- Daily - CERT.at

Tageszusammenfassung - 24.07.2025
by Daily end-of-shift report 24 Jul '25

24 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-07-2025 18:00 − Donnerstag 24-07-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Microsoft: SharePoint servers also targeted in ransomware attacks ∗∗∗ --------------------------------------------- A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-servers… ∗∗∗ Hackers breach Toptal GitHub account, publish malicious npm packages ∗∗∗ --------------------------------------------- Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. The packages included data-stealing code that collected GitHub authentication tokens and then wiped the victims' systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-toptal-github… ∗∗∗ Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware ∗∗∗ --------------------------------------------- The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners. --------------------------------------------- https://thehackernews.com/2025/07/threat-actor-mimo-targets-magento-and.html ∗∗∗ Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions. --------------------------------------------- https://thehackernews.com/2025/07/hackers-deploy-stealth-backdoor-in.html ∗∗∗ China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community ∗∗∗ --------------------------------------------- The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz. --------------------------------------------- https://thehackernews.com/2025/07/china-based-apts-deploy-fake-dalai-lama.h… ∗∗∗ Stealthy cyber spies linked to China compromising virtualization software globally ∗∗∗ --------------------------------------------- A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia. --------------------------------------------- https://therecord.media/stealthy-china-spies-fire-ant-virtualization-softwa… ∗∗∗ Unmasking the new Chaos RaaS group attacks ∗∗∗ --------------------------------------------- Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks. --------------------------------------------- https://blog.talosintelligence.com/new-chaos-ransomware/ ∗∗∗ Comeback von Lumma und NoName057(16): Cybercrime-Zerschlagung misslungen ∗∗∗ --------------------------------------------- Gelingt Strafverfolgungsbehörden ein größerer Schlag gegen Akteure und Infrastrukturen des Cybercrime, so ist der Rückgang der verbrecherischen Aktivitäten selten von Dauer: Nach ein paar internen Umbauten setzen sie ihre Angriffe häufig fort, als sei (fast) nichts geschehen. --------------------------------------------- https://heise.de/-10498191 ∗∗∗ Mitel warns of critical MiVoice MX-ONE authentication bypass flaw ∗∗∗ --------------------------------------------- Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mitel-warns-of-critical-mivo… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges admins to patch critical RCE flaw in SMA 100 devices ∗∗∗ --------------------------------------------- SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution. The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack). --------------------------------------------- https://lwn.net/Articles/1031274/ ∗∗∗ K000152680: BusyBox vulnerability CVE-2024-58251 ∗∗∗ --------------------------------------------- Attackers can launch network applications as local users leading to a denial-of-service (DoS). As attackers require local access to run netstat commands, the attack is limited to only the netstat command. --------------------------------------------- https://my.f5.com/manage/s/article/K000152680 ∗∗∗ K000152678: BusyBox vulnerability CVE-2025-46394 ∗∗∗ --------------------------------------------- An attacker could exploit this vulnerability by creating a TAR archive containing malicious files with names manipulated by escape sequences. When a user lists or extracts the contents of the archives, these malicious files might not be visible in the standard terminal output and may overwrite existing files. --------------------------------------------- https://my.f5.com/manage/s/article/K000152678 ∗∗∗ DSA-5964-1 firefox-esr - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00128.html ∗∗∗ DSA-5965-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00129.html ∗∗∗ CVE-2025-6983 - TP-Link Archer C1200 vulnerable to clickjacking ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN39913189/ ∗∗∗ CVE-2025-8092 - COOKiES Consent Management - Moderately critical - Cross-site Scripting ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-092 ∗∗∗ CVE-2025-7745 - 2025-07-24: Cyber Security Advisory -AC500 V2 Buffer overread on Modbus protocol ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR011432&Language… ∗∗∗ CVE-2025-8069 - AWS Client VPN Windows Client Local Privilege Escalation ∗∗∗ --------------------------------------------- https://aws.amazon.com/de/security/security-bulletins/AWS-2025-014/ ∗∗∗ CVE-2024-58256 - Security Advisory - OS Command Injection Vulnerability in Huawei EnzoH Products ∗∗∗ --------------------------------------------- http:www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-OCIViHEP-en.html ∗∗∗ [R1] Tenable Identity Exposure Version 3.77.12 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-14 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2025
by Daily end-of-shift report 23 Jul '25

23 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-07-2025 18:00 − Mittwoch 23-07-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Major European healthcare network discloses security breach ∗∗∗ --------------------------------------------- AMEOS Group, an operator of a massive healthcare network in Central Europe, has announced it has suffered a security breach that may have exposed customer, employee, and partner information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/major-european-healthcare-ne… ∗∗∗ CISA warns of hackers exploiting SysAid vulnerabilities in attacks ∗∗∗ --------------------------------------------- CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ US nuclear weapons agency reportedly hacked in SharePoint attacks ∗∗∗ --------------------------------------------- Unknown threat actors have reportedly breached the National Nuclear Security Administrations (NNSA) network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-re… ∗∗∗ Mehr als 700 Modelle: Unzählige Drucker werden über Sicherheitslücken attackiert ∗∗∗ --------------------------------------------- Hunderte Druckermodelle von Brother, Fujifilm, Konica Minolta, Ricoh und Toshiba sind angreifbar. Angreifer nutzen die Sicherheitslücken nun aus. --------------------------------------------- https://www.golem.de/news/mehr-als-700-modelle-unzaehlige-drucker-werden-ue… ∗∗∗ CCC und GFF: Verfassungsbeschwerde gegen Polizeisoftware von Palantir ∗∗∗ --------------------------------------------- Die bayerische Polizei ist begeistert von der Palantir-Software. Doch Bürgerrechtlern und Hackern geht der Einsatz zu weit. --------------------------------------------- https://www.golem.de/news/ccc-und-gff-verfassungsbeschwerde-gegen-polizeiso… ∗∗∗ Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages ∗∗∗ --------------------------------------------- Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers" Matthew Suozzo, Google Open Source Security. --------------------------------------------- https://thehackernews.com/2025/07/google-launches-oss-rebuild-to-expose.html ∗∗∗ Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack ∗∗∗ --------------------------------------------- Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. --------------------------------------------- https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html ∗∗∗ New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials ∗∗∗ --------------------------------------------- The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information. --------------------------------------------- https://thehackernews.com/2025/07/new-coyote-malware-variant-exploits.html ∗∗∗ Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine ∗∗∗ --------------------------------------------- Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations. --------------------------------------------- https://hackread.com/suspected-xss-is-admin-cybercrime-forum-arrest-ukraine/ ∗∗∗ Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload ∗∗∗ --------------------------------------------- Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404. --------------------------------------------- https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fa… ∗∗∗ Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects. The vulnerability, classified as "Use of Insufficiently Random Values" affects multiple versions of the package and can lead to HTTP Parameter Pollution (HPP) attacks. --------------------------------------------- https://socket.dev/blog/critical-vulnerability-in-popular-npm-form-data-pac… ===================== = Vulnerabilities = ===================== ∗∗∗ Chrome, Firefox & Thunderbird: Neue Versionen beheben Schwachstellen ∗∗∗ --------------------------------------------- Frische Browser- und Mailclient-Releases von Google und Mozilla beseitigen Lücken mit teils hohem Schweregrad. --------------------------------------------- https://www.heise.de/news/Chrome-Firefox-Thunderbird-Neue-Versionen-beheben… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound). --------------------------------------------- https://lwn.net/Articles/1031104/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released nine Industrial Control Systems (ICS) advisories on July 22, 2025: DuraComm DP-10iN-100-MU, Lantronix Provisioning Manager, Schneider Electric EcoStruxure, Schneider Electric EcoStruxure Power Operation, Schneider Electric System Monitor Application, Schneider Electric EcoStruxture IT Data Center Expert, ICSA-25-175-03 Schneider Electric Modicon Controllers (Update A), ICSA-25-175-04 Schneider Electric EVLink WallBox (Update A), ICSA-25-014-02 Schneider Electric Vijeo Designer (Update A). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-releases-nine-indus… ∗∗∗ [CVE-2025-48932] Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://www.reddit.com/r/netsec/comments/1m757kw/cve202548932_invision_comm… ∗∗∗ [CVE-2025-48933] Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://www.reddit.com/r/netsec/comments/1m7578r/cve202548933_invision_comm… ∗∗∗ ZDI-25-629: (0Day) Ashlar-Vellum Cobalt LI File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-629/ ∗∗∗ ZDI-25-640: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-640/ ∗∗∗ ZDI-25-639: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-639/ ∗∗∗ ZDI-25-638: (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-638/ ∗∗∗ Firefox 141.0 released ∗∗∗ --------------------------------------------- https://lwn.net/Articles/1030971/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2025
by Daily end-of-shift report 22 Jul '25

22 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 21-07-2025 18:00 − Dienstag 22-07-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ring denies breach after users report suspicious logins ∗∗∗ --------------------------------------------- Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ring-denies-breach-after-use… ∗∗∗ Cisco: Maximum-severity ISE RCE flaws now exploited in attacks ∗∗∗ --------------------------------------------- Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-r… ∗∗∗ Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX. --------------------------------------------- https://thehackernews.com/2025/07/iran-linked-dchspy-android-malware.html ∗∗∗ Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access ∗∗∗ --------------------------------------------- The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe. --------------------------------------------- https://thehackernews.com/2025/07/hackers-exploit-sharepoint-zero-day.html ∗∗∗ Disrupting active exploitation of on-premises SharePoint vulnerabilities ∗∗∗ --------------------------------------------- As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-… ∗∗∗ Back to Business: Lumma Stealer Returns with Stealthier Methods ∗∗∗ --------------------------------------------- Lumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears to be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security Updates for Firefox ∗∗∗ --------------------------------------------- Firefox released Security Updates for Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1 and Firefox for iOS 141. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ ExpressVPN bug leaked user IPs in Remote Desktop sessions ∗∗∗ --------------------------------------------- ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users real IP addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-i… ∗∗∗ HPE Aruba Instant On Access Points: Update schließt teils kritische Lücken ∗∗∗ --------------------------------------------- HPE Aruba Networking hat eine Sicherheitswarnung für seine "Instant On" Access Points veröffentlicht. Das Unternehmen warnt darin vor zwei Schwachstellen, von denen eine als kritisch eingestuft wurde. --------------------------------------------- https://www.heise.de/news/HPE-Aruba-Instant-On-Access-Points-Update-schlies… ∗∗∗ Sophos Firewall: Hotfixes beseitigen Remote-Angriffsgefahr ∗∗∗ --------------------------------------------- Frische Hotfixes für die Sophos Firewall schließen insgesamt fünf Sicherheitslücken, von denen zwei als "kritisch", zwei mit einem hohen und eine mit mittlerem Schweregrad bewertet wurden. Sie könnten unter bestimmten Bedingungen zur Codeausführung aus der Ferne missbraucht werden – in zwei Fällen ohne vorherige Authentifizierung. --------------------------------------------- https://www.heise.de/news/Sophos-Firewall-Hotfixes-beseitigen-Remote-Angrif… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri). --------------------------------------------- https://lwn.net/Articles/1030930/ ∗∗∗ Synology-SA-25:08 BeeDrive for desktop ∗∗∗ --------------------------------------------- Synology has released a security update for the BeeDrive desktop tool on Windows to address multiple vulnerabilities. Please refer to the Affected Products table for the corresponding updates. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_08 ∗∗∗ Vulnerability Summary for the Week of July 14, 2025 ∗∗∗ --------------------------------------------- The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb25-202 ∗∗∗ Vulnerability in Kubernetes: CVE-2025-7342, CVSS Rating High 8.1 ∗∗∗ --------------------------------------------- A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Nutanix or the OVA provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/133115 ∗∗∗ VDE: MB connect line, Multiple vulnerabilities in mbNET.mini ∗∗∗ --------------------------------------------- https://certvde.com/en/advisories/VDE-2025-058/ ∗∗∗ VDE: Helmholz, Multiple vulnerabilities in REX 100 ∗∗∗ --------------------------------------------- https://certvde.com/en/advisories/VDE-2025-059/ ∗∗∗ TYPO3-EXT-SA-2025-010: Insecure Direct Object Reference in extension "femanager" (femanager) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-010 ∗∗∗ TYPO3-EXT-SA-2025-009: Insecure Direct Object Reference in extension "powermail" (powermail) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-009 ∗∗∗ F5: K000152658, Golang vulnerability CVE-2024-45341 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000152658 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2025
by Daily end-of-shift report 21 Jul '25

21 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-07-2025 18:00 − Montag 21-07-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Threat actors downgrade FIDO2 MFA auth in PoisonSeed phishing attack ∗∗∗ --------------------------------------------- A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests from fake company portals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido… ∗∗∗ The SOC files: APT41’s new target in Africa ∗∗∗ --------------------------------------------- Some time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African region. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a captive SharePoint server within the victim’s infrastructure. --------------------------------------------- https://securelist.com/apt41-in-africa/116986/ ∗∗∗ UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns ∗∗∗ --------------------------------------------- Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign. --------------------------------------------- https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html ∗∗∗ Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. --------------------------------------------- https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html ∗∗∗ EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware ∗∗∗ --------------------------------------------- The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware. --------------------------------------------- https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html ∗∗∗ Neue Betrugsmasche mit manipulierten Rechnungen ∗∗∗ --------------------------------------------- Mir ist eine merkwürdige Information zu einer neuen Betrugsmasche zugegangen. Ein Verkäufer und ein Käufer vereinbaren einen Handel. Der Verkäufer schickt eine Rechnung, die der Käufer auch bezahlt. Das Geld landet aber auf einem fremden Konto, weil die Rechnung auf dem Versandweg manipuliert wurde. --------------------------------------------- https://www.borncity.com/blog/2025/07/19/neue-betrugsmasche-mit-manipuliert… ∗∗∗ SquidLoader Malware Campaign Hits Hong Kong Financial Firms ∗∗∗ --------------------------------------------- Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia. --------------------------------------------- https://hackread.com/squidloader-malware-hits-hong-kong-financial-firms/ ∗∗∗ New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia ∗∗∗ --------------------------------------------- Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration. --------------------------------------------- https://hackread.com/new-ghostcontainer-malware-ms-exchange-servers-asia/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Microsoft SharePoint - aktiv ausgenützt, Updates verfügbar ∗∗∗ --------------------------------------------- Microsoft hat außerhalb des regulären Patchzyklus Informationen zu, sowie Sicherheitsaktualisierungen für eine kritische Zero-Day-Schwachstelle in Microsoft SharePoint veröffentlicht. Die Sicherheitslücke CVE-2025-53770 wird seit zumindest 18.07.2025 durch Bedrohungsakteure ausgenutzt. Bei der Lücke handelt es sich um eine Variante eines bereits bekannten und behobenen Problems, CVE-2025-49706. --------------------------------------------- https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-in-micro… ∗∗∗ CrushFTP: Ältere Versionen können unbefugten Admin-Zugriff gewähren ∗∗∗ --------------------------------------------- CVE-2025-54309: Wer CrushFTP für den Datentransfer nutzt, sollte die verwendete Version auf Aktualität prüfen. Das Entwicklerteam hat am vergangenen Freitag Angriffe in freier Wildbahn auf ältere Ausgaben entdeckt, die schlimmstenfalls zu einer Übernahme des Admin-Accounts durch Angreifer führen könnten. --------------------------------------------- https://www.heise.de/news/CrushFTP-Aeltere-Versionen-koennen-unbefugten-Adm… ∗∗∗ Admin-Zugriff für alle: Fest kodierte Zugangsdaten in HPE-Geräten entdeckt ∗∗∗ --------------------------------------------- Der US-amerikanische IT-Konzern Hewlett Packard Enterprise (HPE) hat zwei Sicherheitslücken in seinen Instant-On-Access-Points geschlossen. Eine davon basiert auf fest kodierten Zugangsdaten und verleiht Angreifern auf anfälligen Systemen einen Admin-Zugriff. Die zweite Lücke ermöglicht eine unrechtmäßige Befehlsausführung auf dem Betriebssystem der HPE-Geräte. Administratoren sollten dringend die verfügbaren Patches einspielen. --------------------------------------------- https://www.golem.de/news/admin-zugriff-fuer-alle-fest-kodierte-zugangsdate… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (angular.js and batik), Fedora (chromium, pypy, screen, unbound, wine, and wine-mono), Mageia (djvulibre, quictls, and redis), Red Hat (avahi, gnome-remote-desktop, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-openjdk, kernel, kernel-rt, python-setuptools, redis, and valkey), SUSE (chromedriver, coreutils, cosign, docker, FastCGI, ffmpeg-4, fractal, gimp, glib2, ImageMagick, iputils, java-17-openjdk, java-24-openjdk, jq, kubelogin, kubernetes1.23, kubernetes1.24, kubernetes1.26, python-requests, python3, rmt-server, rustup, and thunderbird), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/1030774/ ∗∗∗ Customer guidance for SharePoint vulnerability CVE-2025-53770 ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vu… ∗∗∗ Malicious packages uploaded to the Arch Linux AUR ∗∗∗ --------------------------------------------- https://lwn.net/Articles/1030603/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2025
by Daily end-of-shift report 18 Jul '25

18 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-07-2025 18:00 − Freitag 18-07-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ GitHub abused to distribute payloads on behalf of malware-as-a-service ∗∗∗ --------------------------------------------- Researchers from Cisco’s Talos security team have uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets. The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that’s greenlit in many enterprise networks that rely on the code repository for the software they develop. --------------------------------------------- https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-… ∗∗∗ Microsoft Teams voice calls abused to push Matanbuchus malware ∗∗∗ --------------------------------------------- The Matanbuchus malware loader has been seen being distributed through social engineering over Microsoft Teams calls impersonating IT helpdesk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-… ∗∗∗ New Phobos ransomware decryptor lets victims recover files for free ∗∗∗ --------------------------------------------- The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryp… ∗∗∗ Unmasking Malicious APKs: Android Malware Blending Click Fraud and Credential Theft ∗∗∗ --------------------------------------------- Malicious APKs (Android Package Kit files) continue to serve as one of the most persistent and adaptable delivery mechanisms in mobile threat campaigns. Threat actors routinely exploit social engineering and off-market distribution to bypass conventional security controls and capitalize on user trust to steal a variety of data, such as log in credentials. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-m… ∗∗∗ WordPress Redirect Malware Hidden in Google Tag Manager Code ∗∗∗ --------------------------------------------- Last month, a customer contacted us after noticing their WordPress website was unexpectedly redirecting to a spam domain. The redirection occurred approximately 4-5 seconds after a user landed on the site. Upon closer inspection of the site’s source code we found a suspicious Google Tag Manager loading. This isn’t the first time we’ve seen GTM abused. Earlier this year, we analyzed a credit card skimming attack where attackers injected a payment skimmer via a GTM container. This blog post details our full investigation into this campaign, how it was injected, how it worked, and how we removed it. --------------------------------------------- https://blog.sucuri.net/2025/07/wordpress-redirect-malware-hidden-in-google… ∗∗∗ LLMs in Applications – Understanding and Scoping Attack Surface ∗∗∗ --------------------------------------------- In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications. --------------------------------------------- https://blog.includesecurity.com/2025/07/llms-in-applications-understanding… ∗∗∗ Scanception Exposed: New QR Code Attack Campaign Exploits Unmonitored Mobile Access ∗∗∗ --------------------------------------------- Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems. Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate PDF documents. --------------------------------------------- https://thecyberexpress.com/scanception-qr-code-quishing-campaign/ ===================== = Vulnerabilities = ===================== ∗∗∗ Keycloak identity and access management system CVE-2025-7784 ∗∗∗ --------------------------------------------- A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. --------------------------------------------- https://access.redhat.com/security/cve/CVE-2025-7784 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails). --------------------------------------------- https://lwn.net/Articles/1030479/ ∗∗∗ Trend Micro Worry Free Business 10.0 SP 1 – Patch 2518 veröffentlicht ∗∗∗ --------------------------------------------- Der Sicherheitsanbieter Trend Micro hat zum 15.7.2025 Trend Micro Worry Free Business (WFBS) 10.0 SP 1 – Patch 2518 veröffentlicht. Der Patch enthält diverse Sicherheitsfixes und soll auch verschiedene Bugs beheben. So wird OpenSSL 3.0.15 im Apache-Webserver aktualisiert, um die Produktsicherheit zu verbessern. --------------------------------------------- https://www.borncity.com/blog/2025/07/18/trend-micro-worry-free-business-10… ∗∗∗ K000152614: Apache Commons vulnerability CVE-2025-48976 ∗∗∗ --------------------------------------------- Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. --------------------------------------------- https://my.f5.com/manage/s/article/K000152614 ∗∗∗ NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266) ∗∗∗ --------------------------------------------- New critical vulnerability with 9.0 CVSS presents systemic risk to the AI ecosystem, carries widespread implications for AI infrastructure. --------------------------------------------- https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape ∗∗∗ SOLIDWORKS eDrawings: Use After Free vulnerability CVE-2025-7042 ∗∗∗ --------------------------------------------- https://www.3ds.com/trust-center/security/security-advisories/cve-2025-7042 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2025
by Daily end-of-shift report 17 Jul '25

17 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-07-2025 18:00 − Donnerstag 17-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles ∗∗∗ --------------------------------------------- KAWA4096, a ransomware whose name includes "Kawa", the Japanese word for "river", first emerged in June 2025. This new threat features a leak site that follows the style of the Akira ransomware group, and a ransom note format similar to Qilin’s, likely an attempt to further enrich their visibility and credibility. In this blog .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-r… ∗∗∗ Oracle: 309 Sicherheitsupdates für alle möglichen Produkte ∗∗∗ --------------------------------------------- Oracle hat zum Critical Patch Update genannten Patchday im Juli 309 Sicherheitsupdates angekündigt. Zig Produkte sind verwundbar. --------------------------------------------- https://www.heise.de/news/Oracle-309-Sicherheitsupdates-fuer-alle-moegliche… ∗∗∗ Cisco: Sicherheitslücken in mehreren Produkten ∗∗∗ --------------------------------------------- In Ciscos ISE klafft eine weitere Lücke mit maximalem Bedrohungsgrad. Zudem warnt Cisco vor weiteren Lücken in mehr Produkten. --------------------------------------------- https://www.heise.de/news/Weitere-kritische-Luecke-in-Ciscos-ISE-10490589.h… ∗∗∗ Trump gibt eine Milliarde Dollar für offensive Cyberoperationen frei ∗∗∗ --------------------------------------------- Wie genau das Geld eingesetzt werden soll, ist nicht bekannt. Der Blick dürfte sich aber vor allem nach China richten --------------------------------------------- https://www.derstandard.at/story/3000000279549/trump-gibt-eine-milliarde-do… ∗∗∗ Google spots tailored backdoor malware aimed at SonicWall appliances ∗∗∗ --------------------------------------------- Google researchers reported on a malware campaign against end-of-life SonicWall appliances, noting that the attackers were good at covering their tracks. --------------------------------------------- https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148 ∗∗∗ Detection Engineering: Practicing Detection-as-Code – Repository – Part 2 ∗∗∗ --------------------------------------------- This is the second part of the Practicing Detection-as-Code series, where we will cover some basic elements of designing a repository to develop, store, and deploy detections from. Well go through several different aspects of the setup like the Git platform, branch strategy, repository structure, detections structure, taxonomies, and content packs. --------------------------------------------- https://blog.nviso.eu/2025/07/17/detection-engineering-practicing-detection… ∗∗∗ Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public ∗∗∗ --------------------------------------------- GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 - nearly two weeks before a public proof-of-concept was released on July 4. --------------------------------------------- https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-befo… ∗∗∗ Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts ∗∗∗ --------------------------------------------- A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessageTM SGNL. If exposed, this endpoint can return a full snapshot of heap memory which may include plaintext usernames, passwords, and other sensitive data. --------------------------------------------- https://www.greynoise.io/blog/active-exploit-attempts-signal-based-messagin… ∗∗∗ How to catch GitHub Actions workflow injections before attackers do ∗∗∗ --------------------------------------------- Strengthen your repositories against actions workflow injections - one of the most common vulnerabilities. --------------------------------------------- https://github.blog/security/vulnerability-research/how-to-catch-github-act… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, and linux-raspi, linux-raspi-5.4). --------------------------------------------- https://lwn.net/Articles/1030256/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.07.2025
by Daily end-of-shift report 16 Jul '25

16 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-07-2025 18:00 − Mittwoch 16-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers exploit a blind spot by hiding malware inside DNS records ∗∗∗ --------------------------------------------- Technique transforms the Internet DNS into an unconventional file storage system. --------------------------------------------- https://arstechnica.com/security/2025/07/hackers-exploit-a-blind-spot-by-hi… ∗∗∗ Dringend patchen: Zero-Day-Lücke lässt Hacker aus Chrome-Sandbox ausbrechen ∗∗∗ --------------------------------------------- Google hat per Update mehrere Sicherheitslücken in Chrome geschlossen. Eine wird schon aktiv ausgenutzt und ermöglicht einen Sandbox-Escape. --------------------------------------------- https://www.golem.de/news/google-warnt-zero-day-luecke-in-chrome-laesst-hac… ∗∗∗ Botnetz abgeschaltet: BKA geht gegen prorussische Hackergruppe vor ∗∗∗ --------------------------------------------- Die russische Hackergruppe NoName057(16) koordinierte DDoS-Angriffe mit 100 eigenen Servern und mehr als 1.000 Unterstützern auf Telegram. --------------------------------------------- https://www.golem.de/news/botnetz-abgeschaltet-bka-geht-gegen-prorussische-… ∗∗∗ Curl Creator Mulls Nixing Bug Bounty Awards To Stop AI Slop ∗∗∗ --------------------------------------------- Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to .. --------------------------------------------- https://it.slashdot.org/story/25/07/16/0618255/curl-creator-mulls-nixing-bu… ∗∗∗ VMware stopft teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- In VMware ESXi, Workstation, Fusion und Tools klaffen zum Teil kritische Sicherheitslücken. Updates sollen sie schließen. --------------------------------------------- https://www.heise.de/news/VMware-stopft-teils-kritische-Sicherheitsluecken-… ∗∗∗ Police dismantle DiskStation ransomware gang targeting NAS devices, arrest suspected ringleader ∗∗∗ --------------------------------------------- Police have struck a blow against the DiskStation ransomware gang which targets Synology NAS devices, and arresting its suspected ringleader. Make sure that you have properly hardened the security of your Network Access .. --------------------------------------------- https://www.fortra.com/blog/police-dismantle-diskstation-ransomware-gang ∗∗∗ NSA: Volt Typhoon was ‘not successful’ at persisting in critical infrastructure ∗∗∗ --------------------------------------------- “The good news" is that Chinas Volt Typhoon hacking campaign "really failed," an NSA official said at a cyber conference in New York. An FBI official also described an incident of "true cyberwarfare" with the Flax Typhoon group. --------------------------------------------- https://therecord.media/china-typhoon-hackers-nsa-fbi-response ∗∗∗ Old Miner, New Tricks ∗∗∗ --------------------------------------------- The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2miner campaigns that we documented in 2020 and have since been updated with new configurations. H2Miner is a Crypto mining botnet that has been active since late 2019. --------------------------------------------- https://www.fortinet.com/blog/threat-research/old-miner-new-tricks ∗∗∗ I SPy: Escalating to Entra IDs Global Admin with a first-party app ∗∗∗ --------------------------------------------- Backdooring Microsofts applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led to the development of new security controls. Despite these efforts, we uncovered a vulnerable, built-in SP that could have allowed escalation .. --------------------------------------------- https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-gl… ∗∗∗ ControlPlane Local Privilege Escalation Vulnerability on macOS ∗∗∗ --------------------------------------------- ControlPlane, originally a fork of MarcoPolo, is a powerful open-source context-aware automation tool for macOS. Developed initially by Dustin Rue, the project is no longer maintained and does not function on the latest versions of macOS. Despite this, it remains in use by a number of users and serves as an interesting target for application security research on Apple's platform. ControlPlane leverages inputs such as WiFi networks, Bluetooth devices, location, .. --------------------------------------------- http://blog.quarkslab.com/controlplane_lpe_macos.html ∗∗∗ Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 ∗∗∗ --------------------------------------------- This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation. --------------------------------------------- https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-e… ∗∗∗ Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users ∗∗∗ --------------------------------------------- Socket’s Threat Research Team recently reported on two npm packages with hidden functionality for Russian-language users visiting Russian domains in a browser. In the last few weeks, the team has found the .. --------------------------------------------- https://socket.dev/blog/protestware-update-28-npm-packages-affected-by-payl… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (cloud-init, emacs, firefox, glib2, go-toolset:rhel8, kernel, lz4, python-setuptools, python3.11-setuptools, python3.12-setuptools, and socat), Red Hat (fence-agents, glib2, glibc, java-17-openjdk, kernel, kernel-rt, python-setuptools, python3.11-setuptools, and python3.12-setuptools), Slackware (libxml2), SUSE (glib2, gpg2, kernel, libxml2, poppler, rmt-server, runc, stalld, and xen), and Ubuntu (jpeg-xl). --------------------------------------------- https://lwn.net/Articles/1030106/ ∗∗∗ CVE-2025-4919: Corruption via Math Space in Mozilla Firefox ∗∗∗ --------------------------------------------- In recent years, there has been an increase interest in the JavaScript engine vulnerabilities in order to compromise web browsers. Notably, vulnerabilities in JIT engines are among the most favorite ones as it provides strong primitives and well-known techniques are already available to facilitate compromise. At Pwn2Own Berlin 2025, Manfred Paul compromised the Mozilla .. --------------------------------------------- https://www.thezdi.com/blog/2025/7/14/cve-2025-4919-corruption-via-math-spa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2025
by Daily end-of-shift report 15 Jul '25

15 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 14-07-2025 18:00 − Dienstag 15-07-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MITRE Launches AADAPT Framework for Financial Systems ∗∗∗ --------------------------------------------- The new framework is modeled after and meant to complement the MITRE ATT&CK framework, and it is aimed at detecting and responding to cyberattacks on cryptocurrency assets and other financial targets. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/mitre-aadapt-framework-… ∗∗∗ US-Schienenverkehr gefährdet: Hacker können Züge seit Jahren aus der Ferne stoppen ∗∗∗ --------------------------------------------- Das Problem ist seit 13 Jahren bekannt, aber noch immer nicht behoben. Züge in den USA lassen sich per Funksignal anhalten - etwa mit einem Flipper Zero. --------------------------------------------- https://www.golem.de/news/us-schienenverkehr-gefaehrdet-hacker-koennen-zueg… ∗∗∗ North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign ∗∗∗ --------------------------------------------- The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks --------------------------------------------- https://thehackernews.com/2025/07/north-korean-hackers-flood-npm-registry.h… ∗∗∗ Securing Agentic AI: How to Protect the Invisible Identity Access ∗∗∗ --------------------------------------------- AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere, often with a high-privilege API key, OAuth token, or service account that defenders can’t easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. --------------------------------------------- https://thehackernews.com/2025/07/securing-agentic-ai-how-to-protect.html ∗∗∗ AsyncRATs Open-Source Code Sparks Surge in Dangerous Malware Variants Across the Globe ∗∗∗ --------------------------------------------- Cybersecurity researchers have charted the evolution of a widely used remote access trojan called AsyncRAT, which was first released on GitHub in January 2019 and has since served as the foundation for several other variants. --------------------------------------------- https://thehackernews.com/2025/07/asyncrats-open-source-code-sparks-surge.h… ∗∗∗ Framework 13. Press here to pwn ∗∗∗ --------------------------------------------- BIOS protection is the digital equivalent of a locked front door, but what if the doorbell doubled as a reset button? The Framework 13 laptop has a chassis intrusion detection switch. It’s designed to notify the BIOS when the laptop body has been opened. However, the same switch can be manipulated to reset the BIOS. This wipes critical protections like the BIOS administrator password, along with important security options such as secure boot and even the chassis intrusion lockout itself! --------------------------------------------- https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pw… ∗∗∗ Windows 10: Solange bekommen Microsoft 365-Apps noch Updates ∗∗∗ --------------------------------------------- Microsoft hat nun Fristen genannt, ab denen die Versorgung mit Sicherheitsupdates für Microsoft 365-Apps unter Windows 10 nach dem 14. Oktober 2025 enden wird, stellt aber überraschenderweise sogar noch Funktionsupdates (bis Version 2608) bereit. Das Gleiche gilt auch für Windows Server 2016/2019, falls dort MS 365-Apps unter Terminal-Server laufen. Es gibt gestufte Termine für das Rollout der Microsoft 365 Version 2608 und damit für die Freigabe der Funktions-Updates geben. Sicherheitsupdates gibt es dann noch bis Oktober 2025. --------------------------------------------- https://www.borncity.com/blog/2025/07/15/windows-10-solange-bekommen-micros… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg), Fedora (gnutls, linux-firmware, mingw-djvulibre, mingw-python-requests, and salt), Mageia (qtimageformats6), Oracle (gnome-remote-desktop, golang, kernel, libxml2, and perl-File-Find-Rule), SUSE (gstreamer-plugins-base, gstreamer-plugins-good, kernel, and protobuf), and Ubuntu (apport, glibc, gnutls28, and roundcube). --------------------------------------------- https://lwn.net/Articles/1029919/ ∗∗∗ Zyxel security advisory for path traversal vulnerability in APs ∗∗∗ --------------------------------------------- Zyxel has released patches to address a path traversal vulnerability in the file_upload-cgi CGI program of certain access point (AP) firmware versions. Users are advised to install these patches for optimal protection. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2025
by Daily end-of-shift report 14 Jul '25

