=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-09-2025 18:00 − Wednesday 10-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Phishing in the name of the WKO: sensitive data targeted ∗∗∗
---------------------------------------------
Criminals are currently copying a genuine e-mail message from the Austrian Economic Chamber (Wirtschaftskammer Österreich). Via an attached HTML document they try to lure their victims to a fake portal and harvest sensitive data there. We show you how to recognise the fraud attempt.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-wko/
∗∗∗ You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819) ∗∗∗
---------------------------------------------
Today, inside this hellscape we call the Internet, a mean person has discovered a zero-day(s) in FreePBX (now lovingly called CVE-2025-57819). But they didn’t stop there - the dastardly individual(s) then proceeded to exploit FreePBX hosts en masse. [..] Today, we are publishing our Detection Artefact Generator which you can find here.
---------------------------------------------
https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phon…
∗∗∗ US Investment in Spyware Is Skyrocketing ∗∗∗
---------------------------------------------
A new report warns that the number of US investors in powerful commercial spyware rose sharply in 2024 and names new countries linked to the dangerous technology.
---------------------------------------------
https://www.wired.com/story/us-spyware-investment/
∗∗∗ CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.
---------------------------------------------
https://thehackernews.com/2025/09/chillyhell-macos-backdoor-and-zynorrat.ht…
∗∗∗ Pwn My Ride: Exploring the CarPlay Attack Surface ∗∗∗
---------------------------------------------
At the recent DefCon conference, we had the opportunity to present Pwn My Ride, a comprehensive exploration of the Apple CarPlay attack surface. With vehicles becoming increasingly connected, the security of in-car systems like CarPlay is critical.
---------------------------------------------
https://www.oligo.security/blog/pwn-my-ride-exploring-the-carplay-attack-su…
∗∗∗ Kerberoasting ∗∗∗
---------------------------------------------
These “Kerberoasting” attacks have been around for ages: the technique and name is credited to Tim Medin who presented it in 2014 (and many popular blogs followed up on it) but the vulnerabilities themselves are much older. [..] I’ll bet most Windows people already know this stuff, but I only happened to learn about it today, after seeing a letter from Senator Wyden to Microsoft, describing how this vulnerability was used in the May 2024 ransomware attack on the Ascension Health hospital system.
---------------------------------------------
https://blog.cryptographyengineering.com/2025/09/10/kerberoasting/
∗∗∗ New Linux Botnet Combines Cryptomining and DDoS Attacks ∗∗∗
---------------------------------------------
Cyble threat intelligence researchers have identified a sophisticated Linux botnet built for cryptocurrency mining, remote command execution, and dozens of DDoS attack types. Cyble Research and Intelligence Labs (CRIL) researchers have dubbed the campaign “Luno.”
---------------------------------------------
https://thecyberexpress.com/linux-botnet-combines-cryptomining-and-ddos/
∗∗∗ Apple Introduces Memory Integrity Enforcement in iPhone 17 to Fight Spyware Exploits ∗∗∗
---------------------------------------------
Apple has introduced Memory Integrity Enforcement (MIE), a system-wide security feature designed to crush one of the most persistent threats to iPhone users—that of spyware. The company describes MIE as “the most significant upgrade to memory safety in the history of consumer operating systems.”
---------------------------------------------
https://thecyberexpress.com/memory-integrity-enforcement-in-iphone-17/
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days ∗∗∗
---------------------------------------------
Today is Microsoft's September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities. [..] The two publicly disclosed zero-days are: CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability [..] CVE-2024-21907 - VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-pa…
∗∗∗ Adobe Patchday: vulnerabilities in Acrobat & Co. can let malicious code onto PCs ∗∗∗
---------------------------------------------
List of the security patches: Acrobat and Reader, After Effects, ColdFusion, Commerce, Dreamweaver, Experience Manager, Premiere Pro, Substance 3D Modeler, Substance 3D Viewer
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-Luecken-in-Acrobat-Co-koennen-Scha…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).
---------------------------------------------
https://lwn.net/Articles/1037471/
∗∗∗ CISA Releases Fourteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-252-01 Rockwell Automation ThinManager,
ICSA-25-252-02 ABB Cylon Aspect BMS/BAS,
ICSA-25-252-03 Rockwell Automation Stratix IOS,
ICSA-25-252-04 Rockwell Automation FactoryTalk Optix,
ICSA-25-252-05 Rockwell Automation FactoryTalk Activation Manager,
ICSA-25-252-06 Rockwell Automation CompactLogix® 5480,
ICSA-25-252-07 Rockwell Automation ControlLogix 5580,
ICSA-25-252-08 Rockwell Automation Analytics LogixAI,
ICSA-25-252-09 Rockwell Automation 1783-NATR
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/09/cisa-releases-fourteen-i…
∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-09-2025 18:00 − Tuesday 09-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ TOR-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. Akamai, which discovered the latest activity last month, said it's designed to block other actors from accessing the Docker API from the internet.
---------------------------------------------
https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.ht…
∗∗∗ GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies ∗∗∗
---------------------------------------------
Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. It's currently not known how the digital intruders gained access to the GitHub account.
---------------------------------------------
https://thehackernews.com/2025/09/github-account-compromise-led-to.html
∗∗∗ RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities ∗∗∗
---------------------------------------------
A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.
---------------------------------------------
https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.h…
∗∗∗ Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks ∗∗∗
---------------------------------------------
Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft's Direct Send feature to form a "highly efficient attack pipeline" in recent phishing campaigns, according to new findings from ReliaQuest.
---------------------------------------------
https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html
∗∗∗ Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data ∗∗∗
---------------------------------------------
Silent Push has identified dozens of previously unreported domains, all aiming to obtain long-term, stealthy access to targeted organizations, used by the Chinese APT group, Salt Typhoon, along with some related People’s Republic of China (PRC) state-backed threat actors.
---------------------------------------------
https://www.silentpush.com/blog/salt-typhoon-2025/
∗∗∗ BSI warns: "Digital attack surfaces in the automotive sector are growing rapidly" ∗∗∗
---------------------------------------------
Digital services, over-the-air updates, AI and networked control units shape vehicle architectures, the BSI notes. Manufacturers and suppliers must take precautions.
---------------------------------------------
https://www.heise.de/news/BSI-warnt-Digitale-Angriffsflaechen-im-Automobils…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).
---------------------------------------------
https://lwn.net/Articles/1037308/
∗∗∗ Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed ∗∗∗
---------------------------------------------
An analysis of the Gentlemen ransomware group, which employs advanced, adaptive tactics, techniques, and procedures to target critical industries worldwide.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-rans…
∗∗∗ Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware ∗∗∗
---------------------------------------------
Hackers exploit a Sitecore zero-day (CVE-2025-53690) to deploy WEEPSTEEL Malware via ViewState attacks, enabling Remote Code Execution (RCE).
---------------------------------------------
https://hackread.com/zero-day-sitecore-exploited-deploy-weepsteel-malware/
∗∗∗ OpenAI paper: hallucinations apparently unavoidable ∗∗∗
---------------------------------------------
A new scientific paper published by OpenAI deals with hallucinations, i.e. false information and connections that large language models (LLMs), and thus AI chatbots, produce. All AI companies are working to keep hallucinations as low as possible. Eliminating them entirely, however, appears impossible. That is now what OpenAI itself writes.
---------------------------------------------
https://heise.de/-10637744
∗∗∗ LockBit Attempts Comeback with LockBit 5.0 Ransomware Release ∗∗∗
---------------------------------------------
LockBit was once the most feared ransomware group until global law enforcement action sent the group into decline last year. Now the threat group hopes to mount a comeback with LockBit 5.0.
---------------------------------------------
https://thecyberexpress.com/lockbit-5-0-ransomware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe patches critical SessionReaper flaw in Magento eCommerce platform ∗∗∗
---------------------------------------------
Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers call SessionReaper and describe as one of "the most severe" flaws in the history of the product.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessi…
∗∗∗ Popular JavaScript packages tampered with ∗∗∗
---------------------------------------------
A number of popular JavaScript packages were recently tampered with in order to manipulate cryptocurrency transactions. The cause of this supply-chain attack appears to have been a successful phishing attack against the maintainer of these packages and their npm account. Manipulated versions of the affected packages have already been withdrawn.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/9/populare-javascript-pakete-manipuli…
∗∗∗ September 2025 Security Update ∗∗∗
---------------------------------------------
Ivanti is disclosing vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access.
---------------------------------------------
https://www.ivanti.com/blog/september-2025-security-update
∗∗∗ SAP Security Patch Day – September 2025 ∗∗∗
---------------------------------------------
SAP has released its September 2025 security patch package containing 26 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 10.0, four High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, S/4HANA, SAP HCM, Business Planning and Consolidation, Commerce Cloud, and SAP Business One.
---------------------------------------------
https://redrays.io/blog/sap-security-patch-day-september-2025/
∗∗∗ VU#461364: Hiawatha open-source web server has multiple vulnerabilities ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/461364
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-09-2025 18:00 − Monday 08-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ iCloud Calendar abused to send phishing emails from Apple’s servers ∗∗∗
---------------------------------------------
iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple's email servers, making them more likely to bypass spam filters to land in targets' inboxes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/icloud-calendar-abused-to-se…
∗∗∗ Fraunhofer SIT gives up: Volksverschlüsselung is being discontinued ∗∗∗
---------------------------------------------
Volksverschlüsselung, a joint initiative of the Fraunhofer Institute for Secure Information Technology (SIT) and Deutsche Telekom, will be discontinued on 31 January 2026 after roughly ten years of existence. This follows from an announcement on the associated website. The aim of Volksverschlüsselung was to make end-to-end encrypted communication more user-friendly. But the project met with criticism right from the start.
---------------------------------------------
https://www.golem.de/news/fraunhofer-sit-gibt-auf-die-volksverschluesselung…
∗∗∗ Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test ∗∗∗
---------------------------------------------
A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.
---------------------------------------------
https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html
∗∗∗ GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.
---------------------------------------------
https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html
∗∗∗ Netflix phishing e-mail in circulation ∗∗∗
---------------------------------------------
An e-mail purporting to come from Netflix is currently circulating. It claims that an update of the account data is required; otherwise, €8.99 would be due and access would be restricted. Caution: it is a fake! The message leads to a phishing website through which criminals try to steal account data.
---------------------------------------------
https://www.watchlist-internet.at/news/netflix-phishing-mail-im-umlauf-1/
∗∗∗ Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs ∗∗∗
---------------------------------------------
The intrusion began in September 2024 with a download of a malicious file mimicking the EarthTime application by DeskSoft. Upon execution, SectopRAT was deployed which opened a connection to its command and control (C2) infrastructure. The threat actor established persistence by relocating the malicious file and placing a shortcut in the Startup folder, configured to trigger on user logon. They further elevated access by creating a new local account and assigning it local administrative privileges.
---------------------------------------------
https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-con…
∗∗∗ GhostAction Attack Steals 3,325 Secrets from GitHub Projects ∗∗∗
---------------------------------------------
On September 2, 2025, a GitHub user known as Grommash9 committed a new workflow file to the FastUUID project. The file, labelled “Github Actions Security,” appeared similar to routine automation scripts but was later found to contain malicious code designed to collect CI/CD secrets and send them to an external server.
---------------------------------------------
https://hackread.com/ghostaction-attack-steals-github-projects-secrets/
∗∗∗ Lazarus Group Deploys Malware With ClickFix Scam in Fake Job Interviews ∗∗∗
---------------------------------------------
A recent investigation by SentinelLABS and internet intelligence platform Validin reveals that North Korean threat actors behind the Contagious Interview campaign are actively abusing public cybersecurity platforms like Validin, Maltrail, and VirusTotal to improve their malicious activities.
---------------------------------------------
https://hackread.com/lazarus-group-malware-clickfix-scam-fake-job-interview/
∗∗∗ MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access ∗∗∗
---------------------------------------------
FortiGuard Labs recently discovered a phishing campaign that employs multiple advanced evasion techniques. These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing Command and Control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools to grant attackers complete control over the compromised system.
---------------------------------------------
https://feeds.fortinet.com/~/924516446/0/fortinet/blogs~MostereRAT-Deployed…
∗∗∗ Ecovacs Deebot: attackers can inject arbitrary code ∗∗∗
---------------------------------------------
Vulnerability descriptions published over the weekend discuss, in part, high-risk security holes in robot vacuum cleaners from Ecovacs. Updates that close the security gaps have been available for the affected Deebot models for some time. Owners should make sure to bring base stations and robot vacuums up to date.
---------------------------------------------
https://heise.de/-10636233
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).
---------------------------------------------
https://lwn.net/Articles/1037157/
∗∗∗ RICOH Streamline NX vulnerable to tampering with operation history ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN75307484/
∗∗∗ CVE-2025-8699: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft "Stored Value" Unattended Payment Solution ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-e…
∗∗∗ Beckhoff Security Advisory 2025-001: CVE-2025-41701 ∗∗∗
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-09-2025 18:00 − Friday 05-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. ∗∗∗
---------------------------------------------
Everything to know about the mishap that threatened to expose millions of users' queries.
---------------------------------------------
https://arstechnica.com/information-technology/2025/09/the-number-of-mis-is…
∗∗∗ Max severity Argo CD API flaw leaks repository credentials ∗∗∗
---------------------------------------------
An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/max-severity-argo-cd-api-fla…
∗∗∗ Known since May 2024: TP-Link confirms zero-day vulnerability in Archer routers ∗∗∗
---------------------------------------------
TP-Link models sold in this country are also affected. Under certain circumstances, attackers can inject malicious code remotely.
---------------------------------------------
https://www.golem.de/news/seit-mai-2024-bekannt-tp-link-bestaetigt-zero-day…
∗∗∗ IT threat evolution in Q2 2025. Mobile statistics ∗∗∗
---------------------------------------------
The report contains statistics on mobile threats (malware, adware, and unwanted software for Android) for Q2 2025, as well as a description of the most notable malware types identified during the reporting period.
---------------------------------------------
https://securelist.com/malware-report-q2-2025-mobile-statistics/117349/
∗∗∗ IT threat evolution in Q2 2025. Non-mobile statistics ∗∗∗
---------------------------------------------
The report presents statistics for Windows, macOS, IoT, and other threats, including ransomware, miners, local and web-based threats, for Q2 2025.
---------------------------------------------
https://securelist.com/malware-report-q2-2025-pc-iot-statistics/117421/
∗∗∗ SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild ∗∗∗
---------------------------------------------
A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of ..
---------------------------------------------
https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html
∗∗∗ Vulnerabilities: Nvidia AI and networking technology is attackable ∗∗∗
---------------------------------------------
Security updates close vulnerabilities in, among others, Nvidia's AI platforms DGX and HGX.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-Nvidia-KI-und-Netzwerktechnik-…
∗∗∗ Stealerium malware secretly takes webcam photos for extortion ∗∗∗
---------------------------------------------
The freely available Stealerium malware detects pornography consumption and secretly takes webcam captures. Cybercriminals use the photos for extortion.
---------------------------------------------
https://www.heise.de/news/Malware-fotografiert-Nutzer-heimlich-bei-Porno-Ko…
∗∗∗ Cyberattack forces Jaguar Land Rover to tell staff to stay at home ∗∗∗
---------------------------------------------
Luxury automaker Jaguar Land Rover says employees should stay home through the weekend as it works to mitigate the impact of a cyberattack.
---------------------------------------------
https://therecord.media/jaguar-land-rover-cyberattack-workers-stay-home
∗∗∗ SEO fraud-as-a-service scheme hijacks Windows servers to promote gambling websites ∗∗∗
---------------------------------------------
A malware campaign dubbed GhostRedirector by researchers at ESET attempts to compromise websites to drive traffic to gambling sites.
---------------------------------------------
https://therecord.media/seo-scheme-windows-malware-gambling-sites-ghostredi…
∗∗∗ Scammers Exploit Grok AI With Video Ad Scam to Push Malware on X ∗∗∗
---------------------------------------------
Researchers at Guardio Labs have uncovered a new “Grokking” scam where attackers trick Grok AI into spreading malicious…
---------------------------------------------
https://hackread.com/scammers-exploit-grok-ai-video-ad-scam-x-malware/
∗∗∗ Microsoft enforces more multi-factor authentication ∗∗∗
---------------------------------------------
Microsoft is updating its plans for "Phase 2" of enforced multi-factor authentication for Azure. On 1 October, more services become subject to it.
---------------------------------------------
https://heise.de/-10633932
∗∗∗ Czechia Warns of Chinese Data Transfers and Remote Administration for Espionage ∗∗∗
---------------------------------------------
Czechia’s national cybersecurity watchdog has issued a warning about foreign cyber operations, focussed on Chinese data transfers and remote administration, urging both government bodies and private businesses to bolster defenses amid rising espionage campaigns tied to China and Russia. The alert, published this week by the National Cyber and I..
---------------------------------------------
https://thecyberexpress.com/czechia-warns-of-chinese-data-transfer/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin).
---------------------------------------------
https://lwn.net/Articles/1036907/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-09-2025 18:00 − Thursday 04-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet ∗∗∗
---------------------------------------------
The three certificates were issued in May but only came to light Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-…
∗∗∗ Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn ∗∗∗
---------------------------------------------
A new specimen of “infostealer” malware offers a disturbing feature: It monitors a target's browser for NSFW content, then takes simultaneous screenshots and webcam photos of the victim.
---------------------------------------------
https://www.wired.com/story/stealerium-infostealer-porn-sextortion/
∗∗∗ Serial offenders claim responsibility for IT attack on Jaguar Land Rover ∗∗∗
---------------------------------------------
Three British criminal gangs have apparently joined forces. They are boasting about the IT attack on Jaguar Land Rover.
---------------------------------------------
https://www.heise.de/news/Serientaeter-bekennen-sich-zu-IT-Angriff-auf-Jagu…
∗∗∗ Critical infrastructure: attacks on industrial control systems possible ∗∗∗
---------------------------------------------
Important security updates have been released for industrial control systems from Hitachi, among others. One patch is still outstanding.
---------------------------------------------
https://www.heise.de/news/Kritische-Infrastrukturen-Attacken-auf-industriel…
∗∗∗ TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts ∗∗∗
---------------------------------------------
The Quad7 botnet is adding End-of-Life TP-Link routers to its arsenal and using them to steal Microsoft 365 accounts.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/tp-link-warns-of-botnet-infe…
∗∗∗ Microsoft support scam: phishing trap instead of online help ∗∗∗
---------------------------------------------
If a pop-up window urges you to call the Microsoft helpline, the utmost caution is called for! Behind the prompt there are no IT experts waiting to help with computer problems. Rather, criminals are using this route to gain access to their victims' accounts.
---------------------------------------------
https://www.watchlist-internet.at/news/microsoft-support-betrug/
∗∗∗ Scattered Lapsus$ Hunters Demand Google Fire Security Experts or Face Data Leak ∗∗∗
---------------------------------------------
Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, Austin Larsen of Google’s Threat Intelligence Group and Charles Carmakal of Mandiant, be fired or they will leak alleged stolen Google data.
---------------------------------------------
https://hackread.com/scattered-lapsus-hunters-google-fire-experts-data-leak/
∗∗∗ 25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming ∗∗∗
---------------------------------------------
GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August including more than 25,000 unique IPs in a single burst. This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day.
---------------------------------------------
https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices
∗∗∗ ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) ∗∗∗
---------------------------------------------
In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. An attacker leveraged the exposed ASP.NET machine keys to perform remote code ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserial…
∗∗∗ Cookie Chaos: How to bypass __Host and __Secure cookie prefixes ∗∗∗
---------------------------------------------
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and ..
---------------------------------------------
https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure…
∗∗∗ Linux Kernel SMB 0-Day Vulnerability CVE-2025-37899 Uncovered Using ChatGPT o3 ∗∗∗
---------------------------------------------
For the first time, a zero-day vulnerability in the Linux kernel has been discovered using a large language model, OpenAI’s o3. Discovered by security researcher Sean Heelan and assigned ..
---------------------------------------------
https://www.upwind.io/feed/linux-kernel-smb-0-day-vulnerability-cve-2025-37…
∗∗∗ s1ngularity's Aftermath: AI, TTPs, and Impact in the Nx Supply Chain Attack ∗∗∗
---------------------------------------------
A deeper look at the Nx supply chain attack: analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation.
---------------------------------------------
https://www.wiz.io/blog/s1ngularitys-aftermath
∗∗∗ Nx Investigation Reveals GitHub Actions Workflow Exploit Led to npm Token Theft, Prompting Switch to Trusted Publishing ∗∗∗
---------------------------------------------
On August 26, 2025, the JavaScript ecosystem witnessed a watershed moment in supply chain security. The popular Nx build system, with over 4.6 million weekly downloads, fell victim to an attack that stole thousands of credentials and pioneered a disturbing new technique: weaponizing AI developer tools for scaling reconnaissance and data theft. The Nx team ..
---------------------------------------------
https://socket.dev/blog/nx-supply-chain-attack-investigation-github-actions…
∗∗∗ Exploit development for IBM i ∗∗∗
---------------------------------------------
At TROOPERS24, we demonstrated how IBM i systems – still widely used in enterprise environments – can be compromised in both authenticated and unauthenticated scenarios, using only built-in services and a basic understanding of the underlying mechanisms. Despite being labeled “legacy,” these systems remain active in finance, logistics, and manufacturing, often handling critical workloads with little attention paid to their security posture.
---------------------------------------------
https://blog.silentsignal.eu/2025/09/04/Exploit-development-for-IBM-i/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-09-2025 18:00 − Wednesday 03-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers breach fintech firm in attempted $130M bank heist ∗∗∗
---------------------------------------------
Hackers tried to steal $130 million from Evertec's Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank's real-time payment system (Pix).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-breach-fintech-firm-…
∗∗∗ What Is a Passkey? Here’s How to Set Up and Use Them (2025) ∗∗∗
---------------------------------------------
Passkeys were built to enable a password-free future. Here's what they are and how you can start using them.
---------------------------------------------
https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/
∗∗∗ Patch day: Critical malicious-code vulnerability threatens Android 15 and 16 ∗∗∗
---------------------------------------------
Important security updates close several security vulnerabilities in various Android versions.
---------------------------------------------
https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-bedroht-Andro…
∗∗∗ Phishing alert: FinanzOnline does not threaten to seize your household goods! ∗∗∗
---------------------------------------------
A very current phishing wave in the name of FinanzOnline is causing great uncertainty. The central threat: seizure of household goods by the bailiff! It sounds alarming, but in truth it is nothing other than an attempted fraud. We explain ..
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-finanzonline-pfaendun…
∗∗∗ Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust ∗∗∗
---------------------------------------------
Model namespace reuse is a potential security risk in the AI supply chain. Attackers can misuse platforms like Hugging Face for remote code execution.
---------------------------------------------
https://unit42.paloaltonetworks.com/model-namespace-reuse/
∗∗∗ Digital sovereignty: Cloud edition. ∗∗∗
---------------------------------------------
The erratic behaviour of the current US administration has heightened concerns about Europe's dependence on the large US cloud operators. In the EU, both the Commission and the Parliament have presented documents on this topic; this year the Commission has already asked for ideas on a Cloud and AI Development Act. In Germany, too, ..
---------------------------------------------
https://www.cert.at/de/blog/2025/9/digitale-souveranitat-cloud-edition
∗∗∗ Cloudflare, Zscaler among companies impacted by Salesloft Drift incident ∗∗∗
---------------------------------------------
Multiple tech firms have publicly detailed how incidents involving the third-party Salesloft Drift tool have exposed customer data.
---------------------------------------------
https://therecord.media/salesloft-drift-breach-cloudflare-zscaler-palo-alto…
∗∗∗ Corruption case against ousted cyber chief is ‘revenge,’ Ukraine’s security service says ∗∗∗
---------------------------------------------
Ukraine’s security service is accusing the country’s anti-corruption agencies of seeking “revenge” by bringing charges against Illia Vitiuk, the former head of the agency’s cybersecurity unit.
---------------------------------------------
https://therecord.media/corruption-case-against-ousted-cyber
∗∗∗ Cloudflare Mitigates Largest Ever Recorded DDoS Attack at 11.5 Tbps ∗∗∗
---------------------------------------------
Cloudflare mitigated the largest DDoS attack ever recorded, an 11.5 Tbps flood that lasted 35 seconds without disrupting…
---------------------------------------------
https://hackread.com/cloudflare-mitigates-largest-ddos-attack-11-5-tbps/
∗∗∗ CISA, NSA and 19 International Partners Release Shared Vision of Software Bill of Materials for Cybersecurity Guide ∗∗∗
---------------------------------------------
CISA, NSA, and 19 international partners release a shared vision of Software Bill of Materials (SBOM) highlighting the importance of SBOM in securing global supply chains & enhancing software resilience worldwide.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-nsa-and-19-international-partner…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, ..
---------------------------------------------
https://lwn.net/Articles/1036567/
∗∗∗ Vulnerability & Patch Roundup — August 2025 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2025/08/vulnerability-patch-roundup-august-2025.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 01-09-2025 18:00 − Tuesday 02-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Zscaler data breach exposes customer info after Salesloft Drift compromise ∗∗∗
---------------------------------------------
In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers' information. [..] This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data. [..] The company stresses that the data breach only impacts its Salesforce instance and no Zscaler products, services, or infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-…
∗∗∗ Stolen OAuth tokens expose Palo Alto customer data ∗∗∗
---------------------------------------------
Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/02/stolen_oauth…
∗∗∗ No, Google did not warn 2.5 billion Gmail users to reset passwords ∗∗∗
---------------------------------------------
This is just the latest such story, which numerous news websites and cybersecurity companies have reported without verification in recent years. [..] However, as the company explained on a Monday blog post addressing these inaccurate stories, "Gmail's protections are strong and effective, and claims of a major Gmail security warning are false."
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-…
∗∗∗ Badges, behavior, and BMS: Why the human perimeter matters in energy cybersecurity ∗∗∗
---------------------------------------------
Over the summer, a hacker brought a 158-year-old European technology company to its knees with a guessed password. By identifying a weak admin credential, the attacker gained access to internal systems and extracted sensitive information, laying the groundwork for a broader ransomware campaign. [..] Energy cybersecurity is not just about software protection — it’s also about managing human interaction and physical access to critical infrastructure. [..] Even the most secure system in the world won’t help if someone holds the door open for the wrong person.
---------------------------------------------
https://blog.se.com/digital-transformation/cybersecurity/2025/09/01/badges-…
∗∗∗ Cookies and how to bake them: what they are for, associated risks, and what session hijacking has to do with it ∗∗∗
---------------------------------------------
Kaspersky experts explain the different types of cookies, how to configure them correctly, and how to protect yourself from session hijacking attacks.
---------------------------------------------
https://securelist.com/cookies-and-session-hijacking/117390/
∗∗∗ A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years, (Tue, Sep 2nd) ∗∗∗
---------------------------------------------
What can almost 2,000 sextortion messages tell us about how threat actors operate and whether they are successful? [..] The use of specific cryptocurrency addresses in sextortion messages seems to be fairly short-lived. Approximately 46% of the addresses in the dataset were only used for a single day [..] the average requested amount was 1,716 USD, with a median of 1,370 USD [..] Of the 205 cryptocurrency addresses in our dataset, only 57 (~28%) didn’t receive any payment at all, while the remaining addresses did.
---------------------------------------------
https://isc.sans.edu/diary/rss/32252
∗∗∗ Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec.
---------------------------------------------
https://thehackernews.com/2025/09/ukrainian-network-fdn3-launches-massive.h…
∗∗∗ Warning, Bitpanda phishing: Crypto balances in danger! ∗∗∗
---------------------------------------------
Criminals are sending SMS messages warning of an alleged login to the victim's Bitpanda account. They also supply a phone number to call for clarification. At the other end, however, the scammers are waiting, and they are after crypto assets.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-bitpanda-phishing-krypto/
=====================
= Vulnerabilities =
=====================
∗∗∗ Home automation: ESPHome flaw allows full compromise ∗∗∗
---------------------------------------------
In the ESP-IDF platform of the ESPHome firmware base, a newly discovered security vulnerability allows attackers to bypass authentication. That even enables them to load their own firmware onto vulnerable controllers. [..] A new vulnerability entry from Monday of this week discusses the security flaw in the firmware. [..] (CVE-2025-57808 / no EUVD yet, CVSS 8.1, risk "high")
---------------------------------------------
https://www.heise.de/news/Heimautomatisierung-ESPHome-Luecke-erlaubt-volle-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick).
---------------------------------------------
https://lwn.net/Articles/1036369/
∗∗∗ TYPO3-EXT-SA-2025-011: Command Injection in extension "TYPO3 Backup Plus" (ns_backup) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-011
∗∗∗ Delta Electronics EIP Builder ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-01
∗∗∗ SunPower PVS6 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-03
∗∗∗ Fuji Electric FRENIC-Loader 4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-02
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-08-2025 18:00 − Monday 01-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Transparency and communication: BSI indirectly advises against continued use of Paypal ∗∗∗
---------------------------------------------
What happens to the data, and are reasons given for outages? Without naming Paypal, the BSI calls for not choosing a service based on usability alone.
---------------------------------------------
https://www.golem.de/news/transparenz-und-kommunikation-bsi-raet-indirekt-v…
∗∗∗ AWS warns: Russian hackers caught in attacks on Microsoft users ∗∗∗
---------------------------------------------
The notorious hacker group APT29 is said to have infected existing websites with malicious code in order to get at visitors' Microsoft accounts.
---------------------------------------------
https://www.golem.de/news/aws-warnt-russische-hacker-bei-attacken-auf-micro…
∗∗∗ Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling ∗∗∗
---------------------------------------------
Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes.
---------------------------------------------
https://thehackernews.com/2025/08/attackers-abuse-velociraptor-forensic.html
∗∗∗ Traffic to government domains often crosses national borders, or flows through risky bottlenecks ∗∗∗
---------------------------------------------
Sites at yourcountry.gov may also not bother with HTTPS. Internet traffic to government domains often flows across borders, relies on a worryingly small number of network connections, or does not require encryption, according to new research.
---------------------------------------------
https://www.theregister.com/2025/09/01/isoc_government_domain_traffic_measu…
∗∗∗ SSA Whistleblower’s Resignation Email Mysteriously Disappeared From Inboxes ∗∗∗
---------------------------------------------
Less than 30 minutes after the Social Security Administration’s chief data officer resigned following a whistleblower complaint, recipients could no longer access the resignation email.
---------------------------------------------
https://www.wired.com/story/charles-borges-resignation-email-disappearance/
∗∗∗ Backdoor report: British government wants full access to iCloud ∗∗∗
---------------------------------------------
It is still not finally decided whether Apple must give British law enforcement access to iCloud. Now the full breadth of data involved has become known.
---------------------------------------------
https://www.heise.de/news/Hintertuer-Bericht-Britische-Regierung-will-Vollz…
∗∗∗ After criticism: Ameos Kliniken want to inform proactively about data leak ∗∗∗
---------------------------------------------
After a successful cyberattack, the hospital group Ameos had provided an information request form. Following criticism, it has now been changed.
---------------------------------------------
https://www.heise.de/news/Ameos-Kliniken-Nach-IT-Angriff-steht-Auskunftsfor…
∗∗∗ IT infrastructure of the Ministry of the Interior hacked "in a targeted and professional manner" ∗∗∗
---------------------------------------------
According to the ministry's own statements, police data and applications are not affected. The attack took place several weeks ago but was only communicated now.
---------------------------------------------
https://www.derstandard.at/story/3000000285630/cyberangriff-auf-it-infrastr…
∗∗∗ Sweden scrambles after ransomware attack puts sensitive worker data at risk ∗∗∗
---------------------------------------------
Municipal government organisations across Sweden have found themselves impacted after a ransomware attack at a third-party software service supplier.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/sweden-scrambles-afte…
∗∗∗ Strange spam mail; Accenture hacked? ∗∗∗
---------------------------------------------
A blog reader pointed out to me a few days ago that he had received a strange spam mail sent from an Accenture domain. In the meantime the domain is no longer reachable, which raises the question of the background.
---------------------------------------------
https://www.borncity.com/blog/2025/08/31/accenture-gehackt-merkwuerdige-phi…
∗∗∗ Sharp rise in cyberattacks on the education sector ∗∗∗
---------------------------------------------
Security vendor Check Point warns of a sharp rise in cyberattacks in the education sector: up 41 percent worldwide, and in Germany even up 56 percent. Educational institutions record on average more than 4300 attacks per week, driven by seasonal phishing campaigns at the start of the school year and semester.
---------------------------------------------
https://www.borncity.com/blog/2025/08/31/starker-anstieg-der-cyberangriffe-…
∗∗∗ PromptLock: First AI-powered malware discovered by ESET ∗∗∗
---------------------------------------------
ESET security researchers have discovered what they consider the "first known AI-powered ransomware", named PromptLock.
---------------------------------------------
https://www.borncity.com/blog/2025/08/31/promptlock-erste-ki-gestuetzte-mal…
∗∗∗ Citrix Netscaler backdoors — Part One — May 2025 activity against governments ∗∗∗
---------------------------------------------
This is a follow up post to the prior one, part of a series looking at different Netscaler vulnerabilities that have been exploited in the wild as zero days.
---------------------------------------------
https://doublepulsar.com/citrix-netscaler-backdoors-part-one-may-2025-activ…
∗∗∗ 8 Malicious NPM Packages Stole Chrome User Data on Windows ∗∗∗
---------------------------------------------
JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser users on Windows. The attack highlights a growing threat to developers.
---------------------------------------------
https://hackread.com/malicious-npm-packages-stole-chrome-user-data-windows/
∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗
---------------------------------------------
Update (August 28) Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo…
∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗
---------------------------------------------
Nearly three dozen organizations across Central Asia and the Asia-Pacific region, predominantly government agencies, have been compromised in data exfiltration campaigns attributed to the Russian and Chinese-speaking threat group known as ShadowSilk, according to Group-IB.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6190
∗∗∗ Vishing: How the attack by phone succeeds even against large companies ∗∗∗
---------------------------------------------
At Def Con one could watch live how vishing works. Surprisingly often, attackers obtain even the most important company information by phone.
---------------------------------------------
https://heise.de/-10625451
∗∗∗ A16-FuseBypass: Debug Logic Enabled on Production Apple Silicon ∗∗∗
---------------------------------------------
This repository documents a critical hardware-level vulnerability in the Apple A16 Bionic chip used in iPhone 14 Pro Max and related devices.
---------------------------------------------
https://github.com/JGoyd/A16-FuseBypass
∗∗∗ KernelSnitch: Side-Channel Attacks on Kernel Data Structures ∗∗∗
---------------------------------------------
In this paper, we present a novel generic software side-channel attack, KernelSnitch, targeting kernel data structures such as hash tables and trees.
---------------------------------------------
https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf
∗∗∗ Client-side RCE via CSS Injection in Google Web Designer for Windows ∗∗∗
---------------------------------------------
After my recent discovery of two client-side remote code execution vulnerabilities in Google Web Designer (previously disclosed in my articles earlier this year: CVE-2025-1079, CVE-2025-4613), in April 2025 I've found yet another serious issue in the app.
---------------------------------------------
https://balintmagyar.com/articles/google-web-designer-css-injection-client-…
∗∗∗ Passkeys are incompatible with open-source software ∗∗∗
---------------------------------------------
After reading more of the spec authors’ comments on open-source Passkey implementations, I cannot support this tech. In addition to what I covered at the bottom of this blog post, I found more instances where the spec authors have expressed positions that are incompatible with open-source software and user freedom.
---------------------------------------------
https://www.smokingonabike.com/2025/01/04/passkey-marketing-is-lying-to-you/
∗∗∗ Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions ∗∗∗
---------------------------------------------
Socket’s Threat Research Team identified a malicious npm package, nodejs-smtp, that impersonates the popular email library nodemailer, which averages roughly 3.9 million weekly downloads, while implanting code into desktop cryptocurrency wallets on Windows.
---------------------------------------------
https://socket.dev/blog/wallet-draining-npm-package-impersonates-nodemailer
∗∗∗ The CISO’s Codex – Leo and the Laws of Security ∗∗∗
---------------------------------------------
A storytelling approach to cybersecurity, where a new CISO named Leo guides his company through foundational security models like Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, and Graham-Denning/HRU.
---------------------------------------------
https://thecyberthrone.in/2025/08/30/the-cisos-codex-leo-and-the-laws-of-se…
∗∗∗ Nevada Faces Unprecedented Ransomware Attack ∗∗∗
---------------------------------------------
On August 24, 2025, Nevada made headlines as the victim of a historic cyberattack that forced a near-total shutdown of state government operations.
---------------------------------------------
https://thecyberthrone.in/2025/08/31/nevada-faces-unprecedented-ransomware-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IT security solution Acronis Cyber Protect Cloud Agent is vulnerable ∗∗∗
---------------------------------------------
A security update closes a vulnerability in Acronis Cyber Protect Cloud Agent.
---------------------------------------------
https://www.heise.de/news/IT-Sicherheitsloesung-Acronis-Cyber-Protect-Cloud…
∗∗∗ Qnap: Partly high-risk vulnerabilities in QTS and QuTS hero closed ∗∗∗
---------------------------------------------
Updates for the QTS and QuTS hero firmwares of Qnap devices close security vulnerabilities classified as high-risk.
---------------------------------------------
https://www.heise.de/news/Qnap-Update-schliesst-teils-hochriskante-Luecken-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7).
---------------------------------------------
https://lwn.net/Articles/1036084/
∗∗∗ Authenticated Attackers Could Exploit IBM Watsonx Vulnerability to Access Sensitive Data ∗∗∗
---------------------------------------------
A newly disclosed security vulnerability, tracked as CVE-2025-0165, has been reported, specifically concerning the users of the IBM Watsonx Orchestrate Cartridge within the IBM Cloud Pak for Data platform.
---------------------------------------------
https://thecyberexpress.com/decoding-cve-2025-0165-flaw/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-08-2025 18:00 − Friday 29-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Police warn of calls from fake interior minister who wants money ∗∗∗
---------------------------------------------
Interior Minister Karner is said to have asked for donations for ransom payments. The contact was made using a genuine number of the Ministry of the Interior.
---------------------------------------------
https://futurezone.at/digital-life/fake-innenminister-karner-anruf-scam-pol…
∗∗∗ Caution! Announcement of a tax audit by the tax office is a trap! ∗∗∗
---------------------------------------------
A new scam in the name of the Austrian tax office is currently making the rounds. This time it is not an access code that is expiring, nor a refund waiting to be paid out. In the current case, criminals are trying to cause harm by announcing a tax audit.
---------------------------------------------
https://www.watchlist-internet.at/news/falle-finanzamt-betriebspruefung/
∗∗∗ Citrix forgot to tell you CVE-2025-6543 has been used as a zero day since May 2025 ∗∗∗
---------------------------------------------
Netscaler customers have a problem: the product is on fire. And not in a good way. Serious threat actors are running rings around the product on a regular basis, zero days being exploited regularly, and Citrix/Cloud Software Group simply aren’t being transparent about what is happening with customers so they cannot make real assessments of compromise. Applying patches after already being exploited is not working.
---------------------------------------------
https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-u…
∗∗∗ Early end of support for SonicWall SMA100 ∗∗∗
---------------------------------------------
Support is to end on 31 October 2025, according to a notice from a SonicWall partner.
---------------------------------------------
https://www.borncity.com/blog/2025/08/29/vorzeitige-beendigung-des-supports…
∗∗∗ How attackers adapt to built-in macOS protection ∗∗∗
---------------------------------------------
We analyze the built-in protection mechanisms in macOS: how they work, how threat actors can attack them or deceive users, and how to detect such attacks.
---------------------------------------------
https://securelist.com/macos-security-and-typical-attacks/117367/
∗∗∗ Passkeys Pwned: Turning WebAuthn Against Itself ∗∗∗
---------------------------------------------
On the DEFCON 33 main stage, SquareX researchers disclosed a major passkey vulnerability that uses malicious extensions/scripts to fake passkey registration and logins, allowing attackers to access enterprise SaaS apps without the user’s device or biometrics.
---------------------------------------------
https://labs.sqrx.com/passkeys-pwned-0dbddb7ade1a
∗∗∗ Ransomware gang takedowns causing explosion of new, smaller groups ∗∗∗
---------------------------------------------
The ransomware ecosystem continues to splinter, with new gangs proliferating in the wake of law enforcement takedowns that have scattered affiliates and prompted criminal rebrands.
---------------------------------------------
https://therecord.media/ransomware-gang-takedown-proliferation
=====================
= Vulnerabilities =
=====================
∗∗∗ Windows: zero-day vulnerability in LNK display ∗∗∗
---------------------------------------------
According to ZDI, Microsoft took the position that the vulnerability does not meet the severity bar for a fix. Even after about half a year of back and forth, Microsoft did not change its mind. ZDI finally published the report and has now also issued a CVE entry for it. [..] "The vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required for exploitation: the target must visit a malicious page or open a malicious file," ZDI concludes. [..] (CVE-2025-9491 / no EUVD yet, CVSS 7.0, risk "high")
---------------------------------------------
https://heise.de/-10625780
∗∗∗ FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available ∗∗∗
---------------------------------------------
The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity. "Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory. [..] "We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise," watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/08/freepbx-servers-targeted-by-zero-day.html
∗∗∗ clickstudios Passwordstate 2025-08-28 ∗∗∗
---------------------------------------------
Fixed a potential authentication bypass issue associated with accessing the core Passwordstate Products' Emergency Access page, by using a carefully crafted URL, which could allow access to the Passwordstate Administration section.
---------------------------------------------
https://www.clickstudios.com.au/security/advisories/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (aide, fence-agents, firefox, kernel-rt, python-cryptography, and thunderbird), Debian (golang-github-gin-contrib-cors, libxml2, and udisks2), Fedora (chromium), Oracle (postgresql16, postgresql:16, python3.11, and thunderbird), Red Hat (lz4 and mpfr), SUSE (chromium, docker, dpkg, firefox, gdk-pixbuf, git, git, git-lfs, obs-scm-bridge, python-PyYAML, gnutls, kernel, libarchive, libxml2, net-tools, netty, perl-Crypt-CBC, polkit, postgresql14, postgresql15, sqlite3, thunderbird, tomcat10, and udisks2), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux-realtime, linux-realtime-6.14, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gke, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-kvm, linux-oem-6.14, linux-realtime, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, openldap, and udisks2).
---------------------------------------------
https://lwn.net/Articles/1035724/
∗∗∗ QNAP: Multiple Vulnerabilities in File Station 5 ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-19
∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-21
∗∗∗ Tenable: [R1] Stand-alone Security Patches Available for Tenable Security Center versions 6.4.x, 6.5.1 and 6.6.0: SC-202508.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-17
∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-01
∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-02
∗∗∗ GE Vernova CIMPLICITY ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-06
∗∗∗ Delta Electronics CNCSoft-G2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-04
∗∗∗ Delta Electronics COMMGR ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-05
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-08-2025 18:00 − Thursday 28-08-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Experimental PromptLock ransomware uses AI to encrypt, steal data ∗∗∗
---------------------------------------------
Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems. The malware uses OpenAI’s gpt-oss:20b model through the Ollama API to dynamically generate the malicious Lua scripts from hard-coded prompts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/experimental-promptlock-rans…
∗∗∗ ZipLine Phishers Flip Script as Victims Email First ∗∗∗
---------------------------------------------
"ZipLine" appears to be a sophisticated and carefully planned campaign that has already affected dozens of small, medium, and large [..] A financially motivated threat actor is flipping the phishing playbook by getting victims to make the first email contact with the attacker rather than the other way around. The scam involves the adversary hitting up Contact Us forms on company websites under the guise of partnership inquiries or other business pretexts and waiting for the target to respond. Over a couple of weeks, they build credibility with carefully crafted, professional-sounding emails before hitting their mark with a weaponized zip file.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/zipline-phishers-vic…
∗∗∗ AppSuite PDF Editor Backdoor: A Detailed Technical Analysis ∗∗∗
---------------------------------------------
Some threat actors are bold enough to submit their own malware as a false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor. Initially, automation flagged it as a potentially unwanted program, a verdict that is typically reserved for legitimate software with shady features like unwanted advertisement or installation of third-party programs without proper consent. In the case of AppSuite, however, we found a backdoor.
---------------------------------------------
https://feeds.feedblitz.com/~/923960972/0/gdatasecurityblog-en~AppSuite-PDF…
∗∗∗ Sweden: cyberattack paralyses systems of hundreds of municipalities ∗∗∗
---------------------------------------------
A Swedish IT service provider named Miljödata has apparently been the target of a serious cyberattack. According to a report by Bleeping Computer, the attack is causing outages in more than 200 Swedish public administrations. The news portal Sweden Herald even speaks of 250 affected customers, of which at least 164 are said to be municipal administrations.
---------------------------------------------
https://www.golem.de/news/schweden-cyberangriff-legt-systeme-hunderter-komm…
∗∗∗ Malicious Screen Connect Campaign Abuses AI-Themed Lures for Xworm Delivery ∗∗∗
---------------------------------------------
During a recent Advanced Continual Threat Hunt (ACTH) investigation, the Trustwave SpiderLabs Threat Hunt team identified a deceptive campaign that abused fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-s…
∗∗∗ More than 28,000 NetScaler instances vulnerable to Citrix Bleed 3 ∗∗∗
---------------------------------------------
On Wednesday it became known that vulnerabilities in Citrix NetScaler (ADC and Gateway) appliances, already dubbed "Citrix Bleed 3", are being attacked. Also on Wednesday, the Shadowserver Foundation published figures according to which, as of Tuesday, more than 28,000 systems worldwide were still vulnerable to "Citrix Bleed 3". Attackers can presumably exploit the vulnerabilities on them.
---------------------------------------------
https://www.heise.de/news/Mehr-als-28-000-Netscaler-Instanzen-anfaellig-fue…
∗∗∗ Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System ∗∗∗
---------------------------------------------
People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
∗∗∗ Microsoft warns: ransomware group Storm-0501 attacks (Azure) cloud, demands payments ∗∗∗
---------------------------------------------
Microsoft warns of the financially motivated group Storm-0501, which continuously targets cloud (Azure) environments. On success, data is exfiltrated, then the originals are encrypted and backups destroyed. A ransom is demanded afterwards.
---------------------------------------------
https://www.borncity.com/blog/2025/08/28/microsoft-warnt-ransomware-gruppe-…
∗∗∗ Zip Slip, Path Traversal Vulnerability during File Decompression ∗∗∗
---------------------------------------------
Path traversal or directory traversal vulnerabilities are security vulnerabilities that occur mainly due to improper validation of user inputs. Attackers can read, modify, or even create new files that are originally inaccessible or located in unintended paths using relative or absolute paths. Although these vulnerabilities have been known for a long time, they are still being discovered in various environments and applications, not just web environments. This article examines Zip Slip, a path traversal vulnerability that occurs during the file decompression process of compression programs, and aims to introduce its main vulnerabilities.
---------------------------------------------
https://asec.ahnlab.com/en/89890/
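The Zip Slip pattern described above, as an added example that is not code from the AhnLab article: a hand-rolled extractor that trusts entry names verbatim (the common `os.path.join` plus `open()` loop) next to a hardened one that resolves every target with `os.path.realpath` and rejects the whole archive if any entry lands outside the destination. The archive contents (a benign entry, a `../../` entry and an absolute-path entry) are constructed in memory for the demo. Note that Python's own `ZipFile.extractall` drops `..` components of member names, so the vulnerable pattern shown here is custom extraction code, not the standard library's extractor.

```python
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass


class ZipSlipError(ValueError):
    """Raised when an archive entry would land outside the extraction directory."""


def build_zip(entries):
    """Build an in-memory zip from {name: text}. zipfile stores the names
    verbatim, so a hostile builder can put '../' or an absolute path in them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample archive: one benign entry plus the two classic Zip Slip shapes.
MALICIOUS_ZIP = build_zip({
    "docs/readme.txt": "harmless\n",
    "../../outside.txt": "escaped two levels up\n",
    "/etc/absolute.txt": "absolute path\n",
})


def is_within(dest_dir, target):
    """True if target (already resolved) is dest_dir itself or somewhere below it."""
    dest_real = os.path.realpath(dest_dir)
    try:
        return os.path.commonpath([dest_real, target]) == dest_real
    except ValueError:  # different drives or mixed absolute/relative on Windows
        return False


@dataclass
class Planned:
    name: str      # entry name as stored in the archive
    target: str    # where os.path.join(dest_dir, name) really points
    inside: bool   # whether that stays under dest_dir


def plan_extraction(data, dest_dir):
    """Compute what the vulnerable pattern open(os.path.join(dest, name), 'wb')
    would do for each entry, without writing anything."""
    planned = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_dir, info.filename))
            planned.append(Planned(info.filename, target, is_within(dest_dir, target)))
    return planned


def safe_extract(data, dest_dir):
    """Hardened extractor: validate every entry first, then write. Rejecting the
    whole archive on the first bad entry avoids leaving a half-extracted tree."""
    plan = plan_extraction(data, dest_dir)
    bad = [p for p in plan if not p.inside]
    if bad:
        raise ZipSlipError(f"entry {bad[0].name!r} resolves to {bad[0].target}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info, p in zip(zf.infolist(), plan):
            if info.is_dir():
                os.makedirs(p.target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(p.target), exist_ok=True)
            with zf.open(info) as src, open(p.target, "wb") as dst:
                dst.write(src.read())
            written.append(p.target)
    return written


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "app", "uploads")
        os.makedirs(dest)
        for p in plan_extraction(MALICIOUS_ZIP, dest):
            print(f"{'OK ' if p.inside else 'BAD'} {p.name!r} -> {p.target}")
        try:
            safe_extract(MALICIOUS_ZIP, dest)
        except ZipSlipError as e:
            print("rejected:", e)
```

The check deliberately compares resolved paths rather than looking for the literal string `..`: URL-encoded or backslash variants, and symlinked destination directories, are all handled the same way once both sides have gone through `realpath`.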
∗∗∗ Thousands of Developer Credentials Stolen in macOS “s1ngularity” Attack ∗∗∗
---------------------------------------------
A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted macOS and AI tools, according to GitGuardian’s analysis.
---------------------------------------------
https://hackread.com/developer-credentials-stolen-macos-s1ngularity-attack/
∗∗∗ Cisco: several products with partly high-risk vulnerabilities ∗∗∗
---------------------------------------------
On Wednesday, network equipment vendor Cisco issued ten new security advisories. They address vulnerabilities, some of them high-risk, in several products.
---------------------------------------------
https://heise.de/-10623826
∗∗∗ Referral Beware, Your Rewards are Mine (Part 1) ∗∗∗
---------------------------------------------
Referral rewards programs are nearly ubiquitous today, from consumer tech to SaaS companies, but are rarely given much security oversight. In this blog post we’ll dig into the common technical implementations of rewards programs on web apps, common security issues with each approach, and recommendations for secure development of similar programs. In a subsequent post, we’ll explore real-world examples of these vulnerability classes in detail.
---------------------------------------------
https://rhinosecuritylabs.com/research/referral-beware-your-rewards-are-min…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel).
---------------------------------------------
https://lwn.net/Articles/1035464/
∗∗∗ Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-v…