=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-09-2025 18:00 − Thursday 18-09-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks ∗∗∗
---------------------------------------------
The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billi…
∗∗∗ SystemBC malware turns infected VPS systems into proxy highway ∗∗∗
---------------------------------------------
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. Compromised servers are located all over the world and have at least one unpatched critical vulnerability, some of them being plagued by tens of security issues.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/systembc-malware-turns-infec…
∗∗∗ Microsoft: Hackers could apparently hijack arbitrary Entra ID tenants ∗∗∗
---------------------------------------------
Security researcher Dirk-Jan Mollema has discovered a dangerous vulnerability in Microsoft Entra ID, the cloud-based identity and access management platform used by many companies. As the researcher describes in a blog post, it allowed him to compromise practically every Entra ID tenant worldwide, with the exception of national cloud deployments, which he was unable to test only because he lacked access to them.
---------------------------------------------
https://www.golem.de/news/microsoft-hacker-konnten-wohl-beliebige-entra-id-…
∗∗∗ SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems.
---------------------------------------------
https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html
∗∗∗ CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.
---------------------------------------------
https://thehackernews.com/2025/09/countloader-broadens-russian-ransomware.h…
∗∗∗ Phishing emails purporting to come from Statistik Austria in circulation ∗∗∗
---------------------------------------------
A phishing email is currently circulating that claims to originate from Statistik Austria. The message asks companies to submit sensitive financial and business data (e.g. lists of foreign business partners, amounts, payment deadlines). It must be assumed that the data could be misused for fraudulent payment demands sent to business partners.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-mails-im-namen-der-statisti…
∗∗∗ What We Know About the NPM Supply Chain Attack ∗∗∗
---------------------------------------------
On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html
∗∗∗ New Raven Stealer Malware Hits Browsers for Passwords and Payment Data ∗∗∗
---------------------------------------------
New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it’s a growing risk for everyday users.
---------------------------------------------
https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/
∗∗∗ Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams ∗∗∗
---------------------------------------------
Cybersecurity firm Infoblox says it has discovered “Vane Viper,” a massive online ad network that posed as a legitimate business while running global scams and spreading malware. Linked to previously reported PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date.
---------------------------------------------
https://hackread.com/vane-viper-malvertising-adtech-global-scams/
=====================
= Vulnerabilities =
=====================
∗∗∗ Emergency patch: Actively exploited Chrome vulnerability endangers countless users ∗∗∗
---------------------------------------------
Google has released an emergency patch for its widely used Chrome web browser, closing several dangerous security vulnerabilities at once. One of them is already being actively exploited, as the release notes show. Users should therefore update the browser promptly to protect themselves against possible attacks. Chrome versions for Windows, Mac and Linux are affected.
---------------------------------------------
https://www.golem.de/news/notfallpatch-aktiv-ausgenutzte-chrome-luecke-gefa…
∗∗∗ Vulnerabilities threaten HPE Aruba Networking EdgeConnect SD-WAN ∗∗∗
---------------------------------------------
Attackers can target wide area networks (WAN) built on HPE Aruba Networking EdgeConnect SD-WAN. The developers have recently closed several security vulnerabilities. After successful attacks, attackers can, among other things, bypass security restrictions or even execute malicious code to fully compromise systems.
---------------------------------------------
https://www.heise.de/news/Schwachstellen-bedrohen-HPE-Aruba-Networking-Edge…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, linux-gcp-6.14, linux-oracle, and linux-oracle-6.14).
---------------------------------------------
https://lwn.net/Articles/1038638/
∗∗∗ Open-Source Tool Greenshot Hit by Severe Code Execution Vulnerability ∗∗∗
---------------------------------------------
A security vulnerability has been discovered in Greenshot, the widely used open-source screenshot tool for Windows. The Greenshot vulnerability exposes users to the risk of arbitrary code execution, potentially allowing attackers to bypass established security protocols and launch further malicious activities. A proof-of-concept (PoC) exploit has already been released, drawing attention to the critical nature of the vulnerability.
---------------------------------------------
https://thecyberexpress.com/greenshot-vulnerability/
∗∗∗ ENCS testers help resolve critical vulnerabilities in solar inverters ∗∗∗
---------------------------------------------
ENCS cybersecurity testers uncovered several vulnerabilities in consumer solar inverters widely used in Europe, as part of the work on consumer IoT equipment. We reported these to the Dutch Institute for Vulnerability Disclosure (DIVD) CSIRT to start a responsible vulnerability disclosure process. Six vulnerabilities have now been resolved by the manufacturers.
---------------------------------------------
https://encs.eu/news/encs-testers-help-resolve-critical-vulnerabilities-in-…
∗∗∗ ZDI-25-895: Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-895/
∗∗∗ CVE-2025-9242: WatchGuard Firebox iked Out of Bounds Write Vulnerability ∗∗∗
---------------------------------------------
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
∗∗∗ Third-Party Libraries and Supply Chains - PSA-2025-09-17 ∗∗∗
---------------------------------------------
https://www.drupal.org/psa-2025-09-17
∗∗∗ Daikin Security Gateway ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-09-2025 18:00 − Wednesday 17-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques ∗∗∗
---------------------------------------------
ClickFix isn't just back; it's mutating. New variants use fake CAPTCHAs, File Explorer tricks and MSI lures to drop MetaStealer. Stay ahead with Huntress Tradecraft Tuesday threat briefings.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/from-clickfix-to-metastealer…
∗∗∗ Critical Bugs in Chaos Mesh Enable Cluster Takeover ∗∗∗
---------------------------------------------
"Chaotic Deputy" is a set of four vulnerabilities in Chaos Mesh, the chaos engineering platform that many organizations use to test the resilience of their Kubernetes environments. Researchers at JFrog recently discovered the four serious flaws, which give attackers a way to take over entire Kubernetes clusters.