14 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-07-2025 18:00 − Montag 14-07-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WordPress Gravity Forms developer hacked to push backdoored plugins ∗∗∗ --------------------------------------------- The popular WordPress plugin Gravity Forms has been compromised in what seems a supply-chain attack where manual installers from the official website were infected with a backdoor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-gravity-forms-deve… ∗∗∗ Google Gemini flaw hijacks email summaries for phishing ∗∗∗ --------------------------------------------- Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-e… ∗∗∗ Nach Cyberangriff: Ministerium bestätigt möglichen Datenabfluss bei der Polizei ∗∗∗ --------------------------------------------- Hacker haben ein System zur Verwaltung der Diensthandys der Landespolizei Mecklenburg-Vorpommern attackiert. Ein Datenabfluss kann nicht mehr ausgeschlossen werden. --------------------------------------------- https://www.golem.de/news/mecklenburg-vorpommern-moeglicher-datenabfluss-be… ∗∗∗ GPUHammer: New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs ∗∗∗ --------------------------------------------- NVIDIA is urging customers to enable System-level Error Correction Codes (ECC) as a defense against a variant of a RowHammer attack demonstrated against its graphics processing units (GPUs). --------------------------------------------- https://thehackernews.com/2025/07/gpuhammer-new-rowhammer-attack-variant.ht… ∗∗∗ eSIM Vulnerability in Kigens eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks. The issues impact the Kigen eUICC card. According to the Irish companys website, more than two billion SIMs in IoT devices have been enabled as of December 2020. --------------------------------------------- https://thehackernews.com/2025/07/esim-vulnerability-in-kigens-euicc.html ∗∗∗ Cyberangriff auf nius.de: mutmaßlich Nutzerdaten veröffentlicht ∗∗∗ --------------------------------------------- Am Samstag traf ein Cyberangriff das Portal nius.de. Titel von Artikeln wurden manipuliert, anscheinend auch Abonnentendaten veröffentlicht. --------------------------------------------- https://www.heise.de/news/Cyberangriff-auf-nius-de-mutmasslich-Nutzerdaten-… ∗∗∗ willhaben & PayLivery: Wie Kriminelle ein eigentlich sicheres Service ausnutzen ∗∗∗ --------------------------------------------- Sie sind „sehr stark interessiert“ und wollen „nicht nochmal leer ausgehen“. Kriminelle geben sich auf willhaben als potenzielle Käufer:innen aus und versuchen ihre Opfer aus der sicheren Umgebung der Plattform in einen Messenger zu locken. Der Sinn dahinter ist die Umgehung der internen Sicherheitsmechanismen. Wir erklären, was PayLivery eigentlich ist, wie es funktioniert und worauf man bei der Nutzung achten sollte. --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-paylivery-sicheres-service/ ∗∗∗ KongTuke FileFix Leads to New Interlock RAT Variant ∗∗∗ --------------------------------------------- Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). --------------------------------------------- https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interloc… ===================== = Vulnerabilities = ===================== ∗∗∗ CERT warnt vor UEFI-Sicherheitslücken in Gigabyte-Firmware ∗∗∗ --------------------------------------------- In der UEFI-Firmware zahlreicher Gigabyte-Mainboards klaffen Sicherheitslücken, durch die Angreifer ihre Rechte im System sehr weitreichend ausweiten können. Gigabyte stellt für zahlreiche Mainboards BIOS-Updates bereit, die die Lücken schließen. --------------------------------------------- https://www.heise.de/news/CERT-warnt-vor-UEFI-Sicherheitsluecken-in-Gigabyt… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redis and thunderbird), Fedora (cef, git, gnutls, httpd, linux-firmware, luajit, mingw-djvulibre, mingw-python-requests, perl, php, python-requests, python3.6, salt, and selenium-manager), Mageia (dpkg, firefox, gnupg2, and golang), Slackware (httpd and kernel), SUSE (afterburn, cmctl, git, go1.23, go1.24, k9s, liboqs-devel, libxml2, php8, python36, trivy, and xen), and Ubuntu (linux-xilinx-zynqmp and nix). --------------------------------------------- https://lwn.net/Articles/1029764/ ∗∗∗ COPADATA: CD_SVA_2025_01: zenon Remote Transport Vulnerability ∗∗∗ --------------------------------------------- https://selfservice.copadata.com/portal/en/kb/articles/cd-10-7-2025 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2025
by Daily end-of-shift report 11 Jul '25

11 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-07-2025 18:00 − Freitag 11-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In Paris verhaftet: Russischer Basketballprofi soll Cyberbande unterstützt haben ∗∗∗ --------------------------------------------- Ein Spieler des MBA Moskau ist in Frankreich festgenommen worden. Die US-Justiz wirft ihm vor, für eine Ransomwarebande Lösegeldzahlungen ausgehandelt zu haben. --------------------------------------------- https://www.golem.de/news/in-paris-verhaftet-russischer-basketballprofi-sol… ∗∗∗ PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a set of four security flaws in OpenSynergys BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.The vulnerabilities, .. --------------------------------------------- https://thehackernews.com/2025/07/perfektblue-bluetooth-vulnerabilities.html ∗∗∗ Now everybody but Citrix agrees that CitrixBleed 2 is under exploit ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency has added its weighty name to the list of parties agreeing that CVE-2025-5777, dubbed CitrixBleed 2 by one researcher, has been under exploitation and abused to hijack user sessions. --------------------------------------------- https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/ ∗∗∗ Trend Micro: Mehrere Produkte mit hochriskanten Lücken ∗∗∗ --------------------------------------------- Trend Micro hat Schwachstellenbeschreibungen veröffentlicht, die Lücken in mehreren Produkten erörtern. Updates sind verfügbar. --------------------------------------------- https://www.heise.de/news/Trend-Micro-Mehrere-Produkte-mit-hochriskanten-Lu… ∗∗∗ Hackergruppe soll 170 Cyberangriffe verübt haben ∗∗∗ --------------------------------------------- Mindestens 170 Angriffe mit Millionenschaden: Ermittler nehmen eine internationale Hackergruppe ins Visier. --------------------------------------------- https://www.heise.de/news/Hackergruppe-soll-170-Cyberangriffe-veruebt-haben… ∗∗∗ Kritische Codeschmuggel-Lücke in Wing FTP wird angegriffen ∗∗∗ --------------------------------------------- In der Datentransfersoftware Wing FTP attackieren Angreifer eine Sicherheitslücke, die das Einschleusen von Schadcode erlaubt. --------------------------------------------- https://www.heise.de/news/Codeschmuggel-Luecke-in-Wing-FTP-wird-angegriffen… ∗∗∗ UK Arrests Four in ‘Scattered Spider’ Ransom Group ∗∗∗ --------------------------------------------- Authorities in the United Kingdom this week arrested four alleged members of "Scattered Spider," a prolific data theft and extortion group whose recent victims include multiple airlines and the U.K. retail chain Marks & Spencer. --------------------------------------------- https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ran… ∗∗∗ Sil3ncer Deployed – RCE, Porn Diversion, and Ransomware on an SFTP-only Server ∗∗∗ --------------------------------------------- We investigated a ransomware incident on a Windows Server 2012 host running in an SFTP-only role. The attacker delivered an attack that combined remote code execution, persistence, tunnelling, and a diversionary visit to Pornhub, before launching a ransomware payload. Background & scope An easy way in The compromised server was .. --------------------------------------------- https://www.pentestpartners.com/security-blog/sil3ncer-deployed-rce-porn-di… ∗∗∗ Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques ∗∗∗ --------------------------------------------- SLOW#TEMPEST malware uses dynamic jumps and obfuscated calls to evade detection. Unit 42 details these techniques and how to defeat them with emulation. --------------------------------------------- https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/ ∗∗∗ Former Mexican president investigated over allegedly taking bribes from spyware industry ∗∗∗ --------------------------------------------- The investigation comes in response to an account in the Israeli business publication TheMarker, which reported that the contracts included a deal to buy Pegasus — the powerful spyware manufactured by Israel-based NSO Group. --------------------------------------------- https://therecord.media/former-mexican-president-investigated-spyware-bribes ∗∗∗ Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) ∗∗∗ --------------------------------------------- Welcome back to yet another day in this parallel universe of security.This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. Thats a great question; no one .. --------------------------------------------- https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2025
by Daily end-of-shift report 10 Jul '25

10 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-07-2025 18:00 − Donnerstag 10-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IT-Ausfall bei Ameos: Cyberangriff trifft großen Klinikverbund ∗∗∗ --------------------------------------------- Die Ameos Gruppe hat infolge eines Cyberangriffs ihre Dienste vom Netz genommen. Die Folge: Ausfälle in zahlreichen Kliniken und Pflegeeinrichtungen. --------------------------------------------- https://www.golem.de/news/it-ausfall-bei-ameos-cyberangriff-trifft-grossen-… ∗∗∗ Plötzlich Vollzugriff: Angriffstechnik trickst Android-Nutzer mit Animationen aus ∗∗∗ --------------------------------------------- Durch eine Angriffstechnik namens Taptrap erlangen Angreifer völlig unbemerkt weitreichende Zugriffsrechte. Selbst Android 16 bietet davor keinen Schutz. --------------------------------------------- https://www.golem.de/news/ploetzlich-vollzugriff-angriffstechnik-trickst-an… ∗∗∗ InfoFlood: KI-Sicherheit mit ausschweifender Prosa umgangen ∗∗∗ --------------------------------------------- Flutet man KI-Chatbots mit Informationen und Fachjargon, erstellen sie auch Anleitungen zum Hacken von Geldautomaten. --------------------------------------------- https://www.golem.de/news/infoflood-ki-sicherheit-mit-ausschweifender-prosa… ∗∗∗ Code highlighting with Cursor AI for $500,000 ∗∗∗ --------------------------------------------- Kaspersky GReAT experts uncover malicious extensions for Cursor AI that download the Quasar backdoor and a crypto stealer. --------------------------------------------- https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-cryp… ∗∗∗ Attackers Inject Code into WordPress Theme to Redirect Visitors ∗∗∗ --------------------------------------------- In a recent article we discussed some of the reasons sites are frequently attacked. That article covered browser redirects, and we’ll explore an example of such a case here.Website themes are a common attack vector for many reasons. The theme is guaranteed to load on every page, that is the core design of any site, and themes can easily be .. --------------------------------------------- https://blog.sucuri.net/2025/07/attackers-inject-code-into-wordpress-theme-… ∗∗∗ At last, a use case for AI agents with sky-high ROI: Stealing crypto ∗∗∗ --------------------------------------------- Boffins outsmart smart contracts with evil automation Using AI models to generate exploits for cryptocurrency contract flaws appears to be a promising business model, though not necessarily a legal one. --------------------------------------------- https://www.theregister.com/2025/07/10/ai_agents_automatically_steal_crypto… ∗∗∗ 200.000 Webseiten durch Sicherheitsleck in WordPress-Plug-in SureForms gefährdet ∗∗∗ --------------------------------------------- Wer in den eigenen WordPress-Instanzen das Plug-in SureForms einsetzt, sollte updaten: Eine Sicherheitslücke erlaubt die Übernahme. --------------------------------------------- https://www.heise.de/news/WordPress-Plug-in-SureForms-Sicherheitsluecke-gef… ∗∗∗ Cyberangriff per Telefonkonferenz: Fünf junge Männer unter Verdacht ∗∗∗ --------------------------------------------- Fünf junge Männer blockierten die Telefonleitungen von rund 800 Polizeidienststellen. Der verwendete Trick war simpel, sorgte aber für viel Ärger. --------------------------------------------- https://www.heise.de/news/Cyberangriff-per-Telefonkonferenz-Fuenf-junge-Mae… ∗∗∗ McDonald’s AI bot spills data on job applicants ∗∗∗ --------------------------------------------- The job applicants personal information could be accessed by simply guessing a username and using the password “12345.” --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/07/mcdonalds-ai-bot-spills-data… ∗∗∗ FinanzOnline – „Dringende Sicherheitswarnung wegen Anmeldeversuchs“ ist Phishing-Falle ∗∗∗ --------------------------------------------- Eine neue Phishing-Welle im Namen von FinanzOnline hat es auf die Login-Daten der Nutzer:innen abgesehen. Kriminelle versenden E-Mails, in denen vor angeblich „unbekannten Anmeldeversuchen“ gewarnt wird. Wer auf den Link zur vermeintlichen Überprüfung der Sicherheitseinstellungen klickt, landet auf einem Fake-Portal. --------------------------------------------- https://www.watchlist-internet.at/news/finanzonline-sicherheitswarnung-phis… ∗∗∗ Fix the Click: Preventing the ClickFix Attack Vector ∗∗∗ --------------------------------------------- ClickFix campaigns are on the rise. We highlight three that distributed NetSupport RAT, Latrodectus, and Lumma Stealer malware. --------------------------------------------- https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/ ∗∗∗ Russian basketball player arrested in France over alleged ransomware ties ∗∗∗ --------------------------------------------- Daniil Kasatkin, 26, was detained in June at Paris’s Charles de Gaulle Airport shortly after arriving in the country with his fiancée, according to local media reports. --------------------------------------------- https://therecord.media/russian-basketball-player-arrested-in-france-ransom… ∗∗∗ Österreichs Nationalrat genehmigt Malware zur Gefährderüberwachung ∗∗∗ --------------------------------------------- Handys und Computer sollen mit Malware infiziert werden, damit Österreichs Ermittler Einsicht nehmen können. Nur 2 Abgeordnete der Regierung wagten Widerspruch. --------------------------------------------- https://heise.de/-10481818 ∗∗∗ Laravel: APP_KEY leakage analysis ∗∗∗ --------------------------------------------- This blog post sums up our journey, from identifying vulnerabilities related to Laravel encryption to scaling this knowledge for a massive internet facing applications compromise. We will talk about the methodology we used in order to collect data over the internet as well as how we analyzed it to get the most relevant results. --------------------------------------------- https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html ∗∗∗ Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 ∗∗∗ --------------------------------------------- This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation. --------------------------------------------- https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-088 ∗∗∗ Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-087 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.07.2025
by Daily end-of-shift report 09 Jul '25

09 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-07-2025 18:00 − Mittwoch 09-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Android TapTrap attack fools users with invisible UI trick ∗∗∗ --------------------------------------------- A novel tapjacking technique can exploit user interface animations to bypass Androids permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-taptrap-attack-f… ∗∗∗ Update nicht verteilt: Mainboard-Hersteller laut AMD schuld an ungefixtem TPM-Bug ∗∗∗ --------------------------------------------- Schon seit 2022 hat AMD einen Fix für einen Bug, der Windows-Nutzer mit aktivem Bitlocker aussperren kann. Doch die Mainboard-Hersteller liefern nicht. --------------------------------------------- https://www.golem.de/news/fix-nicht-ausgeliefert-amd-kritisiert-mainboard-h… ∗∗∗ Massive browser hijacking campaign infects 2.3M Chrome, Edge users ∗∗∗ --------------------------------------------- These extensions werent malware-laced from the start, researcher says A Chrome and Edge extension with more than 100,000 downloads that displays Googles verified badge does what it purports to do: It delivers a color picker to users. Unfortunately, it also .. --------------------------------------------- https://www.theregister.com/2025/07/08/browser_hijacking_campaign/ ∗∗∗ Patchday: Microsoft schließt 100.000-$-Lücke in SharePoint aus Hacker-Wettbewerb ∗∗∗ --------------------------------------------- Update-Sammlung veröffentlicht: Um Attacken vorzubeugen, sollten Admins sicherstellen, dass ihre Microsoft-Produkte auf dem aktuellen Stand sind. --------------------------------------------- https://www.heise.de/news/Patchday-Microsoft-schliesst-100-000-Luecke-in-Sh… ∗∗∗ Patchday: Adobe schützt After Effects & Co. vor möglichen Attacken ∗∗∗ --------------------------------------------- Mehrere Adobe-Anwendungen sind unter anderem für DoS- und Schadcode-Attacken anfällig. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-schuetzt-After-Effects-Co-vor-moeg… ∗∗∗ Advancing Protection in Chrome on Android ∗∗∗ --------------------------------------------- Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced .. --------------------------------------------- http://security.googleblog.com/2025/07/advancing-protection-in-chrome-on.ht… ∗∗∗ Angeblicher Gewinn im Namen von MediaMarkt führt in Abofalle ∗∗∗ --------------------------------------------- Sie haben eine E-Mail im Namen von MediaMarkt mit einer angeblichen Gewinnbenachrichtigung erhalten? Darin sollen Sie auf einen Link klicken und zwei Euro Versandgebühr zahlen, um den Gewinn einzulösen? Dann ist Vorsicht geboten! Dahinter verbirgt sich kein Gewinn, sondern eine teure Abofalle. --------------------------------------------- https://www.watchlist-internet.at/news/angeblicher-gewinn-bei-media-markt-f… ∗∗∗ Kritische Sicherheitslücke CVE-2025-47981 in Windows SPNEGO - Update dringend empfohlen ∗∗∗ --------------------------------------------- Microsoft hat eine kritische Sicherheitslücke im Windows SPNEGO Extended Negotiation (NEGOEX) Security Mechanism veröffentlicht. Die Schwachstelle ermöglicht es Angreifern, aus der Ferne und ohne Authentifizierung beliebigen Code auf .. --------------------------------------------- https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-cve-2025… ∗∗∗ Iranian ransomware group offers bigger payouts for attacks on Israel, US ∗∗∗ --------------------------------------------- The Iran-linked ransoware-as-a-service group Pay2Key.I2P told affiliates that they can keep a larger cut of extortion payments if they attack entities within Irans adversaries. --------------------------------------------- https://therecord.media/iran-ransomware-group-pay2keyi2p-israel-us-targets ∗∗∗ Treasury sanctions key player behind North Korean IT worker scheme ∗∗∗ --------------------------------------------- The United States identified and sanctioned another North Korean involved with the countrys IT worker schemes, this time for illicit operations based in China and Russia. --------------------------------------------- https://therecord.media/north-korea-it-worker-scheme-us-sanctions-song-kum-… ∗∗∗ Fake CNN and BBC sites used to push investment scams ∗∗∗ --------------------------------------------- Thousands of web pages falsely branded as popular news sites are conduits for fake cryptocurrency investment scams, researchers said. --------------------------------------------- https://therecord.media/news-websites-faked-to-spread-investment-scams ∗∗∗ CVE-2025-48384: Breaking git with a carriage return and cloning RCE ∗∗∗ --------------------------------------------- tl;dr: On Unix-like platforms, if you use git clone --recursive on an untrusted repo, it could achieve remote code execution. Update to a fixed version of Git and other software that embeds Git (including GitHub Desktop). --------------------------------------------- https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384 ∗∗∗ Supabase MCP can leak your entire SQL database ∗∗∗ --------------------------------------------- Model Context Protocol (MCP) has emerged as a standard way for LLMs to interact with external tools. While this unlocks new capabilities, it also introduces new risk surfaces. In this post, we show how an attacker can exploit Supabase’s MCP integration to leak a developer’s private SQL tables. --------------------------------------------- https://www.generalanalysis.com/blog/supabase-mcp-blog ===================== = Vulnerabilities = ===================== ∗∗∗ A set of Git security-fix releases ∗∗∗ --------------------------------------------- Versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 andv2.50.1 of the Git source-code management system have been released."This is a set of coordinated security fix releases. Please update at your earliest convenience". See the announcement for details;many of the vulnerabilities have to do with tricks buried in untrusted repositories. --------------------------------------------- https://lwn.net/Articles/1029182/ ∗∗∗ SQL injection in forward module ∗∗∗ --------------------------------------------- An Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability [CWE-89] in FortiManager and FortiAnalyzer may allow an authenticated attacker with high privilege to extract database information via crafted requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-437 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2025
by Daily end-of-shift report 08 Jul '25

08 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 07-07-2025 18:00 − Dienstag 08-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ “No honor among thieves”: M&S hacking group starts turf war ∗∗∗ --------------------------------------------- A clash between criminal ransomware groups could result in victims being extorted twice. --------------------------------------------- https://arstechnica.com/security/2025/07/no-honor-among-thieves-ms-hacking-… ∗∗∗ Qantas is being extorted in recent data-theft cyberattack ∗∗∗ --------------------------------------------- Qantas has confirmed that it is now being extorted by threat actors following a cyberattack that potentially exposed the data for 6 million customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qantas-is-being-extorted-in-… ∗∗∗ Atomic macOS infostealer adds backdoor for persistent attacks ∗∗∗ --------------------------------------------- Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as AMOS) that comes with a backdoor, to attackers persistent access to compromised systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-add… ∗∗∗ Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage ∗∗∗ --------------------------------------------- A Chinese national was arrested in Milan, Italy, last week for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which responsible for cyberattacks against American organizations and government agencies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/alleged-chinese-hacker-tied-… ∗∗∗ Approach to mainframe penetration testing on z/OS. Deep dive into RACF ∗∗∗ --------------------------------------------- We have explored the RACF security package in z/OS and developed a utility to interact with its database. Now, we are assessing RACF configuration security for penetration testing. --------------------------------------------- https://securelist.com/zos-mainframe-pentesting-resource-access-control-fac… ∗∗∗ Android Patchday fällt im Juli aus ∗∗∗ --------------------------------------------- Admins können sich zumindest in Bezug auf Android und Pixel-Smartphones zurücklehnen: Im Juli gibt es nichts zu patchen. --------------------------------------------- https://www.heise.de/news/Android-Patchday-faellt-im-Juli-aus-10478020.html ∗∗∗ Patchday SAP: NetWeaver-Produkte sind für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- Angreifer können unter anderem SAP NetWeaver-Produkte und Business Objects attackieren. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://www.heise.de/news/Patchday-SAP-NetWeaver-Produkte-sind-fuer-Schadco… ∗∗∗ How to conduct a Password Audit in Active Directory (AD) ∗∗∗ --------------------------------------------- Weak or compromised passwords are still one of the most common ways attackers get into an organisation’s network. That’s why running password audits in Active Directory is so important. But smaller companies often don’t have the time, budget, or resources to do them regularly. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-conduct-a-password-aud… ∗∗∗ „Hallo Mama, das ist meine neue Nummer“ – Ein Blick hinter die Kulissen des Evergreens ∗∗∗ --------------------------------------------- Die "Hallo Mama"-Nachricht zählt zu den absoluten Phishing-Klassikern. Trotz der mittlerweile recht großen Bekanntheit versuchen Kriminelle weiterhin beharrlich, damit an Geld zu kommen. Für alle, die schon immer einmal wissen wollten, wie es im Fall einer Antwort eigentlich weitergeht, haben wir uns den Ablauf etwas näher angesehen. --------------------------------------------- https://www.watchlist-internet.at/news/hallo-mama-hinter-den-kulissen/ ∗∗∗ GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed ∗∗∗ --------------------------------------------- An IAB campaign exploited leaked ASP.NET Machine Keys. We dissect the attackers infrastructure, campaign and offer takeaways for blue teams. --------------------------------------------- https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-m… ∗∗∗ Aktiv ausgenutzte Schwachstellen in Citrix NetScaler ADC und NetScaler Gateway ∗∗∗ --------------------------------------------- In den vergangenen Wochen hat Citrix mehrere Sicherheitsaktualisierungen für insgesamt drei Sicherheitslücken in seinen Produkten NetScaler ADC und NetScaler Gateway veröffentlicht: CVE-2025-6543, CVSS-Score 9.2 CVE-2025-5349, CVSS-Score 8.7 CVE-2025-5777, CVSS-Score 9.3, auch bekannt als "CitrixBleed 2" Zum Zeitpunkt der Veröffentlichung der Advisories sowie der dazugehörigen Aktualisierungen gab es laut Citrix keine aktive Ausnutzung der Schwachstellen, .. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/7/aktiv-ausgenutzte-schwachstellen-in… ∗∗∗ New spyware strain steals data from Russian industrial companies ∗∗∗ --------------------------------------------- Moscow-based cybersecurity firm Kaspersky said the campaign has already affected over 100 victims across several dozen Russian organizations, but did not disclose the specific targets. --------------------------------------------- https://therecord.media/spyware-strain-steals-data-russian-industrial-sector ∗∗∗ Detection Engineering: Practicing Detection-as-Code – Introduction – Part 1 ∗∗∗ --------------------------------------------- This is going to be a multipart blog series revolving around Detection Engineering and more specifically practicing Detection-as-Code in Detection Engineering. Throughout this series, we’ll dive deep into concepts, strategies, and practical blueprints that you can adapt to fit your own workflows. From building a detection engineering repository to validating .. --------------------------------------------- https://blog.nviso.eu/2025/07/08/detection-engineering-practicing-detection… ∗∗∗ From cheap IoT toy to your smartphone: Getting RCE by leveraging a companion app ∗∗∗ --------------------------------------------- As IoT adoption continues to grow, we explored the idea that instead of directly compromising IoT devices, an attacker could target the applications controlling them. This approach could potentially allow remote code execution on a user’s smartphone. --------------------------------------------- https://www.synacktiv.com/en/publications/from-cheap-iot-toy-to-your-smartp… ∗∗∗ New CVE Forecasting Tool Predicts 47,000 Disclosures in 2025 ∗∗∗ --------------------------------------------- Security engineer Jerry Gamblin, founder of RogoLabs, has released a new open source forecasting tool that aims to predict the growing volume of software vulnerability disclosures. The tool, CVEForecast.org, uses historical CVE data and machine learning models to generate short-term projections of how many new vulnerabilities are likely to be published. --------------------------------------------- https://socket.dev/blog/new-cve-forecasting-tool-predicts-47-000-disclosure… ===================== = Vulnerabilities = ===================== ∗∗∗ July Security Update ∗∗∗ --------------------------------------------- Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of .. --------------------------------------------- https://www.ivanti.com/blog/july-security-update-2025 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2025
by Daily end-of-shift report 07 Jul '25

07 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-07-2025 18:00 − Montag 07-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers abuse leaked Shellter red team tool to deploy infostealers ∗∗∗ --------------------------------------------- Shellter Project, the vendor of a commercial AV/EDR evasion loader for penetration testing, confirmed that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-abuse-leaked-shellte… ∗∗∗ Umsetzung von NIS 2 in Europa: Nur vier Länder haben geliefert ∗∗∗ --------------------------------------------- NIS 2 hätte bis zum 17. Oktober 2024 in nationales Recht umgesetzt werden müssen. Das ist nur wenigen Ländern gelungen. Wie haben sie das gemacht? Eine Analyse von Thomas Hafen --------------------------------------------- https://www.golem.de/news/umsetzung-von-nis-2-in-europa-nur-vier-laender-ha… ∗∗∗ Auch Lücken und Bugs beseitigt: Neues 7-Zip komprimiert mit mehr als 64 CPU-Kernen ∗∗∗ --------------------------------------------- Wer 7-Zip im Einsatz hat, sollte das Packprogramm zeitnah aktualisieren. Version 25.00 verspricht mehr Leistung und behebt Bugs und Schwachstellen. --------------------------------------------- https://www.golem.de/news/jetzt-updaten-7-zip-schliesst-sicherheitsluecken-… ∗∗∗ Massive spike in use of .es domains for phishing abuse ∗∗∗ --------------------------------------------- ¡Cuidado! Time to double-check before entering your Microsoft creds Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru. --------------------------------------------- https://www.theregister.com/2025/07/05/spain_domains_phishing/ ∗∗∗ Ingram Micro confirms ransomware behind multi-day outage ∗∗∗ --------------------------------------------- SafePay crew claims responsibility for intrusion at one of worlds largest tech distributors Ingram Micro, one of the world’s largest distributors, has confirmed it is trying to restore systems following a ransomware attack. --------------------------------------------- https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_beh… ∗∗∗ Antivirus: Comodo Internet Security lässt sich Schadcode unterschieben ∗∗∗ --------------------------------------------- Ein IT-Sicherheitsforscher hat mehrere Sicherheitslücken im Virenschutz Comodo Internet Security entdeckt, wodurch Angreifer Schadcode einschleusen können. --------------------------------------------- https://www.heise.de/news/Antivirus-Comodo-Internet-Security-laesst-sich-Sc… ∗∗∗ SSB-104599 V1.0: Increasing Cyber Threats to Industrial Control Systems ∗∗∗ --------------------------------------------- The current geopolitical situation has created increased cybersecurity risks across all industrial sectors. This challenging environment also impacts the operational technology (OT) landscape, where we observe an intensification of threat activities. --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssb-104599.html ∗∗∗ Fake-Europol-E-Mail mit dem Vorwurf der Verbreitung pornografischer Inhalte von Minderjährigen ∗∗∗ --------------------------------------------- Derzeit wird eine gefälschte E-Mail im Namen von Europol verbreitet. Darin wird den Empfänger:innen unterstellt, verbotene pornografische Darstellungen von Minderjährigen abgerufen oder verbreitet zu haben. Angeblich sei deshalb ein Strafverfahren eingeleitet worden. Die Betroffenen werden aufgefordert, per E-Mail eine Stellungnahme zu übermitteln. Antworten Sie nicht darauf, denn es handelt sich um einen Betrugsversuch! --------------------------------------------- https://www.watchlist-internet.at/news/europol-e-mail-mit-vorwurf-der-verbr… ∗∗∗ BERT Ransomware Group Targets Asia and Europe on Multiple Platforms ∗∗∗ --------------------------------------------- BERT is a newly emerged ransomware group that pairs simple code with effective execution—carrying out attacks across Europe and Asia. In this entry, we examine the group’s tactics, how their variants have evolved, and the tools they use to get past defenses and speed up encryption across platforms. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/g/bert-ransomware-group-target… ∗∗∗ SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked ∗∗∗ --------------------------------------------- SatanLock ransomware gang shuts down after weeks of attacks and plans to leak stolen victim data. Group linked to Babuk-Bjorka and GD Lockersec families. --------------------------------------------- https://hackread.com/satanlock-ransomware-ends-operations-stolen-data-leak/ ∗∗∗ Isolated Recovery Environments: A Critical Layer in Modern Cyber Resilience ∗∗∗ --------------------------------------------- As adversaries grow faster, stealthier, and more destructive, traditional recovery strategies are increasingly insufficient. Mandiants M-Trends 2025 report reinforces this shift, highlighting that ransomware operators now routinely target not just production systems but also backups. This evolution demands that organizations re-evaluate their resilience posture. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/isolated-recovery-… ∗∗∗ How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) ∗∗∗ --------------------------------------------- Before you dive into our latest diatribe, indulge us and join us on a journey.Sit in your chair, stand at your desk, lick your phone screen - close your eyes and imagine a world in which things are great. It’s sunny outside, the birds are chirping, .. --------------------------------------------- https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-mem… ∗∗∗ Lets Encrypt stellt erstes IP-Zertifikat aus ∗∗∗ --------------------------------------------- Das Lets-Encrypt-Projekt hat in der vergangenen Woche das erste Zertifikat für eine IP-Adresse ausgestellt. --------------------------------------------- https://heise.de/-10476509 ∗∗∗ Sicherheitsupdate: Dell Data Protection Advisor über viele Lücken angreifbar ∗∗∗ --------------------------------------------- Angreifer können an Schwachstellen in Dells Backuplösung Data Protection Advisor ansetzen. Der Computerhersteller stuft das Risiko als kritisch ein. --------------------------------------------- https://heise.de/-10476481 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird and xmedcon), Fedora (darktable, mbedtls, sudo, and yarnpkg), Mageia (catdoc and php), Red Hat (java-1.8.0-ibm, kernel, python-setuptools, python3, python3.11, python3.12, python3.9, socat, sudo, tigervnc, webkit2gtk3, webkitgtk4, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (alloy, apache-commons-fileupload, apache2-mod_security2, assimp-devel, chromedriver, clamav, clustershell, corepack22, ctdb, curl, dpkg, --------------------------------------------- https://lwn.net/Articles/1029073/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2025
by Daily end-of-shift report 04 Jul '25

