=====================
= End-of-Day report =
=====================
Timeframe: Thursday 06-11-2025 18:00 − Friday 07-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ID verification laws are fueling the next wave of breaches ∗∗∗
---------------------------------------------
ID laws are forcing companies to store massive amounts of sensitive data, turning compliance into a security risk. Acronis explains how integrated backup and cybersecurity platforms help MSPs reduce complexity and close the gaps attackers exploit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/id-verification-laws-are-fue…
∗∗∗ EFF test: These anti-virus tools offer the best protection against spyware apps ∗∗∗
---------------------------------------------
Stalkerware makes it easy to spy on other people. A new test shows which anti-virus tools for Android offer the best protection.
---------------------------------------------
https://www.golem.de/news/test-der-eff-diese-anti-virus-tools-schuetzen-am-…
∗∗∗ The Cat's Out of the Bag: A Meow Attack Data Corruption Campaign Simulation via MAD-CAT ∗∗∗
---------------------------------------------
In 2024, I published Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack), which explored the notorious Meow attack campaign that had plagued unsecured databases since 2020. That article focused on demonstrating the attack against a single MongoDB instance using a simple Python script, a proof-of-concept that illustrates how devastating misconfigurations can be.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-cats-ou…
∗∗∗ Google Launches New Maps Feature to Help Businesses Report Review-Based Extortion Attempts ∗∗∗
---------------------------------------------
Google on Thursday said it's rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative ..
---------------------------------------------
https://thehackernews.com/2025/11/google-launches-new-maps-feature-to.html
∗∗∗ Gootloader malware back for the attack, serves up ransomware ∗∗∗
---------------------------------------------
Move fast - miscreants compromised a domain controller in 17 hours. Gootloader JavaScript malware, commonly used to deliver ransomware, is back in action after a period of reduced activity.
---------------------------------------------
https://www.theregister.com/2025/11/06/gootloader_back_ransomware/
∗∗∗ Cybercrims plant destructive time bomb malware in industrial .NET extensions ∗∗∗
---------------------------------------------
Multi-year wait for destruction comes to an end for mystery attackers. Security experts have helped remove malicious NuGet packages planted in 2023 that were designed to destroy systems years in advance, with some payloads not due to hit ..
---------------------------------------------
https://www.theregister.com/2025/11/07/cybercriminals_plant_destructive_tim…
∗∗∗ Cisco: Thousands of firewalls vulnerable, new attack vectors observed ∗∗∗
---------------------------------------------
Attackers have found new ways to exploit the vulnerabilities in Cisco firewalls that have been known since the end of September. Thousands of devices are vulnerable.
---------------------------------------------
https://www.heise.de/news/Cisco-Tausende-Firewalls-verwundbar-neue-Angriffs…
∗∗∗ Zimbra groupware: Updates close several security vulnerabilities ∗∗∗
---------------------------------------------
The developers have closed several security vulnerabilities in the Zimbra groupware with updated packages.
---------------------------------------------
https://www.heise.de/news/Groupware-Zimbra-Updates-stopfen-mehrere-Sicherhe…
∗∗∗ Supply chain attacks: Almost one in three companies affected ∗∗∗
---------------------------------------------
When corporate IT is too well protected, attackers target suppliers instead. Nearly 28 percent of companies are affected, many of them with noticeable consequences.
---------------------------------------------
https://www.heise.de/news/Supply-Chain-Attacken-Fast-jedes-dritte-Unternehm…
∗∗∗ Exploiting AgTech connectivity to corner the grain market ∗∗∗
---------------------------------------------
I live in the countryside & as a result, know quite a few farmers. The subject of connected farming systems comes up quite a lot in the local pub. Those of you who have watched Clarkson’s Farm will understand just how complex and confusing some tractor systems ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/exploiting-agtech-connectivit…
∗∗∗ “Pay up or we share the tapes”: Hackers target massage parlour clients in blackmail scheme ∗∗∗
---------------------------------------------
South Korean police have uncovered a hacking operation that stole sensitive data from massage parlours and blackmailed their male clientele.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/pay-up-or-we-share-th…
∗∗∗ LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices ∗∗∗
---------------------------------------------
Commercial-grade LANDFALL spyware exploits CVE-2025-21042 in Samsung Android’s image processing library. The spyware was embedded in malicious DNG files.
---------------------------------------------
https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-androi…
∗∗∗ “I Paid Twice” Scam Infects Booking.com Users with PureRAT via ClickFix ∗∗∗
---------------------------------------------
Cybersecurity firm Sekoia reports a widespread fraud where criminals compromise hotel systems (Booking.com, Expedia and others) with PureRAT malware, then use stolen reservation data to phish and defraud guests.
---------------------------------------------
https://hackread.com/i-paid-twice-scam-booking-com-purerat-clickfix/
∗∗∗ What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) ∗∗∗
---------------------------------------------
Happy Friday, friends and.. others. We're glad/sorry to hear that your week has been good/bad, and it's the weekend/but at least it's almost the weekend! What're We Doing Today, Mr Fox? Today, in a tale that seems all too
---------------------------------------------
https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remot…
∗∗∗ General practitioner: "The electronic patient record is a digital cardboard box" ∗∗∗
---------------------------------------------
Data protection, technology and trust in the electronic patient record. Experts discussed these topics in the state parliament of Rhineland-Palatinate.
---------------------------------------------
https://heise.de/-11069279
∗∗∗ Kubevirt security audit ∗∗∗
---------------------------------------------
Security is a core concern in the development of any open-source project. To ensure reliability and resilience, many teams choose to conduct independent audits that help identify potential weaknesses and strengthen their systems. In this context, Quarkslab experts recently performed a security assessment of KubeVirt with the goal of supporting its ..
---------------------------------------------
http://blog.quarkslab.com/kubevirt-security-audit.html
∗∗∗ Results from Testing Six AI Models on Advanced Security Exploits ∗∗∗
---------------------------------------------
We ran three advanced security vulnerabilities through GPT-5, o3, Claude, Gemini, and Grok.
---------------------------------------------
https://blog.kilocode.ai/p/we-tested-6-ai-models-on-3-advanced
∗∗∗ 9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads ∗∗∗
---------------------------------------------
Socket's Threat Research Team discovered nine malicious NuGet packages that inject time-delayed destructive payloads into database operations and target industrial control systems. Published under the NuGet alias shanhai666 between 2023 and 2024, these packages terminate the host application process with 20% probability on each database query after specific ..
---------------------------------------------
https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-des…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 05-11-2025 18:00 − Thursday 06-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ 5 AI-developed malware families analyzed by Google fail to work and are easily detected ∗∗∗
---------------------------------------------
You wouldn't know it from the hype, but the results fail to impress.
---------------------------------------------
https://arstechnica.com/security/2025/11/ai-generated-malware-poses-little-…
∗∗∗ Remote access via SIM card: Danish electric buses from China can also be controlled remotely ∗∗∗
---------------------------------------------
The manufacturer Yutong could, in theory, disable its electric buses remotely at any time. In Denmark the vehicles are in widespread use.
---------------------------------------------
https://www.golem.de/news/fernzugriff-per-sim-karte-auch-daenische-elektrob…
∗∗∗ Extortion and ransomware drive over half of cyberattacks ∗∗∗
---------------------------------------------
In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering.
---------------------------------------------
https://blogs.microsoft.com/on-the-issues/2025/10/16/mddr-2025/
∗∗∗ Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection ∗∗∗
---------------------------------------------
The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware. According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine.
---------------------------------------------
https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html
∗∗∗ Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine ∗∗∗
---------------------------------------------
A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities. The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense, describing it as Russia-aligned.
---------------------------------------------
https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html
∗∗∗ Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362 ∗∗∗
---------------------------------------------
Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362.
---------------------------------------------
https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.html
∗∗∗ SonicWall fingers state-backed cyber crew for September firewall breach ∗∗∗
---------------------------------------------
Spies, not crooks, were behind digital heist – damage stopped at the backups, says US cybersec biz. SonicWall has blamed an unnamed, state-sponsored collective for the September break-in that saw cybercriminals rifle through a cache of firewall configuration backups.