---------------------------------------------
https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-tak…
∗∗∗ GOLD SALEM’s Warlock operation joins busy ransomware landscape ∗∗∗
---------------------------------------------
Counter Threat Unit (CTU) researchers are monitoring a threat group that refers to itself as Warlock Group. The group, which CTU researchers track as GOLD SALEM, has compromised networks and deployed its Warlock ransomware since March 2025.
---------------------------------------------
https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-join…
∗∗∗ Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims ∗∗∗
---------------------------------------------
Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark". Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector.
---------------------------------------------
https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html
∗∗∗ Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service ∗∗∗
---------------------------------------------
Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”).
---------------------------------------------
https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-w…
∗∗∗ HybridPetya ransomware bypasses UEFI Secure Boot ∗∗∗
---------------------------------------------
ESET Research has discovered HybridPetya on the sample-sharing platform VirusTotal. It is an imitator of the infamous Petya/NotPetya malware that additionally has the ability to compromise UEFI-based systems and weaponizes CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems.
---------------------------------------------
https://www.welivesecurity.com/de/eset-research/ransomware-hybridpetya-hebe…
∗∗∗ Myth Busting: Why "Innocent Clicks" Don't Exist in Cybersecurity ∗∗∗
---------------------------------------------
Unit 42 explores how innocent clicks can have serious repercussions. Learn how simply visiting a malicious site can expose users to significant digital dangers.
---------------------------------------------
https://unit42.paloaltonetworks.com/why-innocent-clicks-dont-exist-in-cyber…
∗∗∗ The npm attack continues: "worm" infects packages ∗∗∗
---------------------------------------------
The supply chain attack on an npm developer account and 18 compromised packages appeared to have ended without major damage. It has now become known that the attacks are continuing (via another account) and that a self-replicating malware (Shai-Hulud) has already infected more than 500 npm packages.
---------------------------------------------
https://www.borncity.com/blog/2025/09/17/der-npm-angriff-geht-weiter-wurm-i…
∗∗∗ PyPI Token Exfiltration Campaign via GitHub Actions Workflows ∗∗∗
---------------------------------------------
I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens. PyPI was not compromised, and no PyPI packages were published by the attackers.
---------------------------------------------
https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/
∗∗∗ Ongoing Supply Chain Attack Targets CrowdStrike npm Packages ∗∗∗
---------------------------------------------
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
---------------------------------------------
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm…
∗∗∗ Microsoft: Office 2016 and Office 2019 reach end of support next month ∗∗∗
---------------------------------------------
Microsoft reminded customers again this week that Office 2016 and Office 2019 will reach the end of extended support in less than 30 days, on October 14, 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2016-and-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict).
---------------------------------------------
https://lwn.net/Articles/1038453/
∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released eight Industrial Control Systems (ICS) advisories on September 16, 2025. The following products are affected: Schneider Electric Altivar Products, Schneider Electric ATVdPAC Module, Schneider Electric ILC992 InterLink Converter, Schneider Electric Galaxy VS, Schneider Electric Galaxy VL, Schneider Electric Galaxy VXL, Hitachi Energy RTU500 Series, Siemens SIMATIC NET CP, Siemens SINEMA, Siemens SCALANCE, Siemens RUGGEDCOM, Siemens SINEC NMS, Siemens Industrial Products (OpenSSL Vulnerability), Siemens Multiple Industrial Products, and Delta Electronics DIALink.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/16/cisa-releases-eight-indu…
∗∗∗ CVE-2025-9708: Kubernetes C# Client, improper certificate validation in custom CA mode may lead to man-in-the-middle attacks ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/134063
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-09-2025 18:00 − Tuesday 16-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New large-scale npm attack: self-replicating malware infects dozens of packages ∗∗∗
---------------------------------------------
Various IT security companies are warning of new attacks on the npm ecosystem around node.js. Several dozen packages (at least 40, and in one report as many as around 150) are infected with malware that steals secrets and exfiltrates them via a webhook. The malware also replicates itself autonomously, and is therefore a worm. [..] It is still unclear where the attack began; the three companies that analyzed it do not name a clear "patient zero". [..] JavaScript developers, and especially the maintainers of packages hosted on npm, should exercise the utmost caution and consult the extensive list of infected packages.
---------------------------------------------
https://heise.de/-10651111
∗∗∗ Apple backports zero-day patches to older iPhones and iPads ∗∗∗
---------------------------------------------
Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-pat…
∗∗∗ Patch status unclear: attackers target manufacturing management tool DELMIA Apriso ∗∗∗
---------------------------------------------
DELMIA Apriso is a manufacturing operations management (MOM) software and a manufacturing execution system (MES) [..] The software vendor, Dassault Systèmes, already mentioned the vulnerability (CVE-2025-5086, "critical") in June of this year in an extremely tersely worded advisory. [..] In early September, a security researcher at the SANS Institute Internet Storm Center warned of exploitation attempts in a post. [..] It also remains unclear whether a security patch exists.
---------------------------------------------
https://www.heise.de/news/Patchstatus-unklar-Attacken-auf-Fertigungsmanagem…
∗∗∗ IServ: school solution with weakness included? ∗∗∗
---------------------------------------------
On 8 September 2025, someone noticed that the web front end of the IServ school server by IServ GmbH enables "user enumeration" in the broadest sense. If someone enters a person's name on a school's IServ login page and attempts to log in without knowing the password, that login naturally fails. So far everything is fine, since this login attempt is rejected. The problem is that the responses to these failed login attempts differ depending on whether the user account exists or not, and reportedly also depend on other conditions.
---------------------------------------------
https://www.borncity.com/blog/2025/09/16/iserve-schulloesung-mit-schwaeche-…
∗∗∗ Microsoft: Exchange 2016 and 2019 reach end of support in 30 days ∗∗∗
---------------------------------------------
Microsoft has reminded administrators again that Exchange 2016 and Exchange 2019 will reach the end of extended support next month and has provided guidance for decommissioning outdated servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and…
∗∗∗ Phoenix: new Rowhammer variant grants attackers root privileges ∗∗∗
---------------------------------------------
Researchers from Google and ETH Zurich have presented a new variant of the Rowhammer attack. It also affects modern DDR5 RAM modules, which were supposed to be protected against such attacks. [..] According to the discoverers' information page, the attack technique, named Phoenix, exploits a weakness in the Rowhammer defenses, which do not cover certain refresh intervals of the memory.