04 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-07-2025 18:00 − Freitag 04-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ingram Micro suffers global outage as internal systems inaccessible ∗∗∗ --------------------------------------------- IT giant Ingram Micro is experiencing a global outage that is impacting its websites and internal systems, with customers concerned that it may be a cyberattack after the company remains silent on the cause of the issues. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ingram-micro-suffers-global-… ∗∗∗ Hacker leaks Telefónica data allegedly stolen in a new breach ∗∗∗ --------------------------------------------- A hacker is threatening to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica in a breach that the company did not acknowledge. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-leaks-telef-nica-data… ∗∗∗ Rechnungshof warnt: Cybersicherheit der Bundes-IT unzureichend ∗∗∗ --------------------------------------------- Viele Rechenzentren des Bundes verfügen wohl nicht einmal über eine angemessene Notstromversorgung. Und auch an Redundanzen fehlt es häufig. --------------------------------------------- https://www.golem.de/news/rechnungshof-warnt-cybersicherheit-der-bundes-it-… ∗∗∗ The Breach Beyond the Runway: Cybercriminals Targeted Qantas Through a Trusted Partner ∗∗∗ --------------------------------------------- On July 3, 2025, Qantas confirmed in an update statement that a cyber incident had compromised data from one of its contact centers, following the detection of suspicious activity on June 30. The breach didn’t strike at the heart of .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-breach-… ∗∗∗ Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects ∗∗∗ --------------------------------------------- Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world.The international effort, codenamed Operation Borrelli, was carried out by the .. --------------------------------------------- https://thehackernews.com/2025/06/europol-dismantles-540-million.html ∗∗∗ "FoxyWallet": Mehr als 40 bösartige Firefox-Add-ons entdeckt ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben eine groß angelegte Kampagne mit bösartigen Firefox-Add-ons entdeckt. Die räumen Krypto-Wallets leer. --------------------------------------------- https://www.heise.de/news/FoxyWallet-Mehr-als-40-boesartige-Firefox-Add-ons… ∗∗∗ Pet microchip scams and data leaks in the UK ∗∗∗ --------------------------------------------- TL;DR We were recently on BBC Morning Live talking about issues with pet microchip data, helping some pet owners understand how they were being billed for services which they didn’t recall signing up for. There was so much more to this piece though, so we’ve written up our findings in more detail .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pet-microchip-scams-and-data-… ∗∗∗ Das Facebook-Konto versendet unerwünschte Nachrichten? Phishing-Alarm & Abo-Falle! ∗∗∗ --------------------------------------------- Kriminelle nutzen die Angst vor „Account Hijacking“ – also der Übernahme eines Online-Kontos durch andere – für ihre Zwecke aus. Sie versenden E-Mail-Warnungen, laut denen über den Facebook-Account des Opfers „unerwünschte Nachrichten“ versendet werden. Die Lösung des vermeintlichen Problems führt direkt in eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/facebook-nachrichten-phishing-abo/ ∗∗∗ A message from Bruce the mechanical shark ∗∗∗ --------------------------------------------- This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing. --------------------------------------------- https://blog.talosintelligence.com/a-message-from-bruce-the-mechanical-shar… ∗∗∗ AI Dilemma: Emerging Tech as Cyber Risk Escalates ∗∗∗ --------------------------------------------- As AI adoption accelerates, businesses face mounting cyber threats—and urgent choices about secure implementation --------------------------------------------- https://www.trendmicro.com/en_us/research/25/g/ai-cyber-risks.html ∗∗∗ Taking over 60k spyware user accounts with SQL injection ∗∗∗ --------------------------------------------- Recently I was looking through a database of known stalkerware services and found one I wasn’t familiar with: Catwatchful. It seemed to be a full-featured Android spy app, to actually be its own service as opposed to a millionth FlexiSpy reseller, and to offer a 3-day free trial. Aside from a boilerplate disclaimer to only use it with consent .. --------------------------------------------- https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/ ∗∗∗ Identifying Ransomware Final Stage activities with KQL Queries ∗∗∗ --------------------------------------------- When ransomware strikes, it doesn’t just encrypt files — it often wraps up with a series of stealthy moves meant to lock you out, cover tracks, and make recovery a nightmare. That’s why it’s so important to spot these final-stage activities before the damage is permanent. --------------------------------------------- https://detect.fyi/identifying-ransomware-final-stage-activities-with-kql-q… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.07.2025
by Daily end-of-shift report 03 Jul '25

03 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-07-2025 18:00 − Donnerstag 03-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DOJ investigates ex-ransomware negotiator over extortion kickbacks ∗∗∗ --------------------------------------------- An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/doj-investigates-ex-ransomwa… ∗∗∗ Data Breach Reveals Catwatchful Stalkerware Is Spying On Thousands of Phones ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware apps full database of email addresses and plaintext passwords that .. --------------------------------------------- https://yro.slashdot.org/story/25/07/03/0023253/data-breach-reveals-catwatc… ∗∗∗ Fake Spam Plugin Uses Victim’s Domain Name to Evade Detection ∗∗∗ --------------------------------------------- During our investigation of an SEO spam infection (spam content designed to manipulate search engine results), we discovered a nicely crafted plugin that named itself after the infected domain, helping it evade detection. While this tactic was simple, it easily blended in with other legitimate plugins, making it harder to spot during the troubleshooting .. --------------------------------------------- https://blog.sucuri.net/2025/07/fake-spam-plugin-uses-victims-domain-name-t… ∗∗∗ CISA warns the Signal clone used by natsec staffers is being attacked, so patch now ∗∗∗ --------------------------------------------- Two flaws in TeleMessage are frequent attack vectors for malicious cyber actors The US security watchdog CISA has warned that malicious actors are actively exploiting two flaws in the Signal clone TeleMessage TM SGNL, and has directed federal agencies to patch the flaws or discontinue use of the app by July 22. --------------------------------------------- https://www.theregister.com/2025/07/02/cisa_telemessage_patch/ ∗∗∗ ChatGPT creates phisher’s paradise by recommending the wrong URLs for major companies ∗∗∗ --------------------------------------------- Crims have cottoned on to a new way to lead you astray AI-powered chatbots often deliver incorrect information when asked to name the address for major companies’ websites, and threat intelligence business Netcraft thinks that creates an opportunity for criminals. --------------------------------------------- https://www.theregister.com/2025/07/03/ai_phishing_websites/ ∗∗∗ Cisco entfernt SSH-Hintertür in Unified Communications Manager ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat Sicherheitslücken in verschiedenen Produkten geschlossen. Eine Lücke gilt als kritisch. --------------------------------------------- https://www.heise.de/news/Cisco-entfernt-SSH-Hintertuer-in-Unified-Communic… ∗∗∗ Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack ∗∗∗ --------------------------------------------- We analyze CVE-2025-24813 (Tomcat Partial PUT RCE), CVE-2025-27636 and CVE-2025-29891 (Camel Header Hijack RCE). --------------------------------------------- https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cv… ∗∗∗ Hunters International ransomware group claims to be shutting down ∗∗∗ --------------------------------------------- “After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the prolific cybercrime gang wrote on its darknet site. --------------------------------------------- https://therecord.media/hunters-international-ransomware-extortion-group-cl… ∗∗∗ Russia jails man for 16 years over pro-Ukraine cyberattacks on critical infrastructure ∗∗∗ --------------------------------------------- Russian authorities said the man used malware to attack Russian information systems in 2022, blocking access to websites of several local companies and damaging critical infrastructure. --------------------------------------------- https://therecord.media/russia-jails-man-over-pro-ukraine-cyberattacks ===================== = Vulnerabilities = ===================== ∗∗∗ Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-085 ∗∗∗ Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-086 ∗∗∗ Security Vulnerabilities fixed in Thunderbird 140 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.12 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.07.2025
by Daily end-of-shift report 02 Jul '25

02 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-07-2025 18:00 − Mittwoch 02-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft: DNS issue blocks delivery of Exchange Online OTP codes ∗∗∗ --------------------------------------------- Microsoft is working to fix a DNS misconfiguration that is causing one-time passcode (OTP) message delivery failures in Exchange Online for some users. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-links-dns-issue-t… ∗∗∗ Kundenfang am Unfallort: Hacker verkauft Daten aus Notrufsystem an Bestatter ∗∗∗ --------------------------------------------- Die Notrufdaten sind in Echtzeit zur Verfügung gestellt worden. Die Bestatter konnten damit frühzeitig an Einsatzorten auftauchen, um neue Kunden zu gewinnen. --------------------------------------------- https://www.golem.de/news/kundenfang-am-unfallort-hacker-verkauft-daten-aus… ∗∗∗ C2 mit Dinosauriern ∗∗∗ --------------------------------------------- Angreifer nutzen gerne Programme, die als Open Source verfügbar sind und typischerweise als legitim sowie harmlos eingestuft werden (z. B. rclone .. --------------------------------------------- https://sec-consult.com/de/blog/detail/c2-mit-dinosauriern/ ∗∗∗ chwoot: Kritische Linux-Lücke macht Nutzer auf den meisten Systemen zu Root ∗∗∗ --------------------------------------------- Ein Beispielexploit steht im Netz und funktioniert auf vielen Standardystemen. Admins sollten schnell die bereitstehenden Updates einspielen. --------------------------------------------- https://www.heise.de/news/chwoot-Kritische-Linux-Luecke-macht-Nutzer-auf-de… ∗∗∗ Bericht: EU-Grenzsystem SIS II mit zahlreichen Sicherheitslücken ∗∗∗ --------------------------------------------- Vertrauliche Berichte sollen tausende Schwachstellen im EU-Grenzsystem SIS II monieren. Die Entwickler bessern sie zu langsam aus. --------------------------------------------- https://www.heise.de/news/Bericht-EU-Grenzsystem-SIS-II-mit-zahlreichen-Sic… ∗∗∗ 600,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Forminator WordPress Plugin ∗∗∗ --------------------------------------------- On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be .. --------------------------------------------- https://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-a… ∗∗∗ Sinaloa-Kartell hackte das FBI, um geheime Informanten ausfindig zu machen ∗∗∗ --------------------------------------------- Ein Bericht des US-Justizministeriums übt Kritik am Umgang des FBI mit der Gefahr durch Überwachungstechnologien --------------------------------------------- https://www.derstandard.at/story/3000000277554/sinaloa-kartell-hackte-das-f… ∗∗∗ Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work ∗∗∗ --------------------------------------------- Support for ransomware, darknet drug markets and other cybercrime activity landed the Russian company Aeza Group on the U.S. governments sanctions list, the Treasury Department said. --------------------------------------------- https://therecord.media/russia-bulletproof-hosting-aeza-group-us-sanctions ∗∗∗ Ransomware gang attacks German charity that feeds starving children ∗∗∗ --------------------------------------------- Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay. --------------------------------------------- https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransom… ∗∗∗ Analysis of Attacks Targeting Linux SSH Servers for Proxy Installation ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting Linux servers that are inappropriately managed using honeypots. One of the representative honeypots is the SSH service that uses weak credentials, which is targeted by a large .. --------------------------------------------- https://asec.ahnlab.com/en/88749/ ∗∗∗ PDFs: Portable documents, or perfect deliveries for phish? ∗∗∗ --------------------------------------------- A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks. --------------------------------------------- https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliv… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2025
by Daily end-of-shift report 01 Jul '25

01 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 30-06-2025 18:00 − Dienstag 01-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Root-Zugriff für alle: Kritische Sudo-Lücke gefährdet unzählige Linux-Systeme ∗∗∗ --------------------------------------------- Forscher haben eine gefährliche Sicherheitslücke im Kommandozeilentool Sudo entdeckt. Angreifer können mit wenig Aufwand Root-Rechte erlangen. --------------------------------------------- https://www.golem.de/news/root-zugriff-fuer-alle-kritische-sudo-luecke-gefa… ∗∗∗ Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations ∗∗∗ --------------------------------------------- Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north… ∗∗∗ Vulnerability & Patch Roundup — June 2025 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website .. --------------------------------------------- https://blog.sucuri.net/2025/06/vulnerability-patch-roundup-june-2025.html ∗∗∗ U.S. Agencies Warn of Rising Iranian Cyberattacks on Defense, OT Networks, and Critical Infrastructure ∗∗∗ --------------------------------------------- U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors. "Over the past several months, there has been increasing activity from hacktivists .. --------------------------------------------- https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html ∗∗∗ OneClik Red Team Campaign Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsofts ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas .. --------------------------------------------- https://thehackernews.com/2025/06/oneclik-malware-targets-energy-sector.html ∗∗∗ Terrible tales of opsec oversights: How cybercrooks get themselves caught ∗∗∗ --------------------------------------------- The silly mistakes to the flagrant failures They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that. --------------------------------------------- https://www.theregister.com/2025/07/01/terrible_tales_of_opsec_oversights/ ∗∗∗ Überwachungskameras aus China: Kanada ordnet Schließung von Hikvision Canada an ∗∗∗ --------------------------------------------- Hikvision kommt aus China und verkauft Überwachungstechnik. Seit Jahren gibt es Kritik an dem Konzern. Nun lässt Kanada den dortigen Ableger schließen. --------------------------------------------- https://www.heise.de/news/Ueberwachungskameras-aus-China-Kanada-ordnet-Schl… ∗∗∗ Webbrowser Chrome: Sicherheitslücke wird angegriffen ∗∗∗ --------------------------------------------- In der Nacht zum Dienstag hat Google den Chrome-Browser ungeplant aktualisiert. Eine Sicherheitslücke wird bereits attackiert. --------------------------------------------- https://www.heise.de/news/Chrome-Google-stopft-attackierte-Sicherheitslueck… ∗∗∗ Viele Sicherheitslücken in Dell OpenManage Network Integration geschlossen ∗∗∗ --------------------------------------------- Angreifer können Dell OpenManage Network Integration über verschiedene Wege attackieren. Sicherheitsupdates stehen zur Verfügung. --------------------------------------------- https://www.heise.de/news/Viele-Sicherheitsluecken-in-Dell-OpenManage-Netwo… ∗∗∗ Britischer IT-Angestellter rächte sich an Ex-Arbeitgeber: Sieben Monate Haft ∗∗∗ --------------------------------------------- Nur wenige Stunden nach seiner Entlassung startete der junge Mann eine Cyberattacke und sorgte für Schäden in Höhe von 200.000 Pfund --------------------------------------------- https://www.derstandard.at/story/3000000277498/britischer-it-angestellter-r… ∗∗∗ 50 customers of French bank hit after insider helped SIM swap scammers ∗∗∗ --------------------------------------------- French police have arrested a business student interning at the bank Société Générale who is accused of helping SIM-swapping scammers to defraud 50 of its clients. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/50-customers-of-frenc… ∗∗∗ Encryption vs. Lawful Interception: EU policy news ∗∗∗ --------------------------------------------- I’ve commented here on this blog (or its German twin) quite a few time already on various legislative proposals on how the law enforcement agencies can keep their traditional access to the communication of suspects. See Ein paar Thesen zu aktuellen Gesetzesentwürfen (2017) Ein paar Gedanken zur „Überwachung verschlüsselter Nachrichten" (2024) Roles in .. --------------------------------------------- https://www.cert.at/en/blog/2025/7/encryption-vs-lawful-interception-eu-pol… ∗∗∗ DOJ raids 29 ‘laptop farms’ in crackdown on N. Korean IT worker scheme ∗∗∗ --------------------------------------------- The Justice Department announced a coordinated action to disrupt a Pyongyang campaign to get North Koreans hired at U.S.-based companies. --------------------------------------------- https://therecord.media/doj-raids-laptop-farms-crackdown ∗∗∗ International Criminal Court targeted by new ‘sophisticated’ attack ∗∗∗ --------------------------------------------- The ICC credited its “alert and response mechanisms” for “swiftly” discovering, confirming and containing a cyberattack. --------------------------------------------- https://therecord.media/international-criminal-court-cyberattack-2025 ∗∗∗ Malware in Apps: Godfather 2.0 für Android; SparkKitty in App-Stores ∗∗∗ --------------------------------------------- Kleiner Sammelbeitrag rund um das Thema Smartphone-Apps mit Malware an Bord. Aktuell feiert die Android-Malware Godfather 2.0 ihr Comeback bzw. Erfolge beim Raubzügen beim Online-Banking. Zudem haben Sicherheitsforscher .. --------------------------------------------- https://www.borncity.com/blog/2025/06/30/malware-in-apps-godfather-2-0-fuer… ∗∗∗ What the NULL?! Wing FTP Server RCE (CVE-2025-47812) ∗∗∗ --------------------------------------------- While performing a penetration test for one of our Continuous Penetration Testing customers, we’ve found a Wing FTP server instance that allowed anonymous connections. It was almost the only interesting thing exposed, but we still wanted to get a foothold into their perimeter and provide the customer with an impactful finding. So we .. --------------------------------------------- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2… ∗∗∗ Django Joins curl in Pushing Back on AI Slop Security Reports ∗∗∗ --------------------------------------------- Django has updated its official security documentation with new guidance for AI-assisted vulnerability reports, responding to a rising number of submissions generated by large language models (LLMs) that cite fabricated code or non-existent features. The change was authored by Django Fellow Natalia Bidart, who helps maintain the project’s .. --------------------------------------------- https://socket.dev/blog/django-joins-curl-in-pushing-back-on-ai-slop-securi… ∗∗∗ How hacktivist cyber operations surged amid Israeli-Iranian conflict ∗∗∗ --------------------------------------------- In June 2025, Israel carried out airstrikes against key Iranian military and nuclear facilities. Iran swiftly retaliated, escalating regional tensions to unprecedented levels. This military confrontation has not only unfolded in conventional warfare but also triggered a massive surge in cyber operations. Almost immediately after the .. --------------------------------------------- https://outpost24.com/blog/hacktivist-cyber-operations-iran-israel/ ===================== = Vulnerabilities = ===================== ∗∗∗ XSA-470 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-470.html ∗∗∗ [R1] Nessus Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-13 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.06.2025
by Daily end-of-shift report 30 Jun '25

30 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-06-2025 18:00 − Montag 30-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Scattered Spider hackers shift focus to aviation, transportation firms ∗∗∗ --------------------------------------------- Hackers associated with Scattered Spider tactics have expanded their targeting to the aviation and transportation industries after previously attacking insurance and retail sectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shi… ∗∗∗ Let’s Encrypt ends certificate expiry emails to cut costs, boost privacy ∗∗∗ --------------------------------------------- Lets Encrypt has announced it will no longer notify users about imminent certificate expirations via email due to high costs, privacy concerns, and unnecessary complexities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lets-encrypt-ends-certificat… ∗∗∗ Unveiling RIFT: Enhancing Rust malware analysis through pattern matching ∗∗∗ --------------------------------------------- As threat actors are adopting Rust for malware development, RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/06/27/unveiling-rift-enh… ∗∗∗ Stealthy WordPress Malware Drops Windows Trojan via PHP Backdoor ∗∗∗ --------------------------------------------- Last month, we encountered a particularly interesting and complex malware case that stood out from the usual infections we see in compromised WordPress websites. At first glance, the site looked clean, no visible signs of defacement, no malicious redirects, and nothing suspicious in the plugin list. But beneath the surface, a hidden infection chain was .. --------------------------------------------- https://blog.sucuri.net/2025/06/stealthy-wordpress-malware-drops-windows-tr… ∗∗∗ GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool ∗∗∗ --------------------------------------------- The threat actor behind the GIFTEDCROOK malware has made significant updates to turn the malicious program from a basic browser data stealer to a potent intelligence-gathering tool."Recent campaigns in June 2025 demonstrate GIFTEDCROOKs enhanced .. --------------------------------------------- https://thehackernews.com/2025/06/giftedcrook-malware-evolves-from.html ∗∗∗ IGF25: Diktatoren und Demokraten im globalen Süden als Kunden von Spyware ∗∗∗ --------------------------------------------- Spyware wie Pegasus von der NSO-Group wird zunehmend ein politisches Problem. Das war eine der Erkenntnisse des Internet Governance Forums in Norwegen. --------------------------------------------- https://www.heise.de/news/IGF25-Diktatoren-und-Demokraten-im-globalen-Suede… ∗∗∗ "CitrixBleed 2": Indizien für laufende Angriffe auf Sicherheitsleck ∗∗∗ --------------------------------------------- Eine Citrix-Netscaler-Lücke mit dem Spitznamen "CitrixBleed 2" ist gravierend. Nun wird sie offenbar attackiert. --------------------------------------------- https://www.heise.de/news/CitrixBleed-2-Indizien-fuer-laufende-Angriffe-auf… ∗∗∗ Cybergang erpresst Welthungerhilfe um 1,8 Millionen Euro ∗∗∗ --------------------------------------------- Die Cybergang Rhysida ist bei der Welthungerhilfe eingebrochen und hat Daten kopiert. Nun wollen die Täter 20 Bitcoins dafür. --------------------------------------------- https://www.heise.de/news/Ransomwareattacke-auf-Welthungerhilfe-10464644.ht… ∗∗∗ Dubiose Inkassoforderungen: Was tun bei plötzlichen Mahnschreiben? ∗∗∗ --------------------------------------------- Sie öffnen Ihr E-Mail-Postfach oder Ihren Briefkasten und finden ein Schreiben eines Inkassounternehmens. Angeblich haben Sie eine Rechnung nicht bezahlt, können sich aber nicht daran erinnern, etwas bestellt zu haben. Dieses Szenario ist leider keine Seltenheit. Immer mehr Verbraucher:innen berichten über solche dubiosen Zahlungsaufforderungen. Wir zeigen Ihnen, wie Sie reagieren können. --------------------------------------------- https://www.watchlist-internet.at/news/dubiose-inkassoschreiben-was-tun-bei… ∗∗∗ ESET Threat Report H1 2025 ∗∗∗ --------------------------------------------- A view of the H1 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts --------------------------------------------- https://www.welivesecurity.com/en/eset-research/eset-threat-report-h1-2025/ ∗∗∗ Hide Your RDP: Password Spray Leads to RansomHub Deployment ∗∗∗ --------------------------------------------- This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor .. --------------------------------------------- https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-… ∗∗∗ How 2 Ransomware Attacks on 2 Hospitals Led to 2 Deaths in Europe ∗∗∗ --------------------------------------------- Two deadly Ransomware Attacks on European hospitals show cybercrime now risks lives not just data with patients dying after treatment delays. --------------------------------------------- https://hackread.com/how-ransomware-attacks-hospitals-2-deaths-in-europe/ ∗∗∗ Protecting the Core: Securing Protection Relays in Modern Substations ∗∗∗ --------------------------------------------- Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its safe and efficient delivery from power plants to millions of end-users. At the core of a modern substation lies the protection relay: an intelligent electronic device (IED) that plays a critical role in .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/securing-protectio… ∗∗∗ GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them ∗∗∗ --------------------------------------------- Use these insights to automate software security (where possible) to keep your projects safe. --------------------------------------------- https://github.blog/security/github-advisory-database-by-the-numbers-known-… ∗∗∗ Ultimate Guide to API Pentesting: Hacking APIs for better Security ∗∗∗ --------------------------------------------- API Pentesting, or Application Programming Interface Penetration Testing, is the process of simulating real-world attacks against APIs to uncover vulnerabilities, misconfigurations, and flaws that could be exploited by malicious actors. Unlike traditional web applications, APIs are designed to be consumed by machines—often exposing .. --------------------------------------------- https://fortbridge.co.uk/research/ultimate-guide-to-api-pentesting-hacking-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (mod_proxy_cluster), Debian (catdoc, chromium, nagvis, and sudo), Fedora (chromium, gum, kubernetes1.32, moodle, podman, python3-docs, python3.13, salt, and tigervnc), Mageia (x11-server, x11-server-xwayland & tigervnc), Oracle (apache-commons-beanutils, exiv2, expat, firefox, git, git-lfs, gstreamer1-plugins-bad-free, ipa, java-21-openjdk, kea, kernel, libarchive, libblockdev, libsoup3, libvpx, libxslt, mod_auth_openidc, nodejs22, .. --------------------------------------------- https://lwn.net/Articles/1027769/ ∗∗∗ Marvell QConvergeConsole: Multible 0Day Vulnerabilities ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2025
by Daily end-of-shift report 27 Jun '25

27 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-06-2025 18:00 − Freitag 27-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a critical vulnerability in the Open VSX Registry ("open-vsx[.]org") that, if successfully exploited, could have enabled attackers to take control of the entire Visual Studio Code extensions marketplace, posing a severe supply chain risk. [..] Following responsible disclosure on May 4, 2025, multiple rounds of fixes were proposed by the maintainers, before a final patch was deployed on June 25. --------------------------------------------- https://thehackernews.com/2025/06/critical-open-vsx-registry-flaw-exposes.h… ∗∗∗ What if Microsoft just turned you off? Security pro counts the cost of dependency ∗∗∗ --------------------------------------------- Czech developer and pen-tester Miloslav Homer has an interesting take on reducing an organization's exposure to security risks. In an article headlined "Microsoft dependency has risks," he extends the now familiar arguments in favor of improving digital sovereignty, and reducing dependence on American cloud services. The argument is quite long but closely reasoned. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/06/26/cost_of_micr… ∗∗∗ Act now: Secure Boot certificates expire in June 2026 ∗∗∗ --------------------------------------------- Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. [..] If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. --------------------------------------------- https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-… ∗∗∗ Fake DocuSign email hides tricky phishing attempt ∗∗∗ --------------------------------------------- On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/06/fake-docusign-email-hides-tr… ∗∗∗ Die Miete ist ausständig? Vorsicht: Phishing E-Mail ∗∗∗ --------------------------------------------- Kriminelle fordern über E-Mails angeblich noch ausstehende Mietzahlungen ein. Gleichzeitig wollen sie eine Änderung des Zielkontos für zukünftige Überweisungen erwirken. Wir zeigen, wie man am besten auf eine derartige Phishing-Nachricht reagiert. --------------------------------------------- https://www.watchlist-internet.at/news/miete-ausstaendig-phishing/ ∗∗∗ SafePay ransomware: What you need to know ∗∗∗ --------------------------------------------- SafePay is a relatively new ransomware threat that was first observed around September 2024. [..] A recently published threat report released by security experts at NCC Group revealed that SafePay was currently the most active ransomware group. In the month of May 2025 alone, 70 ransomware attacks were linked to Safepay, accounting for 18% of the total. --------------------------------------------- https://www.fortra.com/blog/safepay-ransomware-what-you-need-know ∗∗∗ Attacken auf Fernwartungslücke in Servern von HPE, Lenovo und Co. ∗∗∗ --------------------------------------------- Angreifer attackieren mehrere Sicherheitslücken in freier Wildbahn, warnt die US-amerikanische IT-Sicherheitsbehörde CISA. Am gefährlichsten sind laufende Angriffe auf die Fernwartungsfirmware in AMI MegaRAC, die etwa in Servern von Asus, Asrock Rack, HPE oder Lenovo steckt. [..] Die bereits attackierte Sicherheitslücke in der Fernwartungsfirmware AMI MegaRAC wurde Mitte März bekannt. --------------------------------------------- https://heise.de/-10461788 ∗∗∗ Phishing-Welle: Betrüger geben sich als Paypal aus ∗∗∗ --------------------------------------------- Kriminelle geben sich am Telefon derzeit wieder als PayPal aus und behaupten, es stünden hohe Überweisungen bevor. --------------------------------------------- https://heise.de/-10462478 ∗∗∗ Microsoft wirft Antivirensoftware aus dem Windows-Kernel ∗∗∗ --------------------------------------------- Ein CrowdStrike-Erlebnis will Microsoft nicht noch einmal haben. Nun fliegt deswegen Antivirensoftware aus dem Windows-Kernel. [..] Im kommenden Monat will Microsoft eine Vorschau der Windows-Endpoint-Security-Plattform an einige MVI-Partner verteilen. Die ermöglicht es ihnen, ihre IT-Sicherheitslösungen so zu bauen, dass sie außerhalb des Windows-Kernels laufen. Software wie Antivirus und Endgeräteschutz befinden sich dann im User Mode, wie normale Apps auch. --------------------------------------------- https://heise.de/-10462538 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freeradius and icu), Fedora (clamav, glow, libssh, perl-Crypt-OpenSSL-RSA, perl-CryptX, podman, trafficserver, and xorg-x11-server), Mageia (gdk-pixbuf2.0 and thunderbird), Red Hat (osbuild-composer and weldr-client), SUSE (afterburn, google-osconfig-agent, libblockdev, pam, python-tornado6, screen, and yelp-xsl), and Ubuntu (libxslt and python-pip). --------------------------------------------- https://lwn.net/Articles/1027251/ ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01 ∗∗∗ TrendMakers Sight Bulb Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-02 ∗∗∗ f5: K000152189: Intel BIOS vulnerability CVE-2022-21233 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000152189 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.06.2025
by Daily end-of-shift report 26 Jun '25