---------------------------------------------
https://www.theregister.com/2025/11/06/sonicwall_fingers_statebacked_cyber_…
∗∗∗ Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report ∗∗∗
---------------------------------------------
Mobile devices, IoT sensors, and OT systems are no longer distinct domains; they are the interconnected backbone of modern business and infrastructure. From the factory floor and hospital ward to the global supply chain, this convergence powers innovation and efficiency. However, it has also created a sprawling, interdependent attack surface that threat actors are exploiting with increasing speed and sophistication.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/industry-attacks-surge-mobi…
∗∗∗ Fake shops deceive online shoppers ∗∗∗
---------------------------------------------
Fake shops take people's money without delivering anything in return. According to a survey, quite a few users have fallen victim to this scam.
---------------------------------------------
https://www.heise.de/news/Fakeshops-taeuschen-Online-Kaeufer-11067321.html
∗∗∗ Have I Been Pwned: Billions of new passwords added to the collection ∗∗∗
---------------------------------------------
Have I Been Pwned operator Troy Hunt was able to extract 1.3 billion unique passwords from infostealer data sets.
---------------------------------------------
https://www.heise.de/news/Have-I-Been-Pwned-Milliarden-neuer-Passwoerter-in…
∗∗∗ Bundestag: Coalition reaches agreement on NIS2 directive implementation ∗∗∗
---------------------------------------------
After intensive negotiations, the CDU/CSU and SPD parliamentary groups have reached agreement on the revision of the cybersecurity requirements for critical infrastructure.
---------------------------------------------
https://www.heise.de/news/Bundestag-Koalition-einigt-sich-bei-NIS2-Richtlin…
∗∗∗ Windows: October security updates can trigger BitLocker recovery ∗∗∗
---------------------------------------------
The security updates from the October Patch Tuesday for Windows can cause BitLocker recovery to start.
---------------------------------------------
https://www.heise.de/news/Windows-Oktober-Sicherheitsupdates-koennen-Bitloc…
∗∗∗ Cloudflare Scrubs Aisuru Botnet from Top Domains List ∗∗∗
---------------------------------------------
For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare's public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisuru's overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company's domain name system (DNS) service.
---------------------------------------------
https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-to…
∗∗∗ Account takeover: Criminals use a fake vote to try to gain control of WhatsApp accounts ∗∗∗
---------------------------------------------
The smartphone buzzes: a new WhatsApp message has arrived. It is about a vote, a vote for an acquaintance's daughter. The main prize is a "free scholarship" for a young aspiring dancer. Behind it, however, lies an attempt by criminals to take over their victims' WhatsApp accounts.
---------------------------------------------
https://www.watchlist-internet.at/news/account-takeover-fake-abstimmung/
∗∗∗ Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming ∗∗∗
---------------------------------------------
How a fast-growing scam is tricking WhatsApp users into revealing their most sensitive financial and other data.
---------------------------------------------
https://www.welivesecurity.com/en/scams/sharing-is-scaring-whatsapp-screen-…
∗∗∗ Russia’s Sandworm hackers deploying wipers against Ukraine’s grain industry ∗∗∗
---------------------------------------------
The Russian state-backed hacking unit Sandworm has been targeting Ukraine's grain industry with wiper malware amid Moscow's ongoing efforts to undermine Kyiv's wartime economy.
---------------------------------------------
https://therecord.media/russia-sandworm-grain-wipers
∗∗∗ An Unerring Spear: Cephalus Ransomware Analysis ∗∗∗
---------------------------------------------
Cephalus is a new ransomware group that first appeared in mid-June 2025. The group claims that they are motivated 100% by financial gain. Their main method of breaching organizations is by stealing credentials through Remote Desktop Protocol (RDP) accounts that do not have multi-factor authentication (MFA) enabled.
---------------------------------------------
https://asec.ahnlab.com/en/90878/
∗∗∗ Hackers Steal Personal Data and 17K Slack Messages in Nikkei Data Breach ∗∗∗
---------------------------------------------
Nikkei confirms breach after a virus infected an employee PC, exposing 17,368 names and Slack chat histories. The media giant reported the incident voluntarily.
---------------------------------------------
https://hackread.com/nikkei-data-breach-hackers-steal-data-slack-messages/
∗∗∗ What GreyNoise Learned from Deploying MCP Honeypots ∗∗∗
---------------------------------------------
GreyNoise deployed MCP honeypots to see what happens when AI middleware meets the open internet — revealing how attackers interact with this new layer of AI infrastructure.
---------------------------------------------
https://www.greynoise.io/blog/deploying-mcp-honeypots
=====================
= Vulnerabilities =
=====================
∗∗∗ [UPDATE] Cisco Secure Firewall Adaptive Security Appliance Software, Secure Firewall Threat Defense Software, IOS Software, IOS XE Software, and IOS XR Software Web Services Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Added information on first fixed releases for Cisco Secure Firewall ASA Software releases 9.12 and 9.14.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security vulnerabilities endanger PCs with Dell CloudLink and Command Monitor ∗∗∗
---------------------------------------------
Patches resolve several security problems in Dell CloudLink and Command Monitor.
---------------------------------------------
https://www.heise.de/news/Unbefugte-Zugriffe-auf-Dell-CloudLink-und-Command…
∗∗∗ WatchGuard Fireware OS IKEv2 Out-of-Bounds Vulnerability ∗∗∗
---------------------------------------------
A critical Out-of-Bounds Write vulnerability (CVE-2025-9242) exists in the WatchGuard Fireware OS iked process, which handles IKEv2 VPN connections. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on affected devices.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6247
∗∗∗ Google Issues Emergency Chrome 142 Update to Fix Multiple High-Risk Vulnerabilities ∗∗∗
---------------------------------------------
Google has rolled out an emergency update for its Chrome browser, version 142, to address a series of serious remote code execution (RCE) vulnerabilities that could allow attackers to take control of affected systems. The update, released on November 5, 2025, is being distributed gradually across desktop platforms, Windows, macOS, and Linux, as well as Android devices through Google Play and Chrome’s built-in update mechanism.
---------------------------------------------
https://thecyberexpress.com/google-chrome-142-fixes-rce-flaws/
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released four Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS: ICSA-25-310-01 Advantech DeviceOn iEdge, ICSA-25-310-02 Ubia Ubox, ICSA-25-310-03 ABB FLXeon Controllers and ICSA-25-282-01 Hitachi Energy Asset Suite (Update A). CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/11/06/cisa-releases-four-indus…
∗∗∗ CISA warns of critical CentOS Web Panel bug exploited in attacks ∗∗∗
---------------------------------------------
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning that threat actors are exploiting a critical remote command execution flaw in CentOS Web Panel (CWP).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-cento…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 04-11-2025 18:00 − Wednesday 05-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Current phishing wave in the name of FinanzOnline ∗∗∗
---------------------------------------------
We are currently receiving an increasing number of reports about phishing campaigns in the name of the Austrian Ministry of Finance. While one wave of e-mails tries to lure users with a fake VAT refund, SMS messages warn of a FinanzOnline access that has allegedly expired. Watchlist Internet has also already reported on these attacks.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/11/aktuelle-phishingwelle-im-namen-vo…
∗∗∗ Malicious Android apps on Google Play downloaded 42 million times ∗∗∗
---------------------------------------------
Hundreds of malicious Android apps on Google Play were downloaded more than 40 million times between June 2024 and May 2025, notes a report from cloud security company Zscaler.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-android-apps-on-go…
∗∗∗ Security updates: Windows 10 confuses users with a display error about end of support ∗∗∗
---------------------------------------------
Some Windows 10 systems report that they are no longer supported, despite ongoing support or an ESU license. According to Microsoft, this is a bug.
---------------------------------------------
https://www.golem.de/news/sicherheitsupdates-windows-10-verwirrt-nutzer-mit…
∗∗∗ Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly ∗∗∗
---------------------------------------------
Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion.