---------------------------------------------
https://www.golem.de/news/phoenix-neue-rowhammer-variante-verleiht-angreife…
∗∗∗ RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT ∗∗∗
---------------------------------------------
Kaspersky GReAT expert takes a closer look at the RevengeHotels threat actor's new campaign, including AI-generated scripts, targeted phishing, and VenomRAT.
---------------------------------------------
https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-la…
∗∗∗ New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html
∗∗∗ SmokeLoader Rises From the Ashes ∗∗∗
---------------------------------------------
Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. [..] In May 2024, Operation Endgame, an international collaboration between law enforcement and private industry (which included Zscaler ThreatLabz) dismantled numerous instances of SmokeLoader and remotely removed the malware from infected systems. [..] ThreatLabz has identified two new SmokeLoader versions that are being used by multiple threat groups.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).
---------------------------------------------
https://lwn.net/Articles/1038325/
∗∗∗ Spring Security and Spring Framework Release Fixes for CVE-2025-41248 and CVE-2025-41249 ∗∗∗
---------------------------------------------
https://spring.io/blog/2025/09/15/spring-framework-and-spring-security-fixe…
∗∗∗ LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover ∗∗∗
---------------------------------------------
https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass…
∗∗∗ Mozilla Security Advisories September 16, 2025 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ TYPO3-EXT-SA-2025-013: Vulnerability in bundled package in extension "Base Excel" (base_excel) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-013
∗∗∗ TYPO3-EXT-SA-2025-012: Cross-Site Scripting in extension "Form to Database" (form_to_database) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-012
∗∗∗ Synology-SA-25:11 Safe Access ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_11
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-09-2025 18:00 − Monday 15-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft reminds of Windows 10 support ending in 30 days ∗∗∗
---------------------------------------------
On Friday, Microsoft reminded customers once again that Windows 10 will reach its end of support in 30 days, on October 14.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-reminds-of-window…
∗∗∗ Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers ∗∗∗
---------------------------------------------
Kaspersky experts discuss the Model Context Protocol used for AI integration. We describe the MCP's architecture and attack vectors and follow a proof of concept to see how it can be abused.
---------------------------------------------
https://securelist.com/model-context-protocol-for-ai-integration-abused-in-…
∗∗∗ A Cyberattack Victim Notification Framework ∗∗∗
---------------------------------------------
When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/09/a-cyberattack-victim-notific…
∗∗∗ Lawsuit About WhatsApp Security ∗∗∗
---------------------------------------------
Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/09/lawsuit-about-whatsapp-secur…
∗∗∗ FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks ∗∗∗
---------------------------------------------
The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said.
---------------------------------------------
https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html
∗∗∗ All your vulns are belong to us! CISA wants to maintain gov control of CVE program ∗∗∗
---------------------------------------------
Get ready for a fight over who steers the global standard for vulnerability identification. The Cybersecurity and Infrastructure Security Agency (CISA) nearly let the Common Vulnerabilities and Exposures (CVE) program lapse earlier this year, but a new "vision" document it released this week signals that it now wants more control over the global standard for vulnerability identification.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/12/cisas_vision…
∗∗∗ Docker Image Security – Part 2: Minimal and secure Docker images ∗∗∗
---------------------------------------------
Distroless images drastically reduce image sizes by omitting unnecessary components such as Bash and package managers. This improves performance and security.
---------------------------------------------
https://www.heise.de/hintergrund/Docker-Image-Security-Teil-2-Minimale-und-…
∗∗∗ Cybercriminals: "Scattered Lapsus$ Hunters" have had enough ∗∗∗
---------------------------------------------
The gang most recently made headlines with cyberattacks on Jaguar and Marks & Spencer that caused immense damage. Not all of its members are keeping quiet.
---------------------------------------------
https://www.heise.de/news/Cybergang-Scattered-Lapsus-Hunters-kuendigt-Absch…
∗∗∗ Attackers can cripple IT security solution IBM QRadar SIEM ∗∗∗
---------------------------------------------
Various components in IBM's IT security solution QRadar SIEM are vulnerable. If attackers successfully exploit the vulnerabilities, they can, among other things, cause DoS conditions that make services crash. If the protection the application is supposed to provide is lost as a result, the consequences can be fatal.
---------------------------------------------
https://www.heise.de/news/Angreifer-koennen-IT-Sicherheitsloesung-IBM-QRada…
∗∗∗ Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain ∗∗∗
---------------------------------------------
Effective OAuth token management is crucial for supply chain security, preventing breaches caused by dormant integrations, insecure storage or lack of rotation.
---------------------------------------------
https://unit42.paloaltonetworks.com/third-party-supply-chain-token-manageme…
∗∗∗ npm hack: attackers largely come away empty-handed ∗∗∗
---------------------------------------------
In terms of compromising a supply chain, it was a disaster: the hack of an npm developer account including the injection of malicious code. The attacker, however, appears to have come away with fairly empty hands; depending on the source, they are said to have stolen between 65 and 600 US dollars in cryptocurrency.
---------------------------------------------
https://www.borncity.com/blog/2025/09/14/npm-hack-angreifer-schauen-weitgeh…
∗∗∗ New VoidProxy Phishing Service Bypasses MFA on Microsoft and Google Accounts ∗∗∗
---------------------------------------------
Okta Threat Intelligence exposes VoidProxy, a new PhaaS platform. Learn how this advanced service uses the Adversary-in-the-Middle technique to bypass MFA and how to protect yourself from attacks targeting Microsoft and Google accounts.