26 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-06-2025 18:00 − Donnerstag 26-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Ubuntu disables Intel GPU security mitigations, promises 20% performance boost ∗∗∗ --------------------------------------------- Spectre, you may recall, came to public notice in 2018. Spectre attacks are based on the observation that performance enhancements built into modern CPUs open a side channel that can leak secrets a CPU is processing. The performance enhancement, known as speculative execution, predicts future instructions a CPU might receive and then performs the corresponding tasks before they are even called. If the instructions never come, the CPU discards the work it performed. When the prediction is correct, the CPU has already completed the task. --------------------------------------------- https://arstechnica.com/security/2025/06/ubuntu-disables-intel-gpu-security… ∗∗∗ New wave of ‘fake interviews’ use 35 npm packages to spread malware ∗∗∗ --------------------------------------------- A new wave of North Korea's 'Contagious Interview' campaign is targeting job seekers with malicious npm packages that infect dev's devices with infostealers and backdoors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-wave-of-fake-interviews-… ∗∗∗ Hackers abuse Microsoft ClickOnce and AWS services for stealthy attacks ∗∗∗ --------------------------------------------- A sophisticated malicious campaign that researchers call OneClik has been leveraging Microsoft’s ClickOnce software deployment tool and custom Golang backdoors to compromise organizations within the energy, oil, and gas sectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/oneclik-attacks-use-microsof… ∗∗∗ Hackers turn ScreenConnect into malware using Authenticode stuffing ∗∗∗ --------------------------------------------- Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-i… ∗∗∗ CISA is Shrinking: What Does it Mean for Cyber? ∗∗∗ --------------------------------------------- Today we are going to focus on the slimmed down profile of the Cybersecurity and Infrastructure Security Agency (CISA) under the new administration. We want to know what that means practically to cybersecurity teams. We want to explore the cost of having less coming out of CISA, and any opportunities the federal government shakeup might present for business. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/cisa-is-shrinking-what… ∗∗∗ Taming Agentic AI Risks Requires Securing Non-Human Identities ∗∗∗ --------------------------------------------- >From service accounts and Web application programming interfaces (APIs) to serverless applications and now artificial intelligence (AI) agents, the landscape of non-human identities is quickly becoming more complex. Companies are struggling to monitor and manage machine identities with security controls. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/taming-agentic-ai-risk… ∗∗∗ RedirectionGuard: Mitigating unsafe junction traversal in Windows ∗∗∗ --------------------------------------------- As attackers continue to evolve, Microsoft is committed to staying ahead by not only responding to vulnerabilities, but also by anticipating and mitigating entire classes of threats. One such threat, filesystem redirection attacks, has been a persistent vector for privilege escalation. In response, we’ve developed and deployed a new mitigation in Windows 11 called RedirectionGuard. This blog outlines how RedirectionGuard proactively closes off a major attack surface by preventing unsafe junction traversal, reinforcing our commitment to secure-by-design-principles and reducing the burden on developers and defenders. --------------------------------------------- https://msrc.microsoft.com/blog/2025/06/redirectionguard-mitigating-unsafe-… ∗∗∗ The Case of Hidden Spam Pages ∗∗∗ --------------------------------------------- Spammy posts and pages being placed on WordPress websites is one of the most common infections that we come across. The reason being is that the attack is very low-level in terms of sophistication: All that is required of the attacker is to brute force their way into the wp-admin panel; from there they just have their scripts/bots post spam posts and pages effectively achieving a blackhat SEO attack. Since an out-of-the-box WordPress website contains no protection on admin access other than a password (with no limit on the number of failed login attempts), and the admin users can often be discovered via enumeration, this remains a very popular type of spam infection on the platform. --------------------------------------------- https://blog.sucuri.net/2025/06/the-case-of-hidden-spam-pages.html ∗∗∗ nOAuth Vulnerability Still Affects 9% of Microsoft Entra SaaS Apps Two Years After Discovery ∗∗∗ --------------------------------------------- New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID, potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications. Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse. --------------------------------------------- https://thehackernews.com/2025/06/noauth-vulnerability-still-affects-9-of.h… ∗∗∗ Sextortion: Inflationsgebeutelte Betrüger erhöhen Forderungen ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher beobachten Preissteigerungen bei aktuellen Betrugsmaschen mit Sextortion-E-Mails. Offenbar sind auch die Betrüger inflationsgebeutelt und brauchen mehr Geld. --------------------------------------------- https://www.heise.de/news/Sextortion-Inflationsgebeutelte-Betrueger-erhoehe… ∗∗∗ Outdated Routers: The Hidden Threat to Network Security, FBI Warns ∗∗∗ --------------------------------------------- The FBI recently warned that malicious actors are targeting end-of-life (EOL) routers (network devices that manufacturers no longer support or update). These outdated routers are being hijacked by bad actors who use them as a stepping stone into networks, turning them into cybercriminal proxies. The threat is real, and it’s growing. --------------------------------------------- https://www.tripwire.com/state-of-security/outdated-routers-hidden-threat-n… ∗∗∗ How we turned a real car into a Mario Kart controller by intercepting CAN data ∗∗∗ --------------------------------------------- The PTP hack car is a second-hand 2016 Renault Clio that was bought because it was relatively cheap, was recent enough to feature an ‘eCall’ telematics module, small enough to fit in the garage attached to our lab and was local. It is used by our team to experiment and mess around with automotive testing on a real vehicle. It also uses a mixture of CAN and LIN for different components. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-we-turned-a-real-car-into… ∗∗∗ Gefälschte Anfragen zur Änderung des Gehaltskontos im Namen von Mitarbeitenden! ∗∗∗ --------------------------------------------- Wer eine unerwartete E-Mail von einem Mitarbeitenden erhält, in der um die Änderung der Bankverbindung für das Gehaltskonto gebeten wird, sollte besonders aufmerksam sein. Denn dahinter können Kriminelle stecken, die sich als echte Mitarbeitende ausgeben, um Gehaltszahlungen auf ihr eigenes Konto umzuleiten. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-anfragen-zur-aenderung-d… ∗∗∗ Common SCCM Misconfigurations Leading to Privilege Escalation ∗∗∗ --------------------------------------------- We often find that in environments which has a tiered model, where SCCM is used, there are plenty of misconfigurations which can be exploited. System Center Configuration Manager (SCCM), now known as Microsoft Configuration Manager (ConfigMgr), is a systems management platform used for deploying software, managing updates, and enforcing configuration settings across large numbers of Windows devices. --------------------------------------------- https://www.truesec.com/hub/blog/sccm-tier-killer ∗∗∗ Decrement by one to rule them all: AsIO3.sys driver exploitation ∗∗∗ --------------------------------------------- Armory Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware to configure settings or retrieve critical parameters such as CPU temperature, fan speeds and firmware updates. Therefore, it is critical to ensure that drivers are well-written with security in mind and designed such that access to the driver interfaces are limited only to certain services and administrators. --------------------------------------------- https://blog.talosintelligence.com/decrement-by-one-to-rule-them-all/ ===================== = Vulnerabilities = ===================== ∗∗∗ WinRAR patches bug letting malware launch from extracted archives ∗∗∗ --------------------------------------------- WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winrar-patches-bug-letting-m… ∗∗∗ Hunderte Modelle betroffen: Teils unpatchbare Lücken in Brother-Druckern entdeckt ∗∗∗ --------------------------------------------- Sicherheitsforscher von Rapid7 haben zahlreiche Multifunktionsdrucker auf mögliche Sicherheitslücken untersucht. Dabei fanden sie insgesamt acht Schwachstellen in 748 verschiedenen Scanner- und Druckermodellen. 689 dieser Modelle entfallen allein auf den Hersteller Brother, der im Fokus der Untersuchung stand. Aber auch von Fujifilm (46), Konica Minolta (6), Ricoh (5) und Toshiba (2) sind einige Geräte betroffen. Zumindest eine der acht Lücken kann wohl nicht ohne Weiteres über die Firmware gepatcht werden. --------------------------------------------- https://www.golem.de/news/hunderte-modelle-betroffen-teils-unpatchbare-luec… ∗∗∗ Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC ∗∗∗ --------------------------------------------- Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0. --------------------------------------------- https://thehackernews.com/2025/06/citrix-releases-emergency-patches-for.html ∗∗∗ ZDI-25-424: Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to bypass access restrictions on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability. The following CVEs are assigned: CVE-2025-6443. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-424/ ∗∗∗ Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Notepad++ Vulnerability Allows Full System Takeover — PoC Released ∗∗∗ --------------------------------------------- A critical privilege escalation vulnerability (CVE-2025-49144) in Notepad++ v8.8.1 enables attackers to achieve full system control through a supply-chain attack. The flaw exploits the installer’s insecure search path behavior, allowing unprivileged users to escalate privileges to NT AUTHORITY\SYSTEM with minimal user interaction. This marks one of the most severe vulnerabilities discovered in the popular text editor, with proof-of-concept (PoC) exploitation materials now publicly available. --------------------------------------------- https://gbhackers.com/notepad-vulnerability/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and libxml2), Fedora (firefox, libtpms, and tigervnc), Mageia (chromium-browser-stable and nss & firefox), Oracle (emacs, iputils, kernel, krb5, libarchive, mod_proxy_cluster, pam, perl-File-Find-Rule, perl-YAML-LibYAML, and qt5-qtbase), Red Hat (opentelemetry-collector, osbuild-composer, and weldr-client), SUSE (clamav, firefox, go1.24-openssl, and helm), and Ubuntu (libarchive, linux-azure, linux-azure-5.4, linux-azure-fips, linux-fips, linux-azure-nvidia, linux-oracle, linux-oracle-6.8, linux-raspi, linux-raspi-realtime, linux-xilinx-zynqmp, and python-urllib3). --------------------------------------------- https://lwn.net/Articles/1027082/ ∗∗∗ Security Advisory: Airoha-based Bluetooth Headphones and Earbuds ∗∗∗ --------------------------------------------- During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference. Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s Software Development Kit (SDK). --------------------------------------------- https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/ ∗∗∗ Drupal Security Advisories 2025-June-25 ∗∗∗ --------------------------------------------- https://www.drupal.org/security -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.06.2025
by Daily end-of-shift report 25 Jun '25

25 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-06-2025 18:00 − Mittwoch 25-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sonicwall warnt vor mit Schadcode verseuchter Fake-NetExtender-App ∗∗∗ --------------------------------------------- Derzeit ist eine von Cyberkriminellen manipulierte Ausgabe der VPN-Anwendung NetExtender in Umlauf. [..] Um zu erkennen, ob man die Fake-Version installiert hat, muss man die Eigenschaften der ausführbaren NetExtender-Datei öffnen und die "Digitale Signatur" prüfen. Steht dort "CITYLIGHT MEDIA PRIVATE LIMITED", handelt es sich um die verseuchte Version und Admins sollten sie umgehend löschen. --------------------------------------------- https://www.heise.de/news/Sonicwall-warnt-vor-mit-Schadcode-verseuchter-Fak… ∗∗∗ Microsoft: Update-Verlängerung für Windows 10 für Privatkunden konkretisiert ∗∗∗ --------------------------------------------- Microsoft hatte Support-Verlängerung für Windows-10-Privatkunden angekündigt. Jetzt gibt es Infos dazu – es geht sogar kostenlos. [..] Ob die Windows-Backup-Option wirklich als kostenlos gelten kann, hängt stark davon ab, wie viele Daten Microsoft auf den Cloud-Speicher schiebt. [..] Hier zahlen Interessierte mit ihren Daten. --------------------------------------------- https://heise.de/-10458519 ∗∗∗ Citrix Bleed Teil 2: Schwachstelle CVE-2025–5777 weitet sich aus ∗∗∗ --------------------------------------------- Zum 23. Juni 2025 gab es wohl eine Aktualisierung der Beschreibung zu CVE-2025-5777. Hieß es zum 17. Juni 2025 noch, dass man das "Netscaler Management Interface" wegen der Schwachstelle nicht dem Internet aussetzen sollte. Der Verweis auf das Netscaler Management Interface ist zum 23. Juni 2025 entfallen (lässt sich unter CVE-2025-5777 nachschlagen, wenn man am Seitenende unter "Change History" auf den Link "show changes" klickt. --------------------------------------------- https://www.borncity.com/blog/2025/06/25/citrix-bleed-teil-2-schwachstelle-… ∗∗∗ Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity ∗∗∗ --------------------------------------------- GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. --------------------------------------------- https://www.greynoise.io/blog/surge-moveit-transfer-scanning-activity ∗∗∗ Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors ∗∗∗ --------------------------------------------- Dire Wolf is a newly emerged ransomware group first observed in May 2025 and Trustwave SpiderLabs recently uncovered a Dire Wolf ransomware sample that revealed for the first time key details about how the ransomware operates. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dire-wolf-s… ∗∗∗ Cybercriminal abuse of large language models ∗∗∗ --------------------------------------------- Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs. [..] As AI technology continues to develop, Cisco Talos expects cybercriminals to continue adopting LLMs to help streamline their processes, write tools/scripts that can be used to compromise users and generate content that can more easily bypass defenses. This new technology doesn’t necessarily arm cybercriminals with completely novel cyber weapons, but it does act as a force multiplier, enhancing and improving familiar attacks. --------------------------------------------- https://blog.talosintelligence.com/cybercriminal-abuse-of-large-language-mo… ∗∗∗ What LLMs Know About Their Users ∗∗∗ --------------------------------------------- Simon Willison talks about ChatGPT’s new memory dossier feature. In his explanation, he illustrates how much the LLM—and the company—knows about its users. --------------------------------------------- https://www.schneier.com/blog/archives/2025/06/what-llms-know-about-their-u… ∗∗∗ Kleine Figuren, großer Hype: Kriminelle locken vermehrt in Labubu Fake-Shops ∗∗∗ --------------------------------------------- Ihr weltweiter Siegeszug ruft immer mehr Betrüger:innen auf den Plan. Die Rede ist von Labubu Figuren. Fake-Shops locken mit vermeintlichen Schnäppchen, dienen den Kriminellen in Wahrheit aber nur als Vehikel, um sensible Daten ihrer Opfer abzugreifen und ihnen das Geld aus der Tasche zu ziehen. --------------------------------------------- https://www.watchlist-internet.at/news/labubu-fake-shops/ ∗∗∗ Post-Quantum Cryptography Implementation Enterprise-Readiness Analysis ∗∗∗ --------------------------------------------- Explore how enterprises are adopting post-quantum cryptography (PQC) using OpenSSL 3.5, hybrid TLS, and NIST-approved algorithms like Kyber and Dilithium. Learn about PQC implementation strategies, compliance timelines, tooling, and real-world deployments by Microsoft, Meta, Red Hat, and others preparing for quantum-safe encryption. --------------------------------------------- https://www.darknet.org.uk/2025/06/post-quantum-cryptography-implementation… ∗∗∗ The Anatomy of a Business Email Compromise Attack ∗∗∗ --------------------------------------------- BEC attacks almost always start with an Email Account Compromise (EAC) – in other words, an attacker gets control of someone’s email inbox. --------------------------------------------- https://www.truesec.com/hub/blog/the-anatomy-of-a-business-email-compromise… ===================== = Vulnerabilities = ===================== ∗∗∗ Admin-Attacken auf HPE OneView für VMware vCenter möglich ∗∗∗ --------------------------------------------- Die in einer Warnmeldung aufgeführte Schwachstelle (CVE-2025-37101 "hoch") kann Angreifer mit Leserechten dazu befähigen, Befehle als Admins auszuführen. Wie ein solcher Angriff im Detail ablaufen könnte und ob Angreifer die Lücke bereits ausnutzen, ist derzeit nicht bekannt. --------------------------------------------- https://www.heise.de/news/Admin-Attacken-auf-HPE-OneView-fuer-VMware-vCente… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (commons-beanutils, dcmtk, nginx, trafficserver, and xorg-server), Fedora (atuin, awatcher, dotnet8.0, firefox, glibc, gotify-desktop, keylime-agent-rust, libtpms, mirrorlist-server, qt6-qtbase, qt6-qtimageformats, udisks2, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (apache-mod_security, clamav, docker, python-django, tomcat, udisks2, and yarnpkg), Oracle (firefox, libblockdev, mod_auth_openidc, perl-FCGI, perl-YAML-LibYAML, tigervnc, and xorg-x11-server and xorg-x11-server-Xwayland), Slackware (libssh and mozilla), SUSE (gimp, gstreamer-plugins-good, icu, ignition, kernel, pam-config, perl-File-Find-Rule, python311, and webkit2gtk3), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-azure, linux-azure, linux-azure-6.8, linux-azure-5.15, linux-azure-fips, and linux-realtime). --------------------------------------------- https://lwn.net/Articles/1026848/ ∗∗∗ TeamViewer: Incorrect Permission Assignment for Critical Resource in TeamViewer Remote Management ∗∗∗ --------------------------------------------- Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior Version 15.67 (and additional versions listed below) on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges via leveraging the MSI rollback mechanism. To exploit this vulnerability, an attacker needs local access to the Windows system. CVE-2025-36537 --------------------------------------------- https://www.teamviewer.com/de/resources/trust-center/security-bulletins/tv-… ∗∗∗ Parsons AccuWeather Widget ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06 ∗∗∗ Kaleris Navis N4 Terminal Operating System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01 ∗∗∗ Delta Electronics CNCSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-02 ∗∗∗ MICROSENS NMP Web+ ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07 ∗∗∗ ControlID iDSecure On-Premises ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05 ∗∗∗ f5: K000152048: Dnsmasq vulnerability CVE-2019-14834 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000152048 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2025
by Daily end-of-shift report 24 Jun '25

24 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Montag 23-06-2025 18:00 − Dienstag 24-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Auswirkungen des militärischen Konfliktes zwischen Israel und dem Iran auf Österreich ∗∗∗ --------------------------------------------- Vorliegende Analysen internationaler Behörden und Sicherheitsunternehmen verzeichnen seit dem Beginn der aktuellen militärischen Auseinandersetzung zwischen Israel und dem Iran verstärkte Aktivitäten von Bedrohungsakteuren aller Konfliktparteien. [..] Laut unseren bisherigen Beobachtungen gab es bisher noch keine direkten Angriffe oder Auswirkungen auf lokale Unternehmen oder Organisationen. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/6/auswirkungen ∗∗∗ FileFix attack weaponizes Windows File Explorer for stealthy commands ∗∗∗ --------------------------------------------- A cybersecurity researcher has developed FileFix, a variant of the ClickFix social engineering attack that tricks users into executing malicious commands via the File Explorer address bar in Windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-wi… ∗∗∗ Polizei-Handys seit Cyberangriff nicht nutzbar ∗∗∗ --------------------------------------------- Ein Angriff auf die Diensthandys der Polizei in Mecklenburg-Vorpommern könnte größere Folgen haben als angenommen. Derzeit sind die Handys nicht im Einsatz. --------------------------------------------- https://heise.de/-10456563 ∗∗∗ BSI warnt: Immer weniger Menschen nutzen 2FA und sichere Passwörter ∗∗∗ --------------------------------------------- Eine neue Untersuchung des BSI zeigt einen bedenklichen Trend. Menschen verhalten sich im Netz trotz hoher Bedrohungslage immer unvorsichtiger. --------------------------------------------- https://www.golem.de/news/bsi-warnt-immer-weniger-menschen-nutzen-2fa-und-s… ∗∗∗ Remote code execution in CentOS Web Panel - CVE-2025-48703 ∗∗∗ --------------------------------------------- This exploitation scenario has been tested on versions 0.9.8.1204 and 0.9.8.1188 on Centos7 and reported to CWP developers the 13th of May 2025 as CVE-2025-48703. It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server. The vulnerability has been patched on latest version 0.9.8.1205 during June 2025. --------------------------------------------- https://fenrisk.com/rce-centos-webpanel ∗∗∗ The State of Ransomware 2025 ∗∗∗ --------------------------------------------- Explore the causes and consequences of ransomware in 2025 based on findings from a vendor-agnostic survey of 3,400 organizations hit by ransomware in the last year. --------------------------------------------- https://news.sophos.com/en-us/2025/06/24/the-state-of-ransomware-2025/ ∗∗∗ Echo Chamber Jailbreak Tricks LLMs Like OpenAI and Google into Generating Harmful Content ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new jailbreaking method called Echo Chamber that could be leveraged to trick popular large language models (LLMs) into generating undesirable responses, irrespective of the safeguards put in place. --------------------------------------------- https://thehackernews.com/2025/06/echo-chamber-jailbreak-tricks-llms-like.h… ∗∗∗ Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network ∗∗∗ --------------------------------------------- Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments. --------------------------------------------- https://thehackernews.com/2025/06/hackers-exploit-misconfigured-docker.html ∗∗∗ A Deep Dive into a Modular Malware Family ∗∗∗ --------------------------------------------- In today’s blog post we highlighted an interesting malware family targeting various systems with diverse capabilities, including stealing credit card information and WordPress credentials. Additionally, we detailed a novel bundle of credit card skimmers and malicious WordPress plugins which combines malicious actions with features developed for the attacker’s convenience. --------------------------------------------- https://www.wordfence.com/blog/2025/06/a-deep-dive-into-a-modular-malware-f… ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories 2025-06-23 ∗∗∗ --------------------------------------------- Splunk released 4 security advisories (1x critical). --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dns-root-data and xorg-server), Fedora (glibc, mingw-glib2, and optipng), Red Hat (iputils, kernel, kernel-rt, krb5, libarchive, mod_auth_openidc, mod_proxy_cluster, and xorg-x11-server-Xwayland), SUSE (python313), and Ubuntu (fig2dev, gnuplot, gss-ntlmssp, linux, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-aws-5.15, linux-gcp-5.15, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-aws-fips, linux-fips, linux-gcp-fips, linux-hwe-5.15, and linux-intel-iot-realtime, linux-realtime). --------------------------------------------- https://lwn.net/Articles/1026646/ ∗∗∗ Kanboard: Sicherheitslücke ermöglicht Kontoübernahme ∗∗∗ --------------------------------------------- In dem Open-Source-Kanban Kanboard können Angreifer Links fälschen, die zur Kontoübernahme führen. [..] Die Kanboard-Entwickler stellen aktualisierte Quellen und auch Docker-Container bereit, sie verlinken sie in den Release-Notes und erörtern das Docker-Update. --------------------------------------------- https://heise.de/-10457116 ∗∗∗ Mozilla Firefox June 24, 2025 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ f5: K000151924: runc vulnerability CVE-2024-45310 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151924 ∗∗∗ Case update: DIVD-2025-00032 - Unauthenticated Arbitrary Remote Code Execution in Pterodactyl ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2025-00032/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2025
by Daily end-of-shift report 23 Jun '25

23 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-06-2025 18:00 − Montag 23-06-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WordPress Motors theme flaw mass-exploited to hijack admin accounts ∗∗∗ --------------------------------------------- Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-motors-theme-flaw-… ∗∗∗ Canada says Salt Typhoon hacked telecom firm via Cisco flaw ∗∗∗ --------------------------------------------- The Canadian Centre for Cyber Security and the FBI confirm that the Chinese state-sponsored Salt Typhoon hacking group is also targeting Canadian telecommunication firms, breaching a telecom provider in February. --------------------------------------------- https://www.bleepingcomputer.com/news/security/canada-says-salt-typhoon-hac… ∗∗∗ ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware ∗∗∗ --------------------------------------------- Since March 2025 there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them. --------------------------------------------- https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware ∗∗∗ SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play ∗∗∗ --------------------------------------------- SparkKitty, a new Trojan spy for iOS and Android, spreads through untrusted websites, the App Store, and Google Play, stealing images from users galleries. --------------------------------------------- https://securelist.com/sparkkitty-ios-android-malware/116793/ ∗∗∗ Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms ∗∗∗ --------------------------------------------- The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals. The new feature takes the form of a "Call Lawyer" feature on the affiliate panel, per Israeli cybersecurity company Cybereason. --------------------------------------------- https://thehackernews.com/2025/06/qilin-ransomware-adds-call-lawyer.html ∗∗∗ Google Adds Multi-Layered Defenses to Secure GenAI from Prompt Injection Attacks ∗∗∗ --------------------------------------------- Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems. --------------------------------------------- https://thehackernews.com/2025/06/google-adds-multi-layered-defenses-to.html ∗∗∗ XDigo Malware Exploits Windows LNK Flaw in Eastern European Government Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut (LNK) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said. --------------------------------------------- https://thehackernews.com/2025/06/xdigo-malware-exploits-windows-lnk-flaw.h… ∗∗∗ Rekord bei DDoS-Attacke mit 7,3 TBit/s ∗∗∗ --------------------------------------------- Cloudflare hat Mitte Mai den "größten jemals registrierten" Denial-of-Service-Angriff (DDoS) mit bislang kaum für möglich gehaltenen 7,3 Terabit pro Sekunde (TBit/s) blockiert. Dies teilte der US-Anbieter rund um Lösungen für IT-Sicherheit und Internetperformance am Freitag mit. --------------------------------------------- https://www.heise.de/news/Junk-Traffic-Flut-Rekord-DDoS-Angriff-auf-Provide… ∗∗∗ Gefälschte Mahn-SMS im Namen des Finanzministeriums! ∗∗∗ --------------------------------------------- Derzeit gibt es eine Phishing-Welle mit angeblichen SMS des Bundesministeriums für Finanzen (BMF). Darin wird behauptet, dass eine Pfändung bevorsteht, weil angeblich mehrere Mahnungen ignoriert wurden. Achtung: Zahlen Sie diese Forderung nicht! Die Nachricht stammt nicht vom Finanzministerium und Ihr Geld landet bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-mahn-sms-im-namen-des-fi… ∗∗∗ New Detection Method Uses Hackers’ Own Jitter Patterns Against Them ∗∗∗ --------------------------------------------- A new detection method from Varonis Threat Labs turns hackers sneaky random patterns into a way to catch hidden cyberattacks. Learn about Jitter-Trap and how it boosts cybersecurity defenses. --------------------------------------------- https://hackread.com/cyber-detection-hackers-jitter-patterns-against-them/ ∗∗∗ Report Warns of Sophisticated DDoS Campaigns Crippling Global Banks ∗∗∗ --------------------------------------------- A new FS-ISAC and Akamai report warns that sophisticated DDoS attacks are severely impacting the global financial sector, leading to multi-day outages. Learn about these evolving threats and how institutions can strengthen defences. --------------------------------------------- https://hackread.com/sophisticated-ddos-campaigns-crippling-global-banks/ ∗∗∗ Mehr Sicherheit, weniger Handarbeit: AWS bringt die KI-Security ∗∗∗ --------------------------------------------- Security Hub, Shield und GuardDuty XTD erhalten neue Funktionen: Mit einer speziell trainierten KI will AWS wichtige Sicherheitsmaßnahmen beschleunigen. --------------------------------------------- https://heise.de/-10455859 ∗∗∗ Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs ∗∗∗ --------------------------------------------- Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems. --------------------------------------------- https://thecyberexpress.com/ukrainian-government-systems-targeted/ ===================== = Vulnerabilities = ===================== ∗∗∗ Öffnen reicht: Winrar-Lücke lässt Angreifer Schadcode ausführen ∗∗∗ --------------------------------------------- Der Entwickler von Winrar hat in seinem weit verbreiteten Packprogramm eine gefährliche Sicherheitslücke geschlossen, die es Angreifern ermöglicht, auf fremden Systemen eigenen Code zur Ausführung zu bringen. Der Patch scheint bisher nur in der am 10. Juni veröffentlichten Beta-Version Winrar 7.12 Beta 1 enthalten zu sein. --------------------------------------------- https://www.golem.de/news/packprogramm-winrar-schwachstelle-ermoeglicht-aus… ∗∗∗ IBM QRadar SIEM: Autoupdate-Dateien mit Schadcode verseuchbar ∗∗∗ --------------------------------------------- Angreifer können an mehreren Sicherheitslücken in IBM QRadar SIEM ansetzen und im schlimmsten Fall Schadcode ausführen. Ein Sicherheitspatch schließt mehrere Lücken. --------------------------------------------- https://www.heise.de/news/IBM-QRadar-SIEM-Autoupdate-Dateien-mit-Schadcode-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libblockdev and open-vm-tools), Debian (debian-security-support, gdk-pixbuf, konsole, and node-send), Fedora (apache-commons-beanutils, chromium, clamav, dotnet9.0, libblockdev, mediawiki, mingw-python-setuptools, pam, perl-File-Find-Rule, python-pycares, python-setuptools, spdlog, udisks2, and xorg-x11-server-Xwayland), Mageia (chromium-browser-stable), Oracle (apache-commons-beanutils, container-tools:ol8, gimp:2.8, idm:DL1, perl-FCGI:0.78, and postgresql), Red Hat (container-tools:rhel8, delve, git-lfs, go-toolset:rhel8, grafana, kernel, mod_auth_openidc, and spice-client-win), SUSE (apache-commons-beanutils, apache2-mod_security2, distribution, gstreamer-plugins-good, icu, ignition, perl, python310, python311, python312, and python39), and Ubuntu (apache-log4j1.2 and botan). --------------------------------------------- https://lwn.net/Articles/1026498/ ∗∗∗ Fortinet: Buffer overflow in fgfmd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-036 ∗∗∗ F5: K000151740, Ruby vulnerability CVE-2024-47220 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151740 ∗∗∗ Fortinet: Teleport Remote Authentication Bypass ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6132 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2025
by Daily end-of-shift report 20 Jun '25

20 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-06-2025 18:00 − Freitag 20-06-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Telecom giant Viasat breached by Chinas Salt Typhoon hackers ∗∗∗ --------------------------------------------- Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber-espionage group, which has previously hacked into the networks of multiple other telecom providers in the United States and worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telecom-giant-viasat-breache… ∗∗∗ Grok und Mixtral ohne Grenzen: Neue KI-Tools erzeugen Phishing-Mails und Malware ∗∗∗ --------------------------------------------- WormGPT war eines der ersten großen Sprachmodelle, das speziell für cyberkriminelle Aktivitäten vorgesehen war und äußerst überzeugende Phishing-Mails generieren konnte. Während das Original schon nach wenigen Wochen wieder verschwand, sind neue LLMs unter gleichem Namen an dessen Stelle getreten. --------------------------------------------- https://www.golem.de/news/wormgpt-ist-zurueck-neue-ki-modelle-unterstuetzen… ∗∗∗ Cyberangriffe: Nordkoreanische Hacker faken Vorgesetzte in Videokonferenzen ∗∗∗ --------------------------------------------- Die nordkoreanische Hackergruppe Bluenoroff verwendet Bleeping Computer zufolge seit einiger Zeit eine perfide Methode, um Malware in Unternehmen einzuschleusen. Das Ziel ist offenbar, Kryptogeld abzuzweigen – dafür ist die Bluenoroff-Gruppierung, die eine Untergruppe von Lazarus sein soll, bekannt. --------------------------------------------- https://www.golem.de/news/cyberangriffe-nordkoreanische-hacker-faken-vorges… ∗∗∗ Cybersicherheit: Iran soll israelische Sicherheitskameras gehackt haben ∗∗∗ --------------------------------------------- Iranische Hacker sollen auf private Überwachungskameras in Israel zugegriffen haben, um Informationen zu sammeln. Wie Bloomberg mit Verweis auf einen Beitrag im israelischen Rundfunk berichtet, hat ein ehemaliger israelischer Cybersicherheitsbeamter die Bevölkerung dazu aufgefordert, private Überwachungskameras abzuschalten oder deren Passwörter zu ändern. --------------------------------------------- https://www.golem.de/news/cybersicherheit-iran-soll-israelische-sicherheits… ∗∗∗ Analysis of a Malicious WordPress Plugin: The Covert Redirector ∗∗∗ --------------------------------------------- A few weeks ago, we received a support request from a website owner who was experiencing unexpected redirects. Visitors landed on the website normally, but after about 4–5 seconds, the site redirected them to unrelated and suspicious websites. During the investigation, we discovered a malicious plugin that was responsible for this behavior, continuing the trend of attackers using fake WordPress plugins. --------------------------------------------- https://blog.sucuri.net/2025/06/analysis-of-a-malicious-wordpress-plugin-th… ∗∗∗ New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains ∗∗∗ --------------------------------------------- A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails. The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix. --------------------------------------------- https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html ∗∗∗ Proxy: Umgehung von Beschränkungen in Apache Traffic Server möglich ∗∗∗ --------------------------------------------- In Apache Traffic Server (ATS), einem quelloffenen Proxy-Server, wurden zwei Sicherheitslücken entdeckt. Angreifer können sie missbrauchen, um damit Zugriffsbeschränkungen zu umgehen oder Denial-of-Service-Attacken auszuführen. Aktualisierte Quellen stehen bereit, um die Schwachstellen auszubessern. --------------------------------------------- https://www.heise.de/news/Proxy-Umgehung-von-Beschraenkungen-in-Apache-Traf… ∗∗∗ Resurgence of the Prometei Botnet ∗∗∗ --------------------------------------------- In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant. --------------------------------------------- https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/ ∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗ --------------------------------------------- ince November 2024, AhnLab has been working with the NCSC to analyze the malicious IRC server and related malware to classify the unidentified threat actor as Larva-24013 and trace their activities, and has confirmed their association with the Shadow Force group. AhnLab manages malicious activities in four stages through the “Threat Actor Naming and Taxonomy,” classifying threat actors as “Larva” (unidentified threat actors) and “Arthropod” (identified threat actors). Following AhnLab’s threat actor taxonomy and naming convention, the threat actor has been identified and named TA-ShadowCricket. --------------------------------------------- https://asec.ahnlab.com/en/88137/ ∗∗∗ Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages ∗∗∗ --------------------------------------------- Cybercriminals are finding clever new ways to trick people, even on the official websites of major companies. Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands. --------------------------------------------- https://hackread.com/scammers-fake-support-numbers-real-apple-netflix-paypa… ∗∗∗ Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories ∗∗∗ --------------------------------------------- ReversingLabs researchers recently uncovered a new and worrying attack method led by a group called Banana Squad. This group, first identified by Checkmarx researchers in October 2023, is known for their sneaky methods, with their name coming from an early harmful internet address, bananasquadru. --------------------------------------------- https://hackread.com/banana-squad-data-stealing-malware-github-repositories/ ∗∗∗ New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack ∗∗∗ --------------------------------------------- A new and concerning cyber threat, dubbed Mocha Manakin, has been identified by cybersecurity research firm Red Canary. First tracked in January 2025, this threat uniquely combines social engineering tricking people with specially built malicious software. --------------------------------------------- https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack/ ∗∗∗ What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia ∗∗∗ --------------------------------------------- In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high risk users. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-… ∗∗∗ Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords ∗∗∗ --------------------------------------------- In recent years, users’ familiarity with common phishing tactics, increasingly advanced detection and blocking by platforms, and the rise in use of Multi-Factor Authentication (MFA), have all contributed to changes in the ways that attackers phish accounts. The introduction of more secure forms of MFA, such as hardware security keys, has also closed off certain avenues of social engineering. . --------------------------------------------- https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-… ∗∗∗ Betrüger nutzen Briefpost zur Abzocke der Ledger-Wallet ∗∗∗ --------------------------------------------- Wer mit Krypto-Währungen und Assets hantiert, hat sicherlich zumindest mit Hardware-Wallets wie der von Ledger geliebäugelt. Einem Leser trudelte nun ein unzureichend frankierter Brief in die Hände. Damit versuchen Kriminelle, die Ledger-Krypto-Wallet zu übernehmen und leerzuräumen. --------------------------------------------- https://heise.de/-10453136 ∗∗∗ Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion ∗∗∗ --------------------------------------------- On June 11, 2025, Huntress received contact from a partner saying that an end user had downloaded, potentially, a malicious Zoom extension. The depth of the intrusion became immediately apparent upon installing the Huntress EDR agent, and after some analysis, it was discovered that the lure used to gain access was received by the victim several weeks prior. This post aims to provide a detailed analysis from beginning to end of the intrusion, including a full breakdown of several new pieces of malware used by the threat actors. --------------------------------------------- https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis ∗∗∗ Israel-Iran Conflict Sparks Wider Cyber Conflict, New Malware ∗∗∗ --------------------------------------------- The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a wider cyber conflict in the region, including the launch of new malware campaigns. --------------------------------------------- https://thecyberexpress.com/israel-iran-conflict-hacktivism/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gvisor-tap-vsock), Debian (activemq and chromium), Fedora (kea, python-django4.2, python-django5, python-setuptools, and rust-git-interactive-rebase-tool), Oracle (ipa and kernel), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, gvisor-tap-vsock, podman, and skopeo), Slackware (libblockdev and xorg), SUSE (gdm, gstreamer-plugins-base, ignition, kernel, pam, redis, s390-tools, screen, systemd, and xorg-x11-server), and Ubuntu (godot, golang-1.22, libblockdev, node-express, pam, samba, and udisks2). --------------------------------------------- https://lwn.net/Articles/1026007/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by SUSE (apache2-mod_security2, augeas, ghc-pandoc, gstreamer, ignition, kernel, libblockdev, libxml2, nodejs20, openssl-3, pam_pkcs11, perl, python3, systemd, ucode-intel, webkit2gtk3, and xen) and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-gcp-fips, python3.13, python3.12, and roundcube). --------------------------------------------- https://lwn.net/Articles/1026281/ ∗∗∗ Kritische Schwachstellen CVE-2025-6018 und CVE-2025-6019 in Linux-Systemen ∗∗∗ --------------------------------------------- Sicherheitsforscher von Qualys TRU haben zwei verknüpfte, kritische Schwachstellen in Linux aufgedeckt. Ausgehend von SUSE 15 führt die LPE-Kette bei Standardkonfigurationen vieler Linux-Distributionen direkt zum Root-Zugriff. --------------------------------------------- https://www.borncity.com/blog/2025/06/19/kritische-schwachstellen-in-linux-… ∗∗∗ Cisco Meraki MX und Z: Angreifer können VPN-Verbindungen unterbrechen ∗∗∗ --------------------------------------------- Der Cisco AnyConnect VPN Server von Cisco Meraki MX und Z ist verwundbar. Außerdem können Angreifer an einer Schwachstelle in ClamAV ansetzen. Sicherheitspatches stehen zum Download bereit. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://heise.de/-10452498 ∗∗∗ ZDI-25-408: PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-408/ ∗∗∗ ZDI-25-410: Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-410/ ∗∗∗ ZDI-25-409: RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-409/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 9, 2025 to June 15, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/06/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.06.2025
by Daily end-of-shift report 18 Jun '25