---------------------------------------------
https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.h…
∗∗∗ Microsoft gives tips on extended support for commercial Windows 10 ∗∗∗
---------------------------------------------
By now it should be well known: Microsoft officially ended support for Windows 10 on 14 October 2025. After much back and forth, private users in the EU get one year of free extended support (Extended Security Updates, ESU) if they sign up for it.
---------------------------------------------
https://www.heise.de/news/Microsoft-gibt-Tipps-fuer-erweiterten-Support-fue…
∗∗∗ Ransomware: Apache OpenOffice denies cyberattack ∗∗∗
---------------------------------------------
The Apache Software Foundation is said to have suffered a cyberattack in the context of OpenOffice, in which criminals copied internal data. At least that is what the Akira ransomware gang claims on its website. Now Apache has stepped in and denies that there was an attack.
---------------------------------------------
https://www.heise.de/news/Cybercrime-Apache-OpenOffice-dementiert-Ransomwar…
∗∗∗ No, Europol & Interpol have not opened an investigation! ∗∗∗
---------------------------------------------
It is one of the classics of online fraud: an e-mail informing you about a recently opened investigation by Europol and/or Interpol. It concerns serious accusations, and all relevant information can be found in an attached document. Such messages pose two dangers at once!
---------------------------------------------
https://www.watchlist-internet.at/news/europol-interpol-ermittlungsverfahre…
∗∗∗ 9 arrested in Europe in operation against fake platforms for crypto investments ∗∗∗
---------------------------------------------
A multinational operation in late October targeted a network that “created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns,” but simply took the money and laundered it, Eurojust said.
---------------------------------------------
https://therecord.media/9-arrested-europe-crypto-platform-takedown
∗∗∗ Norton Crack Midnight Ransomware, Release Free Decryptor ∗∗∗
---------------------------------------------
Norton finds a flaw in the new Midnight ransomware built from Babuk code and releases a free decryptor to help victims recover files without paying a ransom.
---------------------------------------------
https://hackread.com/norton-midnight-ransomware-free-decryptor/
∗∗∗ GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools ∗∗∗
---------------------------------------------
Based on recent analysis of the broader threat landscape, Google Threat Intelligence Group (GTIG) has identified a shift that occurred within the last year: adversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations. This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage…
∗∗∗ Huge investment fraud: 9 Europeans arrested ∗∗∗
---------------------------------------------
Via dozens of cryptocurrency offerings, a European criminal network is said to have taken in more than 600 million euros and laundered them via blockchains. Last week, nine people were arrested at their respective places of residence: in Cologne, Catalonia and on Cyprus.
---------------------------------------------
https://heise.de/-11056948
∗∗∗ Credit card fraud: Searches on three continents ∗∗∗
---------------------------------------------
In a coordinated operation on three continents, investigators have taken action against suspected fraud and money laundering networks, including in Germany. The accused are alleged to have used credit card data of victims from 193 countries to take out more than 19 million subscriptions via professionally run sham websites, the Federal Criminal Police Office (Bundeskriminalamt) said.
---------------------------------------------
https://heise.de/-11057117
∗∗∗ Iran-linked Threat Group Claims Breach of Israeli Defense Contractor’s Security Cameras ∗∗∗
---------------------------------------------
An Iran-linked threat group claims to have accessed the security cameras of an Israeli defense contractor and leaked videos of internal meetings and employees working on defense systems. The threat group – Cyber Toufan – has been posting about the alleged breach of Maya Engineering on its Telegram channels for at least a few weeks, but the group’s claims became public in recent days in an X post and articles on media sites such as Straight Arrow News and Breached Company.
---------------------------------------------
https://thecyberexpress.com/israeli-defense-contractors-breach/
=====================
= Vulnerabilities =
=====================
∗∗∗ Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) ∗∗∗
---------------------------------------------
Summary: Zscaler uncovered a vulnerability in Keras that exposed AI and machine learning environments to file access and network exploitation risks, highlighting the urgent need to secure the AI model supply chain.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/zscaler-discovers-vulnerabi…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9 and gimp), Fedora (chromium, fastapi-cli, fastapi-cloud-cli, gherkin, libnbd, maturin, openapi-python-client, python-annotated-doc, python-cron-converter, python-fastapi, python-inline-snapshot, python-jiter, python-openapi-core, python-platformio, python-pydantic, python-pydantic-core, python-pydantic-extra-types, python-rignore, python-starlette, python-typer, python-typing-inspection, python-uv-build, ruff, rust-astral-tokio-tar, rust-attribute-derive, rust-attribute-derive-macro, rust-collection_literals, rust-get-size-derive2, rust-get-size2, rust-interpolator, rust-jiter, rust-manyhow, rust-manyhow-macros, rust-proc-macro-utils, rust-quote-use, rust-quote-use-macros, rust-regex, rust-regex-automata, rust-reqsign, rust-reqsign-aws-v4, rust-reqsign-command-execute-tokio, rust-reqsign-core, rust-reqsign-file-read-tokio, rust-reqsign-http-send-reqwest, rust-serde_json, rust-speedate, rust-tikv-jemalloc-sys, rust-tikv-jemallocator, and uv), Mageia (golang and libavif), Red Hat (bind9.16, pcs, and qt6-qtsvg), SUSE (colord, ffmpeg, govulncheck-vulndb, jasper, openjpeg, poppler, qatengine, qatlib, runc, sccache, and tiff), and Ubuntu (keystone, libssh, linux-hwe-6.14, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-raspi, runc-app, runc-stable, squid, squid3, and unbound).
---------------------------------------------
https://lwn.net/Articles/1045124/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 03-11-2025 18:00 − Tuesday 04-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake Solidity VSCode extension on Open VSX backdoors developers ∗∗∗
---------------------------------------------
A remote access trojan dubbed SleepyDuck, and disguised as the well-known Solidity extension in the Open VSX open-source registry, uses an Ethereum smart contract to establish a communication channel with the attacker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-solidity-vscode-extensi…
∗∗∗ Ransom negotiators charged: Former cybersecurity employees allegedly hacked companies ∗∗∗
---------------------------------------------
Three former employees of cybersecurity firms appear to have run a highly questionable side business. Ransomware was involved.
---------------------------------------------
https://www.golem.de/news/ex-mitarbeiter-angeklagt-loesegeldverhandler-wohl…
∗∗∗ SesameOp: Novel backdoor uses OpenAI Assistants API for command and control ∗∗∗
---------------------------------------------
Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-bac…
∗∗∗ Apple Patches Everything, Again, (Tue, Nov 4th) ∗∗∗
---------------------------------------------
Apple released its expected set of operating system upgrades. This is a minor feature upgrade that also includes fixes for 110 different vulnerabilities. As usual for Apple, many of the vulnerabilities affect multiple operating systems. None of the vulnerabilities ..
---------------------------------------------
https://isc.sans.edu/diary/Apple+Patches+Everything+Again/32448
∗∗∗ Scattered LAPSUS$ Hunters: Anatomy of a Federated Cybercriminal Brand ∗∗∗
---------------------------------------------
Trustwave SpiderLabs’ Cyber Threat Intelligence team is tracking the recent emergence of what appears to be the consolidation of three well-known threat groups into a “federated alliance” that offers, among its activities, Extortion-as-a-Service (EaaS).
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-l…
∗∗∗ Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks ∗∗∗
---------------------------------------------
Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could be potentially exploited to run malicious operating system (OS) commands under certain ..
---------------------------------------------
https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.ht…
∗∗∗ Europol and Eurojust Dismantle €600 Million Crypto Fraud Network in Global Sweep ∗∗∗
---------------------------------------------
Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million). According to a statement released by Eurojust today, the ..
---------------------------------------------
https://thehackernews.com/2025/11/europol-and-eurojust-dismantle-600.html
∗∗∗ China's president Xi Jinping jokes about backdoors in Xiaomi smartphones ∗∗∗
---------------------------------------------
South Korea's president laughed, so perhaps it was funny? Unlike China's censorship and snooping. Chinese president Xi Jinping has joked that smartphones from Xiaomi might include backdoors.