---------------------------------------------
https://hackread.com/voidproxy-phishing-service-bypasses-mfa-microsoft-goog…
∗∗∗ Qrator Labs Mitigated Record L7 DDoS Attack from 5.76M-Device Botnet ∗∗∗
---------------------------------------------
Qrator Labs blocked a record L7 DDoS attack from a 5.76M-device botnet targeting government systems, showing rapid global growth since March.
---------------------------------------------
https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/
∗∗∗ 600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet ∗∗∗
---------------------------------------------
Hackers leaked 600 GB of data linked to the Great Firewall of China, exposing documents, code, and operations. Full details available on the GFW Report.
---------------------------------------------
https://hackread.com/great-firewall-of-china-data-published-largest-leak/
∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗
---------------------------------------------
FortiGuard Labs’ network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs).
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/shadowsilk-data-exfiltration
∗∗∗ Phishing campaign targeting crates.io users ∗∗∗
---------------------------------------------
We received multiple reports of a phishing campaign targeting crates.io users (from the rustfoundation.dev domain name), mentioning a compromise of our infrastructure and asking users to authenticate to limit damage to their crates.
---------------------------------------------
https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/
∗∗∗ The Internet Coup ∗∗∗
---------------------------------------------
A Technical Analysis on How a Chinese Company is Exporting The Great Firewall to Autocratic Regimes.
---------------------------------------------
https://interseclab.org/research/the-internet-coup/
=====================
= Vulnerabilities =
=====================
∗∗∗ Flaw in Microsoft Agentic AI and Visual Studio can let malicious code through ∗∗∗
---------------------------------------------
Attackers can target a vulnerability in Microsoft Agentic AI and Visual Studio. If an attack succeeds, they can execute malicious code and most likely fully compromise systems. A security update is available for download.
---------------------------------------------
https://www.heise.de/news/Schadcode-Schlupfloch-in-Microsoft-Agentic-AI-und…
∗∗∗ Patch now! Attacks on Samsung Android smartphones observed ∗∗∗
---------------------------------------------
Attackers are currently exploiting a security vulnerability in Samsung smartphones running Android 13, 14, 15 and 16. It allows malicious code to reach devices. A security patch is available for selected devices.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Android-Smartphones-vo…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen).
---------------------------------------------
https://lwn.net/Articles/1038231/
∗∗∗ CVE-2025-58434: Critical FlowiseAI Flaw Enables Full Account Takeover ∗∗∗
---------------------------------------------
A severe security vulnerability has been discovered in FlowiseAI, an open-source AI workflow automation tool, exposing users to the risk of complete account compromise. Tracked as CVE-2025-58434, this vulnerability affects both the cloud-hosted version of FlowiseAI and self-hosted deployments that expose the relevant API endpoints.
---------------------------------------------
https://thecyberexpress.com/cve-2025-58434/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-09-2025 18:00 − Friday 12-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Panama Ministry of Economy discloses breach claimed by INC ransomware ∗∗∗
---------------------------------------------
Panama's Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack. The government noted that it activated the security procedures for these situations, stating that the incident has been contained and didn't impact core systems that are vital to its operations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/panama-ministry-of-economy-d…
∗∗∗ Vidar Infostealer Back with a Vengeance ∗∗∗
---------------------------------------------
The long-running Vidar infostealer has evolved with new obfuscation techniques. That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks. First tracked in late 2018, Vidar is an infostealer that enables affiliates to grab credentials, operating system details, cookies, sensitive financial data, various authentication tokens, and more from compromised environments.
---------------------------------------------
https://www.darkreading.com/endpoint-security/vidar-infostealer-back-with-v…
∗∗∗ Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence ∗∗∗
---------------------------------------------
U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called "gross cybersecurity negligence" that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks.
---------------------------------------------
https://thehackernews.com/2025/09/senator-wyden-urges-ftc-to-probe.html
∗∗∗ New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.
---------------------------------------------
https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
∗∗∗ Apple Warns French Users of Fourth Spyware Campaign in 2025, CERT-FR Confirms ∗∗∗
---------------------------------------------
Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the country that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly-targeted attacks.
---------------------------------------------
https://thehackernews.com/2025/09/apple-warns-french-users-of-fourth.html
∗∗∗ Huntress's hilarious attacker surveillance splits infosec community ∗∗∗
---------------------------------------------
Security outfit Huntress has been forced onto the defensive after its latest research – described by senior staff as "hilarious" – split opinion across the cybersecurity community.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/12/huntress_att…
∗∗∗ Bulletproof Host Stark Industries Evades EU Sanctions ∗∗∗
---------------------------------------------
In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers.
---------------------------------------------
https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evade…
∗∗∗ Swiss government looks to undercut privacy tech, stoking fears of mass surveillance ∗∗∗
---------------------------------------------
The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption.
---------------------------------------------
https://therecord.media/switzerland-digital-privacy-law-proton-privacy-surv…
∗∗∗ Were the router URLs sphairon.box and zyxel.box hijacked? ∗∗∗
---------------------------------------------
I am posting a topic here in the blog that was just reported to me by two readers and that reminds me of an old incident at AVM involving the fritz.box URL. It looks as though the URLs sphairon.box and zyxel.box, used by routers (Zyxel, Sphairon) to access the router functions, have been hijacked by registered domains. The target pages are to be classified as "malicious".
---------------------------------------------
https://www.borncity.com/blog/2025/09/12/wurden-router-urls-sphairon-box-un…
∗∗∗ EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks ∗∗∗
---------------------------------------------
Combining AI-generated code and social engineering, EvilAI operators are executing a rapidly expanding campaign, disguising their malware as legitimate applications to bypass security, steal credentials, and persistently compromise organizations worldwide.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/evilai.html
∗∗∗ Muck Stealer Malware Used Alongside Phishing in New Attack Waves ∗∗∗
---------------------------------------------
A new report from Cofense reveals that cybercriminals are blending phishing and malware, including Muck Stealer, Info Stealer, ConnectWise RAT, and SimpleHelp RAT in dual-threat attacks, making them harder to defend against.