18 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-06-2025 18:00 − Mittwoch 18-06-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Cybersecurity takes a big hit in new Trump executive order ∗∗∗ --------------------------------------------- Cybersecurity practitioners are voicing concerns over a recent executive order issued by the White House that guts requirements for: securing software the government uses, punishing people who compromise sensitive networks, preparing new encryption schemes that will withstand attacks from quantum computers, and other existing controls. --------------------------------------------- https://arstechnica.com/security/2025/06/cybersecurity-take-a-big-hit-in-ne… ∗∗∗ Instagram BMO ads use AI deepfakes to scam banking customers ∗∗∗ --------------------------------------------- Instagram ads impersonating financial institutions like Bank of Montreal (BMO) and EQ Bank (Equitable Bank) are being used to target Canadian consumers with phishing scams and investment fraud. Some ads use AI-powered deepfake videos in an attempt to collect your personal information, while others use official branding to drive traffic outside of the platform to lookalike illicit domains that are not affiliated with banks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/instagram-bmo-ads-use-ai-dee… ∗∗∗ Schutz vor Cyberangriffen: Der Iran nimmt sich selbst vom Netz ∗∗∗ --------------------------------------------- Der Iran schränkt seine Verbindung zum weltweiten Internet offenbar gezielt ein, um sich infolge des seit dem 13. Juni andauernden israelisch-iranischen Krieges vor möglichen Cyberattacken aus Israel zu schützen. Zunächst wurde lediglich die Geschwindigkeit gedrosselt. Einem X-Beitrag von Netblocks zufolge ist der Datenverkehr des Iran innerhalb kürzester Zeit um 75 Prozent zurückgegangen. --------------------------------------------- https://www.golem.de/news/schutz-vor-cyberangriffen-der-iran-nimmt-sich-sel… ∗∗∗ LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a now-patched security flaw in LangChain's LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts. --------------------------------------------- https://thehackernews.com/2025/06/langchain-langsmith-bug-let-hackers.html ∗∗∗ Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor ∗∗∗ --------------------------------------------- A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor codenamed Trinper. The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3). --------------------------------------------- https://thehackernews.com/2025/06/google-chrome-zero-day-cve-2025-2783.html ∗∗∗ Exploring Netstalking – Mapping the Hidden Corners of the Internet ∗∗∗ --------------------------------------------- Netstalking is the art of exploring little-known, rarely visited parts of the internet—ranging from forgotten photo archives and open surveillance cameras to defunct servers and prototype systems—using techniques like IP scanning, deep web search, and network archaeology. The activity originated in 2009 among Russian internet subcultures and draws its name from the “S.T.A.L.K.E.R.” mythos. --------------------------------------------- https://www.darknet.org.uk/2025/06/exploring-netstalking-mapping-the-hidden… ∗∗∗ Minecraft Players Targeted in Sophisticated Malware Campaign ∗∗∗ --------------------------------------------- This campaign reminds us that even the most familiar digital spaces can become a playground for cyber criminals. By disguising malware as Minecraft mods, attackers were able to quietly target an engaged and unsuspecting user base with a multistage, Java-based infection chain. Because these files often appear harmless and can slip past traditional defenses, any Minecraft player is at risk. --------------------------------------------- https://blog.checkpoint.com/research/minecraft-players-targeted-in-sophisti… ∗∗∗ Scattered Spider hackers targeting insurance industry following retail hits, Google warns ∗∗∗ --------------------------------------------- A group of hackers behind a recent string of attacks on retail stores in the U.K. and U.S. has shifted its focus to insurance firms in recent days, according to cybersecurity researchers. --------------------------------------------- https://therecord.media/scattered-spider-targeting-insurance-sector-followi… ∗∗∗ When legitimate tools go rogue ∗∗∗ --------------------------------------------- Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders. --------------------------------------------- https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/ ∗∗∗ CVE Trends to Watch: Real-World Risks to Telecom and Professional Services ∗∗∗ --------------------------------------------- Between 2023-2025, there was a 38% increase in CVEs. Learn which industry sectors have seen the highest levels of CVEs, & which CVEs had the highest impact. --------------------------------------------- https://www.bitsight.com/blog/cve-trends-by-sector ∗∗∗ Achtstellige Passwörter unzureichend: Datenschutzstrafe für Genfirma 23andme ∗∗∗ --------------------------------------------- 2023 wurden fast 7 Millionen Datensätze von Kunden 23andmes im Darknet feilgeboten. Großbritannien verhängt eine Millionenstrafe. --------------------------------------------- https://heise.de/-10450679 ∗∗∗ AMD stopft Sicherheitslecks in Krypto-Coprozessor und TPM ∗∗∗ --------------------------------------------- AMD hat im Juni aktualisierte Firmware veröffentlicht, die teils hochriskante Sicherheitslücken in den Prozessoren schließt. Betroffen sind etwa die Krypto-Coprozessoren sowie das Firmware-TPM moderner Ryzen- und zum Teil auch der abgespeckten Athlon-CPUs. --------------------------------------------- https://heise.de/-10451026 ∗∗∗ Malvertising: Bösartige Werbung schiebt Anbieterseiten falsche Nummern unter ∗∗∗ --------------------------------------------- Betrüger schieben mit Werbelinks in Suchergebnissen echten Anbieterseiten falsche Telefonnummern unter, warnen IT-Sicherheitsforscher. --------------------------------------------- https://heise.de/-10451518 ∗∗∗ 2025 Blockchain and Cryptocurrency Threat Report: Malware in the Open Source Supply Chain ∗∗∗ --------------------------------------------- An in-depth analysis of credential stealers, crypto drainers, cryptojackers, and clipboard hijackers abusing open source package registries to compromise Web3 development environments. --------------------------------------------- https://socket.dev/blog/2025-blockchain-and-cryptocurrency-threat-report?ut… ∗∗∗ libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden ∗∗∗ --------------------------------------------- Libxml2’s solo maintainer drops embargoed security fixes, highlighting the burden on unpaid volunteers who keep critical open source software secure. --------------------------------------------- https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-rep… ===================== = Vulnerabilities = ===================== ∗∗∗ BeyondTrust warns of pre-auth RCE in Remote Support software ∗∗∗ --------------------------------------------- BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let unauthenticated attackers gain remote code execution on vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-pre-aut… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-bad1.0, konsole, and libblockdev), Oracle (buildah, containernetworking-plugins, gimp, git-lfs, gvisor-tap-vsock, kernel, libvpx, podman, and skopeo), Red Hat (apache-commons-beanutils and thunderbird), Slackware (xorg), SUSE (gdm, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, kernel, Multi-Linux Manager, Multi-Linux Manager Client Tools, openssl-3, pam, python-cryptography, python-requests, python-setuptools, python3-requests, SUSE Manager Server, systemd, ucode-intel, xorg-x11-server, and xwayland), and Ubuntu (dwarfutils, mujs, node-katex, xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/1025862/ ∗∗∗ Citrix Netscaler ADC: Kritische Sicherheitslücken dringend fixen ∗∗∗ --------------------------------------------- Von den Schwachstellen sind die NetScaler ADC- und Gateway-Versionen 14.1 vor 14.1-43.56, 13.1 vor 13.1-58.32 sowie diverse FIPS-Varianten betroffen. Wichtig: Ältere Versionen (12.1 und 13.0) sind End-of-Life (EOL) und erhalten keine Sicherheitsupdates mehr. Von Citrix ist die empfohlene Maßnahme ein umgehendes Update auf die gepatchten Versionen (z.B. 14.1-43.56, 13.1-58.32). Nach dem Update sollten alle aktiven ICA- und PCoIP-Sitzungen auf allen NetScaler-Appliances beendet werden, um eine vollständige Absicherung zu gewährleisten. --------------------------------------------- https://www.borncity.com/blog/2025/06/18/citrix-netscaler-adc-kritische-sic… ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released five Industrial Control Systems (ICS) advisories on June 17, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/06/17/cisa-releases-five-indus… ∗∗∗ CISA Flags CVE-2023-0386 as Actively Exploited Linux Kernel Privilege Escalation Threat ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the active exploitation of a critical Linux kernel vulnerability, officially listed as CVE-2023-0386. The vulnerability, which carries a CVSS score of 7.8, is categorized as a Linux Kernel Privilege Escalation flaw. It stems from improper ownership management within the Linux kernel’s OverlayFS subsystem. If exploited successfully, attackers can escalate privileges on affected systems, gain unauthorized access, and potentially execute arbitrary code with elevated rights. --------------------------------------------- https://thecyberexpress.com/cisa-warns-cve-2023-0386-linux-vulnerability/ ∗∗∗ Windows 11: Out-of-Band-Update KB5063060 mit Error 0x800f0818 / 0x80070306 ∗∗∗ --------------------------------------------- Noch ein kurzer Nachtrag zu den im Juni 2025 veröffentlichten Sicherheitsupdates für Windows 10 und Windows 11. Diese verursachen bei manchen Anwendern diverse Probleme. So wirft das zum 11. Juni 2025 nachgeschobene Out-of-Band-Update KB5063060 bei manchen Nutzern den Installationsfehler 0x800f0818 oder 0x80070306. --------------------------------------------- https://www.borncity.com/blog/2025/06/18/windows-11-out-of-band-update-kb50… ∗∗∗ Chrome for Android Update ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/06/chrome-for-android-update_17.h… ∗∗∗ LS Electric GMWin 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-02 ∗∗∗ Dover Fueling Solutions ProGauge MagLink LX Consoles ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-05 ∗∗∗ Fuji Electric Smart Editor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2025
by Daily end-of-shift report 17 Jun '25

17 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Montag 16-06-2025 18:00 − Dienstag 17-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Apple: Sicherheitslücke in diversen Betriebssystemen wird angegriffen ∗∗∗ --------------------------------------------- Die neu attackierte Schwachstelle betrifft nach Apples Angaben Messages. "Ein Logikfehler kann bei der Verarbeitung von bösartig präparierten Fotos oder Videos auftreten, die mittels eines iCloud-Links geteilt wurden", schreiben die Entwickler dazu (CVE-2025-43200 / EUVD-2025-18428, CVSS steht noch aus, Risikoeinstufung fehlt derzeit). Sie erklären weiter: "Apple weiß von einem Bericht, demzufolge dieses Problem in einem extrem ausgeklügelten Angriff gegen bestimmte Zielpersonen ausgenutzt worden sein könnte." Der Schwachstelleneintrag stammt vom Montag dieser Woche. Sicherheitsmitteilungen zu den diversen Betriebssystemen und -versionen hat Apple hingegen bereits am Donnerstag vergangener Woche aktualisiert oder neu veröffentlicht. --------------------------------------------- https://heise.de/-10449241 ∗∗∗ Cross-Site Scripting (XSS) Schwachstelle CVE-2025-4123 in Grafana ∗∗∗ --------------------------------------------- In der Open-Source-Software Grafana wurde die Tage eine Cross-Site Scripting (XSS) Schwachstelle CVE-2025-4123 öffentlich. Es ist ein kritischer offener Redirect-Fehler in Grafana, der zur Übernahme von Konten führen könnte. [..] Sonic Wall hat dies bereits zum 5. Juni 2025 im Beitrag High-Severity Open Redirect Vulnerability in Grafana Leads to Account Takeover: CVE-2025-4123 öffentlich gemacht. Die Schwachstelle CVE-2025-4123 ist laut dem Grafana Sicherheitshinweis Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin vom 21. Mai 2025 in den Versionen v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01 und v12.0.0+security-01 behoben. --------------------------------------------- https://www.borncity.com/blog/2025/06/17/cross-site-scripting-xss-schwachst… ∗∗∗ Water Curse Targets Infosec Pros via Poisoned GitHub Repositories ∗∗∗ --------------------------------------------- The emerging threat group attacks the supply chain via weaponized repositories posing as legitimate pen-testing suites and other tools that are poisoned with malware. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/water-curse-targets-… ∗∗∗ How Long Until the Phishing Starts? About Two Weeks, (Tue, Jun 17th) ∗∗∗ --------------------------------------------- I recently added an account to my Google Workspace domain (montance[dot]com). Friday, May 16th, 10:10 am, to be exact. Something interesting to note about the domain configuration is there’s a catchall account in place, so all email addresses are valid. Starting May 28th the new account started receiving targeted phishing email messages. [..] Nothing especially surprising, but a reminder that they’re watching for opportunities. Someone new at the company and eager to appear responsive seems like a good phishing target! --------------------------------------------- https://isc.sans.edu/diary/rss/32052 ∗∗∗ TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request. --------------------------------------------- https://thehackernews.com/2025/06/tp-link-router-flaw-cve-2023-33538.html ∗∗∗ New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have called attention to a new campaign thats actively exploiting a recently disclosed critical security flaw in Langflow to deliver the Flodrix botnet malware. --------------------------------------------- https://thehackernews.com/2025/06/new-flodrix-botnet-variant-exploits.html ∗∗∗ Eine Kühlbox voll Stiegl Bier? Vorsicht vor Fake-Gewinnspiel! ∗∗∗ --------------------------------------------- Aktuell schwappt eine Phishing-Welle durch österreichische WhatsApp-Konten. Angeblich verlost die Stiegl Brauerei eine Kühlbox voll Bier. Dahinter versteckt sich aber nichts anderes als eine altbekannte Kombination aus Abo-Falle und Phishing-Attacke – mit einer raffinierten Neuerung. --------------------------------------------- https://www.watchlist-internet.at/news/stiegl-bier-fake-phishing/ ∗∗∗ Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation ∗∗∗ --------------------------------------------- We analyze two new KimJongRAT stealer variants, combining new research with existing knowledge. One uses a Portable Executable (PE) file and the other PowerShell. --------------------------------------------- https://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/ ===================== = Vulnerabilities = ===================== ∗∗∗ Hard-Coded b Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution. Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports. [..] This also means that the exploit chain only works if users have installed Sitecore using installers for versions ≥ 10.1. Users are likely not impacted if they were previously running a version prior to 10.1 and then upgraded to a newer vulnerable version, assuming the old database is being migrated, and not the database embedded within the installation package. WT-2025-0024 (CVE-2025-XXXXX), WT-2025-0032 (CVE-2025-XXXXX), WT-2025-0025 (CVE-2025-XXXXX) --------------------------------------------- https://thehackernews.com/2025/06/hard-coded-b-password-in-sitecore-xp.html ∗∗∗ Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2 ∗∗∗ --------------------------------------------- CVE-2025-23121: A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. Severity: Critical --------------------------------------------- https://www.veeam.com/kb4743 ∗∗∗ ASUS Armoury Crate bug lets attackers get Windows admin privileges ∗∗∗ --------------------------------------------- Armoury Crate is the official system control software for Windows from ASUS, providing a centralized interface to control RGB lighting (Aura Sync), adjust fan curves, manage performance profiles and ASUS peripherals, as well as download drivers and firmware updates. [..] Cisco Talos validated that CVE-2025-3464 impacts Armoury Crate version 5.9.13.0, but ASUS' bulletin notes that the flaw impacts all versions between 5.9.9.0 and 6.1.18.0. [..] A high-severity vulnerability in ASUS Armoury Crate software could allow threat actors to escalate their privileges to SYSTEM level on Windows machines. The security issue is tracked as CVE-2025-3464 and received a severity score of 8.8 out of 10. --------------------------------------------- https://www.bleepingcomputer.com/news/security/asus-armoury-crate-bug-lets-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, buildah, containernetworking-plugins, firefox, gstreamer1-plugins-bad-free, libsoup3, podman, skopeo, sqlite, thunderbird, unbound, valkey, varnish, and xz), Debian (webkit2gtk), Fedora (fido-device-onboard, python-django4.2, rust-git-interactive-rebase-tool, and thunderbird), Red Hat (libsoup), Slackware (libxml2), SUSE (java-11-openjdk, kernel, and wireshark), and Ubuntu (c3p0, dojo, python-django, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, and requests). --------------------------------------------- https://lwn.net/Articles/1025734/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.06.2025
by Daily end-of-shift report 16 Jun '25

16 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-06-2025 18:00 − Montag 16-06-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Washington Posts email system hacked, journalists accounts compromised ∗∗∗ --------------------------------------------- Email accounts of several Washington Post journalists were compromised in a cyberattack believed to have been carried out by a foreign government. --------------------------------------------- https://www.bleepingcomputer.com/news/security/washington-posts-email-syste… ∗∗∗ Kali Linux 2025.2 released with 13 new tools, car hacking updates ∗∗∗ --------------------------------------------- Kali Linux 2025.2, the second release of the year, is now available for download with 13 new tools and an expanded car hacking toolkit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kali-linux-20252-released-wi… ∗∗∗ BKA schaltet Darknet-Marktplatz "Archetyp Market" ab ∗∗∗ --------------------------------------------- Das BKA hat den mutmaßlichen Betreiber des Online-Drogenmarktplatzes "Archetyp Market" am Mittwoch vergangener Woche in Barcelona festgenommen. --------------------------------------------- https://www.heise.de/news/BKA-schaltet-Darknet-Marktplatz-Archetyp-Market-a… ∗∗∗ Die Hersteller von Staatstrojanern sind Gegner – keine Verbündeten ∗∗∗ --------------------------------------------- Die Leiterin von Googles Threat-Intelligence-Abteilung macht klar, warum sie solche Firmen als Gegner betrachtet. Zudem erläutert sie im Gespräch die wachsende Relevanz von KI für Angreifer und die Gefahr aus Nordkorea. --------------------------------------------- https://www.derstandard.at/story/3000000273949/die-hersteller-von-staatstro… ∗∗∗ Hackers Leak Data of 10,000 VirtualMacOSX Customers in Alleged Breach ∗∗∗ --------------------------------------------- Hackers leak data of 10,000 VirtualMacOSX customers in alleged breach, exposing names, emails, passwords, and financial details on a hacking forum. --------------------------------------------- https://hackread.com/hackers-leak-virtualmacosx-customers-data-breach/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM AIX/VIOS und DataPower Gateway für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- Wenn Angreifer erfolgreich an Sicherheitslücken in IBM AIX/VIOS und DataPower Gateway ansetzen, kann Schadcode auf Systeme gelangen und diese kompromittieren. Updates schließen die Schwachstellen. --------------------------------------------- https://www.heise.de/news/IBM-AIX-VIOS-und-DataPower-Gateway-fuer-Schadcode… ∗∗∗ Angreifer können Server über Schwachstelle in Dell iDRAC Tools attackieren ∗∗∗ --------------------------------------------- Angreifer können an einer Sicherheitslücke in Dell iDRAC Tools ansetzen, um Server zu attackieren. Mittlerweile haben die Entwickler die Schwachstelle geschlossen. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecke-in-Dell-iDRAC-Tools-gefaehrdet-… ∗∗∗ Dell ControlVault: Angreifer können Systeme vollständig kompromittieren ∗∗∗ --------------------------------------------- In Dells ControlVault klaffen Sicherheitslücken in den Treibern und der Firmware, die Angreifern das Einschleusen und Ausführen von Schadcode und damit die Übernahme von Systemen ermöglichen. Dell bietet aktualisierte Software an, um die Sicherheitslecks zu schließen. --------------------------------------------- https://www.heise.de/news/Dell-ControlVault-Angreifer-koennen-Systeme-volls… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0 and .NET 9.0), Arch Linux (curl, ghostscript, go, konsole, python-django, roundcubemail, and samba), Fedora (aerc, chromium, golang-x-perf, libkrun, python3.11, python3.12, rust-kbs-types, rust-sev, rust-sevctl, valkey, and wireshark), Gentoo (Konsole and sysstat), Oracle (.NET 9.0), Red Hat (bootc, grub2, keylime-agent-rust, python3.12-cryptography, rpm-ostree, rust-bootupd, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (apache2-mod_auth_openidc, docker, grub2, java-1_8_0-openj9, kernel, less, python-Django, screen, and sqlite3), and Ubuntu (cifs-utils and modsecurity-apache). --------------------------------------------- https://lwn.net/Articles/1025618/ ∗∗∗ Tenable: Nessus Agent Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-11 ∗∗∗ Chromium: CVE-2025-5959 Type Confusion in V8 ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-5959 ∗∗∗ Chromium: CVE-2025-5958 Use after free in Media ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-5958 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2025
by Daily end-of-shift report 13 Jun '25

13 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-06-2025 18:00 − Freitag 13-06-2025 18:00 Handler: Guenes Holler Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Trend Micro fixes critical vulnerabilities in multiple products ∗∗∗ --------------------------------------------- Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trend-micro-fixes-six-critic… ∗∗∗ Nach über 100 Jahren: Cyberangriff drängt deutsche Firma in die Insolvenz ∗∗∗ --------------------------------------------- Der in Euskirchen ansässige Serviettenhersteller Fasana hat nach einem Cyberangriff Zahlungsprobleme. Hacker haben den Betrieb vollständig lahmgelegt. --------------------------------------------- https://www.golem.de/news/nach-ueber-100-jahren-cyberangriff-draengt-deutsc… ∗∗∗ [Guest Diary] Anatomy of a Linux SSH Honeypot Attack: Detailed Analysis of Captured Malware, (Fri, Jun 13th) ∗∗∗ --------------------------------------------- This is a Guest Diary by Michal Ambrozkiewicz, an ISC intern as part of the SANS.edu Bachelor .. --------------------------------------------- https://isc.sans.edu/diary/Guest+Diary+Anatomy+of+a+Linux+SSH+Honeypot+Atta… ∗∗∗ WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network ∗∗∗ --------------------------------------------- The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own .. --------------------------------------------- https://thehackernews.com/2025/06/wordpress-sites-turned-weapon-how.html ∗∗∗ "Anmeldung mit nicht erkanntem Gerät": Phishing-Attacke im Namen von PayPal ∗∗∗ --------------------------------------------- Ein angeblicher Login in ein bestehendes PayPal-Profil ruft die ebenso angebliche Sicherheitsabteilung des Unternehmens auf den Plan. Hinter den alarmierenden E-Mails und SMS-Nachrichten steckt aber nichts weiter als eine klassische Phishing-Masche. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-attacke-paypal/ ∗∗∗ Bert ransomware: what you need to know ∗∗∗ --------------------------------------------- Bert is a recently-discovered strain of ransomware that encrypts victims files and demands a payment for the decryption key. Read more in my article on the Fortra blog. --------------------------------------------- https://www.fortra.com/blog/bert-ransomware-what-you-need-know ∗∗∗ Serverless Tokens in the Cloud: Exploitation and Detections ∗∗∗ --------------------------------------------- Understand the mechanics of serverless authentication: three simulated attacks across major CSPs offer effective approaches for application developers. --------------------------------------------- https://unit42.paloaltonetworks.com/serverless-authentication-cloud/ ∗∗∗ Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors .. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a ∗∗∗ E-Mail-Sicherheit: Verstärkte Angriffe mit SVG ∗∗∗ --------------------------------------------- Immer mehr Phishing-Kampagnen nutzen das wenig bekannte Vektorgrafik-Format SVG. Das kann nämlich Skripte enthalten, die dann beim Öffnen ausgeführt werden. --------------------------------------------- https://heise.de/-10444330 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, glibc, kernel, and mod_security), Fedora (chromium, gh, mingw-icu, nginx-mod-modsecurity, python3.10, python3.9, thunderbird, valkey, and yarnpkg), Oracle (.NET 8.0, .NET 9.0, glibc, grafana-pcp, kernel, libxml2, mod_security, nodejs:20, and thunderbird), SUSE (audiofile, helm, kubernetes-old, kubernetes1.23, kubernetes1.24, libcryptopp, postgresql15, thunderbird, and valkey), and Ubuntu (linux-nvidia-tegra-igx). --------------------------------------------- https://lwn.net/Articles/1025354/ ∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released ten Industrial Control Systems (ICS) advisories on June 12, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.ICSA-25-162-01 Siemens Tecnomatix Plant SimulationICSA-25-162-02 Siemens RUGGEDCOM APE1808ICSA-25-162-03 Siemens SCALANCE and RUGGEDCOMICSA-25-162-04 .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-ten-indust… ∗∗∗ [R1] Nessus Agent Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.06.2025
by Daily end-of-shift report 12 Jun '25

12 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-06-2025 18:00 − Donnerstag 12-06-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CRA Vulnerability Reports: why would we not share them with other CSIRTs? ∗∗∗ --------------------------------------------- The Cyber Resilience Act (Regulation (EU) 2024/2847) defines security requirements for products with digital elements and requires vendors to report to national CSIRTs if a vulnerability in one of their products is actively exploited. --------------------------------------------- https://www.cert.at/en/blog/2025/6/cra-vulnerability-reports-why-would-we-n… ∗∗∗ Fog ransomware attack uses unusual mix of legitimate and open-source tools ∗∗∗ --------------------------------------------- Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fog-ransomware-attack-uses-u… ∗∗∗ Password-spraying attacks target 80,000 Microsoft Entra ID accounts ∗∗∗ --------------------------------------------- Hackers have been using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/password-spraying-attacks-ta… ∗∗∗ Google Bug Allowed Brute-Forcing of Any User Phone Number ∗∗∗ --------------------------------------------- Google has fixed a security vulnerability in its page for recovering account details that allowed anyone to access the page and brute-force the private phone number of any user. The flaw posed a significant risk to Google users by exposing them to risk of phishing and other attacks. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/google-bug-brute-forcin… ∗∗∗ Air-Gapped-Systeme: Malware leitet Daten über hochfrequenten Schall aus ∗∗∗ --------------------------------------------- Der bekannte Sicherheitsforscher Mordechai Guri hat eine neue Angriffstechnik vorgestellt, mit der sich Daten von Air-Gapped-Systemen ohne eigene Netzwerkanbindung über eine Smartwatch exfiltrieren lassen. Der Smartattack genannte Angriff basiert auf einer Datenübertragung mittels Schallwellen in einem derart hohen Frequenzbereich, dass sie für Menschen je nach Hörvermögen kaum bis gar nicht wahrnehmbar sind. --------------------------------------------- https://www.golem.de/news/air-gapped-systeme-malware-leitet-daten-ueber-hoc… ∗∗∗ Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks ∗∗∗ --------------------------------------------- Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks. --------------------------------------------- https://thehackernews.com/2025/06/former-black-basta-members-use.html ∗∗∗ Kritische Sicherheitslücke in Microsoft 365 Copilot zeigt Risiko von KI-Agenten ∗∗∗ --------------------------------------------- Der KI-Agent von M365 konnte per E-Mail und ohne Mausklick zur Freigabe sensibler Informationen verführt werden. Microsoft hat die Lücke jetzt geschlossen. --------------------------------------------- https://www.heise.de/news/Kritische-Sicherheitsluecke-in-Microsoft-365-Copi… ∗∗∗ Markenfälschungen im Netz: Eine wachsende Gefahr für den österreichischen Onlinehandel ∗∗∗ --------------------------------------------- Kaum eine Marke ist im Internet noch vor Fälschungen sicher: Kriminelle verwenden gestohlene Logos und Produktbilder beliebter Händler, um täuschend echte Fake-Shops zu erstellen. Neben bekannten Marken sind auch kleine und mittlere Unternehmen (KMU) zunehmend betroffen. Im Rahmen einer Studie des Österreichischen Instituts für angewandte Telekommunikation (ÖIAT) wurde das Ausmaß der Markenfälschungen im Internet untersucht und konkrete Handlungsempfehlungen fürs KMU erarbeitet. --------------------------------------------- https://www.watchlist-internet.at/news/markenfaelschungen-im-netz-eine-wach… ∗∗∗ JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique ∗∗∗ --------------------------------------------- We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. Threat actors commonly use this type of campaign to invisibly redirect victims from legitimate websites to malicious pages that serve malware, exploits and spam. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-… ∗∗∗ Fortinet: Angreifer können VPN-Verbindungen umleiten ∗∗∗ --------------------------------------------- Mehrere Produkte von Fortinet sind verwundbar. Angreifer können an Sicherheitslücken in FortiADC, FortiAnalyzer, FortiClientEMS, FortiClientWindows, FortiManager, FortiManager Cloud, FortiOS, FortiPAM, FortiProxy, FortiSASE und FortiWeb ansetzen. Im schlimmsten Fall kann es zur Ausführung von Schadcode kommen. --------------------------------------------- https://heise.de/-10441108 ===================== = Vulnerabilities = ===================== ∗∗∗ Phishing-Angriffe mit manipulierten SVG-Dateien - Vorsicht geboten ∗∗∗ --------------------------------------------- CERT.at warnt vor stark zunehmenden Phishing-Kampagnen, bei denen manipulierte SVG-Dateien (Scalable Vector Graphics) als E-Mail-Anhänge verwendet werden. Diese Angriffsmethode wird seit mehreren Monaten verstärkt beobachtet und stellt eine ernsthafte Bedrohung dar, da SVG-Dateien von vielen Sicherheitslösungen nicht ausreichend geprüft werden. --------------------------------------------- https://www.cert.at/de/warnungen/2025/6/phishing-angriffe-mit-manipulierten… ∗∗∗ GitLab patches high severity account takeover, missing auth issues ∗∗∗ --------------------------------------------- GitLab has released security updates to address multiple vulnerabilities in the company's DevSecOps platform, including ones enabling attackers to take over accounts and inject malicious jobs in future pipelines. The company released GitLab Community and Enterprise versions 18.0.2, 17.11.4, and 17.10.8 to address these security flaws and urged all admins to upgrade immediately. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity… ∗∗∗ Thunderbird: HTML-Mails können Zugangsdaten verraten, Update verfügbar ∗∗∗ --------------------------------------------- Mozilla hat Updates für Thunderbird veröffentlicht. Sie stopfen ein Sicherheitsleck bei der Anzeige von HTML-E-Mails. --------------------------------------------- https://www.heise.de/news/Thunderbird-HTML-Mails-koennen-Zugangsdaten-verra… ∗∗∗ Palo Alto stopft hochriskante Lücken in PAN-OS und GlobalProtect ∗∗∗ --------------------------------------------- Palo Alto Networks hat Sicherheitsmitteilungen zu Schwachstellen in mehreren Produkten wie dem PAN-OS-Betriebssystem oder der GlobalProtect-App herausgegeben. Angreifer können die Sicherheitslücken missbrauchen, um Befehle einzuschleusen und mit erhöhten Rechten auszuführen, Schadcode einzuschleusen und auszuführen oder unbefugt Traffic einzusehen. --------------------------------------------- https://www.heise.de/news/Palo-Alto-stopft-hochriskante-Luecken-in-PAN-OS-u… ∗∗∗ Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) ∗∗∗ --------------------------------------------- ONLYOFFICE Docs was affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which were reflected in the server's HTML response. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel), Debian (chromium, gst-plugins-bad1.0, node-tar-fs, and ublock-origin), Gentoo (Emacs, File-Find-Rule, GStreamer, GStreamer Plugins, GTK+ 3, LibreOffice, Node.js, OpenImageIO, Python, PyPy, Qt, X.Org X server, XWayland, and YAML-LibYAML), Mageia (mariadb and roundcubemail), Red Hat (go-toolset:rhel8, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, libxml2, libxslt, mod_security, nodejs:20, and perl-FCGI:0.78), Slackware (mozilla), SUSE (docker, docker-compose, iputils, kernel, libsoup, open-vm-tools, rabbitmq-server, rabbitmq-server313, wget, and yelp), and Ubuntu (libsoup2.4 and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1025208/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.06.2025
by Daily end-of-shift report 11 Jun '25