---------------------------------------------
https://www.theregister.com/2025/11/04/chinas_president_xi_jinping_jokes/
∗∗∗ Russia blocks two-factor SMS for Telegram and WhatsApp ∗∗∗
---------------------------------------------
The Kremlin wants control over information. Blocking SMS messages and phone calls is meant to starve WhatsApp and Telegram.
---------------------------------------------
https://www.heise.de/news/Russland-verhindert-2-Faktor-SMS-fuer-Telegram-un…
∗∗∗ Patchday: critical code-execution vulnerability closed in Android 13, 14, 15, 16 ∗∗∗
---------------------------------------------
Attackers can attack Android devices and, in the worst case, execute malicious code. Security updates provide a remedy.
---------------------------------------------
https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-in-Android-13…
∗∗∗ Refund and expired ID: double phishing wave in the name of FinanzOnline ∗∗∗
---------------------------------------------
An email currently being sent out en masse in the name of FinanzOnline promises a generous VAT refund. Almost 300 euros are supposedly waiting. In reality, the criminals are after online-banking credentials and their victims' money. Alongside this, the classic fake SMS messages warning that FinanzOnline access is about to expire are circulating more frequently.
---------------------------------------------
https://www.watchlist-internet.at/news/mehrwertsteuer-phishing-finanzonline/
∗∗∗ Millions for surveillance systems: EU apparently funded the spyware industry heavily ∗∗∗
---------------------------------------------
In response to a recent report, 39 members of the European Parliament declared themselves "deeply concerned". They now want to examine the awarding of funds to questionable companies.
---------------------------------------------
https://www.derstandard.at/story/3000000294846/millionen-fuer-abhoersysteme…
∗∗∗ Cargo theft gets a boost from hackers using remote monitoring tools ∗∗∗
---------------------------------------------
Cybersecurity researchers have been tracking thieves who are using their deep knowledge of trucking and transportation technology to steal cargo.
---------------------------------------------
https://therecord.media/cargo-theft-hackers-remote-monitoring-tools
∗∗∗ More than $100 million stolen in exploit of Balancer DeFi protocol ∗∗∗
---------------------------------------------
Hackers pilfered millions of dollars worth of cryptocurrency on Monday from the decentralized finance protocol Balancer.
---------------------------------------------
https://therecord.media/crypto-heist-balancer-exploit
∗∗∗ CyberSlop — meet the new threat actor, MIT and Safe Security ∗∗∗
---------------------------------------------
Cybersecurity vendors peddling nonsense isn’t new, but lately we have a new dimension — Generative AI. This has allowed vendors — and educators — to peddle cyberslop for profit.
---------------------------------------------
https://doublepulsar.com/cyberslop-meet-the-new-threat-actor-mit-and-safe-s…
∗∗∗ PHP Cryptomining Campaign: October/November 2025 ∗∗∗
---------------------------------------------
From Aug–Oct 2025, GreyNoise observed a surge in exploitation attempts against PHP and PHP-based frameworks as attackers deployed cryptominers—driven by rising Bitcoin prices and higher mining payoffs.
---------------------------------------------
https://www.greynoise.io/blog/php-cryptomining-campaign
∗∗∗ For decriminalization: BSI head calls for revision of the "hacker paragraph" ∗∗∗
---------------------------------------------
The president of the German Federal Office for Information Security (BSI) has called for changes to the hacker paragraph. Support comes from the opposition.
---------------------------------------------
https://heise.de/-11044176
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dcmtk, geographiclib, gimp, pure-ftpd, and ruby-rack), Fedora (dotnet9.0), Oracle (expat, kernel, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Red Hat (git, mariadb:10.5, multiple packages, osbuild-composer, pcs, sssd, and tigervnc), SUSE (kernel and redis), and Ubuntu (google-guest-agent).
---------------------------------------------
https://lwn.net/Articles/1044949/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 31-10-2025 18:00 − Monday 03-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Open VSX rotates access tokens used in supply-chain malware attack ∗∗∗
---------------------------------------------
The Open VSX registry rotated access tokens after they were accidentally leaked by developers in public repositories and allowed threat actors to publish malicious extensions in an attempted supply-chain attack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/open-vsx-rotates-tokens-used…
∗∗∗ Hackers use RMM tools to breach freighters and steal cargo shipments ∗∗∗
---------------------------------------------
Threat actors are targeting freight brokers and trucking carriers with malicious links and emails to deploy remote monitoring and management tools (RMMs) that enable them to hijack cargo and steal physical goods.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-rmm-tools-to-bre…
∗∗∗ Attacks on the EU: unpatched Windows vulnerability has been exploited for years ∗∗∗
---------------------------------------------
The vulnerability has been known to Microsoft for more than a year. So far, however, the company has refused to provide a patch.
---------------------------------------------
https://www.golem.de/news/attacken-auf-eu-ungepatchte-windows-luecke-wird-s…
∗∗∗ Cyber threat: China could shut down Norway's electric buses at any time ∗∗∗
---------------------------------------------
This is possible because of a SIM card built into the buses, through which OTA updates are obtained. The potential consequences are far-reaching.
---------------------------------------------
https://www.golem.de/news/cyberbedrohung-china-kann-jederzeit-norwegens-ele…
∗∗∗ Warning of attacks on vulnerabilities in VMware and XWiki ∗∗∗
---------------------------------------------
Attackers are abusing vulnerabilities in VMware and XWiki, warns the IT security agency CISA. Updates close the holes.
---------------------------------------------
https://www.heise.de/news/Warnung-vor-Angriffen-auf-Luecken-in-VMware-und-X…
∗∗∗ Monitoring software: vulnerabilities threaten IBM Tivoli Monitoring and Nagios XI ∗∗∗
---------------------------------------------
Attackers can attack IBM Tivoli Monitoring and Nagios XI and manipulate files or even execute malicious code. Security updates are available.
---------------------------------------------
https://www.heise.de/news/Monitoring-Software-IBM-Tivoli-Monitoring-und-Nag…
∗∗∗ Alleged Jabber Zeus Coder ‘MrICQ’ in U.S. Custody ∗∗∗
---------------------------------------------
A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned. Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, ..
---------------------------------------------
https://krebsonsecurity.com/2025/11/alleged-jabber-zeus-coder-mricq-in-u-s-…
∗∗∗ Who gives away a Porsche?! Data theft instead of charity ∗∗∗
---------------------------------------------
Using fake profiles on social media, criminals lure their victims. They direct them to a website where a supposed prize draw for a Porsche awaits. Anyone who wants to take part has to submit (very personal) information. There is no direct threat to the bank account, but the stolen data is used in later scams.
---------------------------------------------
https://www.watchlist-internet.at/news/porsche-zu-verschenken/
∗∗∗ Political cyberattack at the University of Pennsylvania targets "woke" students ∗∗∗
---------------------------------------------
Among other targets, the hackers attacked a group that campaigns against taking ethnicity into account in the admissions process.
---------------------------------------------
https://www.derstandard.at/story/3000000294635/politischer-cyberangriff-an-…
∗∗∗ Scam: warning about supposed FinanzOnline messages ∗∗∗
---------------------------------------------
A victim in Upper Austria was cheated out of half a million euros.
---------------------------------------------
https://www.derstandard.at/story/3000000294680/betrugsmasche-warnung-vor-ve…
∗∗∗ Ernst & Young (EY): 4 TB DB backup found on the internet ∗∗∗
---------------------------------------------
A small addendum from last week. Ernst & Young (EY for short) has presumably suffered a veritable data-protection and security incident. Security researchers came across on the internet a backup file for a ..
---------------------------------------------
https://www.borncity.com/blog/2025/11/03/ernst-young-ey-4tb-db-backup-im-in…
∗∗∗ North Korean Hackers Caught on Video Using AI Filters in Fake Job Interviews ∗∗∗
---------------------------------------------
North Korean hackers from the Famous Chollima group used AI deepfakes and stolen identities in fake job interviews to infiltrate crypto and Web3 companies.