---------------------------------------------
https://hackread.com/muck-stealer-malware-phishing-new-attack-waves/
∗∗∗ Social engineering & AI: cybercriminals recruit on the darknet ∗∗∗
---------------------------------------------
Cybercriminals are increasingly looking for experts in social engineering and AI on the darknet. This is an indication of which threats companies should watch out for.
---------------------------------------------
https://heise.de/-10642617
∗∗∗ ChillyHell macOS Backdoor Resurfaces ∗∗∗
---------------------------------------------
In 2025, cybersecurity researchers uncovered a deeply concerning threat targeting macOS systems called ChillyHell—a modular backdoor malware that had managed to fly under the radar for years by cleverly abusing macOS security mechanisms and Apple’s own notarization process.
---------------------------------------------
https://thecyberthrone.in/2025/09/11/chillyhell-macos-backdoor-resurfaces/
=====================
= Vulnerabilities =
=====================
∗∗∗ Samsung patches actively exploited zero-day reported by WhatsApp ∗∗∗
---------------------------------------------
Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exp…
∗∗∗ Patch now! Renewed attacks on SonicWall firewalls observed ∗∗∗
---------------------------------------------
The "critical" vulnerability (CVE-2024-40766) has been known since August of last year. The flaw in certain SonicWall firewalls has repeatedly been targeted by attackers. Security updates have been available for about a year, but evidently are still not universally installed.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Erneut-Attacken-auf-SonicWall-Firew…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).
---------------------------------------------
https://lwn.net/Articles/1037919/
∗∗∗ CISA Releases Eleven Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-releases-eleven-ind…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-09-2025 18:00 − Thursday 11-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New VMScape attack breaks guest-host isolation on AMD, Intel CPUs ∗∗∗
---------------------------------------------
A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-vmscape-attack-breaks-gu…
∗∗∗ K2 Think AI Model Jailbroken Mere Hours After Release ∗∗∗
---------------------------------------------
Researchers discovered that measures designed to make AI more transparent to users and regulators can also make it easier for bad actors to abuse.
---------------------------------------------
https://www.darkreading.com/application-security/k2-think-llm-jailbroken
∗∗∗ Opening a folder is enough: popular AI code editor automatically executes malicious code ∗∗∗
---------------------------------------------
Anyone using the AI code editor Cursor should be careful when opening unfamiliar repos. Malware can be executed unnoticed.
---------------------------------------------
https://www.golem.de/news/ordner-oeffnen-reicht-beliebter-ki-code-editor-fu…
∗∗∗ Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles.
---------------------------------------------
https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html
∗∗∗ Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacks ∗∗∗
---------------------------------------------
Affiliates of the Akira ransomware gang are again exploiting a critical SonicWall vulnerability abused last summer, after a suspected zero-day flaw actually turned out to be related to a year-old bug.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/10/akira_ransom…
∗∗∗ Beijing went to EggStreme lengths to attack Philippines military, researchers say ∗∗∗
---------------------------------------------
‘EggStreme’ framework looks like the sort of thing Beijing would find handy in its ongoing territorial beefs. Infosec outfit Bitdefender says it’s spotted a strain of in-memory malware that looks like the work of Chinese advanced persistent threat groups that wanted to achieve persistent access at a “military company” in the Philippines.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/11/eggstreme_ma…
∗∗∗ Technical Analysis of kkRAT ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, which has been active since early May 2025. The campaign delivers three types of malware: ValleyRAT, FatalRAT, and a new Remote Access Trojan (RAT) that ThreatLabz named kkRAT.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat
∗∗∗ The Great NPM Heist – September 2025 ∗∗∗
---------------------------------------------
On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer’s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages.
---------------------------------------------
https://blog.checkpoint.com/crypto/the-great-npm-heist-september-2025/
∗∗∗ Global Cyber Threats August 2025: Agriculture in the Crosshairs ∗∗∗
---------------------------------------------
In August 2025, the global cyber threat landscape presented a complex interplay of stability and alarming new challenges. Organizations around the world confronted an average of nearly 2,000 cyber attacks each week—a slight 1% decrease from July but a stark 10% rise compared to the same month last year.
---------------------------------------------
https://blog.checkpoint.com/research/global-cyber-threats-august-2025-agric…
∗∗∗ How the Infamous APT 1 Report Exposing China’s PLA Hackers Came to Be ∗∗∗
---------------------------------------------
This is the first in a series of pieces I’ll publish that take an in-depth look at significant events, people and cases in security and surveillance from the past.
---------------------------------------------
https://www.zetter-zeroday.com/how-the-infamous-apt-1-report-exposing-china…
∗∗∗ CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic ∗∗∗
---------------------------------------------
The CyberVolk ransomware, which first emerged in May 2024, has been launching attacks on public institutions and key infrastructures of various countries, posing a continuous threat. The ransomware is particularly notable for its pro-Russia nature, as it primarily targets anti-Russian countries, making it a geopolitically significant cyber threat.
---------------------------------------------
https://asec.ahnlab.com/en/90077/
∗∗∗ Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis ∗∗∗
---------------------------------------------
BlackNevas has been continuously launching ransomware attacks against companies in various industries and countries, including South Korea. This post provides a technical analysis on the characteristics, encryption methods, and reasons why BlackNevas encrypts files in a way that makes them impossible to decrypt.
---------------------------------------------
https://asec.ahnlab.com/en/90080/
∗∗∗ New Fileless Malware Attack Uses AsyncRAT for Credential Theft ∗∗∗
---------------------------------------------
LevelBlue Labs reports AsyncRAT delivered through a fileless attack chain using ScreenConnect, enabling credential theft and persistence.
---------------------------------------------
https://hackread.com/fileless-malware-attack-asyncrat-credential-theft/
∗∗∗ CISA Presents Vision for the Common Vulnerabilities and Exposures (CVE) Program ∗∗∗
---------------------------------------------
Agency Unveils Upcoming Program Enhancements: Strengthening Partnerships, Modernization, Transparency and Elevating Data Quality and Responsiveness.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-presents-vision-common-vulnerabi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IOS XR ARP Broadcast Storm Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of service (DoS) condition on an affected device.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware ∗∗∗
---------------------------------------------
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions.