11 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-06-2025 18:00 − Mittwoch 11-06-2025 18:00 Handler: Alexander Riepl Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Microsoft Outlook to block more risky attachments used in attacks ∗∗∗ --------------------------------------------- Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-outlook-to-block-m… ∗∗∗ ConnectWise rotating code signing certificates over security concerns ∗∗∗ --------------------------------------------- ConnectWise is warning customers that it is rotating the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables over security concerns. --------------------------------------------- https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-si… ∗∗∗ Zehntausende Überwachungskameras streamen ungeschützt ins Netz ∗∗∗ --------------------------------------------- Überwachungskameras sind überall – in U-Bahnen, an Türklingeln und in Fahrstühlen. Oft bemerkt man sie gar nicht, weil es mittlerweile so kleine und unscheinbare Modelle gibt. Amerikanische Sicherheitsforscher warnen nun aber davor, wie einfach es für Dritte ist, sich Zugriff auf die Feeds solcher Überwachungskameras zu verschaffen. Bei einem Test konnten die Experten von Bitsight Live-Feeds von insgesamt 40.000 Kameras abrufen, die mit dem Internet verbunden waren. --------------------------------------------- https://futurezone.at/digital-life/zehntausende-ueberwachungskameras-stream… ∗∗∗ Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th) ∗∗∗ --------------------------------------------- RAT's are popular malware. They are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated. --------------------------------------------- https://isc.sans.edu/diary/rss/32036 ∗∗∗ Trump Quietly Throws Out Bidens Cyber Policies ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from Axios: President Trump quietly took a red pen to much of the Biden administrations cyber legacy in a little-noticed move late Friday. Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Bidens cyber policy legacy - while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber --------------------------------------------- https://it.slashdot.org/story/25/06/10/2044217/trump-quietly-throws-out-bid… ∗∗∗ Ungeklärte Phishing-Vorfälle rund um Booking.com ∗∗∗ --------------------------------------------- Hotels in Südtirol haben vermehrt mit kompromittierten Extranet-Zugängen von Booking.com zu tun, über die sie mit Gästen kommunizieren. Noch ist unklar, warum. --------------------------------------------- https://www.heise.de/news/Ungeklaerte-Phishing-Vorfaelle-rund-um-Booking-co… ∗∗∗ UEFI-BIOS-Lücken: SecureBoot-Umgehung und Firmware-Austausch möglich ∗∗∗ --------------------------------------------- Zwei unterschiedliche Sicherheitslücken in diversen UEFI-BIOS-Versionen mehrerer Anbieter ermöglichen die Umgehung des SecureBoot-Mechanismus. In UEFI-BIOSen von Insyde können Angreifer sogar die Firmware austauschen. Verwundbare Systeme lassen sich damit vollständig kompromittieren. Proof-of-Concept-Code dafür ist öffentlich verfügbar. Systemhersteller arbeiten an BIOS-Updates zum Schließen der Lücken. --------------------------------------------- https://www.heise.de/news/UEFI-BIOS-Luecken-SecureBoot-Umgehung-und-Firmwar… ∗∗∗ Reflective Kerberos Relay Attack Against Domain-Joined Windows Clients and Servers ∗∗∗ --------------------------------------------- RedTeam Pentesting has developed the Reflective Kerberos Relay Attack which remotely allows low-privileged Active Directory domain users to obtain NT AUTHORITY\SYSTEM privileges on domain-joined Windows computers. This vulnerability affects all domain-joined Windows hosts that do not require SMB signing of incoming connections. In their default configurations, this includes all Windows 10 and 11 versions up to 23H2 and all Windows Server versions including 2025 24H2 and excluding domain controllers. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-002/ ∗∗∗ Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day ∗∗∗ --------------------------------------------- Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day --------------------------------------------- https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campa… ∗∗∗ UK cyber agency pushes for strategic policy agenda as government efforts stall ∗∗∗ --------------------------------------------- Following years-long delays in the United Kingdom bringing forward new cybersecurity legislation, what seems to be an increasingly exasperated National Cyber Security Centre (NCSC) called on Monday for the country to adopt a strategic policy agenda to tackle the growing risks. --------------------------------------------- https://therecord.media/ncsc-pushes-uk-government-create-strategic-cyber-po… ∗∗∗ Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested ∗∗∗ --------------------------------------------- An international cybercrime operation coordinated by INTERPOL has led to the takedown of more than 20,000 malicious IPs and domains used to deploy infostealer malware across the Asia-Pacific region. --------------------------------------------- https://hackread.com/operation-secure-interpol-disrupts-infostealer-domains/ ∗∗∗ Hydroph0bia (CVE-2025-4275) - a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O, part 1 ∗∗∗ --------------------------------------------- This post will be about a vulnerability I dubbed Hydroph0bia (as a pun on Insyde H2O) aka CVE-2025-4275 or INSYDE-SA-2025002. --------------------------------------------- https://coderush.me/hydroph0bia-part1/ ∗∗∗ NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073 ∗∗∗ --------------------------------------------- For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The vulnerability discovery, the complete analysis of the root cause as well as the patch by Microsoft will be detailed in this blogpost. --------------------------------------------- https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live… ∗∗∗ Infuencing LLM Output using logprobs and Token Distribution ∗∗∗ --------------------------------------------- What if you could influence an LLM's output not by breaking its rules, but by bending its probabilities? In this deep-dive, we explore how small changes in user input (down to a single token) can shift the balance between “true” and “false”, triggering radically different completions. --------------------------------------------- https://blog.sicuranext.com/infuencing-llm-output-using-logprobs-and-token-… ∗∗∗ Software Supply Chain Attacks Have Surged in Recent Months ∗∗∗ --------------------------------------------- IT and software supply chain attacks have surged in recent months, as threat actors have gotten better at exploiting supply chain vulnerabilities, Cyble threat intelligence researchers reported this week. In a June 9 blog post, Cyble researchers said software supply chain attacks have grown from just under 13 a month during February-September 2024 to just over 16 a month from October 2024 to May 2025, an increase of 25%. However, the last two months have seen an average of nearly 25 cyberattacks with supply chain impact, a near-doubling of supply chain attacks from the year-ago period. --------------------------------------------- https://thecyberexpress.com/software-supply-chain-attacks-have-surged/ ∗∗∗ Undocumented Root Shell Access bei SIMCom Modem ∗∗∗ --------------------------------------------- Das SIMCom SIM7600G Modem unterstützt einen undokumentierten AT Befehl, welcher es einem lokalen/physischen Angreifer ermöglicht, Systembefehle mit root-Berechtigungen auf dem Modem auszuführen. Der Stand der Entfernung des Backdoor-Kommandos ist unklar, da sich der Hersteller nach zahlreichen Kontaktversuchen nicht mehr gemeldet hat. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/undocumented-root-she… ===================== = Vulnerabilities = ===================== ∗∗∗ New Secure Boot flaw lets attackers install bootkit malware, patch now ∗∗∗ --------------------------------------------- Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-at… ∗∗∗ Patch Tuesday, June 2025 Edition ∗∗∗ --------------------------------------------- Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public. --------------------------------------------- https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/ ∗∗∗ Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities ∗∗∗ --------------------------------------------- Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” --------------------------------------------- https://blog.talosintelligence.com/microsoft-patch-tuesday-june-2025/ ∗∗∗ Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw ∗∗∗ --------------------------------------------- Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh security software, open source XDR and SIEM solution, to spread the Mirai malware. This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh’s API, hence, allowing attackers to take control of affected servers remotely. --------------------------------------------- https://hackread.com/two-mirai-botnets-lzrd-resgod-exploiting-wazuh-flaw/ ∗∗∗ TBK DVRs Botnet Attack ∗∗∗ --------------------------------------------- Threat Actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices (Digital Video Recorders). This flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the endpoint. The compromised devices are being conscripted into a botnet capable of conducting DDoS attacks. If successfully exploited, there is a potential for significant disruption from DDoS attacks, lateral movement, or further malware delivery. --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6127 ∗∗∗ Patchday: Schadcode-Lücken in Adobe Acrobat, InDesign & Co. geschlossen ∗∗∗ --------------------------------------------- Angreifer können an Sicherheitslücken (CVE-2025-43573 / EUVD-2025-17828) in Adobe Acrobat, Commerce, Experince Manager, InCopy, InDesign, Substance 3D Painter und Substance 3D Sampler ansetzen. Im Rahmen des Juni-Patchdays stellt Adobe Updates zum Download bereit. --------------------------------------------- https://heise.de/-10439601 ∗∗∗ The June 2025 Security Update Review ∗∗∗ --------------------------------------------- https://www.thezdi.com/blog/2025/6/10/the-june-2025-security-update-review ∗∗∗ Security Vulnerabilities fixed in Thunderbird 139.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-50/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2025
by Daily end-of-shift report 10 Jun '25

10 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-06-2025 18:00 − Dienstag 10-06-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 84,000 Roundcube instances vulnerable to actively exploited flaw ∗∗∗ --------------------------------------------- Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-84-000-roundcube-instan… ∗∗∗ FIN6 hackers pose as job seekers to backdoor recruiters’ devices ∗∗∗ --------------------------------------------- In a twist on typical hiring-related social engineering attacks, the FIN6 hacking group impersonates job seekers to target recruiters, using convincing resumes and phishing sites to deliver malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-see… ∗∗∗ Windows: Designproblem erlaubt Aushebeln von Gruppenrichtlinien ∗∗∗ --------------------------------------------- In Windows schlummert ein Designproblem, das es normalen Nutzern und Malware erlaubt, von Admins gesetzte Gruppenrichtlinien außer Kraft zu setzen. Ein Bericht von .. --------------------------------------------- https://www.golem.de/news/windows-designproblem-erlaubt-aushebeln-von-grupp… ∗∗∗ Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs ∗∗∗ --------------------------------------------- SentinelOne discovered the campaign when they tried to hit the security vendors own servers An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out. --------------------------------------------- https://www.theregister.com/2025/06/09/china_malware_flip_switch_sentinelon… ∗∗∗ DanaBleed: DanaBot C2 Server Memory Leak Bug ∗∗∗ --------------------------------------------- DanaBot is a Malware-as-a-Service (MaaS) platform that has been active since 2018. DanaBot operates on an affiliate model, where the malware developer sells access to customers who then distribute and use the malware for activities like credential theft and banking fraud. The developer is responsible for creating the malware, maintaining the .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server… ∗∗∗ Microsoft: Abhilfe für Sicherheitslücke durch gelöschte "inetpub"-Ordner ∗∗∗ --------------------------------------------- Windows-Update hat einen "inetpub"-Ordner angelegt. Wird er gelöscht, blockiert das womöglich weitere Updates. Ein Script hilft. --------------------------------------------- https://www.heise.de/news/Microsoft-Abhilfe-fuer-Sicherheitsluecke-durch-ge… ∗∗∗ SAP-Patchday: Erneut kritische Sicherheitslücke in Netweaver ∗∗∗ --------------------------------------------- SAP kümmert sich am Juni-Patchday in 14 neuen Sicherheitsnotizen um teils kritische Sicherheitslücken in den Produkten aus Walldorf. --------------------------------------------- https://www.heise.de/news/SAP-Patchday-Erneut-kritische-Sicherheitsluecke-i… ∗∗∗ Malvertising: Suche nach Standardbefehlen für Macs liefert Infostealer ∗∗∗ --------------------------------------------- Perfide Masche: Bei der Suche nach Standardbefehlen für macOS erscheinen Seiten, die Befehle zur Malware-Installation anzeigen. --------------------------------------------- https://www.heise.de/news/Malvertising-Suche-nach-Standardbefehlen-fuer-Mac… ∗∗∗ Phishing-Alarm: Ex-Mitarbeiterin verschenkt keine Rabattcodes! ∗∗∗ --------------------------------------------- Videos und Postings auf Social-Media-Plattformen erwecken den Anschein, als würde eine gekündigte Angestellte eines großen Einzelhandelsunternehmens Rabattcodes verschenken. Als Rache am Ex-Arbeitgeber. Tatsächlich versteckt sich dahinter nichts anderes als eine simple Phishing-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-rabattcodes/ ∗∗∗ Falsche E-Mails im Namen der WKO im Umlauf! ∗∗∗ --------------------------------------------- Derzeit sind betrügerische E-Mails im Umlauf, die vorgeben, von der Wirtschaftskammer Österreich (WKO) zu stammen. In diesen gefälschten Nachrichten werden Unternehmer:innen zur Zahlung der Kammerumlage 2025 aufgefordert und gleichzeitig dazu verleitet, ihre WKO-Zugangsdaten preiszugeben. --------------------------------------------- https://www.watchlist-internet.at/news/falsche-e-mails-im-namen-der-wko-im-… ∗∗∗ The Evolution of Linux Binaries in Targeted Cloud Operations ∗∗∗ --------------------------------------------- Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files. --------------------------------------------- https://unit42.paloaltonetworks.com/elf-based-malware-targets-cloud/ ∗∗∗ New hacker group uses LockBit ransomware variant to target Russian companies ∗∗∗ --------------------------------------------- In its latest campaign this spring, DarkGaboon was observed deploying LockBit 3.0 ransomware against victims in Russia, Positive Technologies said in a report last week. --------------------------------------------- https://therecord.media/new-hacker-group-lockbit-target-russia ∗∗∗ Spyware maker cuts ties with Italy after government refused audit into hack of journalist’s phone ∗∗∗ --------------------------------------------- Israel-based spyware maker Paragon and Italys government had a falling out over the companys offer to help investigate what happened on journalist Francesco Cancellatos phone. --------------------------------------------- https://therecord.media/paragon-spyware-maker-cuts-ties-italy-government ∗∗∗ Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats ∗∗∗ --------------------------------------------- GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces. --------------------------------------------- https://www.greynoise.io/blog/coordinated-brute-force-activity-targeting-ap… ∗∗∗ Bitsight Identifies Thousands of Security Cameras Openly Accessible on the Internet ∗∗∗ --------------------------------------------- In our latest research at Bitsight TRACE, we found over 40,000 exposed cameras streaming live on the internet. No passwords. No protections. Just out there. We first raised the alarm in 2023, and based on this latest study, the situation hasn’t gotten any better. --------------------------------------------- https://www.bitsight.com/blog/bitsight-identifies-thousands-of-compromised-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (golang, nodejs22, thunderbird, and varnish), Debian (gimp, modsecurity-apache, python-tornado, and roundcube), Fedora (chromium, coreutils, fcgi, ghostscript, krb5, libvpx, mingw-gstreamer1-plugins-bad-free, mingw-libsoup, mod_security, and samba), Mageia (php-adodb, systemd, and tomcat), Red Hat (buildah, firefox, glibc, grafana, kernel, libsoup, libxslt, mod_security, perl-FCGI, podman, python-tornado, and skopeo), Slackware (libvpx), and SUSE .. --------------------------------------------- https://lwn.net/Articles/1024625/ ∗∗∗ Security Vulnerabilities fixed in Firefox 139.0.4 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-47/ ∗∗∗ June Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/june-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.06.2025
by Daily end-of-shift report 06 Jun '25

06 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-06-2025 18:00 − Freitag 06-06-2025 18:00 Handler: Guenes Holler Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Hacker selling critical Roundcube webmail exploit as tech info disclosed ∗∗∗ --------------------------------------------- Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-selling-critical-roun… ∗∗∗ FBI: BADBOX 2.0 Android malware infects millions of consumer devices ∗∗∗ --------------------------------------------- The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-badbox-20-android-malwar… ∗∗∗ Critical Fortinet flaws now exploited in Qilin ransomware attacks ∗∗∗ --------------------------------------------- The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-fortinet-flaws-now-… ∗∗∗ Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721 ∗∗∗ --------------------------------------------- Kaspersky GReAT experts describe the new features of a Mirai variant: the latest botnet infections target TBK DVR devices with CVE-2024-3721. --------------------------------------------- https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-20… ∗∗∗ Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hard-Coded Credentials ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks."Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantecs Security Technology and .. --------------------------------------------- https://thehackernews.com/2025/06/popular-chrome-extensions-leak-api-keys.h… ∗∗∗ AT&T not sure if new customer data dump is déjà vu ∗∗∗ --------------------------------------------- Re-selling info from an earlier breach? Probably. But which one? AT&T is investigating claims that millions of its customers data are listed for sale on a cybercrime forum in what appears to be a re-release from an earlier hack. --------------------------------------------- https://www.theregister.com/2025/06/05/att_investigates_data_dump/ ∗∗∗ Turning Off the (Information) Flow: Working With the EPA to Secure Hundreds of Exposed Water HMIs ∗∗∗ --------------------------------------------- In October 2024, Censys researchers discovered nearly 400 web-based HMIs for U.S. water facilities exposed online. These were identified via TLS certificate analysis and confirmed through screenshot .. --------------------------------------------- https://censys.com/blog/turning-off-the-information-flow-working-with-the-e… ∗∗∗ Blitz Malware: A Tale of Game Cheats and Code Repositories ∗∗∗ --------------------------------------------- Blitz malware, active since 2024 and updated in 2025, was spread via game cheats. We discuss its infection vector and abuse of Hugging Face for C2. --------------------------------------------- https://unit42.paloaltonetworks.com/blitz-malware-2025/ ∗∗∗ DDoS-Angriffe auf österreichische Unternehmen und Organisationen ∗∗∗ --------------------------------------------- Uns erreichen aktuell vermehrt Berichte von österreichischen Unternehmen und Organisationen über DDoS-Angriffe gegen ihre Systeme und Netzwerke. Betroffen sind Ziele in den verschiedensten Bereichen und Sektoren, ein besonderer Schwerpunkt der Kriminellen lässt sich bisher nicht festmachen. Bei manchen Angriffen liegen deutliche Hinweise .. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/6/ddos-angriffe-auf-osterreichische-u… ∗∗∗ Nigeria jails 9 Chinese nationals for being part of international cyberfraud syndicate ∗∗∗ --------------------------------------------- The group was arrested in December as part of a raid that included 599 Nigerians and 193 other foreign nationals, many of them Chinese, on suspicion of being involved in a range of online crimes. --------------------------------------------- https://therecord.media/nigeria-jails-9-chinese-nationals-cyber-fraud ∗∗∗ Unsecured Database Exposes Data of 3.6 Million Passion.io Creators ∗∗∗ --------------------------------------------- A massive data leak has put the personal information of over 3.6 million app creators, influencers, and .. --------------------------------------------- https://hackread.com/unsecured-database-exposes-passion-io-creators-data/ ∗∗∗ NICKNAME: Zero-Click iMessage Exploit Targeted Key Figures in US, EU ∗∗∗ --------------------------------------------- iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU .. --------------------------------------------- https://hackread.com/nickname-zero-click-imessage-exploit-figures-us-eu/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (go-toolset:rhel8, golang, nodejs:20, nodejs:22, openssh, and python36:3.6), Debian (edk2, libfile-find-rule-perl, and webkit2gtk), Fedora (emacs, libvpx, perl-FCGI, and seamonkey), Mageia (cifs-utils), Red Hat (containernetworking-plugins, go-toolset:rhel8, golang, gvisor-tap-vsock, krb5, mod_auth_openidc:2.3, protobuf, and thunderbird), Slackware (seamonkey), SUSE (gimp, gnutls, haproxy, opensaml, openssh, openvpn, python-cryptography, .. --------------------------------------------- https://lwn.net/Articles/1024317/ ∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released seven Industrial Control Systems (ICS) advisories on June 5, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.ICSA-25-155-01 CyberData 011209 SIP Emergency IntercomICSA-25-155-02 Hitachi Energy Relion 670, 650 series and SAM600-IO Product ICSA-21-049-02 Mitsubishi Electric FA .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/06/05/cisa-releases-seven-indu… ∗∗∗ ZDI-25-325: Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-325/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.06.2025
by Daily end-of-shift report 05 Jun '25

05 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-06-2025 18:00 − Donnerstag 05-06-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ BidenCash carding market domains seized in international operation ∗∗∗ --------------------------------------------- Earlier today, law enforcement seized multiple domains of BidenCash, the infamous dark web market for stolen credit cards, personal information, and SSH access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bidencash-carding-market-dom… ∗∗∗ Cisco warns of ISE and CCP flaws with public exploit code ∗∗∗ --------------------------------------------- Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-warns-of-ise-and-ccp-f… ∗∗∗ Researchers Bypass Deepfake Detection With Replay Attacks ∗∗∗ --------------------------------------------- An international group of researchers found that simply rerecording deepfake audio with natural acoustics in the background allows it to bypass detection models at a higher-than-expected rate. --------------------------------------------- https://www.darkreading.com/cybersecurity-analytics/researchers-bypass-deep… ∗∗∗ Für Datenklau: Hacker kapern reihenweise Salesforce-Zugänge ∗∗∗ --------------------------------------------- Sicherheitsforscher der Google Threat Intelligence Group (GTIG) warnen vor laufenden Vishing-Angriffen (Voice Phishing), die darauf abzielen, Zugang zu Salesforce-Instanzen zu erlangen und daraus massenhaft vertrauliche Unternehmensdaten abzugreifen. --------------------------------------------- https://www.golem.de/news/fuer-datenklau-hacker-kapern-reihenweise-salesfor… ∗∗∗ Be Careful With Fake Zoom Client Downloads ∗∗∗ --------------------------------------------- Collaborative tools are really popular these days. Since the COVID-19 pandemic, many people switched to remote work positions and we need to collaborate with our colleagues or customers every day. Tools like Microsoft Teams, Zoom, WebEx, (name your best solution), became popular and must be regularly updated. Yesterday, I received an interesting email with a fake Zoom meeting invitation. --------------------------------------------- https://isc.sans.edu/diary/rss/32014 ∗∗∗ AI kept 15-year-old zombie vuln alive, but its time is drawing near ∗∗∗ --------------------------------------------- Despite multiple developer warnings about the 2010 GitHub Gist containing the path traversal vulnerability in 2012, 2014, and 2018, the flaw appeared in MDN Web Docs documentation and a Stack Overflow snippet. From there, it took up residence in large language models (LLMs) trained on the flawed examples. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/06/05/llm_kept_per… ∗∗∗ Musikhaus Thomann: Kriminelle locken in Fake-Shops ∗∗∗ --------------------------------------------- Der Erfolg des Musik-Versandhändlers ruft zunehmend Betrüger:innen auf den Plan. Diese bauen den Original-Onlineshop detailgetreu nach und bieten Produkte zu unrealistischen Schleuderpreisen. Wer dort bestellt, bekommt allerdings nichts, sondern verliert Geld. Wir verraten, wie Sie die Fakes am einfachsten erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/musikhaus-thomann-fake-shops/ ∗∗∗ Newly identified wiper malware "PathWiper" targets critical infrastructure in Ukraine ∗∗∗ --------------------------------------------- Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling "PathWiper". --------------------------------------------- https://blog.talosintelligence.com/pathwiper-targets-ukraine/ ∗∗∗ Updated Guidance on Play Ransomware ∗∗∗ --------------------------------------------- CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued an updated advisory on Play ransomware, also known as Playcrypt. This advisory highlights new tactics, techniques, and procedures used by the Play ransomware group and provides updated indicators of compromise (IOCs) to enhance threat detection. Since June 2022, Playcrypt has targeted diverse businesses and critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/06/04/updated-guidance-play-ra… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Integrated Management Controller Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers could allow an authenticated, remote attacker to access internal services with elevated privileges. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus Dashboard Fabric Controller SSH Host Key Validation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the SSH implementation of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to impersonate Cisco NDFC-managed devices. This vulnerability is due to insufficient SSH host key validation. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Sicherheitsupdates: Dell repariert PowerScale OneFS und Bluetooth-Treiber ∗∗∗ --------------------------------------------- Angreifer können an einer Schwachstelle in Dells NAS-Betriebssystem PowerScale OneFS ansetzen und Dateien löschen. Außerdem macht eine Lücke im Bluetooth-Treiber unzählige Dell-PCs angreifbar. Sicherheitsupdates stehen zum Download. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Dell-repariert-PowerScale-OneF… ∗∗∗ VMware NSX: Hochriskante Sicherheitslücke gestopft ∗∗∗ --------------------------------------------- Broadcom warnt vor teils hochriskanten Sicherheitslücken in der Netzwerkvirtualisierungs- und Sicherheitsplattform VMware NSX. Angreifer können unter anderem Schadcode einschleusen und ausführen. IT-Verantwortliche sollten zügig auf die fehlerbereinigten Versionen aktualisieren. --------------------------------------------- https://www.heise.de/news/VMware-NSX-Hochriskante-Sicherheitsluecke-gestopf… ∗∗∗ Acronis Cyber Protect: Mehrere teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- In der umfangreichen Virenschutz- und Backup-Software Acronis Cyber Protect hat der Hersteller mehrere, teils höchst kritische Sicherheitslücken entdeckt. Diese stopfen die Entwickler mit aktualisierter Software. --------------------------------------------- https://www.heise.de/news/Acronis-Cyber-Protect-Mehrere-teils-kritische-Sic… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and mariadb-10.5), Oracle (firefox, ghostscript, git, go-toolset:ol8, golang, kernel, krb5, mingw-freetype and spice-client-win, nodejs:20, nodejs:22, perl-CPAN, python36:3.6, rsync, varnish, and varnish:6), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (curl and python3), SUSE (apache-commons-beanutils, apache2-mod_security2, avahi, buildkit, ca-certificates-mozilla, cloud-regionsrv-client, cloud-regionsrv-client, python-toml, containerd, containerized-data-importer, cups, curl, dnsmasq, docker, elemental-operator, elemental-toolkit, expat, firefox, freetype2, gdk-pixbuf, git, glib2, glibc, gnuplot, gnutls, gpg2, gstreamer, gstreamer-plugins-base, gtk3, haproxy, helm, java-17-openjdk, java-1_8_0-openjdk, keepalived, kernel, kernel-firmware, krb5, kubevirt, less, libarchive, libcryptopp, libdb-4_8, libndp, libpcap, libsoup, libtasn1, libvirt, libX11, libxml2, libxslt, Mesa, mozilla-nss, nghttp2, nvidia-open-driver-G06-signed, opensc, openssh, openssl-3, openssl-3, libpulp, ulp-macros, orc, pam, pam_pkcs11, pam_u2f, patch, pcp, pcr-oracle, shim, perl-Crypt-OpenSSL-RSA, podman, postgresql16, procps, protobuf, python-dnspython, python-Jinja2, python-requests, python-setuptools, python-tornado6, python-urllib3, python311, python311, python-rpm-macros, qemu, rsync, runc, rust-keylime, selinux-policy, sevctl, skopeo, sssd, SUSE Manager Client Tools, systemd, thunderbird, tiff, tpm2.0-tools, tpm2-0-tss, u-boot, ucode-intel, unbound, util-linux, vim, wget, and wpa_supplicant), and Ubuntu (linux-nvidia, python-django, twitter-bootstrap3, twitter-bootstrap4, and wireshark). --------------------------------------------- https://lwn.net/Articles/1024158/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.06.2025
by Daily end-of-shift report 04 Jun '25

04 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-06-2025 18:00 − Mittwoch 04-06-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Coinbase breach tied to bribed TaskUs support agents in India ∗∗∗ --------------------------------------------- A recently disclosed data breach at Coinbase has been linked to India-based customer support representatives from outsourcing firm TaskUs, who threat actors bribed to steal data from the crypto exchange. --------------------------------------------- https://www.bleepingcomputer.com/news/security/coinbase-breach-tied-to-brib… ∗∗∗ Umgehung des Sandboxings: Meta und Yandex de-anonymisieren Android-Nutzer ∗∗∗ --------------------------------------------- Sicherheitsforscher decken eine Methode auf, mit der Meta und Yandex flüchtige Web-Identifikatoren in dauerhafte Nutzeridentitäten umgewandelt haben. --------------------------------------------- https://www.golem.de/news/umgehung-des-sandboxings-meta-und-yandex-de-anony… ∗∗∗ The strange tale of ischhfd83: When cybercriminals eat their own ∗∗∗ --------------------------------------------- This investigation is a good example of how threats can be much more complex than they first appear. From an initial customer query about a new RAT, we uncovered a significant amount of backdoored GitHub repositories, containing multiple kinds of backdoors. --------------------------------------------- https://news.sophos.com/en-us/2025/06/04/the-strange-tale-of-ischhfd83-when… ∗∗∗ Acreed infostealer poised to replace Lumma after global crackdown ∗∗∗ --------------------------------------------- The Acreed malware, which emerged earlier this year, is gaining ground with cybercriminals who otherwise might have used the Lumma infostealer, researchers said. --------------------------------------------- https://therecord.media/acreed-infostealer-arises-after-lumma-takedown ∗∗∗ Angriffe laufen: Connectwise, Craft CMS und Asus-Router im Visier ∗∗∗ --------------------------------------------- Die CISA warnt vor Angriffen auf Sicherheitslecks in Connectwise ScreenConnect, Craft CMS und Asus-Router. Updates stehen bereit. --------------------------------------------- https://heise.de/-10424978 ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday Android: Angreifer können sich höhere Rechte verschaffen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Lücken in Android 13, 14 und 15. Angreifer attackieren Geräte mit Qualcomm-Prozessor. --------------------------------------------- https://www.heise.de/news/Patchday-Android-Angreifer-koennen-sich-hoehere-R… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git, krb5, perl-CPAN, and rsync), Debian (tcpdf), Fedora (libmodsecurity, lua-http, microcode_ctl, and nextcloud), Red Hat (osbuild-composer), SUSE (389-ds, avahi, ca-certificates-mozilla, docker, expat, freetype2, glib2, gnuplot, gnutls, golang-github-teddysun-v2ray-plugin, golang-github-v2fly-v2ray-core, govulncheck-vulndb, helm, iperf, kernel, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, krb5, libarchive, libsoup, libsoup2, libtasn1, libX11, libxml2, libxslt, orc, podman, python-Jinja2, python-requests, python3-setuptools, python310, python311, python39, rubygem-rack, sslh, SUSE Manager Client Tools, SUSE Manager Client Tools and Salt Bundle, ucode-intel, util-linux, and wget), and Ubuntu (libvpx, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-nvidia-tegra, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-aws-fips, linux-gcp-fips, linux-azure-fde, linux-fips, and linux-intel-iot-realtime, linux-realtime). --------------------------------------------- https://lwn.net/Articles/1023793/ ∗∗∗ ZDI-25-324: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-324/ ∗∗∗ ZDI-25-323: Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-323/ ∗∗∗ ZDI-25-321: GIMP ICO File Parsing Integer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-321/ ∗∗∗ Critical Vulnerability in multiple Mitsubishi Electric MELSEC iQ-F Series Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-03 ∗∗∗ Critical Vulnerability in Schneider Electric Wiser Home Automation ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.06.2025
by Daily end-of-shift report 03 Jun '25

03 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Montag 02-06-2025 18:00 − Dienstag 03-06-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Malicious RubyGems pose as Fastlane to steal Telegram API data ∗∗∗ --------------------------------------------- Two malicious RubyGems packages posing as popular Fastlane CI/CD plugins redirect Telegram API requests to attacker-controlled servers to intercept and steal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-rubygems-pose-as-f… ∗∗∗ Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets ∗∗∗ --------------------------------------------- A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victims contacts list. --------------------------------------------- https://thehackernews.com/2025/06/android-trojan-crocodilus-now-active-in.h… ∗∗∗ How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms ∗∗∗ --------------------------------------------- We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems. [..] A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/comparing-llm-guardrails-across-genai-p… ∗∗∗ Cyberattacks Hit Top Retailers: Cartier, North Face Among Latest Victims ∗∗∗ --------------------------------------------- North Face, Cartier, and Next Step Healthcare are the latest victims in a string of cyberattacks compromising customer data. Explore the methods used by attackers and the wider impact on retail security. --------------------------------------------- https://hackread.com/cyberattacks-retailers-cartier-north-face-victims/ ∗∗∗ Inside RansomHub: Tactics, Targets, and What It Means for You ∗∗∗ --------------------------------------------- What is RansomHub ransomware? We dive into the groups TTPs, latest attacks and news, & mitigation strategies you should know in 2025. --------------------------------------------- https://www.bitsight.com/blog/guide-to-ransomhub-ransomware-2025 ===================== = Vulnerabilities = ===================== ∗∗∗ Google stopft attackierte Lücke in Chrome ∗∗∗ --------------------------------------------- In der Javascript-Engine V8 von Google Chrome ermöglicht eine Schwachstelle Angreifern, außerhalb vorgesehener Speichergrenzen zu lesen und zu schreiben. Für diese Schwachstelle ist ein Exploit in freier Wildbahn aufgetaucht, sie wird daher offenbar bereits attackiert. --------------------------------------------- https://www.heise.de/news/Google-stopft-attackierte-Luecke-in-Chrome-104232… ∗∗∗ Sicherheitsupdate: Vielfältige Attacken auf HPE StoreOnce möglich ∗∗∗ --------------------------------------------- Acht Softwareschwachstellen in der Backuplösung StoreOnce von HPE machen Systeme attackierbar. Darunter findet sich eine "kritische" Lücke. Über weitere Angriffe kann Schadcode auf PCs gelangen. Eine gegen mögliche Attacken geschützte Version steht ab sofort zum Download bereit. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdate-Vielfaeltige-Attacken-auf-HPE-S… ∗∗∗ Angreifer können Roundcube Webmail mit Schadcode attackieren ∗∗∗ --------------------------------------------- Webadmins sollten ihre Roundcube-Webmail-Instanzen zeitnah auf den aktuellen Stand bringen. In aktuellen Ausgaben haben die Entwickler eine Sicherheitslücke geschlossen, über die Schadcode auf Systeme gelangen kann. --------------------------------------------- https://www.heise.de/news/Kritische-Schadcode-Luecke-bedroht-Roundcube-Webm… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (varnish), Debian (asterisk and roundcube), Fedora (systemd), Mageia (golang), Red Hat (ghostscript, perl-CPAN, python36:3.6, and rsync), SUSE (govulncheck-vulndb, libsoup-2_4-1, and postgresql, postgresql16, postgresql17), and Ubuntu (mariadb, open-vm-tools, php-twig, and python-tornado). --------------------------------------------- https://lwn.net/Articles/1023625/ ∗∗∗ SVD-2025-0604: Third-Party Package Updates in Splunk Universal Forwarder - June 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0604 ∗∗∗ SVD-2025-0603: Third-Party Package Updates in Splunk Enterprise - June 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0603 ∗∗∗ SVD-2025-0602: Incorrect permission assignment on Universal Forwarder for Windows during new installation or upgrade ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0602 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.06.2025
by Daily end-of-shift report 02 Jun '25