---------------------------------------------
https://hackread.com/north-korean-hackers-video-ai-filter-fake-job-intervie…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ilevia EVE X1/X5 Server 4.7.18.0.eden Default Credentials ∗∗∗
---------------------------------------------
The EVE X1 server uses a weak set of default administrative credentials that can be found and used to gain full control of the system.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5963.php
∗∗∗ Normal Drupal core security window rescheduled for November 12, 2025 due to DrupalCon - PSA-2025-11-03 ∗∗∗
---------------------------------------------
The upcoming Drupal core security release window has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC. Schedule change for back-to-back DrupalCons: This schedule change is due to DrupalCons Vienna and Nara overlapping the October and November core security windows. We do not schedule core security windows ..
---------------------------------------------
https://www.drupal.org/psa-2025-11-03
∗∗∗ HashiCorp Consul <= 1.21.5 Event Denial of Service (CVE-2025-11375) ∗∗∗
---------------------------------------------
ADVISORY INFORMATION: Product: HashiCorp Consul; Vendor URL: https://developer.hashicorp.com/consul; CWE: Memory Allocation with Excessive Size Value [CWE-789]; Date found: 2025-09-19; Date published: 2025-11-02; CVSSv4 Score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N); CVE: CVE-2025-11375. VERSIONS AFFECTED: Consul Community Edition <= 1.21.5; Consul Enterprise <= 1.21.5, 1.20.7, 1.19.9 and 1.18.11. INTRODUCTION: Consul is a service networking solution that enables teams to
---------------------------------------------
https://www.rcesecurity.com/2025/11/hashicorp-consul-1-21-5-event-denial-of…
∗∗∗ HashiCorp Consul <= 1.21.5 KVS Denial of Service (CVE-2025-11374) ∗∗∗
---------------------------------------------
ADVISORY INFORMATION: Product: HashiCorp Consul; Vendor URL: https://developer.hashicorp.com/consul; CWE: Memory Allocation with Excessive Size Value [CWE-789]; Date found: 2025-09-19; Date published: 2025-11-02; CVSSv4 Score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N); CVE: CVE-2025-11374. VERSIONS AFFECTED: Consul Community Edition <= 1.21.5; Consul Enterprise <= 1.21.5, 1.20.7, 1.19.9 and 1.18.11. INTRODUCTION: Consul is a service networking solution that enables teams to
---------------------------------------------
https://www.rcesecurity.com/2025/11/hashicorp-consul-1-21-5-kvs-denial-of-s…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 30-10-2025 18:00 − Friday 31-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.
---------------------------------------------
https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html
∗∗∗ Windows zero-day actively exploited to spy on European diplomats ∗∗∗
---------------------------------------------
A China-linked hacking group is exploiting a Windows zero-day in attacks targeting European diplomats in Hungary, Belgium, and other European nations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chinese-hackers-exploit-wind…
∗∗∗ Russian Ransomware Gangs Weaponize Open-Source AdaptixC2 for Advanced Attacks ∗∗∗
---------------------------------------------
The open-source command-and-control (C2) framework known as AdaptixC2 is being used by a growing number of threat actors, some of whom are related to Russian ransomware gangs. AdaptixC2 is an emerging extensible post-exploitation and adversarial emulation framework designed for penetration testing.
---------------------------------------------
https://thehackernews.com/2025/10/russian-ransomware-gangs-weaponize-open.h…
∗∗∗ Massive surge of NFC relay malware steals Europeans’ credit cards ∗∗∗
---------------------------------------------
Near-Field Communication (NFC) relay malware has grown massively popular in Eastern Europe, with researchers discovering over 760 malicious Android apps using the technique to steal people's payment card information in the past few months.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massive-surge-of-nfc-relay-m…
∗∗∗ China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems ∗∗∗
---------------------------------------------
The exploitation of a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager has been attributed to a cyber espionage group known as Tick. The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program.
---------------------------------------------
https://thehackernews.com/2025/10/china-linked-tick-group-exploits.html
∗∗∗ Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack ∗∗∗
---------------------------------------------
A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack. Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker CL-STA-1009, where "CL" stands for cluster and "STA" refers to state-backed motivation.
---------------------------------------------
https://thehackernews.com/2025/10/nation-state-hackers-deploy-new.html
∗∗∗ Proton trains new service to expose corporate infosec cover-ups ∗∗∗
---------------------------------------------
Service will tell on compromised organizations, even if they didn't plan on doing so themselves. Some orgs would rather you not know when they've suffered a cyberattack, but a new platform from privacy-focused tech firm Proton will shine a light on the big breaches that might otherwise stay buried.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/10/30/proton_data_…
∗∗∗ Open VSX: Eclipse Foundation draws conclusions from GlassWorm attack ∗∗∗
---------------------------------------------
The Eclipse Foundation has worked through its recent security incident involving Open VSX, the open-source marketplace for VS Code extensions. In recent weeks it had become known that access tokens had accidentally ended up in public repositories. Some of them were misused to smuggle in manipulated extensions.
---------------------------------------------
https://www.heise.de/news/Open-VSX-Eclipse-Foundation-zieht-Konsequenzen-au…
∗∗∗ Hacking India’s largest automaker: Tata Motors ∗∗∗
---------------------------------------------
If you are in the US and ask your friends and family if they have heard of “Tata Motors”, they would likely say no. However, if you go overseas, Tata Motors and the Tata Group in general are a massive, well-known conglomerate. Back in 2023, I took my hacking adventures overseas and found many vulnerabilities with Tata Motors. This post covers 4 of the most impactful findings I discovered that I am finally ready to share today. Let’s dive in!
---------------------------------------------
https://eaton-works.com/2025/10/28/tata-motors-hack/
∗∗∗ Hacktivist ICS Attacks Target Canadian Critical Infrastructure ∗∗∗
---------------------------------------------
Canadian cybersecurity officials are warning that hacktivists are increasingly targeting critical infrastructure in the country. In an October 29 alert, the Canadian Centre for Cyber Security described three recent attacks on internet-accessible industrial control systems (ICS).
---------------------------------------------
https://thecyberexpress.com/hacktivist-ics-attacks-canada/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, java-17-openjdk, libtiff, redis, and redis:6), Debian (chromium, mediawiki, pypy3, and squid), Fedora (openbao), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, chromium, chrony, expat, haproxy, himmelblau, ImageMagick, iputils, kernel, libssh, libxslt, openssl-3, podman, strongswan, xorg-x11-server, and xwayland), and Ubuntu (kernel, libxml2, libyaml-syck-perl, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-fips, linux-aws-fips, linux-gcp-fips, linux-kvm, and netty).
---------------------------------------------
https://lwn.net/Articles/1044380/
∗∗∗ ZDI-25-983: evernote-mcp-server openBrowser Command Injection Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-983/
∗∗∗ ZDI-25-982: oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-982/
∗∗∗ ZDI-25-980: Heimdall Data Database Proxy Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-980/
∗∗∗ ZDI-25-979: Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-979/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 29-10-2025 18:00 − Thursday 30-10-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ No fix available: billions of web browsers can be crashed in seconds ∗∗∗
---------------------------------------------
A so far unpatched vulnerability affects users of Chromium-based browsers. The software can be crashed within seconds.
---------------------------------------------
https://www.golem.de/news/kein-fix-verfuegbar-milliarden-von-webbrowsern-la…
∗∗∗ GIMP: manipulated images can smuggle in malicious code ∗∗∗
---------------------------------------------
GIMP version 3.0.6 closes several high-risk vulnerabilities. Attackers can inject malware using crafted images.
---------------------------------------------
https://www.heise.de/news/Bildbarbeitung-GIMP-Version-3-0-6-schliesst-Codes…
∗∗∗ Vulnerability: MOVEit Transfer is susceptible to attacks ∗∗∗
---------------------------------------------
A patch closes a vulnerability in the file transfer software MOVEit Transfer.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecke-Angreifer-koennen-Dienst-von-MO…
∗∗∗ USA: sales ban on TP-Link routers becoming ever more likely ∗∗∗
---------------------------------------------
The US Department of Commerce is proposing a sales ban on TP-Link routers. Several federal agencies see a security risk due to connections to China.
---------------------------------------------
https://www.heise.de/news/USA-Verkaufsverbot-fuer-TP-Link-Router-wird-immer…
∗∗∗ Security awareness: four pillars for staying safe online ∗∗∗
---------------------------------------------
When it comes to being security aware, there are seemingly endless things you need to consider. Here are four key areas you as a user can focus on to keep yourself secure.
---------------------------------------------
https://www.pentestpartners.com/security-blog/security-awareness-four-pilla…
∗∗∗ #5TageGegenDeepfakes: criminals use deepfakes of celebrities for investment scams ∗∗∗
---------------------------------------------
Some celebrities enjoy a high degree of trust because of their personality. Criminals exploit this and create deepfakes of the celebrities to have them promote fraudulent investments.
---------------------------------------------
https://www.watchlist-internet.at/news/5tagegegendeepfakes-kriminelle-nutze…
∗∗∗ Former Trenchant exec pleads guilty to selling cyber exploits to Russian broker ∗∗∗
---------------------------------------------
The former executive sold the trade secrets to a Russian cyber-tools broker that “publicly advertises itself as a reseller of cyber exploits to various customers, including the Russian government,” according to the Department of Justice.
---------------------------------------------
https://therecord.media/trenchant-exec-pleads-guilty-russia-secrets
∗∗∗ Cyber info sharing ‘holding steady’ despite lapse in CISA 2015, official says ∗∗∗
---------------------------------------------
The comments come roughly a month after the expiration of the 2015 Cybersecurity Information Sharing Act, which incentivized private entities to share threat data with the government with antitrust and liability safeguards.
---------------------------------------------
https://therecord.media/cyber-info-sharing-holding-steady-official-says
∗∗∗ Russian Hackers Exploit Adaptix Pentesting Tool in Ransomware Attacks ∗∗∗
---------------------------------------------
Silent Push warns of Russian hackers exploiting Adaptix, a pentesting tool built for Windows, Linux, and macOS, in ransomware campaigns.
---------------------------------------------
https://hackread.com/russian-hackers-adaptix-pentest-ransomware/
∗∗∗ New Guidance Released on Microsoft Exchange Server Security Best Practices ∗∗∗
---------------------------------------------
Today, CISA, in partnership with the National Security Agency and international cybersecurity partners, released Microsoft Exchange Server Security Best Practices, a guide to help network defenders harden on-premises Exchange servers against exploitation .. at high risk of compromise. Best practices in this guide focus on hardening user
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/30/new-guidance-released-mi…
∗∗∗ Learnings from recent npm supply chain compromises ∗∗∗
---------------------------------------------
A look at recent npm supply chain compromises and how we can learn from them to better prepare for future incidents.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/learnings-from-recent-npm-compr…
∗∗∗ Vulnerabilities in LUKS2 disk encryption for confidential VMs ∗∗∗
---------------------------------------------
Trail of Bits is disclosing vulnerabilities in eight different confidential computing systems that use Linux Unified Key Setup version 2 (LUKS2) for disk encryption. Using these vulnerabilities, a malicious actor with access to storage disks can extract all confidential data stored on that disk and can modify the contents of the disk arbitrarily. The vulnerabilities are caused by malleable metadata headers that allow an attacker to trick a trusted execution environment guest into encrypting ..
---------------------------------------------
https://blog.trailofbits.com/2025/10/30/vulnerabilities-in-luks2-disk-encry…
=====================
= Vulnerabilities =
=====================
∗∗∗ SVD-2025-1011: Third-Party Package Updates in Splunk Operator for Kubernetes Add-on - October 2025 ∗∗∗
---------------------------------------------
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Operator for Kubernetes Add-on version 3.0.0 and higher.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-1011
∗∗∗ SVD-2025-1010: Third-Party Package Updates in Splunk AppDynamics Analytics Agent - October 2025 ∗∗∗
---------------------------------------------
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Analytics Agent version 25.7.0 and higher.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-1010
∗∗∗ SVD-2025-1009: Third-Party Package Updates in Splunk AppDynamics Private Synthetic Agent - October 2025 ∗∗∗
---------------------------------------------
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Private Synthetic Agent version 25.7.0 and higher.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-1009
∗∗∗ SVD-2025-1008: Third-Party Package Updates in Splunk AppDynamics Machine Agent - October 2025 ∗∗∗
---------------------------------------------
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Machine Agent version 25.7.0 and higher.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-1008
∗∗∗ Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-114
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 28-10-2025 18:00 − Wednesday 29-10-2025 18:00
Handler: Alexander Riepl
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ How typosquatting tricked me (a bit) ∗∗∗
---------------------------------------------
Typosquatting is a popular method using similarly looking names to draw people into malicious content – such as phishing websites or fake software packages. It leverages our “brain optimization” that matches what we see with what we already know – even if it’s not exactly the same. I haven’t installed any shady software, but it’s still a good example of how easily our brain could be used against us by utilizing our biases.
---------------------------------------------
https://www.cert.at/en/blog/2025/10/how-typosquatting-tricked-me-a-bit
∗∗∗ Qilin ransomware abuses WSL to run Linux encryptors in Windows ∗∗∗
---------------------------------------------
The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qilin-ransomware-abuses-wsl-…
∗∗∗ Collins Aerospace: weak passwords allowed messages to be sent to cockpits ∗∗∗
---------------------------------------------
Due to inadequate access protection at Collins Aerospace, messages could be sent to aircraft cockpits.
---------------------------------------------
https://www.heise.de/news/Collins-Aerospace-Mangelhafte-Passwoerter-ermoegl…
∗∗∗ Aisuru Botnet Shifts from DDoS to Residential Proxies ∗∗∗
---------------------------------------------
Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.
---------------------------------------------
https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-resid…
∗∗∗ HTTPS by default ∗∗∗
---------------------------------------------
One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secure Connections”. This means Chrome will ask for the user's permission before the first access to any public site without HTTPS.
---------------------------------------------
http://security.googleblog.com/2025/10/https-by-default.html
∗∗∗ Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated October 28) ∗∗∗
---------------------------------------------
On Oct. 14, 2025, a critical, unauthenticated remote code execution (RCE) vulnerability was identified in Microsoft's Windows Server Update Services (WSUS), a core enterprise component for patch management. Microsoft's initial patch during the October Patch Tuesday did not fully address the flaw, necessitating an emergency out-of-band security update released Oct. 23, 2025. Within hours of the emergency update, Unit 42 and other security researchers observed active exploitation in the wild. The combination of a remotely exploitable, unauthenticated RCE in a core infrastructure service, coupled with observed active exploitation in the wild, represents a severe and time-sensitive risk.
---------------------------------------------
https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
∗∗∗ Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack ∗∗∗
---------------------------------------------
We have discovered a new Windows-based malware family we've named Airstalk, which is available in both PowerShell and .NET variants. We assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack. We have created the threat activity cluster CL-STA-1009 to identify and track any further related activity.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airsta…
∗∗∗ Cybersecurity on a budget: Strategies for an economic downturn ∗∗∗
---------------------------------------------
This blog offers practical strategies, creative defenses, and talent management advice to help your business stay secure when every dollar counts.
---------------------------------------------
https://blog.talosintelligence.com/cybersecurity-on-a-budget-strategies-for…
∗∗∗ Hackers Hijack Corporate XWiki Servers for Crypto Mining ∗∗∗
---------------------------------------------
Hackers exploit critical XWiki flaw CVE-2025-24893 to hijack corporate servers for cryptomining, with active attacks confirmed by VulnCheck researchers.
---------------------------------------------
https://hackread.com/hackers-hijack-xwiki-servers-crypto-mining/
∗∗∗ iOS: Security researchers warn about the third-party app store "Flekst0re" ∗∗∗
---------------------------------------------
Apple must allow competitors to the iOS App Store in the EU. Flekst0re is one of these offerings, but it takes unusual paths to get there. That opens up security holes.
---------------------------------------------
https://heise.de/-10961981
∗∗∗ What We Talk About When We Talk About Sideloading ∗∗∗
---------------------------------------------
We recently published a blog post with our reaction to the new Google Developer Program and how it impacts your freedom to use the devices that you own in the ways that you want. The post garnered quite a lot of feedback and interest from the community and press, as well as various civil society groups and regulatory agencies.
---------------------------------------------
https://f-droid.org/2025/10/28/sideloading.html
=====================
= Vulnerabilities =
=====================
∗∗∗ BSI warns of Bind vulnerability: data on countless DNS servers can be manipulated ∗∗∗
---------------------------------------------
A dangerous security vulnerability in the widely used DNS software Bind allows attackers to manipulate DNS records through so-called cache poisoning. The German Federal Office for Information Security (BSI) has issued a warning stating that a proof of concept (PoC) for exploiting the vulnerability is now circulating online. Admins should act quickly.
---------------------------------------------
https://www.golem.de/news/exploit-code-verfuegbar-dns-eintraege-unzaehliger…
∗∗∗ Vulnerabilities endanger systems running IBM's security solutions Concert and QRadar SIEM ∗∗∗
---------------------------------------------
Attackers can exploit several security vulnerabilities in IBM Concert and QRadar SIEM. Patches are available.
---------------------------------------------
https://www.heise.de/news/Luecken-gefaehrden-Systeme-mit-IBMs-Sicherheitslo…
∗∗∗ Patch now! Attacks on DELMIA Apriso observed ∗∗∗
---------------------------------------------
The manufacturing management tool DELMIA Apriso is currently being targeted by attackers. Security patches have been available for download since the summer of this year.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-DELMIA-Apriso-beobacht…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gimp, python-authlib, and xorg-server), Fedora (chromium and git-lfs), Mageia (poppler and tomcat), Red Hat (kernel, kernel-rt, redis, and redis:6), SUSE (fetchmail, grafana, ImageMagick, kernel-devel, libluajit-5_1-2, proxy-helm, python-Authlib, and xen), and Ubuntu (linux-intel-iotg, linux-intel-iotg-5.15 and squid, squid3).
---------------------------------------------
https://lwn.net/Articles/1043983/
∗∗∗ Unprotected NFC card manipulation leads to free top-ups in GiroWeb Cashless Catering Solutions on outdated customer infrastructure ∗∗∗
---------------------------------------------
When the GiroWeb Cashless Catering solution is used with older NFC cards, the stored card balance can be modified without backend verification. This behaviour occurs because the balance value is stored exclusively on the card. The vendor has stated that this behaviour is related to the design of the specific NFC card type and therefore does not constitute a vulnerability in the payment solution itself, but is attributable to the insecure cards used by its customers in older environments.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/ungeschuetzte-nfc-kar…
∗∗∗ ZDI-25-977: Delta Electronics ASDA-Soft PAR File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-977/
∗∗∗ ZDI-25-975: X.Org Server XkbSetCompatMap Numeric Truncation Error Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-975/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 27-10-2025 18:00 − Tuesday 28-10-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Google disputes false claims of massive Gmail data breach ∗∗∗
---------------------------------------------
Google was once again forced to announce that it had not suffered a data breach after numerous news outlets published sensational stories about a fake breach that purportedly exposed 183 million accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-disputes-false-claims…
∗∗∗ Millions of Gmail passwords stolen: is yours among them? ∗∗∗
---------------------------------------------
According to cybersecurity expert Troy Hunt, who uncovered the data leak, 3.5 terabytes of data could be affected.
---------------------------------------------
https://futurezone.at/digital-life/gmail-passwoerter-datenleak-pwned-cybers…
∗∗∗ Ransomware: fewer and fewer companies pay hackers a ransom ∗∗∗
---------------------------------------------
The profitability of ransomware attacks is falling. Not only are fewer and fewer victims paying the ransom, the size of the payments has also dropped sharply recently.
---------------------------------------------
https://www.golem.de/news/ransomware-immer-weniger-unternehmen-zahlen-hacke…
∗∗∗ Admin access hijacked: inmate hacks prison IT and makes fellow inmates rich ∗∗∗
---------------------------------------------
It all came to light because the inmates could not keep their greed in check. A sum in the millions in an inmate's account is somewhat conspicuous after all.
---------------------------------------------
https://www.golem.de/news/admin-zugang-gekapert-insasse-hackt-gefaengnis-it…
∗∗∗ Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs ∗∗∗
---------------------------------------------
Kaspersky GReAT experts dive deep into the BlueNoroff APT's GhostCall and GhostHire campaigns. Extensive research detailing multiple malware chains targeting macOS, including a stealer suite, fake Zoom and Microsoft Teams clients and ChatGPT-enhanced images.
---------------------------------------------
https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117…
∗∗∗ BSI: checklist for dealing with compromised accounts ∗∗∗
---------------------------------------------
The German Federal Office for Information Security (BSI), together with the police crime prevention programme (ProPK), has published a checklist intended to help private users when their accounts have been taken over by criminals.
---------------------------------------------
https://www.heise.de/news/BSI-Checkliste-fuer-Vorgehen-bei-geknackten-Konte…
∗∗∗ Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild ∗∗∗
---------------------------------------------
On Oct. 14, 2025, a critical, unauthenticated remote code execution (RCE) vulnerability was identified in Microsoft's Windows Server Update Services (WSUS), a core enterprise component for patch management. Microsoft's initial patch during the October Patch Tuesday did not fully address the flaw, necessitating an emergency out-of-band security update released Oct. 23, 2025. Within hours of the emergency update, Unit 42 and other security researchers observed active exploitation in the wild.
---------------------------------------------
https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
∗∗∗ US declines to join more than 70 countries in signing UN cybercrime treaty ∗∗∗
---------------------------------------------
More than 70 countries signed the landmark UN Convention against Cybercrime in Hanoi this weekend, a significant step in the yearslong effort to create a global mechanism to counteract digital crime.
---------------------------------------------
https://therecord.media/us-declines-signing-cybercrime-treaty
∗∗∗ Rising cyber attacks on the manufacturing industry ∗∗∗
---------------------------------------------
The manufacturing industry is apparently coming increasingly into the sights of cybercriminals. Check Point Research notes rising numbers of attacks. Executives should engage with this trend, because cyber security is no longer an exclusive topic to be left to the IT department.
---------------------------------------------
https://www.borncity.com/blog/2025/10/28/steigende-cyber-attacken-auf-die-f…
∗∗∗ Vulnerability Management – Process Perspective ∗∗∗
---------------------------------------------
In this post, we dive deeper into the HOW of vulnerability management. This post is dedicated to the processes to provide a comprehensive overview.
---------------------------------------------
https://blog.nviso.eu/2025/10/28/vulnerability-management-process-perspecti…
∗∗∗ Keys to the Kingdom: A Defender's Guide to Privileged Account Monitoring ∗∗∗
---------------------------------------------
Privileged access stands as the most critical pathway for adversaries seeking to compromise sensitive systems and data. Its protection is not only a best practice, it is a fundamental imperative for organizational resilience.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/privileged-account…
∗∗∗ Friends don’t let friends reuse IVs ∗∗∗
---------------------------------------------
If you’ve encountered cryptography software, you’ve probably heard the advice to never use an IV (initial value) twice—in fact, that’s where the other common name for that concept, nonce (number used once), comes from. Depending on the cryptography involved, a reused nonce can reveal encrypted messages, or even leak your secret key! But common knowledge may not cover every possible way to accidentally reuse nonces. Sometimes, the techniques that are supposed to prevent nonce reuse have subtle flaws.
---------------------------------------------
https://blog.trailofbits.com/2024/09/13/friends-dont-let-friends-reuse-nonc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Docker Desktop: Windows installer vulnerable to execution of malicious code ∗∗∗
---------------------------------------------
The Docker Desktop Windows installer can be tricked into loading malicious DLLs. The developers are countering this with an updated software version.
---------------------------------------------
https://www.heise.de/news/Docker-Desktop-Windows-Installer-fuer-Ausfuehrung…
∗∗∗ Proxmox Backup Server: attackers can destroy backup snapshots ∗∗∗
---------------------------------------------
The developers of the backup solution Proxmox Backup Server have closed security vulnerabilities. So far there are no reports of attacks.
---------------------------------------------
https://www.heise.de/news/Proxmon-Backup-Server-Angreifer-koennen-Backup-Sn…
∗∗∗ 100,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Anti-Malware Security and Brute-Force Firewall WordPress Plugin ∗∗∗
---------------------------------------------
On October 3rd, 2025, we received a submission for an Arbitrary File Read vulnerability in Anti-Malware Security and Brute-Force Firewall, a WordPress plugin with more than 100,000 active installations.
---------------------------------------------
https://www.wordfence.com/blog/2025/10/100000-wordpress-sites-affected-by-a…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, libtiff, squid:4, and thunderbird), Debian (strongswan and webkit2gtk), Fedora (pcre2, qt5-qtbase, squid, unbound, and xen), Mageia (icu and libtpms), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, squid:4, and thunderbird), Red Hat (libtiff, squid, squid:4, and webkit2gtk3), SUSE (cmake, dracut-saltboot, erlang, exim, expat, ffmpeg-4, firefox, golang-github-prometheus-alertmanager, haproxy, java-11-openjdk, kernel, libxslt, multi-linux-manager, openssl-3, podman, rabbitmq-server, spacewalk-web, strongswan, and wireshark), and Ubuntu (gst-plugins-good1.0, linux-aws-5.15, radare2, ruby2.3, ruby2.5, ruby2.7, and strongswan).
---------------------------------------------
https://lwn.net/Articles/1043776/
∗∗∗ Security Vulnerabilities fixed in Firefox 144.0.2, High impact ∗∗∗
---------------------------------------------
Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-86/
∗∗∗ "ChatGPT Tainted Memories" Exploit Enables Command Injection in Atlas Browser ∗∗∗
---------------------------------------------
LayerX Security found a flaw in OpenAI’s ChatGPT Atlas browser that lets attackers inject commands into its memory, posing major security and phishing risks.
---------------------------------------------
https://hackread.com/chatgpt-tainted-memories-atlas-browser/
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released three Industrial Control Systems (ICS) Advisories: ICSA-25-301-01 Schneider Electric EcoStruxure, ICSMA-25-301-01 Vertikal Systems Hospital Manager Backend Services and ICSA-24-352-04 Schneider Electric Modicon (Update B).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/28/cisa-releases-three-indu…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 24-10-2025 18:00 − Monday 27-10-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New CoPhish attack steals OAuth tokens via Copilot Studio agents ∗∗∗
---------------------------------------------
A new phishing technique dubbed CoPhish weaponizes Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via legitimate and trusted Microsoft domains.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-cophish-attack-steals-oa…
∗∗∗ Hackers steal Discord accounts with RedTiger-based infostealer ∗∗∗
---------------------------------------------
Attackers are using the open-source red-team tool RedTiger to build an infostealer that collects Discord account data and payment information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-discord-accoun…
∗∗∗ Patch urgently: hackers attack Windows servers via critical WSUS vulnerability ∗∗∗
---------------------------------------------
Among other things, attackers can inject manipulated Windows updates and have them distributed to clients. Admins should act quickly.
---------------------------------------------
https://www.golem.de/news/dringend-patchen-windows-server-werden-ueber-wsus…
∗∗∗ Mem3nt0 mori – The Hacking Team is back! ∗∗∗
---------------------------------------------
Kaspersky researchers discovered previously unidentified commercial Dante spyware developed by Memento Labs (formerly Hacking Team) and linked it to the ForumTroll APT attacks.
---------------------------------------------
https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
∗∗∗ North Korea Has Stolen Billions in Cryptocurrency and Tech Firm Salaries, Report Says ∗∗∗
---------------------------------------------
The Associated Press reports that "North Korean hackers have pilfered billions of dollars" by breaking into cryptocurrency exchanges and by creating fake identities to get remote tech jobs at foreign companies — all orchestrated by the North Korean government to finance R&D on nuclear arms. That's according to a new 138-page report by a group watching ..
---------------------------------------------
https://yro.slashdot.org/story/25/10/25/1246241/north-korea-has-stolen-bill…
∗∗∗ ChatGPT Atlas Browser Can Be Tricked by Fake URLs into Executing Hidden Commands ∗∗∗
---------------------------------------------
The newly released OpenAI Atlas web browser has been found to be susceptible to a prompt injection attack where its omnibox can be jailbroken by disguising a malicious prompt as a seemingly harmless URL to ..
---------------------------------------------
https://thehackernews.com/2025/10/chatgpt-atlas-browser-can-be-tricked-by.h…
∗∗∗ Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack ∗∗∗
---------------------------------------------
The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in ..
---------------------------------------------
https://thehackernews.com/2025/10/qilin-ransomware-combines-linux-payload.h…
∗∗∗ X says passkey reset isn't about a security issue – it's to finally kill off twitter.com ∗∗∗
---------------------------------------------
Social media site dispatches crucial clarification days after curious announcement. X (formerly Twitter) sparked security concerns over the weekend when it announced users must re-enroll their security keys by November 10 or face account lockouts — without initially explaining why.
---------------------------------------------
https://www.theregister.com/2025/10/27/x_passkey_reset/
∗∗∗ Collins Aerospace: old passwords and delayed response enabled data theft ∗∗∗
---------------------------------------------
New details on the cyberattack on Collins Aerospace: old passwords enabled data theft, millions of passenger records probably affected – more than just ransomware.
---------------------------------------------
https://www.heise.de/news/Collins-Aerospace-Alte-Passwoerter-und-verzoegert…
∗∗∗ Ubiquiti UniFi Access: attackers can gain unauthorised access ∗∗∗
---------------------------------------------
Ubiquiti's UniFi Door Access contains a critical security vulnerability that allows attackers unauthorised access.
---------------------------------------------
https://www.heise.de/news/Ubiquiti-UniFi-Access-Angreifer-koennen-sich-unbe…
∗∗∗ Attackers can bypass authentication in Dell Storage Manager ∗∗∗
---------------------------------------------
In a current version of Dell's Storage Manager, the developers have closed three security vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Angreifer-koennen-Authentifizierung-bei-Dell-Stor…
∗∗∗ Schneider Electric victim of the Oracle E-Business Suite 0-day vulnerability CVE-2025-61882 ∗∗∗
---------------------------------------------
Users of Oracle E-Business Suite (EBS) have been successfully attacked since July 2025 via the 0-day vulnerability CVE-2025-61882, which was only patched on 4 October 2025. The names of victims are now becoming known. For instance, ..
---------------------------------------------
https://www.borncity.com/blog/2025/10/24/oracle-e-business-suite-0-day-schw…
∗∗∗ Distribution of Rhadamanthys Malware Disguised as a Game Developed with Ren’Py ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Infostealer malware Rhadamanthys is being distributed disguised as a game created with RenPy. RenPy is a game development tool based on Python that allows users to easily ..
---------------------------------------------
https://asec.ahnlab.com/en/90767/
∗∗∗ Uncovering Qilin attack methods exposed through multiple cases ∗∗∗
---------------------------------------------
Cisco Talos investigated the Qilin ransomware group, uncovering its frequent attacks on the manufacturing sector, use of legitimate tools for credential theft and data exfiltration, and sophisticated methods for lateral movement, evasion, and persistence.
---------------------------------------------
https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Unauthenticated Local File Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/unauthenticated-local-fi…
∗∗∗ Potential Security Impact of ASP.NET Vulnerability on NetBak PC Agent ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-44