---------------------------------------------
https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).
---------------------------------------------
https://lwn.net/Articles/1037777/
∗∗∗ Unauthenticated SQL injection vulnerability in Shibboleth Service Provider (SP) (ODBC interface) ∗∗∗
---------------------------------------------
SEC Consult has identified an unauthenticated SQL injection vulnerability in the ODBC interface of the Shibboleth Service Provider (SP), which an attacker could exploit to read arbitrary records from the database with the privileges of the database user.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/unauthentifizierte-sq…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-09-2025 18:00 − Wednesday 10-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Phishing in the name of the WKO: sensitive data targeted ∗∗∗
---------------------------------------------
Criminals are currently copying a genuine e-mail message from the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich). Via an attached HTML document they aim to lure their victims to a fake portal and harvest sensitive data there. We show you how to recognize the scam attempt.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-wko/
∗∗∗ You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819) ∗∗∗
---------------------------------------------
Today, inside this hellscape we call the Internet, a mean person has discovered a zero-day(s) in FreePBX (now lovingly called CVE-2025-57819). But they didn’t stop there - the dastardly individual(s) then proceeded to exploit FreePBX hosts en masse. [..] Today, we are publishing our Detection Artefact Generator which you can find here.
---------------------------------------------
https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phon…
∗∗∗ US Investment in Spyware Is Skyrocketing ∗∗∗
---------------------------------------------
A new report warns that the number of US investors in powerful commercial spyware rose sharply in 2024 and names new countries linked to the dangerous technology.
---------------------------------------------
https://www.wired.com/story/us-spyware-investment/
∗∗∗ CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.
---------------------------------------------
https://thehackernews.com/2025/09/chillyhell-macos-backdoor-and-zynorrat.ht…
∗∗∗ Pwn My Ride: Exploring the CarPlay Attack Surface ∗∗∗
---------------------------------------------
At the recent DefCon conference, we had the opportunity to present Pwn My Ride, a comprehensive exploration of the Apple CarPlay attack surface. With vehicles becoming increasingly connected, the security of in-car systems like CarPlay is critical.
---------------------------------------------
https://www.oligo.security/blog/pwn-my-ride-exploring-the-carplay-attack-su…
∗∗∗ Kerberoasting ∗∗∗
---------------------------------------------
These “Kerberoasting” attacks have been around for ages: the technique and name is credited to Tim Medin who presented it in 2014 (and many popular blogs followed up on it) but the vulnerabilities themselves are much older. [..] I’ll bet most Windows people already know this stuff, but I only happened to learn about it today, after seeing a letter from Senator Wyden to Microsoft, describing how this vulnerability was used in the May 2024 ransomware attack on the Ascension Health hospital system.
---------------------------------------------
https://blog.cryptographyengineering.com/2025/09/10/kerberoasting/
∗∗∗ New Linux Botnet Combines Cryptomining and DDoS Attacks ∗∗∗
---------------------------------------------
Cyble threat intelligence researchers have identified a sophisticated Linux botnet built for cryptocurrency mining, remote command execution, and dozens of DDoS attack types. Cyble Research and Intelligence Labs (CRIL) researchers have dubbed the campaign “Luno.”
---------------------------------------------
https://thecyberexpress.com/linux-botnet-combines-cryptomining-and-ddos/
∗∗∗ Apple Introduces Memory Integrity Enforcement in iPhone 17 to Fight Spyware Exploits ∗∗∗
---------------------------------------------
Apple has introduced Memory Integrity Enforcement (MIE), a system-wide security feature designed to crush one of the most persistent threats to iPhone users—that of Spyware. The company describes MIE as “the most significant upgrade to memory safety in the history of consumer operating systems.”
---------------------------------------------
https://thecyberexpress.com/memory-integrity-enforcement-in-iphone-17/
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days ∗∗∗
---------------------------------------------
Today is Microsoft's September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities. [..] The two publicly disclosed zero-days are: CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability [..] CVE-2024-21907 - VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-pa…
∗∗∗ Adobe Patchday: flaws in Acrobat & Co. can let malicious code onto PCs ∗∗∗
---------------------------------------------
List of security patches: Acrobat and Reader, After Effects, ColdFusion, Commerce, Dreamweaver, Experience Manager, Premiere Pro, Substance 3D Modeler, Substance 3D Viewer
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-Luecken-in-Acrobat-Co-koennen-Scha…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).
---------------------------------------------
https://lwn.net/Articles/1037471/
∗∗∗ CISA Releases Fourteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-252-01 Rockwell Automation ThinManager,
ICSA-25-252-02 ABB Cylon Aspect BMS/BAS,
ICSA-25-252-03 Rockwell Automation Stratix IOS,
ICSA-25-252-04 Rockwell Automation FactoryTalk Optix,
ICSA-25-252-05 Rockwell Automation FactoryTalk Activation Manager,
ICSA-25-252-06 Rockwell Automation CompactLogix® 5480,
ICSA-25-252-07 Rockwell Automation ControlLogix 5580,
ICSA-25-252-08 Rockwell Automation Analytics LogixAI,
ICSA-25-252-09 Rockwell Automation 1783-NATR
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/09/cisa-releases-fourteen-i…
∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-09-2025 18:00 − Tuesday 09-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ TOR-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. Akamai, which discovered the latest activity last month, said it's designed to block other actors from accessing the Docker API from the internet.
---------------------------------------------
https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.ht…
∗∗∗ GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies ∗∗∗
---------------------------------------------
Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. It's currently not known how the digital intruders gained access to the GitHub account.
---------------------------------------------
https://thehackernews.com/2025/09/github-account-compromise-led-to.html
∗∗∗ RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities ∗∗∗
---------------------------------------------
A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.
---------------------------------------------
https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.h…
∗∗∗ Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks ∗∗∗
---------------------------------------------
Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft's Direct Send feature to form a "highly efficient attack pipeline" in recent phishing campaigns, according to new findings from ReliaQuest.