02 Jun '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-05-2025 18:00 − Montag 02-06-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Exploit details for max severity Cisco IOS XE flaw now public ∗∗∗ --------------------------------------------- Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-details-for-max-seve… ∗∗∗ Deutscher Rüstungskonzern: Cybergang leakt interne Daten von Rheinmetall ∗∗∗ --------------------------------------------- Der deutsche Rüstungskonzern Rheinmetall ist offenbar Ziel einer Cyberattacke geworden, bei der vertrauliche Daten in die Hände der Angreifer gelangt sind. Die Hackergruppe Babuk2 hatte Rheinmetall schon am 4. April auf ihre Datenleckseite aufgenommen. Jetzt berichtete Tagesschau.de, dass auch die Datenschutzbehörde NRW sowie das Bundesamt für Sicherheit in der Informationstechnik über den Vorfall informiert worden seien. --------------------------------------------- https://www.golem.de/news/deutscher-ruestungskonzern-cybergang-leakt-intern… ∗∗∗ Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Across 6 Global Regions ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. --------------------------------------------- https://thehackernews.com/2025/06/fake-recruiter-emails-target-cfos-using.h… ∗∗∗ Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump ∗∗∗ --------------------------------------------- A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names. The leaks include thousands of chat logs, personal videos, and ransom negotiations tied to some of the most notorious cyber-extortion gangs — believed to have raked in billions from companies, hospitals, and individuals worldwide. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/31/gangexposed_… ∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗ --------------------------------------------- We found four vulnerabilities by downloading and extracting Revolution Pi’s latest firmware version (01/2025). We didn’t even need to buy the device, although one would look great on our ICS demo rig! All were found with static code analysis but demonstrated by installing the firmware to a standard Raspberry Pi. --------------------------------------------- https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g… ∗∗∗ The remote desktop puzzle. DFIR techniques for dealing with RDP Bitmap Cache ∗∗∗ --------------------------------------------- A lot of people are aware of RDP and what its functions are. It’s known for providing remote access and making life easier for administrators and users. With that comes insight for forensic investigators, regarding the ‘bitmap cache’. This is often overlooked, but when analysed correctly can provide some great understanding about what’s happened on a system. --------------------------------------------- https://www.pentestpartners.com/security-blog/the-remote-desktop-puzzle-dfi… ∗∗∗ LOLCLOUD - Azure Arc - C2aaS ∗∗∗ --------------------------------------------- Exploring Azure Arc’s overlooked C2aaS potential. Attacking and Defending against its usage and exploring usecases. --------------------------------------------- https://blog.zsec.uk/azure-arc-c2aas/ ===================== = Vulnerabilities = ===================== ∗∗∗ New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora ∗∗∗ --------------------------------------------- Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. --------------------------------------------- https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html ∗∗∗ 2025-06-02: Cyber Security Advisory - ELSB/Home Solutions Outdated SW Components in ABB Welcome IP-Gateway ∗∗∗ --------------------------------------------- An attacker who successfully exploits these vulnerabilities could potentially gain unauthorized access and potentially compromise the system's - and log-file - confidentiality, integrity and availability. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A8948&Lan… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (espeak-ng, kitty, kmail-account-wizard, krb5, libreoffice, libvpx, net-tools, python-flask-cors, symfony, tcpdf, thunderbird, and twitter-bootstrap3), Fedora (chromium, dropbear, firefox, gstreamer1-plugins-bad-free, python-tornado, systemd, and thunderbird), Mageia (coreutils, deluge, glib2.0, and redis), Oracle (firefox, kernel, and systemd), Red Hat (firefox, kernel, kernel-rt, varnish, varnish:6, and zlib), SUSE (bind, curl, dnsdist, docker, ffmpeg-7, firefox, glibc, golang-github-prometheus-alertmanager, govulncheck-vulndb, icinga2, iputils, java-11-openjdk, java-1_8_0-ibm, kea, kernel, libopenssl-3-devel, libsoup, libxml2, nodejs-electron, open-vm-tools, openbao, perl-Net-Dropbox-API, pluto, poppler, postgresql14, postgresql15, postgresql16, postgresql17, python312-setuptools, runc, s390-tools, skopeo, sqlite3, thunderbird, and unbound), and Ubuntu (apport and libphp-adodb). --------------------------------------------- https://lwn.net/Articles/1023501/ ∗∗∗ Multiple vulnerabilities in wivia 5 ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN51394666/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.05.2025
by Daily end-of-shift report 30 May '25

30 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-05-2025 18:00 − Freitag 30-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Interlock ransomware gang deploys new NodeSnake RAT on universities ∗∗∗ --------------------------------------------- The Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutes for persistent access to corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-de… ∗∗∗ APT41 malware abuses Google Calendar for stealthy C2 communication ∗∗∗ --------------------------------------------- The Chinese APT41 hacking group uses a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-… ∗∗∗ Threat actors abuse Google Apps Script in evasive phishing attacks ∗∗∗ --------------------------------------------- Threat actors are abusing the ‘Google Apps Script’ development platform to host phishing pages that appear legitimate and steal login credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a… ∗∗∗ ConnectWise breached in cyberattack linked to nation-state hackers ∗∗∗ --------------------------------------------- IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cybe… ∗∗∗ Everest Group Extorts Global Orgs via SAPs HR Tool ∗∗∗ --------------------------------------------- Extortionist-cum-information broker "Everest Group" has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/everest-group-extort… ∗∗∗ Sicherheitslücke: Warum ChatGPT oft den gesamten Onedrive-Ordner lesen kann ∗∗∗ --------------------------------------------- Forscher warnen vor einer Sicherheitslücke in Microsofts File Picker für Onedrive. Apps wie ChatGPT können weitaus mehr lesen, als Anwender erwarten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-warum-chatgpt-oft-den-gesamten-… ∗∗∗ Exploits and vulnerabilities in Q1 2025 ∗∗∗ --------------------------------------------- This report contains statistics on vulnerabilities and published exploits, along with an analysis of the most noteworthy vulnerabilities we observed in the first quarter of 2025. --------------------------------------------- https://securelist.com/vulnerabilities-and-exploits-in-q1-2025/116624/ ∗∗∗ New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers ∗∗∗ --------------------------------------------- Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet. --------------------------------------------- https://thehackernews.com/2025/05/new-windows-rat-evades-detection-for.html ∗∗∗ Attack on LexisNexis Risk Solutions exposes data on 300k + ∗∗∗ --------------------------------------------- LexisNexis Risk Solutions (LNRS) is the latest big-name organization to disclose a serious cyberattack leading to data theft, with the number of affected individuals pegged at 364,333. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/28/attack_on_le… ∗∗∗ Billions of cookies up for grabs as experts warn over session security ∗∗∗ --------------------------------------------- A VPN vendor says billions of stolen cookies currently on sale either on dark web or Telegram-based marketplaces remain active and exploitable. More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/29/billions_of_… ∗∗∗ U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams ∗∗∗ --------------------------------------------- The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers. --------------------------------------------- https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as… ∗∗∗ Fake Bitdefender website used to spread infostealer malware ∗∗∗ --------------------------------------------- The attackers created a website that closely mimics Bitdefender’s legitimate Windows download page. Victims are infected after clicking a seemingly authentic “Download for Windows” button, which delivers a malicious archive. The archive contains executable files configured to deploy VenomRAT, which is used for remote access, keylogging and data exfiltration. --------------------------------------------- https://therecord.media/fake-bitdefender-website-venomrat-infostealer ∗∗∗ Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say ∗∗∗ --------------------------------------------- Cybersecurity researchers at BeyondTrust are warning about a little-known but dangerous issue within Microsoft’s Entra identity platform. The issue isn’t some hidden bug or overlooked vulnerability; it’s a feature, built into the system by design, that attackers can exploit. --------------------------------------------- https://hackread.com/microsoft-entra-design-guest-users-gain-azure-control/ ∗∗∗ Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale ∗∗∗ --------------------------------------------- A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.” --------------------------------------------- https://hackread.com/threat-actor-tiktok-breach-428-million-records-sale/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (firefox-esr, libvpx, net-tools, php-twig, python-tornado, setuptools, varnish, webpy, yelp, and yelp-xsl), Fedora (xen), Mageia (cimg and ghostscript), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, thunderbird, and unbound), Red Hat (firefox, mingw-freetype and spice-client-win, pcs, and varnish:6), Slackware (curl and mozilla), SUSE (apparmor, containerd, dnsdist, go1.23-openssl, go1.24, gstreamer-plugins-bad, ImageMagick, jetty-minimal, python-tornado, python313-setuptools, s390-tools, thunderbird, tomcat10, ucode-intel, and wxWidgets-3_2), and Ubuntu (ffmpeg, krb5, libsoup3, libsoup2.4, linux-aws-5.4, linux-aws-fips, linux-fips, linux-oracle-6.8, net-tools, and python-setuptools, setuptools). --------------------------------------------- https://lwn.net/Articles/1023072/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, firefox, ghostscript, gstreamer1-plugins-bad-free, libsoup3, mingw-freetype, perl, ruby, sqlite, thunderbird, unbound, valkey, and xz), Debian (chromium, firefox-esr, libavif, linux-6.1, modsecurity-apache, mydumper, systemd, and thunderbird), Fedora (coreutils, dnsdist, docker-buildx, maturin, mingw-python-flask, mingw-python-flit-core, ruff, rust-hashlink, rust-rusqlite, and thunderbird), Red Hat (pcs), SUSE (augeas, brltty, brotli, ca-certificates-mozilla, dnsdist, glibc, grub2, kernel, libsoup, libsoup2, libxml2, open-vm-tools, perl, postgresql13, postgresql15, postgresql16, postgresql17, python-cryptography, python-httpcore, python-h11, python311, runc, s390-tools, slurm, slurm_20_11, slurm_22_05, slurm_23_02, slurm_24_11, tomcat, and webkit2gtk3), and Ubuntu (linux-aws). --------------------------------------------- https://lwn.net/Articles/1023259/ ∗∗∗ On Demand JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.05.2025
by Daily end-of-shift report 28 May '25

28 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-05-2025 18:00 − Mittwoch 28-05-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers ∗∗∗ --------------------------------------------- GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know. --------------------------------------------- https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-rou… ∗∗∗ DragonForce Ransomware Strikes MSP in Supply Chain Attack ∗∗∗ --------------------------------------------- DragonForce, a ransomware "cartel" that has gained significant popularity since its debut in 2023, attacked an MSP as part of a recent supply chain attack, via known SimpleHelp bugs. --------------------------------------------- https://www.darkreading.com/application-security/dragonforce-ransomware-msp… ∗∗∗ Zanubis in motion: Tracing the active evolution of the Android banking malware ∗∗∗ --------------------------------------------- A comprehensive historical breakdown of Zanubis changes, including RC4 and AES encryption, credentials stealing and new targets in Peru, provided by Kaspersky GReAT experts. --------------------------------------------- https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/1165… ∗∗∗ Fake Java Update Popup Found in Malicious WordPress Plugin ∗∗∗ --------------------------------------------- We recently assisted a customer who reported a persistent and concerning "Java Update" pop-up appearing on their WordPress website. This type of deceptive notification is a common tactic used by attackers to compromise website visitors. Our investigation revealed a malicious plugin operating stealthily within their WordPress environment. --------------------------------------------- https://blog.sucuri.net/2025/05/fake-java-update-popup-found-in-malicious-w… ∗∗∗ OneDrive File Picker Flaw Provides ChatGPT and Other Web Apps Full Read Access to Users’ Entire OneDrive ∗∗∗ --------------------------------------------- Oasis Securitys research team uncovered a flaw in Microsofts OneDrive File Picker that allows websites to access a user’s entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp – meaning millions of users may have already granted these apps access to their OneDrive. --------------------------------------------- https://www.oasis.security/resources/blog/onedrive-file-picker-security-fla… ∗∗∗ Chinese spies blamed for attempted hack on Czech government network ∗∗∗ --------------------------------------------- Czech authorities said they assessed with “a high degree of certainty” that a Chinese cyber-espionage group known as APT31, Judgment Panda, Bronze Vinewood or RedBravo tried to hack into a government network. --------------------------------------------- https://therecord.media/czechia-accuses-china-cyber-espionage-apt31 ∗∗∗ New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know ∗∗∗ --------------------------------------------- ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods. --------------------------------------------- https://hackread.com/new-phishing-campaign-dbatloader-drop-remcos-rat/ ∗∗∗ Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users ∗∗∗ --------------------------------------------- ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users. --------------------------------------------- https://hackread.com/malware-ai-models-pypi-targets-alibaba-ai-labs-users/ ∗∗∗ Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day ∗∗∗ --------------------------------------------- On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. The infrastructure and execution suggest centralized planning. --------------------------------------------- https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-ta… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken: IBM Guardium Data Protection als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Aufgrund von mehreren Schwachstellen kann es zu Datenlecks im Kontext von IBM Guardium Data Protection kommen. Updates schaffen Abhilfe. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-IBM-Guardium-Data-Protection-a… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools). --------------------------------------------- https://lwn.net/Articles/1022853/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 139 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/ ∗∗∗ F5: K000151516, Python urllib vulnerability CVE-2019-9947 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151516 ∗∗∗ F5: K000151520, Python vulnerabilities CVE-2018-20852, CVE-2014-4616, and CVE-2013-7040 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151520 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2025
by Daily end-of-shift report 27 May '25

27 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 26-05-2025 18:00 − Dienstag 27-05-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MATLAB dev confirms ransomware attack behind service outage ∗∗∗ --------------------------------------------- MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mathworks-blames-ransomware-… ∗∗∗ Not Every CVE Deserves a Fire Drill: Focus on What’s Exploitable ∗∗∗ --------------------------------------------- Not every "critical" vulnerability is a critical risk. Picus Exposure Validation cuts through the noise by testing whats actually exploitable in your environment — so you can patch what matters. --------------------------------------------- https://www.bleepingcomputer.com/news/security/not-every-cve-deserves-a-fir… ∗∗∗ Chinese-Owned VPNs ∗∗∗ --------------------------------------------- One one my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain. A new study found that many commercials VPNS are (often surreptitiously) owned by Chinese companies. It would be hard for U.S. users to avoid the Chinese VPNs. The ownership of many appeared deliberately opaque, with several concealing their structure behind layers of offshore shell companies. --------------------------------------------- https://www.schneier.com/blog/archives/2025/05/chinese-owned-vpns.html ∗∗∗ Cyber Security Operations Center: ESA will mehr IT-Sicherheit ∗∗∗ --------------------------------------------- Die Raumfahrtagentur ESA verstärkt ihre IT-Sicherheitsbemühungen. Dazu eröffnete sie nun das Cyber Security Operations Center. --------------------------------------------- https://www.heise.de/news/Cyber-Security-Operations-Center-ESA-will-mehr-IT… ∗∗∗ Dutch intelligence unmasks previously unknown Russian hacking group Laundry Bear ∗∗∗ --------------------------------------------- Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard. --------------------------------------------- https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlan… ∗∗∗ Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites ∗∗∗ --------------------------------------------- Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-wea… ===================== = Vulnerabilities = ===================== ∗∗∗ GitHub MCP Exploited: Accessing private repositories via MCP ∗∗∗ --------------------------------------------- We showcase a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data. The vulnerability is among the first discovered by Invariants security analyzer for detecting toxic agent flows. --------------------------------------------- https://invariantlabs.ai/blog/mcp-github-vulnerability ∗∗∗ Update für ManageEngine ADAudit Plus stopft hochriskante Sicherheitslücken ∗∗∗ --------------------------------------------- In ManageEngine ADAudit Plus hat Hersteller Zoho zwei als hohes Risiko eingestufte Schwachstellen ausgebessert. --------------------------------------------- https://www.heise.de/news/Update-fuer-ManageEngine-ADAudit-Plus-stopft-hoch… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free, libsoup, and python-tornado), Debian (libavif and pgbouncer), Red Hat (gstreamer1-plugins-bad-free, mingw-freetype and spice-client-win, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, and python310-setuptools), and Ubuntu (flask, intel-microcode, openjdk-17-crac, tika, and Tomcat). --------------------------------------------- https://lwn.net/Articles/1022703/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.24 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/ ∗∗∗ Security Vulnerabilities fixed in Firefox 139 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.05.2025
by Daily end-of-shift report 26 May '25

26 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-05-2025 18:00 − Montag 26-05-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying ∗∗∗ --------------------------------------------- An example of how a single malware operation can enable both criminal and state-sponsored hacking. --------------------------------------------- https://arstechnica.com/security/2025/05/feds-charge-16-russians-allegedly-… ∗∗∗ Gitlab Duo: Versteckter Kommentar lässt KI-Tool privaten Code leaken ∗∗∗ --------------------------------------------- Gitlab Duo hatte zuletzt ernste Sicherheitsprobleme. Angreifer konnten privaten Quellcode abgreifen oder Schadcode in fremde Softwareprojekte einschleusen. --------------------------------------------- https://www.golem.de/news/gitlab-duo-versteckter-kommentar-laesst-ki-tool-p… ∗∗∗ Fake Google Meet Page Tricks Users into Running PowerShell Malware ∗∗∗ --------------------------------------------- Last month, a customer reached out to us after noticing suspicious URLs on their WordPress site. Visitors reported being prompted to perform unusual actions.We began our investigation, scanning the site for common .. --------------------------------------------- https://blog.sucuri.net/2025/05/fake-google-meet-page-tricks-users-into-run… ∗∗∗ Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique ∗∗∗ --------------------------------------------- The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector."The ClickFix technique is particularly risky because it allows the malware to execute in memory .. --------------------------------------------- https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.h… ∗∗∗ Operation Endgame 2: 15 Millionen E-Mail-Adressen und 43 Millionen Passwörter ∗∗∗ --------------------------------------------- Bei "Operation Endgame 2.0" kamen viele Millionen Adressen und Passwörter von Opfern ans Licht. Have I Been Pwned hat sie aufgenommen. --------------------------------------------- https://www.heise.de/news/Operation-Endgame-2-15-Millionen-E-Mail-Adressen-… ∗∗∗ Neuer Lieferkettenangriff mit bösartigen Skripten in npm-Paketen ∗∗∗ --------------------------------------------- Ein neuer Angriff auf die Lieferkette bedroht Workstations und CI-Umgebungen. Das bösartige Skript spioniert interne Daten für weitere Attacken aus. --------------------------------------------- https://www.heise.de/news/Neuer-Lieferkettenangriff-mit-boesartigen-Skripte… ∗∗∗ Kriminelle Gruppe "Careto" angeblich von spanischer Regierung gelenkt ∗∗∗ --------------------------------------------- Nicht nur China und Russland steuern Cybergangs. Ehemalige Kaspersky-Mitarbeiter behaupten, die Bande "Careto" werde von Spanien gelenkt. --------------------------------------------- https://www.heise.de/news/Kriminelle-Gruppe-Careto-angeblich-von-spanischer… ∗∗∗ Hacker bietet 1,2 Milliarden Facebook-Nutzerdaten im Darknet – ist es ein Fake? ∗∗∗ --------------------------------------------- Gab es ein neues Datenleck bei Meta-Tochter Facebook? Ein Hacker behauptet 1,2 Milliarden Facebook-Nutzerdaten über eine API abgezogen zu haben und bietet diese im Darknet zum Kauf an. Es gibt aber Zweifel, ob diese Daten neu sind. --------------------------------------------- https://www.borncity.com/blog/2025/05/23/hacker-bietet-12-milliarden-facebo… ∗∗∗ Offensive Threat Intelligence ∗∗∗ --------------------------------------------- CTI isn’t just for blue teams. Used properly, it sharpens red team tradecraft, aligns ops to real-world threats, and exposes blind spots defenders often miss. It’s not about knowing threats, it’s about becoming them long enough to help others beat them. --------------------------------------------- https://blog.zsec.uk/offensive-cti/ ∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗ --------------------------------------------- AhnLab and the National Cyber Security Center (NCSC) have released a report that details the activities of the TA-ShadowCricket group from 2023 to the present. --------------------------------------------- https://asec.ahnlab.com/en/88137/ ∗∗∗ ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks ∗∗∗ --------------------------------------------- Cofense Intelligences May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat. --------------------------------------------- https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/ ∗∗∗ BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover ∗∗∗ --------------------------------------------- Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any… --------------------------------------------- https://hackread.com/badsuccessor-exploits-windows-server-2025-takeover/ ∗∗∗ How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation ∗∗∗ --------------------------------------------- In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API – no scaffolding, no agentic frameworks, no tool use. --------------------------------------------- https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-re… ∗∗∗ Bypassing MTE with CVE-2025-0072 ∗∗∗ --------------------------------------------- In this post, I’ll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled. --------------------------------------------- https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-… ∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗ --------------------------------------------- In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally .. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5924-1 intel-microcode - security update ∗∗∗ --------------------------------------------- This update ships updated CPU microcode for some types of Intel CPUs. Inparticular it provides mitigations for the Indirect Target Selection(ITS) vulnerability (CVE-2024-28956) and the Branch Privilege Injectionvulnerability (CVE-2024-45332).For CPUs affected to ITS (Indirect Target Selection), to fully mitigatethe vulnerability it is also necessary to .. --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00087.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2025
by Daily end-of-shift report 23 May '25

23 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-05-2025 18:00 − Freitag 23-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TikTok videos now push infostealer malware in ClickFix attacks ∗∗∗ --------------------------------------------- As Trend Micro recently discovered, the threat actors behind this TikTok social engineering campaign are using videos likely generated using AI that ask viewers to run commands claiming to activate Windows and Microsoft Office, as well as premium features in various legitimate software like CapCut and Spotify. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infos… ∗∗∗ FBI warns of Luna Moth extortion attacks targeting law firms ∗∗∗ --------------------------------------------- The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks. Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022 and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-luna-moth-extor… ∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗ --------------------------------------------- In this blog post, we get to the heart of the matter, the actual security of the Windows Registry. I'd like to talk about what made a feature that was initially meant to be just a quick test of my fuzzing infrastructure draw me into manual research for the next 1.5 ~ 2 years, and result in Microsoft fixing (so far) 53 CVEs. I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate, and some considerations on effective fuzzing and where more bugs might still be lurking. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu… ∗∗∗ GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. --------------------------------------------- https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html ∗∗∗ ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network. --------------------------------------------- https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html ∗∗∗ Oops: DanaBot Malware Devs Infected Their Own PCs ∗∗∗ --------------------------------------------- The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware. --------------------------------------------- https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-thei… ∗∗∗ Fake-Geburtstagsgeschenk: Abofalle im Namen von Rituals im Umlauf ∗∗∗ --------------------------------------------- Derzeit sind betrügerische E-Mails im Umlauf, die angeblich von Rituals stammen. Sie versprechen eine luxuriöse Geburtstags-Geschenkbox zum Sonderpreis von nur zwei Euro. Doch Vorsicht: Hinter dem scheinbar großzügigen Angebot verbirgt sich keine echte Überraschung, sondern eine teure Abofalle! --------------------------------------------- https://www.watchlist-internet.at/news/fake-geburtstagsgeschenk-abofalle-im… ∗∗∗ Sicherheitsrisiko AD-Verwaltung und Gruppe Authenticated Users ∗∗∗ --------------------------------------------- Ein Blog-Leser hat mich die Tage auf ein möglicherweise bei einigen Active Directory-Systemen bestehende Sicherheitsrisiko hingewiesen. Sind in der Active-Directory-Gruppe Authenticated Users externe Konten enthalten, könnten Freigaben interner Dienste (Drucker etc.) ungewollt externen Nutzern offen stehen. --------------------------------------------- https://www.borncity.com/blog/2025/05/22/sicherheitsrisiko-ad-verwaltung-un… ∗∗∗ Information Leakage Caused by DB Client Tool ∗∗∗ --------------------------------------------- In recent breach incidents, threat actors have been observed not only accessing systems, but also directly querying internal databases and stealing sensitive information. Particularly, more threat actors are installing DB client tools directly on targeted systems to exfiltrate data, and legitimate tools such as DBeaver, Navicat, and sqlcmd are being used in this process. --------------------------------------------- https://asec.ahnlab.com/en/88134/ ∗∗∗ Scarcity signals: Are rare activities red flags? ∗∗∗ --------------------------------------------- Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones. --------------------------------------------- https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red… ∗∗∗ Operation Endgame 2.0: 20 Haftbefehle, Hunderte Server außer Gefecht gesetzt ∗∗∗ --------------------------------------------- Internationale Strafverfolger gehen weiter gegen Malware-Autoren vor. Im Rahmen der "Operation Endgame 2.0" haben die Sicherheitsbehörden aus Deutschland – das BKA und die Generalstaatsanwaltschaft Frankfurt am Main – die Cyberkriminellen nun empfindlich getroffen. Allein in Deutschland nahmen die Behörden 50 Server vom Netz, 650 Domains sind nicht mehr unter der Kontrolle der Cybergangster. --------------------------------------------- https://heise.de/-10394215 ∗∗∗ Fault Injection-Angriffe auf die Mikrocontroller nRF54L15 und STM32L051 (SYSS-2025-022/-033) ∗∗∗ --------------------------------------------- Der Begriff "Fault Injection" bezeichnet eine Klasse von Schwachstellen, bei denen Angreifende gezielt versuchen, Fehlerzustände in Systemen zu erzeugen. Diese Fehlerzustände führen dabei zu abnormalem Verhalten der Systeme und können ausgenutzt werden, um Sicherheitsbeschränkungen zu umgehen. So ist es beispielsweise möglich, kryptografische Schlüssel zu extrahieren oder Lesebeschränkungen von internen Datenspeichern zu umgehen. --------------------------------------------- https://www.syss.de/pentest-blog/fault-injection-angriffe-auf-die-mikrocont… ===================== = Vulnerabilities = ===================== ∗∗∗ 2025-05-22: Cyber Security Advisory - ASPECT advisory several CVEs ∗∗∗ --------------------------------------------- Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&Lan… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dotnet9.0, dropbear, ghostscript, nbdkit, openssh, python-watchfiles, rpm-ostree, yelp, yelp-xsl, and zsync), Oracle (firefox and kernel), Red Hat (osbuild-composer), Slackware (aaa_glibc and mozilla), SUSE (chromedriver, open-vm-tools, postgresql14, python-cryptography, and thunderbird), and Ubuntu (linux-aws, linux-hwe-5.4, python, and sqlite3). --------------------------------------------- https://lwn.net/Articles/1022352/ ∗∗∗ Infoblox NetMRI is vulnerable to CVE-2024-54188 ∗∗∗ --------------------------------------------- https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE… ∗∗∗ [R1] Tenable Network Monitor Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-10 ∗∗∗ Lantronix Device Installer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01 ∗∗∗ Rockwell Automation FactoryTalk Historian ThingWorx ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.05.2025
by Daily end-of-shift report 22 May '25

22 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-05-2025 18:00 − Donnerstag 22-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Strafverfolger beschlagnahmen Lumma Stealer-Infrastruktur (Mai 2025) ∗∗∗ --------------------------------------------- In einer koordinierten Aktion haben US-Strafverfolger die Infrastruktur (C & C-Server) des Lumma-Infostealers beschlagnahmt und die Funktion lahm gelegt. Die Malware ist für zahlreiche Cyberangriffe auf Nutzer mit Abgreifen von Informationen verantwortlich und es waren fast 400.000 PC infiziert. [..] Microsoft bezeichnet den Akteur, der Lumma als Malware-as-a-service (MaaS) anbietet, als Storm-2477. [..] Das Ganze erfolgte in Zusammenarbeit mit Strafverfolgungsbehörden (FBI, Europol, JC3) und Industriepartnern (ESET, Bitsight, Lumen, Cloudflare, CleanDNS und GMO Registry). --------------------------------------------- https://www.borncity.com/blog/2025/05/22/strafverfolger-beschlagen-lumma-st… ∗∗∗ 3AM ransomware uses spoofed IT calls, email bombing to breach networks ∗∗∗ --------------------------------------------- A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-spoofed-… ∗∗∗ Signal now blocks Microsoft Recall screenshots on Windows 11 ∗∗∗ --------------------------------------------- Signal has updated its Windows app to protect users privacy by blocking Microsofts AI-powered Recall feature from taking screenshots of their conversations. [..] This new privacy feature, dubbed "screen security," is now enabled by default on all Windows 11 devices, where Recall continuously takes screenshots of all active windows every few seconds and analyzes them to build a database that can be searched using natural language. When enabled, screen security will set a Digital Rights Management (DRM) flag on Signal's app windows, blocking their content from being captured by Recall or other Windows apps and features. --------------------------------------------- https://www.bleepingcomputer.com/news/security/signal-now-blocks-microsoft-… ∗∗∗ Storm-0558 and the Dangers of Cross-Tenant Token Forgery ∗∗∗ --------------------------------------------- Modern cloud ecosystems often place a single identity provider in charge of handling logins and tokens for a wide range of customers. This approach certainly streamlines single sign-on (SSO) for end users, but it also places enormous trust in a single set of signing keys. If those private keys are compromised, attackers can create tokens that appear valid to any service that relies on them. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/storm-0558-… ∗∗∗ Another Fake Cloudflare Verification Targets WordPress Sites ∗∗∗ --------------------------------------------- A new Cloudflare infection has once again been targeting WordPress sites. This new iteration of malware mimics a legitimate-looking Cloudflare verification page, which then tricks victims into following various commands and downloading malware. This style of malware is not new – our researcher Ben Martin wrote about a similar campaign targeting WordPress sites back in March. The difference between this new infection and previous ones is the location of where the malware is located – spread out among multiple themes and fake plugins. Additionally, this variant is delivered in three stages, which helps the attacker avoid detection and maintain control over what is delivered at each step. --------------------------------------------- https://blog.sucuri.net/2025/05/another-fake-cloudflare-verification-target… ∗∗∗ Datenleck bei Coinbase: Massive Phishing-Welle rollt ∗∗∗ --------------------------------------------- Nachdem Hacker zahlreiche Kund:innendaten der Krypto-Plattform gestohlen und weiterverkauft haben, werden aktuell vermehrt Phishing-Versuche im Namen von Coinbase gemeldet. Die Kriminellen kontaktieren Ihre Opfer entweder per E-Mail oder via Telefon mit dem Ziel, an sensible Informationen zu kommen oder Überweisungen zu veranlassen. --------------------------------------------- https://www.watchlist-internet.at/news/datenleck-bei-coinbase-phishing/ ∗∗∗ BadSuccessor: dMSA zur Privilegien-Erhöhung in Active Directory missbrauchen ∗∗∗ --------------------------------------------- In Windows Server 2025 wurden delegated Managed Service Accounts (dMSAs) neu eingeführt. Das sind Service-Konten für das Active Directory (AD), die neue Funktionen ermöglichen sollen. Sicherheitsforscher sind nun darauf gestoßen, dass durch den Missbrauch von dMSAs Angreifer jeden Principal in der Domäne übernehmen können. [..] Derzeit will Microsoft das Problem aus obigen Gründen nicht fixen – sondern das Problem irgendwann in Zukunft beheben (es gibt also keinen Patch). --------------------------------------------- https://www.borncity.com/blog/2025/05/22/badsuccessor-dmsa-zur-privilegien-… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances. It's worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues following the end of the 90-day deadline. --------------------------------------------- https://thehackernews.com/2025/05/unpatched-versa-concerto-flaws-let.html ∗∗∗ Cisco Security Advisories 2025-05-21 ∗∗∗ --------------------------------------------- Cisco hat 10 neue Security Advisories veröffentlicht. Zwei der neuen Advisories sind als “High” eingestuft und 8 als “Medium”. Die als "High" eingestuften Advisories betreffen Schwachstellen in Cisco Identity Services Engine RADIUS und Cisco Unified Intelligence Center. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Mozilla Security Advisories 2025-05-20 ∗∗∗ --------------------------------------------- Thunderbird (critical) and Firefox (low) --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (mozilla-ublock-origin and sudo-rs), Oracle (.NET 8.0, compat-openssl10, grafana, osbuild-composer, redis:6, ruby:2.5, and webkit2gtk3), SUSE (dante, firefox-esr, gnuplot, govulncheck-vulndb, grype, postgresql13, postgresql14, postgresql15, postgresql16, postgresql17, python-tornado6, python314, thunderbird, ucode-intel, and xen), and Ubuntu (bind9, libfcgi-perl, linux-ibm-5.4, linux-oracle-5.4, postgresql-17, and Tomcat). --------------------------------------------- https://lwn.net/Articles/1022189/ ∗∗∗ Authentifizierung: Kritische Lücke in Samlify macht Angreifer zu Admins ∗∗∗ --------------------------------------------- Admins, die Single-Sign-On-Anmeldungen (SSO) über die weitverbreitete Node.js-Bibliothek Samlify realisieren, sollten den verfügbaren Sicherheitspatch zeitnah installieren. Geschieht das nicht, können Angreifer die Authentifizierung umgehen und mit weitreichenden Rechten auf Systeme zugreifen. [..] Auf die "kritische" Sicherheitslücke (CVE-2025-47949) sind Sicherheitsforscher von Endor Labs gestoßen. --------------------------------------------- https://heise.de/-10392315 ∗∗∗ Angreifer können mit VMware erstellte virtuelle Maschinen crashen ∗∗∗ --------------------------------------------- Aus der Warnmeldung geht hervor, dass die am gefährlichsten eingestufte Schwachstelle (CVE-2025-41225 "hoch") vCenter Server betrifft. An dieser Stelle kann ein authentifizierter Angreifer eigene Befehle ausführen. Verfügt ein Angreifer über Gast-VM-Rechte, kann er für eine Gast-VM einen DoS-Zustand erzeugen (CVE-2025-41226 "mittel"). So etwas führt in der Regel zu Abstürzen. Weiterhin sind noch weitere DoS-Attacken (CVE-2025-41227 "mittel") und XSS-Angriffe (CVE-2025-41228 "mittel") möglich. --------------------------------------------- https://heise.de/-10392911 ∗∗∗ Drupal Security Advisories 2025-05-21 ∗∗∗ --------------------------------------------- https://www.drupal.org/security ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 12, 2025 to May 18, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2025
by Daily end-of-shift report 21 May '25

