
---------------------------------------------
https://www.heise.de/news/Junk-Traffic-Flut-Rekord-DDoS-Angriff-auf-Provide…
∗∗∗ Fake reminder SMS in the name of the Ministry of Finance! ∗∗∗
---------------------------------------------
There is currently a phishing wave of alleged SMS messages from the Federal Ministry of Finance (BMF). They claim that a seizure is imminent because several payment reminders were allegedly ignored. Attention: do not pay this demand! The message does not come from the Ministry of Finance, and your money ends up with criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-mahn-sms-im-namen-des-fi…
∗∗∗ New Detection Method Uses Hackers’ Own Jitter Patterns Against Them ∗∗∗
---------------------------------------------
A new detection method from Varonis Threat Labs turns hackers' sneaky random patterns into a way to catch hidden cyberattacks. Learn about Jitter-Trap and how it boosts cybersecurity defenses.
---------------------------------------------
https://hackread.com/cyber-detection-hackers-jitter-patterns-against-them/
∗∗∗ Report Warns of Sophisticated DDoS Campaigns Crippling Global Banks ∗∗∗
---------------------------------------------
A new FS-ISAC and Akamai report warns that sophisticated DDoS attacks are severely impacting the global financial sector, leading to multi-day outages. Learn about these evolving threats and how institutions can strengthen defences.
---------------------------------------------
https://hackread.com/sophisticated-ddos-campaigns-crippling-global-banks/
∗∗∗ More security, less manual work: AWS brings AI security ∗∗∗
---------------------------------------------
Security Hub, Shield and GuardDuty XTD receive new features: with a specially trained AI, AWS wants to speed up important security measures.
---------------------------------------------
https://heise.de/-10455859
∗∗∗ Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs ∗∗∗
---------------------------------------------
Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems.
---------------------------------------------
https://thecyberexpress.com/ukrainian-government-systems-targeted/
=====================
= Vulnerabilities =
=====================
∗∗∗ Opening is enough: WinRAR flaw lets attackers execute malicious code ∗∗∗
---------------------------------------------
The developer of WinRAR has closed a dangerous security vulnerability in its widely used archiving program that allows attackers to execute their own code on other people's systems. So far, the patch appears to be included only in the beta version WinRAR 7.12 Beta 1, released on 10 June.
---------------------------------------------
https://www.golem.de/news/packprogramm-winrar-schwachstelle-ermoeglicht-aus…
∗∗∗ IBM QRadar SIEM: auto-update files can be contaminated with malicious code ∗∗∗
---------------------------------------------
Attackers can exploit several security vulnerabilities in IBM QRadar SIEM and, in the worst case, execute malicious code. A security patch closes several of the holes.
---------------------------------------------
https://www.heise.de/news/IBM-QRadar-SIEM-Autoupdate-Dateien-mit-Schadcode-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libblockdev and open-vm-tools), Debian (debian-security-support, gdk-pixbuf, konsole, and node-send), Fedora (apache-commons-beanutils, chromium, clamav, dotnet9.0, libblockdev, mediawiki, mingw-python-setuptools, pam, perl-File-Find-Rule, python-pycares, python-setuptools, spdlog, udisks2, and xorg-x11-server-Xwayland), Mageia (chromium-browser-stable), Oracle (apache-commons-beanutils, container-tools:ol8, gimp:2.8, idm:DL1, perl-FCGI:0.78, and postgresql), Red Hat (container-tools:rhel8, delve, git-lfs, go-toolset:rhel8, grafana, kernel, mod_auth_openidc, and spice-client-win), SUSE (apache-commons-beanutils, apache2-mod_security2, distribution, gstreamer-plugins-good, icu, ignition, perl, python310, python311, python312, and python39), and Ubuntu (apache-log4j1.2 and botan).
---------------------------------------------
https://lwn.net/Articles/1026498/
∗∗∗ Fortinet: Buffer overflow in fgfmd ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-036
∗∗∗ F5: K000151740, Ruby vulnerability CVE-2024-47220 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151740
∗∗∗ Fortinet: Teleport Remote Authentication Bypass ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6132
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 18-06-2025 18:00 − Friday 20-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Telecom giant Viasat breached by China's Salt Typhoon hackers ∗∗∗
---------------------------------------------
Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber-espionage group, which has previously hacked into the networks of multiple other telecom providers in the United States and worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telecom-giant-viasat-breache…
∗∗∗ Grok and Mixtral without limits: new AI tools generate phishing emails and malware ∗∗∗
---------------------------------------------
WormGPT was one of the first large language models intended specifically for cybercriminal activity, and it could generate extremely convincing phishing emails. While the original disappeared again after only a few weeks, new LLMs under the same name have taken its place.
---------------------------------------------
https://www.golem.de/news/wormgpt-ist-zurueck-neue-ki-modelle-unterstuetzen…
∗∗∗ Cyberattacks: North Korean hackers impersonate superiors in video conferences ∗∗∗
---------------------------------------------
According to Bleeping Computer, the North Korean hacker group Bluenoroff has for some time been using a perfidious method to smuggle malware into companies. The goal is apparently to siphon off cryptocurrency, which the Bluenoroff group, said to be a subgroup of Lazarus, is known for.
---------------------------------------------
https://www.golem.de/news/cyberangriffe-nordkoreanische-hacker-faken-vorges…
∗∗∗ Cybersecurity: Iran is said to have hacked Israeli security cameras ∗∗∗
---------------------------------------------
Iranian hackers are said to have accessed private surveillance cameras in Israel to gather information. As Bloomberg reports, citing a piece on Israeli radio, a former Israeli cybersecurity official has urged the public to switch off private surveillance cameras or change their passwords.
---------------------------------------------
https://www.golem.de/news/cybersicherheit-iran-soll-israelische-sicherheits…
∗∗∗ Analysis of a Malicious WordPress Plugin: The Covert Redirector ∗∗∗
---------------------------------------------
A few weeks ago, we received a support request from a website owner who was experiencing unexpected redirects. Visitors landed on the website normally, but after about 4–5 seconds, the site redirected them to unrelated and suspicious websites. During the investigation, we discovered a malicious plugin that was responsible for this behavior, continuing the trend of attackers using fake WordPress plugins.
---------------------------------------------
https://blog.sucuri.net/2025/06/analysis-of-a-malicious-wordpress-plugin-th…
∗∗∗ New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains ∗∗∗
---------------------------------------------
A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails. The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix.
---------------------------------------------
https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html
∗∗∗ Proxy: bypass of restrictions in Apache Traffic Server possible ∗∗∗
---------------------------------------------
Two security vulnerabilities have been discovered in Apache Traffic Server (ATS), an open-source proxy server. Attackers can abuse them to bypass access restrictions or to carry out denial-of-service attacks. Updated sources are available to fix the flaws.
---------------------------------------------
https://www.heise.de/news/Proxy-Umgehung-von-Beschraenkungen-in-Apache-Traf…
∗∗∗ Resurgence of the Prometei Botnet ∗∗∗
---------------------------------------------
In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant.
---------------------------------------------
https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/
∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗
---------------------------------------------
Since November 2024, AhnLab has been working with the NCSC to analyze the malicious IRC server and related malware, to classify the unidentified threat actor as Larva-24013 and trace their activities, and has confirmed their association with the Shadow Force group. AhnLab manages malicious activities in four stages through the "Threat Actor Naming and Taxonomy," classifying threat actors as "Larva" (unidentified threat actors) and "Arthropod" (identified threat actors). Following AhnLab's threat actor taxonomy and naming convention, the threat actor has been identified and named TA-ShadowCricket.
---------------------------------------------
https://asec.ahnlab.com/en/88137/
∗∗∗ Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages ∗∗∗
---------------------------------------------
Cybercriminals are finding clever new ways to trick people, even on the official websites of major companies. Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands.
---------------------------------------------
https://hackread.com/scammers-fake-support-numbers-real-apple-netflix-paypa…
∗∗∗ Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories ∗∗∗
---------------------------------------------
ReversingLabs researchers recently uncovered a new and worrying attack method led by a group called Banana Squad. This group, first identified by Checkmarx researchers in October 2023, is known for their sneaky methods, with their name coming from an early harmful internet address, bananasquadru.
---------------------------------------------
https://hackread.com/banana-squad-data-stealing-malware-github-repositories/
∗∗∗ New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack ∗∗∗
---------------------------------------------
A new and concerning cyber threat, dubbed Mocha Manakin, has been identified by cybersecurity research firm Red Canary. First tracked in January 2025, this threat uniquely combines social engineering (tricking people) with specially built malicious software.
---------------------------------------------
https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack/
∗∗∗ What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia ∗∗∗
---------------------------------------------
In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high risk users.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-…
∗∗∗ Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords ∗∗∗
---------------------------------------------
In recent years, users' familiarity with common phishing tactics, increasingly advanced detection and blocking by platforms, and the rise in use of Multi-Factor Authentication (MFA) have all contributed to changes in the ways that attackers phish accounts. The introduction of more secure forms of MFA, such as hardware security keys, has also closed off certain avenues of social engineering.
---------------------------------------------
https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-…
∗∗∗ Scammers use postal mail to defraud Ledger wallet owners ∗∗∗
---------------------------------------------
Anyone who handles cryptocurrencies and crypto assets has surely at least considered hardware wallets such as Ledger's. A reader has now received an insufficiently stamped letter. With it, criminals are trying to take over the Ledger crypto wallet and empty it.
---------------------------------------------
https://heise.de/-10453136
∗∗∗ Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion ∗∗∗
---------------------------------------------
On June 11, 2025, Huntress received contact from a partner saying that an end user had potentially downloaded a malicious Zoom extension. The depth of the intrusion became immediately apparent upon installing the Huntress EDR agent, and after some analysis it was discovered that the lure used to gain access had been received by the victim several weeks prior. This post aims to provide a detailed analysis of the intrusion from beginning to end, including a full breakdown of several new pieces of malware used by the threat actors.
---------------------------------------------
https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
∗∗∗ Israel-Iran Conflict Sparks Wider Cyber Conflict, New Malware ∗∗∗
---------------------------------------------
The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a wider cyber conflict in the region, including the launch of new malware campaigns.
---------------------------------------------
https://thecyberexpress.com/israel-iran-conflict-hacktivism/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gvisor-tap-vsock), Debian (activemq and chromium), Fedora (kea, python-django4.2, python-django5, python-setuptools, and rust-git-interactive-rebase-tool), Oracle (ipa and kernel), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, gvisor-tap-vsock, podman, and skopeo), Slackware (libblockdev and xorg), SUSE (gdm, gstreamer-plugins-base, ignition, kernel, pam, redis, s390-tools, screen, systemd, and xorg-x11-server), and Ubuntu (godot, golang-1.22, libblockdev, node-express, pam, samba, and udisks2).
---------------------------------------------
https://lwn.net/Articles/1026007/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by SUSE (apache2-mod_security2, augeas, ghc-pandoc, gstreamer, ignition, kernel, libblockdev, libxml2, nodejs20, openssl-3, pam_pkcs11, perl, python3, systemd, ucode-intel, webkit2gtk3, and xen) and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-gcp-fips, python3.13, python3.12, and roundcube).
---------------------------------------------
https://lwn.net/Articles/1026281/
∗∗∗ Critical vulnerabilities CVE-2025-6018 and CVE-2025-6019 in Linux systems ∗∗∗
---------------------------------------------
Security researchers from Qualys TRU have uncovered two linked, critical vulnerabilities in Linux. Starting from SUSE 15, the LPE chain leads directly to root access in the default configurations of many Linux distributions.
---------------------------------------------
https://www.borncity.com/blog/2025/06/19/kritische-schwachstellen-in-linux-…
∗∗∗ Cisco Meraki MX and Z: attackers can interrupt VPN connections ∗∗∗
---------------------------------------------
The Cisco AnyConnect VPN server of Cisco Meraki MX and Z is vulnerable. Attackers can also exploit a vulnerability in ClamAV. Security patches are available for download. So far there are no reports of attacks.
---------------------------------------------
https://heise.de/-10452498
∗∗∗ ZDI-25-408: PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-408/
∗∗∗ ZDI-25-410: Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-410/
∗∗∗ ZDI-25-409: RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-409/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 9, 2025 to June 15, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/06/wordfence-intelligence-weekly-wordpr…