---------------------------------------------
https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html
∗∗∗ Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data ∗∗∗
---------------------------------------------
Silent Push has identified dozens of previously unreported domains, all aiming to obtain long-term, stealthy access to targeted organizations, used by the Chinese APT group, Salt Typhoon, along with some related People’s Republic of China (PRC) state-backed threat actors.
---------------------------------------------
https://www.silentpush.com/blog/salt-typhoon-2025/
∗∗∗ BSI warns: "Digital attack surfaces in the automotive sector are growing rapidly" ∗∗∗
---------------------------------------------
Digital services, over-the-air updates, AI and networked electronic control units now shape vehicle architectures, according to the BSI. Manufacturers and suppliers must take precautions.
---------------------------------------------
https://www.heise.de/news/BSI-warnt-Digitale-Angriffsflaechen-im-Automobils…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).
---------------------------------------------
https://lwn.net/Articles/1037308/
∗∗∗ Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed ∗∗∗
---------------------------------------------
An analysis of the Gentlemen ransomware group, which employs advanced, adaptive tactics, techniques, and procedures to target critical industries worldwide.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-rans…
∗∗∗ Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware ∗∗∗
---------------------------------------------
Hackers exploit a Sitecore zero-day (CVE-2025-53690) to deploy WEEPSTEEL Malware via ViewState attacks, enabling Remote Code Execution (RCE).
---------------------------------------------
https://hackread.com/zero-day-sitecore-exploited-deploy-weepsteel-malware/
∗∗∗ OpenAI paper: hallucinations apparently unavoidable ∗∗∗
---------------------------------------------
A new scientific paper published by OpenAI deals with hallucinations: false information and connections produced by large language models (LLMs), and thus by AI chatbots. All AI companies are working to keep hallucinations to a minimum. Eliminating them entirely, however, appears impossible. OpenAI itself now says so too.
---------------------------------------------
https://heise.de/-10637744
∗∗∗ LockBit Attempts Comeback with LockBit 5.0 Ransomware Release ∗∗∗
---------------------------------------------
LockBit was once the most feared ransomware group until global law enforcement action sent the group into decline last year. Now the threat group hopes to mount a comeback with LockBit 5.0.
---------------------------------------------
https://thecyberexpress.com/lockbit-5-0-ransomware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe patches critical SessionReaper flaw in Magento eCommerce platform ∗∗∗
---------------------------------------------
Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers call SessionReaper and describe as one of "the most severe" flaws in the history of the product.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessi…
∗∗∗ Popular JavaScript packages manipulated ∗∗∗
---------------------------------------------
A number of popular JavaScript packages were recently manipulated in order to tamper with cryptocurrency transactions. The cause of this supply-chain attack appears to have been a successful phishing attack against the maintainer of these packages and their NPM account. Manipulated versions of the affected packages have already been withdrawn.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/9/populare-javascript-pakete-manipuli…
∗∗∗ September 2025 Security Update ∗∗∗
---------------------------------------------
Ivanti is disclosing vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access.
---------------------------------------------
https://www.ivanti.com/blog/september-2025-security-update
∗∗∗ SAP Security Patch Day – September 2025 ∗∗∗
---------------------------------------------
SAP has released its September 2025 security patch package containing 26 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 10.0, four High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, S/4HANA, SAP HCM, Business Planning and Consolidation, Commerce Cloud, and SAP Business One.
---------------------------------------------
https://redrays.io/blog/sap-security-patch-day-september-2025/
∗∗∗ VU#461364: Hiawatha open-source web server has multiple vulnerabilities ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/461364
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-09-2025 18:00 − Monday 08-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ iCloud Calendar abused to send phishing emails from Apple’s servers ∗∗∗
---------------------------------------------
iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple's email servers, making them more likely to bypass spam filters to land in targets' inboxes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/icloud-calendar-abused-to-se…
∗∗∗ Fraunhofer SIT gives up: Volksverschlüsselung is being discontinued ∗∗∗
---------------------------------------------
Volksverschlüsselung, a joint initiative of the Fraunhofer Institute for Secure Information Technology (SIT) and Deutsche Telekom, will be discontinued on 31 January 2026 after roughly ten years of existence. This is stated in an announcement on the project's website. The goal of Volksverschlüsselung was to make end-to-end encrypted communication more user-friendly. However, the project drew criticism from the very start.
---------------------------------------------
https://www.golem.de/news/fraunhofer-sit-gibt-auf-die-volksverschluesselung…
∗∗∗ Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test ∗∗∗
---------------------------------------------
A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.
---------------------------------------------
https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html
∗∗∗ GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.
---------------------------------------------
https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html
∗∗∗ Netflix phishing e-mail in circulation ∗∗∗
---------------------------------------------
An e-mail purporting to come from Netflix is currently circulating. It claims that an update of account details is required; otherwise, a charge of €8.99 would become due and access would be restricted. Caution: it is a fake! The message leads to a phishing website through which criminals attempt to steal account data.
---------------------------------------------
https://www.watchlist-internet.at/news/netflix-phishing-mail-im-umlauf-1/
∗∗∗ Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs ∗∗∗
---------------------------------------------
The intrusion began in September 2024 with a download of a malicious file mimicking the EarthTime application by DeskSoft. Upon execution, SectopRAT was deployed which opened a connection to its command and control (C2) infrastructure. The threat actor established persistence by relocating the malicious file and placing a shortcut in the Startup folder, configured to trigger on user logon. They further elevated access by creating a new local account and assigning it local administrative privileges.
---------------------------------------------
https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-con…
∗∗∗ GhostAction Attack Steals 3,325 Secrets from GitHub Projects ∗∗∗
---------------------------------------------
On September 2, 2025, a GitHub user known as Grommash9 committed a new workflow file to the FastUUID project. The file, labelled “Github Actions Security,” appeared similar to routine automation scripts but was later found to contain malicious code designed to collect CI/CD secrets and send them to an external server.
---------------------------------------------
https://hackread.com/ghostaction-attack-steals-github-projects-secrets/
∗∗∗ Lazarus Group Deploys Malware With ClickFix Scam in Fake Job Interviews ∗∗∗
---------------------------------------------
A recent investigation by SentinelLABS and internet intelligence platform Validin reveals that North Korean threat actors behind the Contagious Interview campaign are actively abusing public cybersecurity platforms like Validin, Maltrail, and VirusTotal to improve their malicious activities.
---------------------------------------------
https://hackread.com/lazarus-group-malware-clickfix-scam-fake-job-interview/
∗∗∗ MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access ∗∗∗
---------------------------------------------
FortiGuard Labs recently discovered a phishing campaign that employs multiple advanced evasion techniques. These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing Command and Control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools to grant attackers complete control over the compromised system.
---------------------------------------------
https://feeds.fortinet.com/~/924516446/0/fortinet/blogs~MostereRAT-Deployed…
∗∗∗ Ecovacs Deebot: attackers can inject arbitrary code ∗∗∗
---------------------------------------------
Vulnerability descriptions published over the weekend discuss security flaws, some of them high-risk, in robot vacuum cleaners made by Ecovacs. For the affected Deebot models, updates that close the security holes have been available for some time. Owners should make sure to bring their base stations and robot vacuums up to date.
---------------------------------------------
https://heise.de/-10636233
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).
---------------------------------------------
https://lwn.net/Articles/1037157/
∗∗∗ RICOH Streamline NX vulnerable to tampering with operation history ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN75307484/
∗∗∗ CVE-2025-8699: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft "Stored Value" Unattended Payment Solution ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-e…
∗∗∗ Beckhoff Security Advisory 2025-001: CVE-2025-41701 ∗∗∗
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-09-2025 18:00 − Friday 05-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. ∗∗∗
---------------------------------------------
Everything to know about the mishap that threatened to expose millions of users' queries.
---------------------------------------------
https://arstechnica.com/information-technology/2025/09/the-number-of-mis-is…
∗∗∗ Max severity Argo CD API flaw leaks repository credentials ∗∗∗
---------------------------------------------
An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/max-severity-argo-cd-api-fla…
∗∗∗ Known since May 2024: TP-Link confirms zero-day vulnerability in Archer routers ∗∗∗
---------------------------------------------
TP-Link models sold in this country are also affected. Under certain circumstances, attackers can inject malicious code remotely.
---------------------------------------------
https://www.golem.de/news/seit-mai-2024-bekannt-tp-link-bestaetigt-zero-day…
∗∗∗ IT threat evolution in Q2 2025. Mobile statistics ∗∗∗
---------------------------------------------
The report contains statistics on mobile threats (malware, adware, and unwanted software for Android) for Q2 2025, as well as a description of the most notable malware types identified during the reporting period.
---------------------------------------------
https://securelist.com/malware-report-q2-2025-mobile-statistics/117349/
∗∗∗ IT threat evolution in Q2 2025. Non-mobile statistics ∗∗∗
---------------------------------------------
The report presents statistics for Windows, macOS, IoT, and other threats, including ransomware, miners, local and web-based threats, for Q2 2025.
---------------------------------------------
https://securelist.com/malware-report-q2-2025-pc-iot-statistics/117421/
∗∗∗ SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild ∗∗∗
---------------------------------------------
A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of ..
---------------------------------------------
https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html
∗∗∗ Vulnerabilities: Nvidia AI and networking equipment can be attacked ∗∗∗
---------------------------------------------
Security updates close gaps in, among other products, Nvidia's AI platforms DGX and HGX.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-Nvidia-KI-und-Netzwerktechnik-…
∗∗∗ Stealerium malware secretly takes webcam photos for extortion ∗∗∗
---------------------------------------------
The freely available Stealerium malware detects porn consumption and secretly takes webcam captures. Cybercriminals use the photos for extortion.
---------------------------------------------
https://www.heise.de/news/Malware-fotografiert-Nutzer-heimlich-bei-Porno-Ko…
∗∗∗ Cyberattack forces Jaguar Land Rover to tell staff to stay at home ∗∗∗
---------------------------------------------
Luxury automaker Jaguar Land Rover says employees should stay home through the weekend as it works to mitigate the impact of a cyberattack.
---------------------------------------------
https://therecord.media/jaguar-land-rover-cyberattack-workers-stay-home
∗∗∗ SEO fraud-as-a-service scheme hijacks Windows servers to promote gambling websites ∗∗∗
---------------------------------------------
A malware campaign dubbed GhostRedirector by researchers at ESET attempts to compromise websites to drive traffic to gambling sites.
---------------------------------------------
https://therecord.media/seo-scheme-windows-malware-gambling-sites-ghostredi…
∗∗∗ Scammers Exploit Grok AI With Video Ad Scam to Push Malware on X ∗∗∗
---------------------------------------------
Researchers at Guardio Labs have uncovered a new “Grokking” scam where attackers trick Grok AI into spreading malicious…
---------------------------------------------
https://hackread.com/scammers-exploit-grok-ai-video-ad-scam-x-malware/
∗∗∗ Microsoft enforces more multifactor authentication ∗∗∗
---------------------------------------------
Microsoft is updating its plans for "Phase 2" of enforced multifactor authentication for Azure. On 1 October, more services are due.
---------------------------------------------
https://heise.de/-10633932
∗∗∗ Czechia Warns of Chinese Data Transfers and Remote Administration for Espionage ∗∗∗
---------------------------------------------
Czechia’s national cybersecurity watchdog has issued a warning about foreign cyber operations, focussed on Chinese data transfers and remote administration, urging both government bodies and private businesses to bolster defenses amid rising espionage campaigns tied to China and Russia. The alert, published this week by the National Cyber and I..
---------------------------------------------
https://thecyberexpress.com/czechia-warns-of-chinese-data-transfer/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin).
---------------------------------------------
https://lwn.net/Articles/1036907/