21 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-05-2025 18:00 − Mittwoch 21-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 11’s most important new feature is post-quantum cryptography. Here’s why. ∗∗∗ --------------------------------------------- For the first time, new quantum-safe algorithms can be invoked using standard Windows APIs. --------------------------------------------- https://arstechnica.com/security/2025/05/heres-how-windows-11-aims-to-make-… ∗∗∗ VanHelsing ransomware builder leaked on hacking forum ∗∗∗ --------------------------------------------- The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vanhelsing-ransomware-builde… ∗∗∗ Dero miner zombies biting through Docker APIs to build a cryptojacking horde ∗∗∗ --------------------------------------------- Kaspersky experts break down an updated cryptojacking campaign targeting containerized environments: a Dero crypto miner abuses the Docker API. [..] The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. --------------------------------------------- https://securelist.com/dero-miner-infects-containers-through-docker-api/116… ∗∗∗ Chrome kann unsichere Passwörter künftig komplett selbst ändern ∗∗∗ --------------------------------------------- Googles Chrome-Browser soll bald automatisch Passwörter ändern können, wenn bei der Anmeldung damit erkannt wird, dass es kompromittiert wurde. [..] Im Idealfall bekommen Nutzer und Nutzerinnen in Chrome dann künftig einen Hinweis, wenn ein gespeichertes Passwort in einem Datenleck gefunden wurde und können den Browser dazu bringen, das Passwort durch ein sicheres zu ersetzen. Das wird dann im Passwortmanager von Chrome abgespeichert, das unsichere wird ersetzt. Die automatische Passwortänderung benötigt dafür insgesamt nur einen Klick. --------------------------------------------- https://heise.de/-10391298 ∗∗∗ Sicherheitsbehörden warnen vor russischer Spionage mit IP-Kameras ∗∗∗ --------------------------------------------- Mutmaßliche Mitarbeiter des russischen Militärgeheimdienstes GRU haben sich Zugriff auf Netzwerke und IP-Kameras von Betreibern kritischer Infrastrukturen (KRITIS) verschafft. Das melden unter anderem NSA, FBI, der Bundesnachrichtendienst (BND) und die Bundesämter für Verfassungsschutz (BfV) sowie Sicherheit in der Informationstechnik (BSI).[..] Betroffen sind laut einer Mitteilung der Behörden vor allem Unternehmen aus der Logistikbranche. --------------------------------------------- https://heise.de/-10391927 ∗∗∗ CISA, NIST Researchers Develop Metric to Determine Likelihood of Vulnerability Exploitation ∗∗∗ --------------------------------------------- Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have developed a new security metric to determine the likelihood that a vulnerability has been exploited. In a paper published this week, Peter Mell, formerly of NIST, and CISA’s Jonathan Spring outlined their vulnerability exploit metric that augments the work of the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog. --------------------------------------------- https://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/ ===================== = Vulnerabilities = ===================== ∗∗∗ Lücke in OpenPGP.js gefährdet verschlüsselten E-Mail-Verkehr ∗∗∗ --------------------------------------------- In OpenPGP.js, einer weitverbreiteten Javascript-Implementierung von OpenPGP, klafft eine gefährliche Sicherheitslücke, durch die sich das Ergebnis der Signaturprüfung fälschen lässt. Laut einer Sicherheitsmeldung auf Github kann ein Angreifer speziell manipulierte Daten an die Funktionen openpgp.verify oder openpgp.decrypt übergeben, um verschlüsselte und/oder signierte Nachrichten zu spoofen. CVE-2025-47934 --------------------------------------------- https://www.golem.de/news/manipulationsgefahr-luecke-in-openpgp-js-gefaehrd… ∗∗∗ Mehrere Schwachstellen bei eCharge Hardy Barth cPH2 und cPP2 Ladestationen ∗∗∗ --------------------------------------------- Hardy Barth EV charging station products are affected by critical vulnerabilities that can be exploited through both physical access and unauthenticated network access. These vulnerabilities pose significant risks, including system compromise, data breaches, and operational disruptions within EV charging infrastructures. [..] The vendor has not provided a fix for any of the reported vulnerabilities. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… ∗∗∗ Mehrere Sicherheitslücken bedrohen VMware Cloud Foundation ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, sind die Lücken (CVE-2025-41229, CVE-2025-41230, CVE-2025-41231) mit dem Bedrohungsgrad "hoch" eingestuft. Nutzen Angreifer die Schwachstellen erfolgreich aus, können sie etwa im Netzwerk über den Port 443 auf sensitive Informationen oder interne Services zugreifen. --------------------------------------------- https://heise.de/-10390932 ∗∗∗ Millions of Node.js Apps at Risk Due to Critical Multer Vulnerabilities ∗∗∗ --------------------------------------------- Two high-severity security flaws have been identified in Multer, a popular middleware used in Node.js applications for handling file uploads. The Multer vulnerabilities, tracked as CVE-2025-47944 and CVE-2025-47935, affect all versions from 1.4.4-lts.1 up to but not including 2.0.0. According to the GitHub post, the two vulnerabilities “allow an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. --------------------------------------------- https://thecyberexpress.com/multer-vulnerabilities-expose-node-js/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, avahi, buildah, compat-openssl10, compat-openssl11, expat, firefox, gimp, git, grafana, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:22, osbuild-composer, php, redis, redis:7, skopeo, thunderbird, vim, webkit2gtk3, xterm, and yelp), Arch Linux (dropbear, freetype2, go, nodejs, nodejs-lts-iron, nodejs-lts-jod, python-django, webkit2gtk, webkit2gtk-4.1, webkitgtk-6.0, and wpewebkit), Debian (mongo-c-driver), Fedora (openssh, perl-Mojolicious, thunderbird, yelp, and yelp-xsl), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-ibm-semeru-certified-jdk, java-21-openjdk, kernel, libxslt, ruby, ruby:3.1, ruby:3.3, unbound, and webkit2gtk3), SUSE (glib2, grub2, kernel, libwebp, openssh, and s390-tools), and Ubuntu (linux, linux-azure, linux-azure-6.11, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oem-6.11, linux-raspi, linux-realtime, linux-azure, linux-azure-5.15, linux-nvidia-tegra, linux-azure, linux-azure-6.8, linux-oem-6.8, linux-azure, linux-kvm, linux-azure-fips, linux-azure-nvidia, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, mariadb-10.6, and postgresql-12, postgresql-14, postgresql-16). --------------------------------------------- https://lwn.net/Articles/1022030/ ∗∗∗ Assured Telematics Inc (ATI) Fleet Management System with Geotab Integration ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-11 ∗∗∗ Vertiv Liebert RDU101 and UNITY ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-10 ∗∗∗ AutomationDirect MB-Gateway ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-09 ∗∗∗ Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-04 ∗∗∗ f5: K000151431: Intel Ethernet Controller and Adapter vulnerability CVE-2024-24983 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000151431 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2025
by Daily end-of-shift report 20 May '25

20 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 19-05-2025 18:00 − Dienstag 20-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains ∗∗∗ --------------------------------------------- A threat actor named Hazy Hawk has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS). --------------------------------------------- https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-… ∗∗∗ 100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads ∗∗∗ --------------------------------------------- An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. --------------------------------------------- https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html ∗∗∗ Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more… ∗∗∗ --------------------------------------------- Overall, we’ve proven that although a fair amount of effort has been put into enforcing the restrictions of Restricted View there are plenty of ways to circumvent them. Therefore, it is important for administrators and users to understand that it can not be relied on to secure data against motivated attackers. --------------------------------------------- https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-… ∗∗∗ Duping Cloud Functions: An emerging serverless attack vector ∗∗∗ --------------------------------------------- Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure. --------------------------------------------- https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serve… ∗∗∗ Compromised RVTools Installer Spreading Bumblebee Malware ∗∗∗ --------------------------------------------- RVTools installer on its official site was found delivering malware. Research shows it spread Bumblebee loader. Users urged to verify downloads. --------------------------------------------- https://hackread.com/compromised-rvtools-installer-drop-bumblebee-malware/ ∗∗∗ Gehärtete Images von Docker verbessern die Sicherheit und entlasten Entwickler ∗∗∗ --------------------------------------------- Mit den Hardened Images (DHI) bietet Docker sichere, schlanke und Compliance-konforme Images. Mit dabei sind unter anderem Microsoft, Neo4J oder GitLab. --------------------------------------------- https://heise.de/-10388766 ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3 Security Advisories Tue. 20th May, 2025 ∗∗∗ --------------------------------------------- TYPO3 has released 11 new security advisories. --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, python311-cramjam, python311-httptools, python311-jwcrypto, python311-loguru, python311-mechanize, python311-nltk, python311-oauthlib, python311-py7zr, python311-pycapnp, python311-pyspnego, python311-pywayland, python311-suds, python311-treq, python311-ujson, python311-waitress, ruby3.4-rubygem-actionmailer, ruby3.4-rubygem-actiontext, ruby3.4-rubygem-activerecord, ruby3.4-rubygem-activestorage, ruby3.4-rubygem-fluentd, ruby3.4-rubygem-globalid, ruby3.4-rubygem-jquery-rails, ruby3.4-rubygem-kramdown, ruby3.4-rubygem-loofah, ruby3.4-rubygem-multi_xml, ruby3.4-rubygem-puma, ruby3.4-rubygem-rails, ruby3.4-rubygem-rails-html-sanitizer, ruby3.4-rubygem-sprockets, ruby3.4-rubygem-web-console, ruby3.4-rubygem-websocket-extensions, ucode-intel-20250512, and valkey), and Ubuntu (dotnet8, dotnet9, linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-oracle, linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/1021740/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips). --------------------------------------------- https://lwn.net/Articles/1021812/ ∗∗∗ 22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/22000-wordpress-sites-affected-by-pr… ∗∗∗ Danfoss AK-SM 8xxA Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-03 ∗∗∗ National Instruments Circuit Design Suite ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-02 ∗∗∗ ABUP IoT Cloud Platform ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2025
by Daily end-of-shift report 19 May '25

19 May '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-05-2025 18:00 − Montag 19-05-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Curl-Entwickler warnt: Unicode-Trick gefährdet Softwareprojekte auf Github ∗∗∗ --------------------------------------------- Die wenigsten Entwickler dürften die Unterschiede zwischen bestimmten Unicode-Zeichen zuverlässig erkennen. Gerade auf Github ist das ein Problem. --------------------------------------------- https://www.golem.de/news/curl-entwickler-warnt-unicode-trick-gefaehrdet-so… ∗∗∗ Warnung vor brancheneintrag24.com ∗∗∗ --------------------------------------------- Derzeit kursieren betrügerische E-Mails, die von der Adresse info(a)brancheneintrag24.com stammen. Im Anhang befindet sich ein Formular, das Unternehmen angeblich zur Aktualisierung ihres Brancheneintrags auffordert. [..] Mit dem Ausfüllen und Zurücksenden des Formulars wird ein kostenpflichtiger Vertrag abgeschlossen. --------------------------------------------- https://www.zettasecure.com/post/warnung-vor-brancheneintrag24-com ∗∗∗ Fake-Shops: Laufsportbegeisterte im Visier von Kriminellen ∗∗∗ --------------------------------------------- Laufschuhe von Top-Marken zu absoluten Niedrigstpreisen?! Vorsicht! Aktuell tauchen vermehrt Fake-Shops für Sportschuhe und anderes Equipment auf. Wer in einem derartigen Store bestellt, schaut in der Regel durch die Finger. Kommt doch eine Lieferung an, enthält diese nur minderwertige Kopien. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-fuer-laufschuhe/ ∗∗∗ Windows: Bitlocker-Verschlüsselung über Bitpixie (CVE-2023-21563) ausgehebelt ∗∗∗ --------------------------------------------- Die von Microsoft für Windows verwendete Bitlocker-Verschlüsselung für Datenträger lässt sich über die Bitpixie-Schwachstelle (CVE-2023-21563) per Software aushebeln, wenn gewisse Randbedingungen gelten. [..] Der jetzt bekannt gewordene Angriff ist nicht neues, sondern ein Proof of Concept, den Administratoren ggf. in eigenen Systemen testen können. [..] Die Bitpixie-Schwachstelle – und ganz allgemein sowohl hardware- als auch softwarebasierte Angriffe – kann durch Erzwingen einer Pre-Boot-Authentifizierung entschärft werden. --------------------------------------------- https://www.borncity.com/blog/2025/05/18/windows-bitlocker-verschluesselung… ∗∗∗ Windows 10/11: Defender mit simplen Tool Defendnot deaktivierbar ∗∗∗ --------------------------------------------- Microsoft hat in Windows 10 und Windows 11 eine Schnittstelle (API) eingebaut, über die Hersteller von Antivirus-Software bei deren Installation den Microsoft Defender deaktivieren können. Einige Leute (darunter ein Blog-Leser) haben nun gezeigt, wie man mit einer einfachen Software (no-defender oder Defendnot) den Windows Defender deaktivieren kann. --------------------------------------------- https://www.borncity.com/blog/2025/05/19/windows-10-11-defender-mit-simplen… ∗∗∗ Ivanti EPMM Zero-Days: Reconnaissance to Exploitation ∗∗∗ --------------------------------------------- Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile systems. --------------------------------------------- https://www.greynoise.io/blog/ivanti-epmm-zero-days-reconnaissance-exploita… ∗∗∗ VM escape in Oracle VirtualBox via VGA device ∗∗∗ --------------------------------------------- We provide a proof-of-concept that demonstrates how to exploit this vulnerability to fully escape a virtual machine. --------------------------------------------- https://github.com/google/security-research/security/advisories/GHSA-qx2m-r… ∗∗∗ Passwords are okay, impulsive Internet isnt ∗∗∗ --------------------------------------------- Every few weeks, I come across an article telling us how passwords are bad and how we need to go "passwordless". These pieces are written by mostly well-intended nerds who think technology can solve basic problems in human behavior. --------------------------------------------- https://www.dedoimedo.com/life/passwords-passkeys.html ∗∗∗ New Community Resource: Attribution to IP ∗∗∗ --------------------------------------------- The Curated Intelligence community has shared a new collection for CTI analysts and others who perform cybersecurity research duties. A new GitHub repository has been created that contains a collection of methods to learn who the owner of an IP address is. --------------------------------------------- https://www.curatedintel.org/2025/05/new-community-resource-attribution-to-… ===================== = Vulnerabilities = ===================== ∗∗∗ Mozilla Security Advisories May 17, 2025 ∗∗∗ --------------------------------------------- Firefox ESR 115.23.1, ESR 128.10.1 and 138.0.4. Critical --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Angreifer können Verbindungen von Sonicwall SMA1000 manipulieren ∗∗∗ --------------------------------------------- In einer Warnmeldung führt der Anbieter von Netzwerktechnik aus, dass Angreifer im Zuge einer Server-side-request-forgery-Attacke (SSRF) Anfragen an etwa von ihnen kontrollierte Server umleiten können (CVE-2025-40595 "hoch"). --------------------------------------------- https://heise.de/-10387581 ∗∗∗ Thousands of WordPress Sites at Risk Due to Critical Crawlomatic Plugin Vulnerability ∗∗∗ --------------------------------------------- A severe security vulnerability has been discovered in the popular WordPress plugin, Crawlomatic Multisite Scraper Post Generator, potentially placing thousands of websites at risk. Tracked as CVE-2025-4389, the flaw allows unauthenticated attackers to upload malicious files, which could ultimately lead to remote code execution on affected websites. --------------------------------------------- https://thecyberexpress.com/crawlomatic-plugin-hit-by-cve-2025-4389/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2025
by Daily end-of-shift report 16 May '25

16 May '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-05-2025 18:01 − Freitag 16-05-2025 18:01 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FBI: US officials targeted in voice deepfake attacks since April ∗∗∗ --------------------------------------------- The FBI warned that cybercriminals using AI-generated audio deepfakes to target U.S. officials in voice phishing attacks that started in April. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in… ∗∗∗ Ransomware gangs increasingly use Skitnet post-exploitation malware ∗∗∗ --------------------------------------------- Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingl… ∗∗∗ Understanding CSRF: Cross-site Request Forgery Explained ∗∗∗ --------------------------------------------- Cross-Site Request Forgery, often called CSRF (or its other nicknames, Session Riding and XSRF), is a tricky type of attack. In short, it lets attackers make users do things on websites without their consent or knowledge. This attack works by misusing the trust a web application puts in a user’s browser once they’re logged in. By duping the browser into sending fake requests (usually through shady emails or misleading links), CSRF allows unauthorized commands to hit a website. And since these requests seem to come from a legitimate, logged-in user, the website has a hard time spotting the fakes, which can open the door to significant security problems. --------------------------------------------- https://blog.sucuri.net/2025/05/understanding-csrf-cross-site-request-forge… ∗∗∗ Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. --------------------------------------------- https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html ∗∗∗ VNC. RDP for all to see ∗∗∗ --------------------------------------------- VNC (Virtual Network Computing) is a widely deployed service in perhaps forgotten corners of legacy enterprise networks. This is mainly because it’s a tried and trusted protocol that simply works, however this is disregarding its security flaws and disadvantages in the modern age. --------------------------------------------- https://www.pentestpartners.com/security-blog/vnc-rdp-for-all-to-see/ ∗∗∗ Operation RoundPress ∗∗∗ --------------------------------------------- This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/operation-roundpress/ ∗∗∗ Commit Stomping ∗∗∗ --------------------------------------------- Commit Stomping is a technique inspired by timestomping, a well-known method used in offensive operations where file metadata is manipulated to hide the true timing of actions. In Git, Commit Stomping involves altering commit timestamps to mislead observers about when changes were introduced. --------------------------------------------- https://blog.zsec.uk/commit-stomping/ ===================== = Vulnerabilities = ===================== ∗∗∗ Printer company provided infected software downloads for half a year ∗∗∗ --------------------------------------------- When Cameron Coward, the Youtuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the Antivirus software alerted him of a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems. --------------------------------------------- https://feeds.feedblitz.com/~/918394763/0/gdatasecurityblog-en~Printer-comp… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, kernel, kernel-rt, redis:6, and yelp and yelp-xsl), Debian (chromium), Red Hat (compat-openssl11, kernel, and thunderbird), and SUSE (nbdkit, open-vm-tools, and rustup). --------------------------------------------- https://lwn.net/Articles/1021482/ ∗∗∗ Malicious ‘Checker’ Packages on PyPI Probe TikTok and Instagram for Valid Accounts ∗∗∗ --------------------------------------------- We often hear about the importance of secure data. Have I Been Pwned and similar websites exist to see if passwords or emails are listed online. However, many people do not understand the ramifications of their own leaked data. --------------------------------------------- https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.05.2025
by Daily end-of-shift report 15 May '25

15 May '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-05-2025 18:01 − Donnerstag 15-05-2025 18:01 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Spies hack high-value mail servers using an exploit from yesteryear ∗∗∗ --------------------------------------------- XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software that, when exploited, allow attackers to execute malicious code in the browsers of people visiting an affected website. XSS first got attention in 2005, with the creation of the Samy Worm, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. XSS exploits abounded for the next decade and have gradually fizzled more recently, although this class of attacks continues now. --------------------------------------------- https://arstechnica.com/security/2025/05/spies-hack-high-value-mail-servers… ∗∗∗ Critical Infrastructure Under Siege: OT Security Still Lags ∗∗∗ --------------------------------------------- With critical infrastructure facing constant cyber threats from the Typhoons and other corners, federal agencies and others are warning security for the OT network, a core technology in many critical sectors, is not powered up enough. --------------------------------------------- https://www.darkreading.com/ics-ot-security/critical-infrastructure-ot-secu… ∗∗∗ Beyond the kill chain: What cybercriminals do with their money (Part 1) ∗∗∗ --------------------------------------------- Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled. --------------------------------------------- https://news.sophos.com/en-us/2025/05/15/beyond-the-kill-chain-what-cybercr… ∗∗∗ Technical Analysis of TransferLoader ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-transfer… ∗∗∗ USA: Bösartige Kommunikationsgeräte in chinesischen Solar-Wechselrichtern ∗∗∗ --------------------------------------------- Bei der Untersuchung von Wechselrichtern aus China durch Experten in den USA wurden in einigen Geräten nicht dokumentierte Kommunikationsgeräte gefunden. US-Energiebehörden wollen das Risiko dieser chinesischen Inverter Medienberichten zufolge neu beurteilen. --------------------------------------------- https://www.heise.de/news/Boesartige-Kommunikationsgeraete-in-Solar-Wechsel… ∗∗∗ Angeblicher Steam-Hack: Datenleck enthält SMS-Sendeprotokolle ∗∗∗ --------------------------------------------- Ein angebliches Datenleck bei der Spieleplattform Steam soll 89 Millionen Datensätze enthalten – ein Unbekannter versucht seit vergangenem Samstag, sie im Darknet für 5.000 US-Dollar zu verkaufen. Doch die Resonanz ist mau und die Brisanz der Daten fraglich. --------------------------------------------- https://heise.de/-10383892 ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal Security Advisories 2025-05-14 ∗∗∗ --------------------------------------------- Drupal has released 7 new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Palo Alto Networks Security Advisories 2025-05-14 ∗∗∗ --------------------------------------------- Palo Alto has released 11 new security advisories. --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Mozilla Foundation Security Advisories 2025-05-13 ∗∗∗ --------------------------------------------- For Thunderbird 138.0.1 and Thunderbird 128.10.1. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack). --------------------------------------------- https://lwn.net/Articles/1021379/ ∗∗∗ Patchday: Lücken in Intel-Software und -Treibern gestopft ∗∗∗ --------------------------------------------- Angreifer können Computer mit Hard- und Software von Intel attackieren. Sind Attacken erfolgreich, können sie unter anderem Denial-of-Service-Zustände (DoS) erzeugen, die in der Regel zu Abstürzen führen. --------------------------------------------- https://heise.de/-10384160 ∗∗∗ Google warnt: Gefährliche Chrome-Lücke wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Im weit verbreiteten Webbrowser Chrome klaffen mehrere gefährliche Sicherheitslücken, von denen eine bereits aktiv von Angreifern ausgenutzt wird. Davor warnt Google in den Release Notes zu einem am Mittwoch bereitgestellten Update. Betroffen ist nicht nur die Windows-Variante von Google Chrome, sondern auch jene für Mac und Linux. Anwender sollten den Browser zeitnah aktualisieren, um sich vor möglichen Angriffen zu schützen. --------------------------------------------- https://www.golem.de/news/google-warnt-gefaehrliche-chrome-luecke-wird-akti… ∗∗∗ Fortinet dichtet mehrere Lücken ab, Angriffe auf FortiVoice beobachtet ∗∗∗ --------------------------------------------- CVE-2025-32756 is a critical stack-based buffer overflow vulnerability affecting multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows unauthenticated remote attackers to execute arbitrary code or commands via crafted HTTP requests, posing a severe security risk. --------------------------------------------- https://www.heise.de/news/Fortinet-dichtet-mehrere-Luecken-ab-Angriffe-auf-… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0004.html ∗∗∗ Reflected cross-site scripting vulnerability in Ricoh laser printers and MFPs which implement Web Image Monitor ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN20474768/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 5, 2025 to May 11, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2025
by Daily end-of-shift report 14 May '25

14 May '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-05-2025 18:00 − Mittwoch 14-05-2025 18:01 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt ∗∗∗ --------------------------------------------- A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads. --------------------------------------------- https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit… ∗∗∗ Intel: Ein weiterer Angriff umgeht alle bisherigen CPU-Schutzmaßnahmen ∗∗∗ --------------------------------------------- Intel hat einen Lauf: Eine weitere Sicherheitslücke öffnet viele Prozessoren erneut für Seitenkanalangriffe trotz bisheriger Schutzmaßnahmen. [..] Wie schon der Angriffstyp Training Solo erfordert BPI physischen Zugriff auf ein System. Daher sind die zugehörigen CVE-Nummern CVE-2024-43420, CVE-2025-20623 und CVE-2024-45332 nur mit dem Schweregrad Medium bewertet. --------------------------------------------- https://heise.de/-10383474 ∗∗∗ A Privacy Mechanism That Backfired ∗∗∗ --------------------------------------------- Some bugs are more interesting than others. Last time I mentioned how CVE-2025-24091 was one of my favorite iOS vulnerabilities so far. That was because I wasn’t yet allowed to disclose my actual favorite! This post is about CVE-2025-31212, the most ironic vulnerability I’ve ever found, and here's why... --------------------------------------------- https://rambo.codes/posts/2025-05-12-a-privacy-mechanism-that-backfired ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti EPMM: Remote Code Execution Schwachstellen (CVE-2025-4427, CVE-2025-4428) - Updates verfügbar ∗∗∗ --------------------------------------------- Ivanti veröffentlichte am 13. Mai Updates & Sicherheitsadvisories zu zwei Schwachstellen in Ivanti Endpoint Manager Mobile (EPMM). Die verkettete Ausnutzung der beiden Lücken kann zur unauthentifizierten Ausführung von Schadcode genutzt werden. Ivanti gibt an die Ausnutzung dieser Lücken auf einer limitierten Anzahl an Systemen, bereits vor der Veröffentlichtung des Advisories, beobachtet zu haben. CVE-Nummern: CVE-2025-4427, CVE-2025-4428 --------------------------------------------- https://www.cert.at/de/warnungen/2025/5/ivanti-epmm-rce ∗∗∗ Microsoft primes 71 fixes for May Patch Tuesday ∗∗∗ --------------------------------------------- Five issues actively exploited in the wild, but the real excitement may have been handled in advance. --------------------------------------------- https://news.sophos.com/en-us/2025/05/14/microsoft-primes-71-fixes-for-may-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools). --------------------------------------------- https://lwn.net/Articles/1021199/ ∗∗∗ Patchday Adobe: Schadcode-Attacken auf InDesign und Photoshop möglich ∗∗∗ --------------------------------------------- Adobe schließt Sicherheitslücken in mehreren Anwendungen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://heise.de/-10382767 ∗∗∗ VIdeokonferenzen: Hochriskante Rechteausweitungslücken in Zoom Workplace Apps ∗∗∗ --------------------------------------------- Zoom meldet mehrere Sicherheitslücken in den Workplace Apps der Videokonferenzsoftware. Eine verpasst den Status "kritisch" nur knapp. --------------------------------------------- https://heise.de/-10383108 ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ MISP 2.4.209 / 2.5.11 Release Notes Latest ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2025
by Daily end-of-shift report 13 May '25

13 May '25

===================== = End-of-Day report = ===================== Timeframe: Montag 12-05-2025 18:00 − Dienstag 13-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer ∗∗∗ --------------------------------------------- Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script, they were tricked into executing via a Google Drive document. --------------------------------------------- https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-St… ∗∗∗ Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq ∗∗∗ --------------------------------------------- Turkish spies exploited a zero-day bug in a messaging app to collect info on the Kurdish army in Iraq, according to Microsoft, which says the attacks began more than a year ago. Specifically, the snoops abused CVE-2025-27920, a directory traversal vulnerability in version 2.0.62 of messaging app Output Messenger, and the intrusions began in April 2024. The app's developer Srimax issued a software update in December to patch the hole, however not all users applied the fixes. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/turkish_spie… ∗∗∗ As US vuln-tracking falters, EU enters with its own security bug database ∗∗∗ --------------------------------------------- The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/13/eu_security_… ∗∗∗ SAP-Patchday: Kritische Netweaver-Lücke und viele mehr gestopft ∗∗∗ --------------------------------------------- SAP veröffentlicht im Mai 2025 insgesamt 16 neue Sicherheitsmeldungen. Sie behandeln teils kritische Sicherheitslücken in diversen Produkten aus dem Business-Softwarekatalog des Unternehmens. --------------------------------------------- https://heise.de/-10381863 ∗∗∗ Auditing Moodles core hunting for logical bugs ∗∗∗ --------------------------------------------- The following article explains how, during an audit, we examined Moodle (v4.4.3) and found ways of bypassing all the restrictions preventing SSRF vulnerabilities from being exploited. --------------------------------------------- http://blog.quarkslab.com/auditing-moodles-core-hunting-for-logical-bugs.ht… ∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗ --------------------------------------------- A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025. --------------------------------------------- http://blog.quarkslab.com/technical-dive-into-modern-phishing.html ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Updates Everything: May 2025 Edition, (Mon, May 12th) ∗∗∗ --------------------------------------------- Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem. --------------------------------------------- https://isc.sans.edu/diary/rss/31942 ∗∗∗ Perfekt implementierte Sicherungen ausgehebelt: Spectre-Angriffe sind zurück ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen schützen nicht immer gegen Spectre-artige Seitenkanalangriffe auf Prozessoren, selbst wenn sie perfekt implementiert sind und verschiedene Domains voneinander abschotten. Zu dem Ergebnis kommen Forscher der Systems and Network Security Group an der Vrije Universiteit Amsterdam (VUSec). --------------------------------------------- https://www.heise.de/news/Perfekt-implementierte-Sicherungen-ausgehebelt-Sp… ∗∗∗ 82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme ∗∗∗ --------------------------------------------- On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. --------------------------------------------- https://www.wordfence.com/blog/2025/05/82000-wordpress-sites-affected-by-ar… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/1020948/ ∗∗∗ Stack-based buffer overflow vulnerability in API ∗∗∗ --------------------------------------------- A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-25-254 ∗∗∗ EPMM Security Update ∗∗∗ --------------------------------------------- To this end, we are issuing an important security update addressing vulnerabilities associated with open-source libraries used in Ivanti Endpoint Manager Mobile (EPMM). At the time of disclosure, we are aware of a very limited number of customers whose solution has been exploited. The issue only affects the on-prem EPMM product. --------------------------------------------- https://www.ivanti.com/blog/epmm-security-update ∗∗∗ Xen Security Advisory CVE-2024-28956 / XSA-469 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-469.html ∗∗∗ Möglichkeit für Replay-Attacken im Tiiwee X1 Alarm System (SYSS-2025-006) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/moeglichkeit-fuer-replay-attacken-im-tiiwe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily