=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-12-2025 19:10 − Wednesday 17-12-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Amazon disrupts Russian GRU hackers attacking edge network devices ∗∗∗
---------------------------------------------
The Amazon Threat Intelligence team has disrupted active operations attributed to hackers working for the Russian foreign military intelligence agency, the GRU, who targeted customers' cloud infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-disrupts-russian-gru-…
∗∗∗ Cellik Android malware builds malicious versions from Google Play apps ∗∗∗
---------------------------------------------
A new Android malware-as-a-service (MaaS) named Cellik is being advertised on underground cybercrime forums offering a robust set of capabilities that include the option to embed it in any app available on the Google Play Store.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cellik-android-malware-build…
∗∗∗ Attackers Use Stolen AWS Credentials in Cryptomining Campaign ∗∗∗
---------------------------------------------
Threat actors wielding stolen AWS Identity and Access Management (IAM) credentials leverage Amazon EC and EC2 infrastructure across multiple customer environments.
---------------------------------------------
https://www.darkreading.com/cloud-security/attackers-use-stolen-aws-credent…
∗∗∗ Deliberate Internet Shutdowns ∗∗∗
---------------------------------------------
For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted “to prevent immoral activities.” No additional explanation was given. The timing couldn’t have been worse: communities still reeling from a major earthquake lost emergency communications, flights were grounded, and banking was interrupted.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/12/deliberate-internet-shutdown…
∗∗∗ GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads ∗∗∗
---------------------------------------------
A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.
---------------------------------------------
https://www.thehackernews.com/2025/12/ghostposter-malware-found-in-17-firef…
∗∗∗ APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign ∗∗∗
---------------------------------------------
The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine.
---------------------------------------------
https://www.thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users…
∗∗∗ New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails ∗∗∗
---------------------------------------------
The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky. The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown.
---------------------------------------------
https://www.thehackernews.com/2025/12/new-forumtroll-phishing-attacks-targe…
∗∗∗ China's Ink Dragon hides out in European government networks ∗∗∗
---------------------------------------------
Misconfigured servers are in, 0-days out. Chinese espionage crew Ink Dragon has expanded its snooping activities into European government networks, using compromised servers to create illicit relay nodes for future operations.
---------------------------------------------
https://www.theregister.com/2025/12/16/chinas_ink_dragon_hides_out/
∗∗∗ Microsoft security updates break MSMQ on older Win systems ∗∗∗
---------------------------------------------
Folder permission changes cause queue failures and misleading error messages, no real fix yet. Microsoft has good news for administrators: while some organizations now pay for security updates on older Windows versions, the inconsistent quality remains free.
---------------------------------------------
https://www.theregister.com/2025/12/17/microsoft_admits_that_message_queuin…
∗∗∗ NATO's battle for cloud sovereignty: Speed is existential ∗∗∗
---------------------------------------------
Build a digital backbone faster than adversaries can evolve or lose the information war. NATO is in an existential race to develop sovereign cloud-based technologies to underpin its mission, the alliance's Assistant Secretary General for Cyber and Digital Transformation told an audience at the Royal United Services Institute (RUSI) last week.
---------------------------------------------
https://www.theregister.com/2025/12/17/sovereign_cloud_is_existential_nato/
∗∗∗ BlindEagle Targets Colombian Government Agency with Caminho and DCRAT ∗∗∗
---------------------------------------------
In early September 2025, Zscaler ThreatLabz discovered a new spear phishing campaign attributed to BlindEagle, a threat actor who operates in South America and targets users in Spanish-speaking countries, such as Colombia. In this campaign, BlindEagle targeted a government agency under the control of the Ministry of Commerce, Industry and Tourism (MCIT) in Colombia using a phishing email sent from what appears to be a compromised account within the same organization.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombia…
∗∗∗ WhatsApp and Signal: Privacy attackable, tracker software available ∗∗∗
---------------------------------------------
The WhatsApp and Signal messengers leak information about users through delivery-confirmation round-trip times. One setting helps.
---------------------------------------------
https://www.heise.de/news/WhatsApp-und-Signal-Privatsphaere-angreifbar-Trac…
∗∗∗ Telekom launches system against fraud calls ∗∗∗
---------------------------------------------
Someone calls, the number is not in your contacts. You answer and let yourself get drawn into a conversation. That is usually not a good idea.
---------------------------------------------
https://www.heise.de/news/Telekom-startet-System-gegen-Betrugsanrufe-111176…
∗∗∗ Inside a purchase order PDF phishing campaign ∗∗∗
---------------------------------------------
A “purchase order” PDF blocked by Malwarebytes led to a credential-harvesting phishing site. So we analyzed the attack and where the data went next.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-or…
∗∗∗ System warning? Virus found? What dangers pop-up windows can pose ∗∗∗
---------------------------------------------
They are probably among the most unpopular inventions around the internet: pop-up windows. Unsurprisingly, they have long been used for dubious schemes as well. What lurks behind the notifications, and how a possible fraud attempt can be recognized.
---------------------------------------------
https://www.watchlist-internet.at/news/dubiose-popup-fenster/
∗∗∗ From Linear to Complex: An Upgrade in RansomHouse Encryption ∗∗∗
---------------------------------------------
Operators behind RansomHouse, a ransomware-as-a-service (RaaS) group, have upgraded their encryption methods from single-phase to complex and layered.
---------------------------------------------
https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/
∗∗∗ ESET Threat Report H2 2025 ∗∗∗
---------------------------------------------
The second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/
∗∗∗ There's Payloads, And Then There's pAIloads: A Look At Selected Opportunistic (And Possibly AI-"Enhanced") React2Shell Probes and Attacks ∗∗∗
---------------------------------------------
Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.
---------------------------------------------
https://www.greynoise.io/blog/react2shell-payload-analysis
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#382314: Vulnerability in UEFI firmware modules prevents IOMMU initialization on some UEFI-based motherboards ∗∗∗
---------------------------------------------
A newly identified vulnerability in some UEFI-supported motherboard models leaves systems vulnerable to early-boot DMA attacks across architectures that implement UEFI and IOMMU.
---------------------------------------------
https://kb.cert.org/vuls/id/382314
∗∗∗ Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager ∗∗∗
---------------------------------------------
On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ HPE OneView: Critical vulnerability allows code injection from the network ∗∗∗
---------------------------------------------
In HPE's OneView, malicious actors can inject malicious code from the network without authentication. An update is available.
---------------------------------------------
https://www.heise.de/news/HPE-OneView-Kritische-Luecke-erlaubt-Codeschmugge…
∗∗∗ Two Chrome flaws could be triggered by simply browsing the web: Update now ∗∗∗
---------------------------------------------
Google has patched two flaws in Chrome, both of which can be triggered remotely when a user loads specially crafted web content.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/12/two-chrome-flaws-could-be-tr…
∗∗∗ TYPO3-EXT-SA-2025-016: Vulnerability in bundled package in extension "Single Sign-on with SAML" (md_saml) ∗∗∗
---------------------------------------------
It has been discovered that the extension "Single Sign-on with SAML" (md_saml) bundles a vulnerable version of "onelogin/php-saml" which is susceptible to Authentication Bypass.
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-016
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-url-parse), Fedora (assimp, conda-build, mod_md, util-linux, and webkitgtk), Oracle (firefox), SUSE (chromium, librsvg, poppler, python311, qemu, strongswan, webkit2gtk3, wireshark, and xen), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-5.15, linux-azure-fips, and linux-raspi, linux-raspi-realtime, linux-xilinx).
---------------------------------------------
https://lwn.net/Articles/1050942/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0010 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2025-14174 Versions affected: WebKitGTK and WPE WebKit before 2.50.4. Credit to Apple and Google Threat Analysis Group. Impact: Processing maliciously crafted web content may lead to memory corruption.
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0010.html
∗∗∗ Countless security vulnerabilities closed in IBM DataPower Gateway ∗∗∗
---------------------------------------------
Attackers can attack IBM's security and integration platform DataPower Gateway via various routes.
---------------------------------------------
https://heise.de/-11118285
∗∗∗ ZDI-25-1104: Sante PACS Server HTTP Content-Length Header Handling NULL Pointer Dereference Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1104/
∗∗∗ [F5] K000158176: NGINX Ingress Controller vulnerability CVE-2025-14727 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158176
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-12-2025 18:30 − Tuesday 16-12-2025 19:10
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719 ∗∗∗
---------------------------------------------
On December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter.
---------------------------------------------
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-lo…
∗∗∗ AWS Blames Russia’s GRU for Years-Long Espionage Campaign Targeting Western Energy Infrastructure ∗∗∗
---------------------------------------------
Amazon Web Services (AWS) has attributed a persistent multi-year cyber espionage campaign targeting Western critical infrastructure, particularly the energy sector, to a group strongly linked with Russia’s Main Intelligence Directorate (GRU), known widely as Sandworm (or APT44).
---------------------------------------------
https://thecyberexpress.com/espionage-western-critical-infrastructure/
∗∗∗ New SantaStealer malware steals data from browsers, crypto wallets ∗∗∗
---------------------------------------------
A new malware-as-a-service (MaaS) information stealer named SantaStealer is being advertised on Telegram and hacker forums as operating in memory to avoid file-based detection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-santastealer-malware-ste…
∗∗∗ Google is shutting down its dark web report feature in January ∗∗∗
---------------------------------------------
Google is discontinuing its "dark web report" security tool, stating that it wants to focus on other tools it believes are more helpful.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/google-is-shutting-down-its-da…
∗∗∗ SoundCloud confirms breach after member data stolen, VPN access disrupted ∗∗∗
---------------------------------------------
Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-a…
∗∗∗ European authorities dismantle call center fraud ring in Ukraine ∗∗∗
---------------------------------------------
European law enforcement authorities dismantled a fraud network operating call centers in Ukraine that scammed victims across Europe out of more than 10 million euros.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/european-authorities-dismant…
∗∗∗ Microsoft to block Exchange Online access for outdated mobile devices ∗∗∗
---------------------------------------------
Microsoft announced on Monday that it will soon block mobile devices running outdated email software from accessing Exchange Online services until they're updated.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-block-exchange…
∗∗∗ Cyberattack disrupts Venezuelan oil giant PDVSA's operations ∗∗∗
---------------------------------------------
Petróleos de Venezuela (PDVSA), Venezuela's state-owned oil company, was hit by a cyberattack over the weekend that disrupted its export operations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cyberattack-disrupts-venezue…
∗∗∗ Update now: Warning of attacks on Apple vulnerabilities and Gladinet ∗∗∗
---------------------------------------------
CISA warns of ongoing attacks on vulnerabilities in Apple's iOS and macOS as well as in Gladinet CentreStack and Triofox.
---------------------------------------------
https://www.heise.de/news/Updaten-Warnung-vor-Angriffen-auf-Apple-Luecken-u…
∗∗∗ Defender problem after Windows Update KB5072033 – Get-MPComputerStatus empty ∗∗∗
---------------------------------------------
The cumulative update KB5072033 of December 9, 2025 can cause problems under Windows 11 24H2 and 25H2, and possibly under Windows Server 2025. The PowerShell status query that checks whether Windows Defender is still working correctly may not function.
---------------------------------------------
https://www.borncity.com/blog/2025/12/16/defender-fehler-nach-windows-updat…
∗∗∗ The Detection & Response Chronicles: Exploring Telegram Abuse ∗∗∗
---------------------------------------------
Adversaries utilizing popular messaging apps throughout different attack phases is nothing new. Telegram, in particular, has constantly been the subject of abuse by multiple threat actors, favoured for its anonymity, accessibility, resilience, and operational advantages. In this blog, we explore popular Telegram Bot APIs, recent campaigns involving Telegram abuse, and provide detection and hunting opportunities.
---------------------------------------------
https://blog.nviso.eu/2025/12/16/the-detection-response-chronicles-explorin…
∗∗∗ Malicious NuGet Package Typosquats Popular .NET Tracing Library to Steal Wallet Passwords ∗∗∗
---------------------------------------------
The Socket Threat Research Team uncovered a malicious NuGet package, Tracer.Fody.NLog, that typosquats and impersonates the legitimate Tracer.Fody library and its maintainer. It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer.
---------------------------------------------
https://socket.dev/blog/malicious-nuget-package-typosquats-popular-net-trac…
∗∗∗ PornHub Confirms Premium User Data Exposure Linked to Mixpanel Breach ∗∗∗
---------------------------------------------
PornHub is facing renewed scrutiny after confirming that some Premium users' activity data was exposed following a security incident at a third-party analytics provider. The PornHub data breach disclosure comes as the platform faces increasing regulatory scrutiny in the United States and reported extortion attempts linked to the stolen data. The issue stems from a data breach linked not to PornHub's own systems, but to Mixpanel, an analytics vendor the platform previously used.
---------------------------------------------
https://thecyberexpress.com/pornhub-data-breach-premium-users/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (binwalk, glib2.0, libgd2, paramiko, and python-apt), Fedora (chromium, python3.13, python3.14, qt6-qtdeclarative, and usd), Mageia (ffmpeg, firefox, nspr, nss, and thunderbird), Oracle (kernel, mysql, mysql:8.0, mysql:8.4, ruby:3.3, wireshark, and xorg-x11-server), Red Hat (expat, mingw-expat, and rsync), SUSE (binutils, curl, glib2, gnutls, go1.24, go1.25, keylime, libmicrohttpd, libssh, openexr, postgresql15, python311, and xkbcomp), and Ubuntu (libsoup3, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-6.14, linux-azure, linux-azure-6.8, linux-azure-fips, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-kvm, linux-oem-6.14, linux-raspi, and linux-realtime, linux-realtime-6.8).
---------------------------------------------
https://lwn.net/Articles/1050778/
∗∗∗ Node.js Security Releases ∗∗∗
---------------------------------------------
The team is still working on a particularly challenging patch, for this reason the release is being postponed to Thursday, December 18th or shortly after.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
∗∗∗ [R1] Nessus Versions 10.11.1 and 10.9.6 Fix Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (expat, libxml2, libxslt) were found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2025-24
∗∗∗ JumpCloud Remote Assist Flaw Lets Users Gain Full Control of Company Devices ∗∗∗
---------------------------------------------
A critical vulnerability (CVE-2025-34352) found by XM Cyber in the JumpCloud Remote Assist for Windows agent allows local users to gain full SYSTEM privileges. Businesses must update to version 0.317.0 or later immediately to patch the high-severity flaw.
---------------------------------------------
https://hackread.com/jumpcloud-remote-assist-flaw-full-devices-control/
∗∗∗ Security vulnerabilities: HPE ProLiant servers with Intel QuickAssist are vulnerable ∗∗∗
---------------------------------------------
Security patches close several vulnerabilities in HPE ProLiant. Servers are only attackable under certain conditions, however.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-HPE-ProLiant-Server-mit-Intel-…
∗∗∗ SEIKO EPSON printer Web Config vulnerable to stack-based buffer overflow ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN51846148/
∗∗∗ Synology-SA-25:18 C2 Identity Edge Server (PWN2OWN 2025) ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_18
∗∗∗ Mitsubishi Electric GT Designer3 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-04
∗∗∗ Hitachi Energy AFS, AFR and AFF Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-03
∗∗∗ Johnson Controls PowerG, IQPanel and IQHub ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02
∗∗∗ Güralp Systems Fortimus Series, Minimus Series, and Certimus Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-12-2025 18:00 − Monday 15-12-2025 18:30
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ French Interior Ministry confirms cyberattack on email servers ∗∗∗
---------------------------------------------
The French Interior Minister confirmed on Friday that the country's Ministry of the Interior was breached in a cyberattack that compromised e-mail servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/france-interior-ministry-con…
∗∗∗ Microsoft: Recent Windows updates break VPN access for WSL users ∗∗∗
---------------------------------------------
Microsoft says that recent Windows 11 security updates are causing VPN networking failures for enterprise users running Windows Subsystem for Linux.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-recent-windows-up…
∗∗∗ Flaw in Hacktivist Ransomware Lets Victims Decrypt Own Files ∗∗∗
---------------------------------------------
A new version of VolkLocker, wielded by the pro-Russia RaaS group CyberVolk, has some key enhancements but one fatal flaw.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/flaw-hacktivist-ransomware-…
∗∗∗ Cyberattack: Hackers attack Ideal Versicherung with ransomware ∗∗∗
---------------------------------------------
The Ideal Group, which specializes in retirement and long-term care insurance, is investigating a ransomware infection. Business operations are restricted.
---------------------------------------------
https://www.golem.de/news/cyberangriff-hacker-attackieren-ideal-versicherun…
∗∗∗ A look at an Android ITW DNG exploit ∗∗∗
---------------------------------------------
Between July 2024 and February 2025, 6 suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group. Investigation of these images showed that these images were DNG files targeting the Quram library, an image parsing library specific to Samsung devices.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-ex…
∗∗∗ Frogblight threatens you with a court case: a new Android banker targets Turkish users ∗∗∗
---------------------------------------------
Kaspersky researchers have discovered a new Android banking Trojan targeting Turkish users and posing as an app for accessing court case files via an official government webpage. The malware is being actively developed and may become MaaS in the future.
---------------------------------------------
https://securelist.com/frogblight-banker/118440/
∗∗∗ ClickFix Attacks Still Using the Finger ∗∗∗
---------------------------------------------
Since as early as November 2025, the finger protocol has been used in ClickFix social engineering attacks. BleepingComputer posted a report of this activity on November 15th, and Didier Stevens posted a short follow-up in an ISC diary the next day.
---------------------------------------------
https://isc.sans.edu/diary/rss/32566
∗∗∗ Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.
---------------------------------------------
https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.h…
∗∗∗ Job seekers beware! Caution with job portals such as trabajo.org and bebee.com ∗∗∗
---------------------------------------------
Job portals such as trabajo.org or bebee.com advertise attractive job offers. In fact, however, there are numerous indications that you will not get a job there and that your data could even be harvested.
---------------------------------------------
https://www.watchlist-internet.at/news/arbeitssuchende-aufgepasst-warum-sie…
∗∗∗ Exploitation of Critical Vulnerability in React Server Components (Updated December 12) ∗∗∗
---------------------------------------------
We discuss the CVSS 10.0-rated RCE vulnerability in the Flight protocol used by React Server Components. This is tracked as CVE-2025-55182.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478…
∗∗∗ PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading ∗∗∗
---------------------------------------------
Job seekers looking out for opportunities might instead find their personal devices compromised, as a PureRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
∗∗∗ Fake Microsoft Teams and Google Meet Downloads Spread Oyster Backdoor ∗∗∗
---------------------------------------------
The Oyster backdoor (also known as Broomstick) is targeting the financial world, using malicious search ads for PuTTY, Teams, and Google Meet.
---------------------------------------------
https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backd…
∗∗∗ 16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records ∗∗∗
---------------------------------------------
Cybersecurity researchers discovered an unsecured 16TB database exposing 4.3 billion professional records, including names, emails, and LinkedIn data. Learn what happened, why this massive data leak enables new scams, and how to protect your PII.
---------------------------------------------
https://hackread.com/mongodb-database-expose-lead-gen-records/
∗∗∗ GitHub Scanner for React2Shell (CVE-2025-55182) Turns Out to Be Malware ∗∗∗
---------------------------------------------
A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports.
---------------------------------------------
https://hackread.com/github-scanner-react2shell-cve-2025-55182-malware/
∗∗∗ Patch day problem: Message Queuing disruptions in Windows 10, Server 2016 and 2019 ∗∗∗
---------------------------------------------
The December security updates disrupt Message Queuing in Windows 10, Server 2016 and 2019. Error messages are the result.
---------------------------------------------
https://heise.de/-11114815
∗∗∗ "Careless Whisper" side-channel attack affects WhatsApp and Signal ∗∗∗
---------------------------------------------
A tool for tracking over three billion WhatsApp and Signal users has been publicly released. Just by knowing the phone number, attackers can determine when users come home, when they are actively using the phone, when they go to sleep, or when they are offline. They can also drain batteries and data limits without the users noticing anything.
---------------------------------------------
https://cybernews.com/security/whatsapp-signal-real-time-tracking-battery-d…
∗∗∗ Rich Headers: leveraging this mysterious artifact of the PE format ∗∗∗
---------------------------------------------
We started our project with low expectations, thinking that there must be a reason the Rich Headers feature is overlooked and not widely utilized. Over time, we became more and more impressed with how much could be achieved by searching for feature clusters based on such a small part of an executable, and how powerful it can be when leveraged correctly.
---------------------------------------------
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-heade…
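The artifact the paper clusters on is small enough to parse by hand. As an added example (not code from the paper or from any of the tools it mentions), the following Python parses the Rich header that MSVC's linker leaves between the DOS stub and the PE header, decodes the (product id, build, use count) entries, and recomputes the XOR key so that a stub or header edited after linking (a packer, or manual tampering) shows up as a checksum mismatch. The sample bytes are constructed by build_sample, and the (product id, build) pairs in it are illustrative values rather than entries taken from a real binary.

```python
"""Parse and verify the Rich header found between the DOS stub and the PE
header of MSVC-linked executables.  Added example, not code from the
VB2019 paper.  Layout (little-endian dwords, each XORed with a 32-bit key):
  "DanS" ^ key, key, key, key, (comp_id ^ key, count ^ key)*, "Rich", key
comp_id packs the toolchain product id (high 16 bits) and build (low 16 bits)."""
import struct

DANS = 0x536E6144    # b"DanS" read as a little-endian dword
E_LFANEW_OFF = 0x3C  # offset of the PE header pointer in the DOS header


def rol32(value, count):
    count &= 0x1F
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(data, dans_offset, entries):
    """Recompute the XOR key the linker derived from the DOS header/stub and
    the entries.  e_lfanew (0x3C..0x3F) is skipped because it is patched in
    after the checksum is taken.  A mismatch means the stub or header was
    edited after linking."""
    checksum = dans_offset
    for i in range(dans_offset):
        if E_LFANEW_OFF <= i < E_LFANEW_OFF + 4:
            continue
        checksum = (checksum + rol32(data[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        checksum = (checksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return checksum


def split_comp_id(comp_id):
    """Return (product id, build number)."""
    return comp_id >> 16, comp_id & 0xFFFF


def parse_rich_header(data):
    """Return a dict with key, entries, offset and checksum status, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    rich_pos = data.rfind(b"Rich", 0x40, min(e_lfanew, len(data)))
    if rich_pos < 0 or rich_pos + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    # walk backwards one dword at a time until the decoded "DanS" marker
    pos = rich_pos - 4
    while pos >= 0x40 and struct.unpack_from("<I", data, pos)[0] ^ key != DANS:
        pos -= 4
    if pos < 0x40:
        return None
    dans_offset = pos
    body_len = rich_pos - dans_offset - 16
    if body_len < 0 or body_len % 8:
        return None
    # three padding dwords follow "DanS"; they must decode to zero
    if any(p ^ key for p in struct.unpack_from("<III", data, dans_offset + 4)):
        return None
    entries = []
    for off in range(dans_offset + 16, rich_pos, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append((comp_id ^ key, count ^ key))
    return {
        "key": key,
        "dans_offset": dans_offset,
        "entries": entries,
        "checksum_ok": rich_checksum(data, dans_offset, entries) == key,
    }


def build_sample(entries, stub=b"\x00" * 0x40):
    """Constructed MZ prefix carrying a Rich header (test data, not a real
    binary).  The key is derived with rich_checksum, as a linker would."""
    dans_offset = 0x40 + len(stub)
    e_lfanew = dans_offset + 16 + 8 * len(entries) + 8
    dos = b"MZ" + b"\x00" * (E_LFANEW_OFF - 2) + struct.pack("<I", e_lfanew)
    head = dos + stub
    key = rich_checksum(head, dans_offset, entries)
    block = struct.pack("<IIII", DANS ^ key, key, key, key)
    for comp_id, count in entries:
        block += struct.pack("<II", comp_id ^ key, count ^ key)
    block += b"Rich" + struct.pack("<I", key)
    return head + block + b"PE\x00\x00"


if __name__ == "__main__":
    # illustrative (product id, build) pairs, not taken from a real sample
    sample = build_sample([(0x010468C8, 5), (0x010068C8, 17), (0x00FF0000, 80)])
    info = parse_rich_header(sample)
    print(f"key=0x{info['key']:08x} checksum_ok={info['checksum_ok']}")
    for comp_id, count in info["entries"]:
        prod, build = split_comp_id(comp_id)
        print(f"  prodid=0x{prod:04x} build={build} count={count}")
```

For clustering, the useful feature is the decoded entry list (and the key itself, since it changes with every rebuild); a checksum mismatch is a signal on its own, because unmodified linker output always verifies.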
∗∗∗ Decompiling run-only AppleScripts ∗∗∗
---------------------------------------------
Intro to run-only AppleScripts. We validate the tool against XCSSET samples with known source, explore anti-analysis and anti-sandbox behavior in older malware, show common obfuscation tricks used in the wild, and walk through the key internals that make the decompiler work.
---------------------------------------------
https://pberba.github.io/security/2025/12/14/decompiling-run-only-applescri…
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-day vulnerabilities in WebKit: attacks on iPhone users observed ∗∗∗
---------------------------------------------
Two actively exploited security vulnerabilities put Apple devices such as iPhones, iPads and Macs at risk. Users should patch promptly.
---------------------------------------------
https://www.golem.de/news/zero-day-luecken-in-webkit-angriffe-auf-iphone-nu…
∗∗∗ No patch from Microsoft: zero-day vulnerability affects all common Windows versions ∗∗∗
---------------------------------------------
Researchers warn of a zero-day vulnerability in Windows. It becomes really dangerous in combination with an already known vulnerability.
---------------------------------------------
https://www.golem.de/news/kein-patch-von-microsoft-zero-day-luecke-gefaehrd…
∗∗∗ FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.
---------------------------------------------
https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html
∗∗∗ Researcher Uncovers 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks ∗∗∗
---------------------------------------------
Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.
---------------------------------------------
https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, grafana, kernel, libsoup3, mysql8.4, and wireshark), Debian (ruby-git, ruby-sidekiq, thunderbird, and vlc), Fedora (apptainer, chromium, firefox, golangci-lint, libpng, and xkbcomp), Mageia (golang), SUSE (binutils, chromium, firefox, gegl, go1.25, govulncheck-vulndb, hauler, kernel, keylime, libpng12, pgadmin4, postgresql16, python, python-Django, python-django, python3, python311, rhino, thunderbird, unbound, and xkbcomp), and Ubuntu (usbmuxd).
---------------------------------------------
https://lwn.net/Articles/1050523/
∗∗∗ Security updates 1.6.12 and 1.5.12 released ∗∗∗
---------------------------------------------
We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for two recently reported security vulnerabilities.
---------------------------------------------
https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
∗∗∗ React2Shell patch insufficient, attacks expanding ∗∗∗
---------------------------------------------
The updates meant to close a critical vulnerability in React servers are incomplete. More and more attackers are abusing the hole.
---------------------------------------------
https://www.heise.de/news/React2Shell-Patch-unzureichend-Angriffe-weiten-si…
∗∗∗ Attackers can attack PCs managed with TeamViewer DEX ∗∗∗
---------------------------------------------
Admins manage company computers via TeamViewer DEX (Digital Employee Experience). Attackers can now leverage several vulnerabilities to attack the managed devices.
---------------------------------------------
https://heise.de/-11114835
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-12-2025 18:00 − Friday 12-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ NIS-2 implemented in Austria (NISG 2026) ∗∗∗
---------------------------------------------
The Network and Information Systems Security Act 2026 (Netz- und Informationssystemsicherheitsgesetz 2026, NISG 2026) was passed today (12.12.2025) by the Nationalrat. Promulgation follows the Bundesrat's approval and the Federal President's signature. The act enters into force nine months after its promulgation (expected in autumn 2026).
---------------------------------------------
https://certitude.consulting/blog/de/nis-2-in-osterreich-umgesetzt-nisg-202…
∗∗∗ Technical Analysis of the BlackForce Phishing Kit ∗∗∗
---------------------------------------------
Zscaler ThreatLabz identified a new phishing kit named BlackForce, which was first observed in the beginning of August 2025 with at least five distinct versions. BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA). The phishing kit is actively marketed and sold on Telegram forums for €200–€300.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-blackfor…
∗∗∗ Cybersecurity Performance Goals 2.0 for Critical Infrastructure ∗∗∗
---------------------------------------------
Today, CISA released updated Cross-Sector Cybersecurity Performance Goals (CPG 2.0) with measurable actions for critical infrastructure owners and operators to achieve a foundational level of cybersecurity.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/11/cybersecurity-performanc…
∗∗∗ SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics ∗∗∗
---------------------------------------------
In November, a targeted spear-phishing campaign was observed using Trend Micro-themed lures against various industries, but this was quickly detected and thwarted by the Trend Vision One™ platform.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html
∗∗∗ Malicious VSCode Marketplace extensions hid trojan in fake PNG file ∗∗∗
---------------------------------------------
A stealthy campaign with 19 extensions on the VSCode Marketplace has been active since February, targeting developers with malware hidden inside dependency folders.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, luksmeta, mysql, mysql:8.0, mysql:8.4, tomcat, and wireshark), Debian (chromium, kernel, and tzdata), Fedora (brotli, dr_libs, perl-Alien-Brotli, python-urllib3, singularity-ce, wireshark, and yarnpkg), Oracle (firefox, grafana, lasso, libsoup3, luksmeta, ruby, ruby:3.3, tomcat, and wireshark), Slackware (mozilla), SUSE (container-suseconnect, kubernetes-client, libpoppler-cpp2, postgresql14, postgresql15, and python3), and Ubuntu (c-ares, keystone, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-azure, linux-azure-4.15, linux-oracle, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-hwe-6.8, linux-oracle-6.8, linux-raspi, linux-realtime, linux-intel-iot-realtime, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/1050251/
∗∗∗ New Windows RasMan zero-day flaw gets free, unofficial patches ∗∗∗
---------------------------------------------
Free unofficial patches are available for a new Windows zero-day vulnerability that allows attackers to crash the Remote Access Connection Manager (RasMan) service. RasMan is a critical Windows system service that starts automatically, runs in the background with SYSTEM-level privileges, and manages VPN, Point-to-Point Protocol over Ethernet (PPPoE), and other remote network connections.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/new-windows-rasman-zero-day…
∗∗∗ Fernwartung ScreenConnect: Kritische Lücke ermöglicht Schadcodeausführung ∗∗∗
---------------------------------------------
In der Fernwartungssoftware Connectwise ScreenConnect können angemeldete Angreifer Schadcode einschleusen. Ein Update steht bereit.
---------------------------------------------
https://www.heise.de/news/Fernwartung-ScreenConnect-Kritische-Luecke-ermoeg…
∗∗∗ GitLab: Angreifer können Wiki-Seiten mit Malware anlegen ∗∗∗
---------------------------------------------
Die DevSecOps-Plattform GitLab ist verwundbar. In aktuellen Versionen haben die Entwickler mehrere Sicherheitslücken geschlossen. Im schlimmsten Fall können Angreifer Systeme kompromittieren.
---------------------------------------------
https://www.heise.de/news/GitLab-Angreifer-koennen-Wiki-Seiten-mit-Malware-…
∗∗∗ New React RSC Vulnerabilities Enable DoS and Source Code Exposure ∗∗∗
---------------------------------------------
The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure.
---------------------------------------------
https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html
∗∗∗ Google fixes super-secret 8th Chrome 0-day ∗∗∗
---------------------------------------------
Google issued an emergency fix for a Chrome vulnerability already under exploitation, which marks the world's most popular browser's eighth zero-day bug of 2025.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/11/google_fixes…
∗∗∗ DSA-6080-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00246.html
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-expl…
∗∗∗ CISA Releases 12 Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industr…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-12-2025 18:00 − Thursday 11-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Identity theft possible: serious security flaws uncovered in eID cards ∗∗∗
---------------------------------------------
Since 2021, EU citizens in Germany have been able to apply for a so-called eID card, for example to identify themselves to online services. According to research by the Süddeutsche Zeitung, however, the application process has considerable security problems, because authorities apparently often cannot properly verify who the applicant actually is. Possible consequences include abuse for money laundering and other fraudulent activities.
---------------------------------------------
https://www.golem.de/news/identitaetsklau-moeglich-gravierende-sicherheitsm…
∗∗∗ Explosive data leak on Docker Hub: over 10,000 Docker images leak credentials ∗∗∗
---------------------------------------------
Security researchers at Flare searched Docker images published on Docker Hub for embedded credentials and found plenty. According to their blog post, a one-month scan turned up countless secrets in more than 10,000 images, belonging to over 100 different organizations, among them a Fortune 500 company and a large state-owned bank.
---------------------------------------------
https://www.golem.de/news/docker-hub-zugangsdaten-in-ueber-10-000-docker-im…
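The point worth checking in one's own registry is that an image carries every layer, not just the final filesystem: a credential copied in by one Dockerfile step and removed by a later one is gone from the running container but still inside the layer tar that every pull downloads. As an added example (not Flare's scanner and not tied to their findings), the following Python walks the manifest.json of a "docker save" archive and scans each layer tar separately, reporting whiteout entries so the reader can see which hits a later layer tried to delete. The image is constructed in memory by build_sample_image; the access key id in it is AWS's documented example value, and the regex set is illustrative rather than complete.

```python
"""Scan every layer of a 'docker save' archive for credentials.
Added example, not Flare's tooling.  Each layer tar is scanned on its own:
a secret added in one layer and deleted in a later one (a '.wh.' whiteout
entry, what 'RUN rm .env' produces) is invisible in the running container
but still shipped to everyone who pulls the image."""
import io
import json
import posixpath
import re
import tarfile

# illustrative patterns; a real scanner carries many more and validates hits
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment": re.compile(rb"(?i)(?:password|secret|token|api_key)\s*[=:]\s*['\"]?[^\s'\"]{8,}"),
}
MAX_FILE = 1 << 20  # secrets live in small config files; skip big blobs


def scan_layer(layer_bytes, layer_name):
    """Return ([(layer, path, kind, redacted preview), ...], [whiteouts])."""
    hits, whiteouts = [], []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        for member in tar:
            if posixpath.basename(member.name).startswith(".wh."):
                whiteouts.append(member.name)
                continue
            if not member.isfile() or member.size > MAX_FILE:
                continue
            content = tar.extractfile(member).read()
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(content):
                    preview = match.group(0)[:12].decode("ascii", "replace") + "..."
                    hits.append((layer_name, member.name, kind, preview))
    return hits, whiteouts


def scan_image(archive_bytes):
    """Follow manifest.json of a 'docker save' archive and scan each layer."""
    hits, whiteouts = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for image in manifest:
            for layer_path in image["Layers"]:
                layer_hits, layer_wh = scan_layer(
                    outer.extractfile(layer_path).read(), layer_path)
                hits += layer_hits
                whiteouts += layer_wh
    return hits, whiteouts


def tar_bytes(files):
    """Build an uncompressed tar in memory from {name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image: layer 1 adds app/.env with credentials
    (AWS's documented example key id, not a live one), layer 2 deletes it."""
    layer1 = tar_bytes({
        "app/.env": b"DB_PASSWORD=Sup3rS3cretPassw0rd\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        "app/main.py": b"print('hello')\n",
    })
    layer2 = tar_bytes({"app/.wh..env": b""})
    manifest = [{"Config": "config.json", "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    return tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "l1/layer.tar": layer1,
        "l2/layer.tar": layer2,
    })


if __name__ == "__main__":
    hits, whiteouts = scan_image(build_sample_image())
    for hit in hits:
        print("%s:%s %s %s" % hit)
    print("deleted later by whiteouts:", whiteouts)
```

Running it on a real image is "docker save image:tag | python3 scan.py" with the archive read from stdin instead of build_sample_image(); the fix on the build side is a multi-stage build or BuildKit secret mounts, since deleting the file in a later step only adds a whiteout.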
∗∗∗ NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes.
---------------------------------------------
https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html
∗∗∗ SMS from the Federal Chancellery? Phishing trap instead of a refund ∗∗∗
---------------------------------------------
A text message sent in the name of the Federal Chancellery (Bundeskanzleramt) promises a refund of over 100 euros. Unsurprisingly, behind it is nothing but a phishing trap: criminals use it to obtain online banking login credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/bundeskanzleramt-phishing-rueckersta…
∗∗∗ Scammers Sent 40,000 E-Signature Phishing Emails to 6,000 Firms in Just 2 Weeks ∗∗∗
---------------------------------------------
Phishing campaign: Scammers sent over 40,000 spoofed SharePoint, DocuSign and e-sign emails to companies, hiding malicious links behind trusted redirect services.
---------------------------------------------
https://hackread.com/scammers-e-signature-phishing-emails/
∗∗∗ New ‘DroidLock’ Android Malware Locks Users Out, Spies via Front Camera ∗∗∗
---------------------------------------------
Zimperium zLabs reveals DroidLock, a new Android malware acting like ransomware that can hijack Android devices, steal credentials via phishing, and stream your screen via VNC.
---------------------------------------------
https://hackread.com/droidlock-android-malware-users-spy-camera/
∗∗∗ Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution ∗∗∗
---------------------------------------------
Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far.
---------------------------------------------
https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.ht…
∗∗∗ .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL ∗∗∗
---------------------------------------------
New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the "invalid cast vulnerability" SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. The list of affected vendors is likely longer given the widespread use of .NET.
---------------------------------------------
https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html
∗∗∗ New ConsentFix attack hijacks Microsoft accounts via Azure CLI ∗∗∗
---------------------------------------------
A new variation of the ClickFix attack dubbed 'ConsentFix' abuses the Azure CLI OAuth app to hijack Microsoft accounts without the need for a password or to bypass multi-factor authentication (MFA) verifications.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijack…
∗∗∗ Hackers exploit unpatched Gogs zero-day to breach 700 servers ∗∗∗
---------------------------------------------
An unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, has enabled attackers to gain remote code execution on Internet-facing instances and compromise hundreds of servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-gogs-zero-day-rce-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, firefox-esr, libsndfile, and rear), Fedora (httpd, perl-CGI-Simple, and tinyproxy), Oracle (firefox, kernel, libsoup, mysql8.4, tigervnc, tomcat, tomcat9, and uek-kernel), SUSE (alloy, curl, dovecot24, fontforge, glib2, himmelblau, java-17-openjdk, java-21-openjdk, kernel, krb5, lasso, libvirt, mozjs128, mysql-connector-java, nvidia-open-driver-G07-signed-check, openssh, poppler, postgresql17, postgresql18, python-cbor2, python-Django, python310, python311-Django, runc, strongswan, tomcat11, and xwayland), and Ubuntu (binutils, libpng1.6, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux, linux-aws, linux-gcp, linux-realtime, and qtbase-opensource-src).
---------------------------------------------
https://lwn.net/Articles/1050117/
∗∗∗ Google warns of security vulnerability: Chrome users under attack ∗∗∗
---------------------------------------------
An emergency update for the Chrome web browser closes several dangerous security vulnerabilities. At least one of them is already being exploited.
---------------------------------------------
https://www.golem.de/news/google-warnt-vor-sicherheitsluecke-chrome-nutzer-…
∗∗∗ Barracuda RMM: critical security vulnerabilities allow code injection ∗∗∗
---------------------------------------------
IT managers who administer their environment with Barracuda RMM, formerly known as Managed Workplace, should install the available hotfix 2025.1.1 as soon as possible if they have not already done so. It closes several security vulnerabilities, three of which received the maximum CVSS score of 10 and thus pose a major risk.
---------------------------------------------
https://heise.de/-11111274
∗∗∗ WinRAR: code injection vulnerability under attack ∗∗∗
---------------------------------------------
The WinRAR archiver up to and including version 7.12 Beta 1 contains a security vulnerability that lets attackers inject malicious code. Attacks on this vulnerability have now been observed. Anyone using WinRAR should therefore update to a newer version promptly.
---------------------------------------------
https://heise.de/-11111474
∗∗∗ ZDI-25-1060: Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1060/
∗∗∗ MISP v2.5.28 Release: Security, Dashboard Upgrade, and Community Enhancements ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.28
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-12-2025 18:00 − Wednesday 10-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ The double login: phishing attempt targeting Salzburg AG ∗∗∗
---------------------------------------------
With phishing e-mails, criminals lure customers of Salzburg AG to a fake login page. The first login attempt fails, but it transmits username and password to the fraudsters and then opens the genuine login form. Because the second attempt succeeds, the victims do not become suspicious. This article explains why the scheme is also relevant for non-customers.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-doppelter-login/
∗∗∗ 01flip: Multi-Platform Ransomware Written in Rust ∗∗∗
---------------------------------------------
In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/
∗∗∗ Opportunistic Pro-Russia Hacktivists Attack US and Global Critical Infrastructure ∗∗∗
---------------------------------------------
CISA, in partnership with the Federal Bureau of Investigation, the National Security Agency, the Department of Energy, the Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners, published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/09/opportunistic-pro-russia…
∗∗∗ Spiderman Phishing Kit Targets European Banks with Real-Time Credential Theft ∗∗∗
---------------------------------------------
Varonis threat analysts warn about Spiderman, a dangerous new kit that automates attacks against European banks and crypto customers, stealing a victim’s full identity profile.
---------------------------------------------
https://hackread.com/spiderman-phishing-kit-european-banks-credential-theft/
=====================
= Vulnerabilities =
=====================
∗∗∗ Better to patch manually: hackers exploit dangerous vulnerability in the Notepad++ updater ∗∗∗
---------------------------------------------
Attackers are distributing malware via a security vulnerability in the Notepad++ updater. The developer warns and advises updating, but preferably by hand rather than through the updater.
---------------------------------------------
https://www.golem.de/news/besser-manuell-patchen-hacker-nutzen-gefaehrliche…
∗∗∗ Patch Tuesday: attackers exploit security vulnerability in Windows and Windows Server ∗∗∗
---------------------------------------------
Attackers currently have Windows 11 and Windows Server 2022, among others, in their sights. Admins should therefore make sure that Windows Update is active on their systems and that the current security patches are installed.
---------------------------------------------
https://www.heise.de/news/Patchday-Angreifer-nutzen-Sicherheitsluecke-in-Wi…
∗∗∗ Bitdefender: security hole allows privilege escalation in antivirus software ∗∗∗
---------------------------------------------
A security vulnerability has been discovered in Bitdefender's antivirus software that allows attackers to escalate their privileges on the system. Various Bitdefender variants are affected. Updates that fix the vulnerability are available.
---------------------------------------------
https://www.heise.de/news/Bitdefender-Sicherheitsleck-ermoeglicht-Rechteaus…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (abrt and kernel), Debian (libpng1.6, libsoup2.4, pdns-recursor, webkit2gtk, and wordpress), Fedora (imhex, libwebsockets, lunasvg, python3-docs, and python3.14), Mageia (python3 and webkit2), Red Hat (abrt, firefox, mysql8.4, and postgresql:15), Slackware (mozilla), SUSE (gegl, gnutls, go1.24, go1.25, libpng16-16, openssh, postgresql13, python-Jinja2, and sssd), and Ubuntu (fonttools and netty).
---------------------------------------------
https://lwn.net/Articles/1049939/
∗∗∗ Fortinet Patch Tuesday: SSO login bypassable in many products ∗∗∗
---------------------------------------------
Attackers can attack various Fortinet products and, among other things, gain unauthorized access. Security updates are available for download. So far there are no reports of ongoing attacks, but admins should not wait too long to patch.
---------------------------------------------
https://heise.de/-11109878
∗∗∗ Ivanti plugs critical security vulnerability in Endpoint Manager ∗∗∗
---------------------------------------------
An update for Ivanti's Endpoint Manager closes, among others, a critical security vulnerability through which attackers can inject JavaScript.
---------------------------------------------
https://heise.de/-11110277
∗∗∗ DSA-6075-1 wordpress - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00241.html
∗∗∗ ZDI-25-1045: Schneider Electric PowerChute Serial Shutdown Directory Traversal Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1045/
∗∗∗ ZDI-25-1042: Siemens Simcenter Femap IGS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1042/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 140.6 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-96/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 146 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-95/
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-releases-three-indu…
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-adds-two-known-expl…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-expl…
∗∗∗ K000158128: SQLite vulnerability CVE-2025-6965 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158128
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-12-2025 18:00 − Tuesday 09-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malicious VSCode extensions on Microsoft's registry drop infostealers ∗∗∗
---------------------------------------------
Two malicious extensions on Microsoft's Visual Studio Code Marketplace infect developers' machines with information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-…
∗∗∗ Ransomware gangs turn to Shanya EXE packer to hide EDR killers ∗∗∗
---------------------------------------------
Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-sha…
∗∗∗ North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks ∗∗∗
---------------------------------------------
A new malware implant called EtherRAT, deployed in a recent React2Shell attack, runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for communication with the attacker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit…
∗∗∗ ‘Broadside’ Mirai Variant Targets Maritime Logistics Sector ∗∗∗
---------------------------------------------
Yet another variant of the Mirai botnet is threatening the maritime logistics sector by exploiting a critical flaw in digital recording devices used by companies on seagoing vessels. The attacks allow for remote command injection via the vulnerability, enabling attackers to establish Netlink-based process monitoring for persistence and other malicious activities.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-mar…
∗∗∗ Lumma Stealer: Danger lurking in fake game updates from itch.io and Patreon ∗∗∗
---------------------------------------------
After patches on mainstream gaming platforms like Steam, indie game platforms as well as Patreon have become the latest platforms for distributing malware.
---------------------------------------------
https://feeds.feedblitz.com/~/932262560/0/gdatasecurityblog-en~Lumma-Steale…
∗∗∗ Attacks already underway: around 29,000 servers vulnerable via React flaw ∗∗∗
---------------------------------------------
Attackers are exploiting a critical vulnerability in the React framework dubbed React2Shell. In Germany alone there are still over 3,000 vulnerable servers.
---------------------------------------------
https://www.golem.de/news/attacken-laufen-bereits-rund-29-000-server-ueber-…
∗∗∗ Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails ∗∗∗
---------------------------------------------
A new agentic browser attack targeting Perplexity's Comet browser is capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show.
---------------------------------------------
https://thehackernews.com/2025/12/zero-click-agentic-browser-attack-can.html
∗∗∗ Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher, as another upgraded version of ClayRat has been spotted in the wild.
---------------------------------------------
https://thehackernews.com/2025/12/android-malware-fvncbot-seedsnatcher.html
∗∗∗ Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT.
---------------------------------------------
https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
∗∗∗ STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware ∗∗∗
---------------------------------------------
Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565.
---------------------------------------------
https://thehackernews.com/2025/12/stac6565-targets-canada-in-80-of.html
∗∗∗ Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading ∗∗∗
---------------------------------------------
The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks.
---------------------------------------------
https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.h…
∗∗∗ Novel clickjacking attack relies on CSS and SVG ∗∗∗
---------------------------------------------
Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/05/css_svg_clic…
∗∗∗ Crims using social media images, videos in virtual kidnapping scams ∗∗∗
---------------------------------------------
Criminals are altering social media and other publicly available images of people to use as fake proof of life photos in "virtual kidnapping" and extortion scams, the FBI warned on Friday.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/05/virtual_kidn…
∗∗∗ New Prompt Injection Attack Vectors Through MCP Sampling ∗∗∗
---------------------------------------------
This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools.
---------------------------------------------
https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/
∗∗∗ New BYOVD loader behind DeadLock ransomware attack ∗∗∗
---------------------------------------------
Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload.
---------------------------------------------
https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/
∗∗∗ Space Bears Ransomware Claims Comcast Data Theft Through QuasarBreach ∗∗∗
---------------------------------------------
Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia.
---------------------------------------------
https://hackread.com/space-bears-ransomware-comcast-quasar-breach/
∗∗∗ ChrimeraWire Trojan Fakes Chrome Activity to Manipulate Search Rankings ∗∗∗
---------------------------------------------
ChrimeraWire is a new Windows trojan that automates web browsing through Chrome to simulate user activity and manipulate search engine rankings.
---------------------------------------------
https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/
∗∗∗ SimpleX Chat X Account Hacked, Fake Site Promotes Crypto Wallet Scam ∗∗∗
---------------------------------------------
SimpleX Chat’s X account was hacked to promote a fake crypto site urging users to connect their wallets. The site mimicked the official design to steal funds.
---------------------------------------------
https://hackread.com/simplex-chat-x-account-hacked-fake-site-wallet-scam/
∗∗∗ Coupongogo: Remote-Controlled Crypto Stealer Targeting Developers on GitHub ∗∗∗
---------------------------------------------
Deep dive into the Coupongogo browser extension (v1.1.12): The alarming cryptostealer waiting for activation.
---------------------------------------------
https://www.rastersec.com/blog/coupongogo-cryptostealer
∗∗∗ CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones ∗∗∗
---------------------------------------------
CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.
---------------------------------------------
https://www.ibm.com/think/x-force/cve-2023-20078-technical-analysis
∗∗∗ Malicious Crate Mimicking ‘Finch’ Exfiltrates Credentials via a Hidden Dependency ∗∗∗
---------------------------------------------
Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates.
---------------------------------------------
https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credent…
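The Socket finding hinges on an unpinned dependency: the typosquat crate declares a requirement that Cargo is allowed to resolve to a newer release, so the attacker can ship a payload later without touching the crate that users installed. As an added example (not Socket's tooling and not code from the advisory), the following scanner reads a Cargo.toml, classifies every dependency requirement by how far it may float, and flags git dependencies that name a branch but no `rev`. The Cargo.toml is constructed for the example and the crate names in it are placeholders.

```python
import re

# Constructed Cargo.toml for the example; crate names are placeholders, not real projects.
SAMPLE_CARGO_TOML = """
[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = "1.0"                                  # bare requirement = caret: floats within 1.x
helper-crate = { version = "*", features = ["x"] }
sha2 = { version = "=0.10.8" }
tokio = { version = "^1.35", features = ["full"] }
internal-lib = { git = "https://example.invalid/org/internal-lib", branch = "main" }

[dev-dependencies]
tempfile = "~3.8"

[dependencies.regex]
version = "1"
"""

SECTION = re.compile(r'^\s*\[(.+?)\]\s*$')
SIMPLE = re.compile(r'^\s*([\w.-]+)\s*=\s*"([^"]*)"\s*$')          # name = "req"
INLINE = re.compile(r'^\s*([\w.-]+)\s*=\s*\{(.*)\}\s*$')           # name = { version = "...", ... }
FIELD = re.compile(r'(\w+)\s*=\s*"([^"]*)"')                       # key = "value" pairs inside a table


def classify(req: str) -> str:
    """Map a Cargo version requirement to how much it is allowed to float."""
    req = req.strip()
    if req == "*" or req.endswith("*"):
        return "wildcard"                      # any version at all
    if req.startswith("="):
        return "pinned"                        # exactly this version
    if req.startswith(("~", ">", "<")):
        return "range"                         # tilde or comparison range
    return "caret"                             # bare "1.0" and "^1.0" mean >=1.0.0, <2.0.0


def classify_table(fields: dict) -> str:
    """Classify an inline or dotted dependency table (git/path deps included)."""
    if "git" in fields:
        return "pinned" if "rev" in fields else "git-unpinned"   # a branch or tag can move
    if "path" in fields:
        return "pinned"
    return classify(fields.get("version", "*"))   # a table without a version requirement is "*"


def scan_cargo_toml(text: str):
    """Return (dependency, requirement, class) for every entry in a dependencies table."""
    findings = []
    section, pending = None, None              # pending = (name, fields) for [dependencies.<name>]

    def flush():
        nonlocal pending
        if pending is not None:
            name, fields = pending
            findings.append((name, fields.get("version", fields.get("git", "?")), classify_table(fields)))
            pending = None

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments (sample has no '#' inside strings)
        if not line.strip():
            continue
        m = SECTION.match(line)
        if m:
            flush()
            section = m.group(1)
            single = re.match(r'^(?:dev-|build-)?dependencies\.([\w.-]+)$', section)
            pending = (single.group(1), {}) if single else None
            continue
        in_deps = section is not None and (section.endswith("dependencies") or pending is not None)
        if not in_deps:
            continue
        if pending is not None:                # key/value lines of a [dependencies.<name>] table
            f = FIELD.match(line.strip())
            if f:
                pending[1][f.group(1)] = f.group(2)
            continue
        m = INLINE.match(line)
        if m:
            fields = dict(FIELD.findall(m.group(2)))
            findings.append((m.group(1), fields.get("version", fields.get("git", "?")), classify_table(fields)))
            continue
        m = SIMPLE.match(line)
        if m:
            findings.append((m.group(1), m.group(2), classify(m.group(2))))
    flush()
    return findings


def floating(text: str):
    """Names of dependencies whose requirement permits a newer release to be pulled in."""
    return [name for name, _, kind in scan_cargo_toml(text) if kind != "pinned"]
```

Pinning in Cargo.toml only constrains direct dependencies; the transitive tree is fixed by Cargo.lock, so commit the lock file and build with `cargo build --locked` so a build fails rather than silently resolving a new release. `cargo tree` shows what a suspicious crate pulls in transitively, which is where the `sha-rust` style hidden dependency would appear.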
∗∗∗ Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks ∗∗∗
---------------------------------------------
Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.
---------------------------------------------
https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-6073-1 ffmpeg - security update ∗∗∗
---------------------------------------------
Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00239.html
∗∗∗ Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch ∗∗∗
---------------------------------------------
A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.
---------------------------------------------
https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
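Tika is a Java project and the advisory does not give parser details, so the following is an added, general example of the defence that closes the XXE class rather than Tika's own fix: refuse any DOCTYPE declaration before the parser can see an entity definition. Without a DOCTYPE there are no external entities to resolve and no internal entities to expand, which also covers entity-expansion denial of service. The code uses Python's stdlib expat binding; the three XML documents are constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed inputs for the example.
SAFE_XML = b'<?xml version="1.0"?><report><title>Q4 summary</title></report>'
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<d>&xxe;</d>')
LAUGHS_XML = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;">]>'
              b'<lolz>&lol2;</lolz>')


class UnsafeXML(ValueError):
    """Raised for documents carrying constructs the parser refuses to process."""


def parse_strict(xml_bytes: bytes) -> dict:
    """Parse XML with expat while rejecting any DOCTYPE declaration.

    Returns the root element name and the concatenated character data.
    """
    parser = expat.ParserCreate()
    state = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised inside a handler aborts the parse and propagates out of Parse().
        raise UnsafeXML(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    def on_chardata(data):
        state["text"].append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chardata
    # Defence in depth: never resolve an external entity reference even if one
    # were reached; returning 0 from this handler makes expat fail the parse.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0

    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return {"root": state["root"], "text": "".join(state["text"])}


def rejects(xml_bytes: bytes) -> bool:
    """True if parse_strict refuses the document."""
    try:
        parse_strict(xml_bytes)
    except UnsafeXML:
        return True
    return False
```

The same policy exists in every mainstream XML stack (for example the `disallow-doctype-decl` feature of Java's JAXP parsers); whichever parser a service uses, the check to make is that DOCTYPE is disabled on the parser instance that actually handles untrusted input, not on a default nobody calls.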
∗∗∗ Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks ∗∗∗
---------------------------------------------
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations.
---------------------------------------------
https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.ht…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, krita, lasso, and libpng1.6), Fedora (abrt, cef, chromium, tinygltf, webkitgtk, and xkbcomp), Oracle (buildah, delve and golang, expat, python-kdcproxy, qt6-qtquick3d, qt6-qtsvg, sssd, thunderbird, and valkey), Red Hat (webkit2gtk3), and SUSE (git-bug, go1, and libpng12-0).
---------------------------------------------
https://lwn.net/Articles/1049657/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (abrt and mingw-libpng), Mageia (apache and libpng), Oracle (abrt, go-toolset:rhel8, kernel, sssd, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (gimp, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, and postgresql13), and Ubuntu (gnupg2, python-apt, radare2, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1049769/
∗∗∗ iOS 26.2: Apple fixes critical bugs in second release candidate ∗∗∗
---------------------------------------------
The probably last major iOS update of the year, iOS 26.2, is taking a little longer: instead, on Monday evening German time Apple released a second release candidate of the update for the iPhone operating system. Apple has not yet said what exactly was changed in RC2, but it is considered certain that one or more critical bugs are being fixed. When the final release can be expected remains open.
---------------------------------------------
https://heise.de/-11108257
∗∗∗ Multiple vulnerabilities in ABB Terra AC Wallbox ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN84024274/
∗∗∗ Multiple vulnerabilities in GroupSession ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN19940619/
∗∗∗ SAP Patch Day: 14 security advisories at year end ∗∗∗
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-14-Sicherheitswarnungen-zum-Jahresen…
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 140.6 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-94/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.31 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-93/
∗∗∗ Security Vulnerabilities fixed in Firefox 146 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-92/
∗∗∗ Vulnerability Summary for the Week of December 1, 2025 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb25-342
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-expl…
∗∗∗ K000158118: PostgreSQL vulnerabilities CVE-2025-8713, CVE-2025-8715 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158118
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 04-12-2025 18:00 − Freitag 05-12-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ React2Shell - attacks against vulnerable applications based on React.JS and other frameworks ∗∗∗
---------------------------------------------
This week, critical vulnerabilities in React Server Components were published. These vulnerabilities allow unauthenticated remote code execution if applications use the affected server components. The vulnerability is now being actively exploited to compromise vulnerable installations. Proof-of-concept exploits are already publicly available. CVE number(s): CVE-2025-55182
---------------------------------------------
https://www.cert.at/de/warnungen/2025/12/react2shell-angriffe-gegen-verwund…
∗∗∗ CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far ∗∗∗
---------------------------------------------
GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as “React2Shell” and tracked as CVE-2025-55182.
---------------------------------------------
https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-expl…
∗∗∗ Cloudflare blames today's outage on emergency React2Shell patch ∗∗∗
---------------------------------------------
Cloudflare has blamed today's outage on the emergency patching of a critical React remote code execution vulnerability, which is now actively exploited in attacks. [..] "The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components," Cloudflare CTO Dane Knecht noted in a post-mortem.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-out…
∗∗∗ Cybersecurity industry overreacts to React vulnerability, starts panic, burns own house down again ∗∗∗
---------------------------------------------
The disclosure write up is great — it’s full of facts, and explains when you are and aren’t vulnerable. I don’t think anybody knows how to parse it and people have started taking actions before even knowing what they’re doing. [..] Check with your developers and suppliers if they even use React v19 yet. They most probably don’t, in which case you aren’t vulnerable.
---------------------------------------------
https://doublepulsar.com/cybersecurity-industry-overreacts-to-react-vulnera…
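The advice above is to find out whether React 19 is in use at all before acting. As an added example (not from the article and not a vulnerability scanner), the following reads an npm lockfile, lists every installed version of `react` including nested copies, and reports whether any `react-server-dom-*` package is present. Treating those packages as the ones that carry the React Server Components implementation is an assumption to be confirmed against the advisory; the script only narrows the inventory, it does not decide vulnerability. The lockfile is constructed for the example.

```python
import json

# Constructed package-lock.json (lockfileVersion 3) for the example; not a real project's lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"react": "^19.0.0", "react-dom": "^19.0.0"}},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-dom": {"version": "19.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
        "node_modules/legacy-widget/node_modules/react": {"version": "18.3.1"},
        "node_modules/@scope/ui-kit": {"version": "2.1.0"},
    },
})


def installed_versions(lock_text: str) -> dict:
    """name -> set of installed versions, for lockfileVersion 1, 2 and 3."""
    lock = json.loads(lock_text)
    found = {}
    if "packages" in lock:                       # lockfileVersion 2/3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path or "version" not in meta:
                continue                         # "" is the root project itself
            name = path.rsplit("node_modules/", 1)[-1]   # keeps "@scope/name" intact
            found.setdefault(name, set()).add(meta["version"])
    else:                                        # lockfileVersion 1: nested "dependencies" trees
        def walk(deps):
            for name, meta in deps.items():
                found.setdefault(name, set()).add(meta["version"])
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return found


def major(version: str) -> int:
    return int(version.split(".")[0])


def rsc_triage(lock_text: str) -> dict:
    """Summarise React major versions and RSC packages found in a lockfile."""
    found = installed_versions(lock_text)
    react = sorted(found.get("react", ()))
    react19 = any(major(v) >= 19 for v in react)
    # Assumption: React Server Components ship in the react-server-dom-* packages.
    rsc = {n: sorted(v) for n, v in found.items() if n.startswith("react-server-dom-")}
    return {
        "react_versions": react,
        "react19_present": react19,
        "rsc_packages": rsc,
        "needs_review": react19 and bool(rsc),
    }
```

Nested copies matter: a lockfile can carry React 18 at the top level and React 19 under some dependency, so grep on the top-level package.json alone would miss it. Run the same inventory over every deployable, including frameworks that bundle their own React, and then read the advisory to decide whether the code path is reachable.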
∗∗∗ Hackers are exploiting ArrayOS AG VPN flaw to plant webshells ∗∗∗
---------------------------------------------
Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. Array Networks fixed the vulnerability in a May security update, but has not assigned an identifier, complicating efforts to track the flaw and patch management.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-array…
∗∗∗ FBI warns of virtual kidnapping scams using altered social media photos ∗∗∗
---------------------------------------------
The FBI warns that criminals are altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapp…
∗∗∗ Asus supplier hit by ransomware attack as gang flaunts alleged 1 TB haul ∗∗∗
---------------------------------------------
Laptop maker says a vendor breach exposed some phone camera code, but not its own systems. Asus has admitted that a third-party supplier was popped by cybercrims after the Everest ransomware gang claimed it had rifled through the tech titan's internal files.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/05/asus_supplie…
∗∗∗ SMS Phishers Pivot to Points, Taxes, Fake Retailers ∗∗∗
---------------------------------------------
Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.
---------------------------------------------
https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake…
∗∗∗ Warning: new phishing e-mails in the name of the WKO in circulation ∗∗∗
---------------------------------------------
Criminals are particularly fond of imitating well-known organisations. Currently the WKO is affected once again. In a new phishing variant, recipients are asked to verify their data under the pretext of a "quality assurance" check.
---------------------------------------------
https://www.watchlist-internet.at/news/wko-phishing-e-mails-datenerfassung/
∗∗∗ A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect ∗∗∗
---------------------------------------------
GreyNoise detected a surge of 7,000+ IPs attempting to log into GlobalProtect, sharing fingerprints with a surge in SonicWall API scanning and earlier Palo Alto campaigns, exposing a persistent credential-based attack pattern.
---------------------------------------------
https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-…
∗∗∗ November CVEs Fell 25% YoY, Driven by Slowdowns at Major CNAs ∗∗∗
---------------------------------------------
2025 CVE volume is still running ahead of 2024 overall, even as November cooled off year over year. [..] For security teams, the practical takeaway is to be careful about using “global CVE count” as a proxy for risk. CVE volume can still be useful as a publishing health signal, especially when concentrated among a small number of high-output CNAs and programs.
---------------------------------------------
https://socket.dev/blog/november-cves-fell-25-yoy-driven-by-slowdowns-at-ma…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, firefox, gimp:2.8, go-toolset:rhel8, ipa, kea, kernel, kernel-rt, pcs, qt6-qtquick3d, qt6-qtsvg, systemd, and valkey), Debian (chromium and unbound), Fedora (alexvsbus, CuraEngine, fcgi, libcoap, python-kdcproxy, texlive-base, timg, and xpdf), Mageia (digikam, darktable, libraw, gnutls, python-django, unbound, webkit2, and xkbcomp), Oracle (bind, firefox, gimp:2.8, haproxy, ipa, java-25-openjdk, kea, kernel, libsoup3, libssh, libtiff, openssl, podman, qt6-qtsvg, squid, systemd, vim, and xorg-x11-server-Xwayland), Slackware (httpd and libpng), SUSE (chromedriver, kernel, and python-mistralclient), and Ubuntu (cups, linux-azure, linux-gcp, linux-gcp, linux-gke, linux-gkeop, linux-ibm-6.8, linux-iot, and mame).
---------------------------------------------
https://lwn.net/Articles/1049417/
∗∗∗ VU#441887: Duc contains a stack buffer overflow vulnerability in the buffer_get function, allowing for out-of-bounds memory read ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/441887
∗∗∗ Drupal: Security advisories for contributed projects ∗∗∗
---------------------------------------------
https://www.drupal.org/security/contrib
∗∗∗ Socomec DIRIS Digiware M series and Easy Config, PDF XChange Editor vulnerabilities ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/socomec-diris-digiware-m-series-and-easy…
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 03-12-2025 18:30 − Donnerstag 04-12-2025 18:30
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Fraudulent gambling network may be a nation-state spying operation ∗∗∗
---------------------------------------------
A sprawling infrastructure that has been bilking unsuspecting people through fraudulent gambling websites for 14 years is likely a dual operation run by a nation-state-sponsored group that is targeting government and private-industry organizations in the US and Europe, researchers said Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/12/fraudulent-gambling-network-may-be…
∗∗∗ Cost-cutting on macOS: Apple angers researchers with reduced bug bounty rewards ∗∗∗
---------------------------------------------
Researchers who investigate security vulnerabilities in Apple's macOS operating system and report them to the vendor will in future receive smaller rewards for doing so. Security researcher Csaba Fitzl recently drew attention to this in a LinkedIn post. He accuses Apple of devaluing macOS with this step and of no longer caring about users' privacy.
---------------------------------------------
https://www.golem.de/news/macos-apple-veraergert-forscher-mit-gekuerzten-bu…
∗∗∗ Attempts to Bypass CDNs, (Wed, Dec 3rd) ∗∗∗
---------------------------------------------
Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well.
---------------------------------------------
https://isc.sans.edu/diary/rss/32532
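The setup described above only protects the application if the origin refuses requests that did not come through the CDN; otherwise anyone who discovers the origin address (old DNS records, certificate transparency logs, mail headers) bypasses every filter. As an added example, not code from the ISC diary, here is the origin-side guard: the TCP peer must be a CDN egress address and the request must carry a secret header that the CDN is configured to add on every origin pull. The egress ranges, header names and secret below are made up for the example; a real deployment takes the ranges from the CDN's published list and the secret from a secret store.

```python
import hmac
import ipaddress

# Constructed values (assumptions): the CDN's published egress ranges and the shared
# secret that the CDN is configured to send in a custom header on every origin pull.
CDN_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
ORIGIN_PULL_SECRET = "c0ffee-rotate-me"     # keep in a secret manager; rotate together with the CDN config
SECRET_HEADER = "X-Origin-Pull-Token"       # hypothetical header name
CLIENT_IP_HEADER = "X-CDN-Client-IP"        # hypothetical: the header in which the CDN passes the real client


def from_cdn(peer_ip: str) -> bool:
    """True if the TCP peer is one of the CDN's egress addresses (v4 or v6)."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in CDN_EGRESS)


def origin_guard(peer_ip: str, headers: dict) -> tuple:
    """Decide whether the origin should serve this request at all.

    Both checks are needed: the allow-list stops direct-to-origin traffic, the
    secret stops another tenant of the same CDN from pointing their zone at our
    origin, because their pulls would also arrive from CDN egress addresses.
    """
    if not from_cdn(peer_ip):
        return False, "peer is not a CDN egress address"
    token = headers.get(SECRET_HEADER, "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token.encode(), ORIGIN_PULL_SECRET.encode()):
        return False, "missing or wrong origin-pull token"
    return True, "ok"


def client_ip(peer_ip: str, headers: dict) -> str:
    """Address to log and rate-limit on.

    The CDN's client header is only believed when the request really came
    through the CDN; a direct caller can set any header they like.
    """
    ok, _ = origin_guard(peer_ip, headers)
    if ok and CLIENT_IP_HEADER in headers:
        return str(ipaddress.ip_address(headers[CLIENT_IP_HEADER]))
    return peer_ip
```

Header names are matched exactly here; real frameworks normalise case before the lookup. Enforcing the allow-list at the firewall or load balancer in addition to the application avoids depending on every handler calling the guard, and the CDN-side equivalent (authenticated origin pulls with a client certificate, where the CDN offers it) replaces the shared secret with something that cannot leak through a log line.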
∗∗∗ Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th) ∗∗∗
---------------------------------------------
The ISC internship didn't just teach me about security, it changed how I thought about threats entirely. There's something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That's where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!
---------------------------------------------
https://isc.sans.edu/diary/rss/32536
∗∗∗ Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts ∗∗∗
---------------------------------------------
The botnet has prominently targeted telecommunication providers, gaming companies, hosting providers, and financial services. Also tackled by Cloudflare was a 14.1 Bpps DDoS attack from the same botnet. AISURU is believed to be powered by a massive network comprising an estimated 1-4 million infected hosts worldwide.
---------------------------------------------
https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html
∗∗∗ Gardening joy or fraud trap? Warning about fraudulent plant shops ∗∗∗
---------------------------------------------
The start of winter is one of the best times to plant fruit trees. Not only garden enthusiasts know this, but unfortunately criminals do too. More and more fake shops lure with supposedly attractive offers and lead consumers into the trap.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-betruegerischen-pflanzen…
∗∗∗ BRICKSTORM Backdoor ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based off analysis of eight BRICKSTORM samples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures to identify BRICKSTORM malware samples.
---------------------------------------------
https://www.cisa.gov/news-events/analysis-reports/ar25-338a
∗∗∗ ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading ∗∗∗
---------------------------------------------
Job seekers looking out for opportunities might instead find their personal devices compromised, as a ValleyRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
∗∗∗ Fake ChatGPT Atlas Browser Used in ClickFix Attack to Steal Passwords ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a ClickFix attack posing as the ChatGPT Atlas browser, confirming the danger of the ongoing surge in this threat.
---------------------------------------------
https://hackread.com/fake-chatgpt-atlas-clickfix-steal-passwords/
∗∗∗ Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue ∗∗∗
---------------------------------------------
Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day…
∗∗∗ New Stealthy Linux Malware Combines Mirai DDoS Botnet with Cryptominer ∗∗∗
---------------------------------------------
Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign.
---------------------------------------------
https://thecyberexpress.com/linux-malware-mirai-botnet-cryptominer/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (expat and libxml2), Debian (openvpn and webkit2gtk), Fedora (gi-loadouts, kf6-kcoreaddons, kf6-kguiaddons, kf6-kjobwidgets, kf6-knotifications, kf6-kstatusnotifieritem, kf6-kunitconversion, kf6-kwidgetsaddons, kf6-kxmlgui, nanovna-saver, persepolis, python-ezdxf, python-pyside6, sigil, stb, syncplay, tinyproxy, torbrowser-launcher, ubertooth, and usd), Mageia (cups), SUSE (cups, gegl, icinga2, mozjs128, and Security), and Ubuntu (ghostscript, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux-aws-fips, linux-fips, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gcp-4.15, linux-hwe, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-gcp-6.14, linux-raspi, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, linux-raspi, linux-raspi-realtime, linux-xilinx, and postgresql-14, postgresql-16, postgresql-17).
---------------------------------------------
https://lwn.net/Articles/1049251/
∗∗∗ Cross-Site Scripting in Nextcloud: Development files shipped in files_pdfviewer app ∗∗∗
---------------------------------------------
Nextcloud’s PDF viewer uses an outdated version of PDF.js vulnerable to CVE-2024-4367. Attackers with regular user access to a Nextcloud instance are able to prepare a special link. If this link is visited by other logged-in users, a cross-site scripting payload is executed and attackers get access to that user's files.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/
∗∗∗ Patch now! Critical code-execution vulnerability threatens React ∗∗∗
---------------------------------------------
Software developers working with React should bring the JavaScript library up to date immediately for security reasons. If they do not, attackers can exploit a vulnerability and fully compromise systems by executing malicious code. Security updates are available.
---------------------------------------------
https://heise.de/-11102366
∗∗∗ Chrome 143.0.7499.40 / 41 closes vulnerabilities ∗∗∗
---------------------------------------------
On 2 December 2025, Google updated the Chrome browser to versions 143.0.7499.40 / 41 to close several vulnerabilities at once. The Extended Stable Chromium branch has also received an update. Below I briefly summarise some information on these topics.
---------------------------------------------
https://www.borncity.com/blog/2025/12/04/chrome-143-0-7499-40-41-schliesst-…
∗∗∗ DSA-6069-1 openvpn - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00235.html
∗∗∗ K000158050: SQLite vulnerability CVE-2019-8457 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158050
∗∗∗ K000158042: Apache HTTP server vulnerabilities CVE-2024-47252 and CVE-2025-49812 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158042
∗∗∗ K000158059: Next.js vulnerability CVE-2025-66478 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158059
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-12-2025 18:00 − Mittwoch 03-12-2025 18:30
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack ∗∗∗
---------------------------------------------
In just three months, the massive Aisuru botnet launched more than 1,300 distributed denial-of-service attacks, one of them setting a new record with a peak at 29.7 terabits per second.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-rec…
∗∗∗ Deep dive into DragonForce ransomware and its Scattered Spider connection ∗∗∗
---------------------------------------------
DragonForce expanded its ransomware operation in 2025 by working with English-speaking hackers known for advanced social engineering and initial access. Acronis explains how the "Scattered Spider" collaboration enables coordinated, multistage intrusions across major environments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/deep-dive-into-dragonforce-r…
∗∗∗ Technical Analysis of Matanbuchus 3.0 ∗∗∗
---------------------------------------------
Matanbuchus is a malicious downloader, written in C++, which has been offered as a Malware-as-a-Service (MaaS) since 2020. Over this time, Matanbuchus has undergone several development stages. In July 2025, version 3.0 of Matanbuchus was identified in-the-wild. Matanbuchus offers threat actors the option to deploy additional payloads and perform hands-on keyboard activity via shell commands.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuc…
∗∗∗ Fundamental rights: court halts mass surveillance by the Swiss intelligence service ∗∗∗
---------------------------------------------
Following a lawsuit by civil rights activists, the Swiss Federal Administrative Court has declared the Federal Intelligence Service's cable communications surveillance (Fernmeldeaufklärung) unconstitutional.
---------------------------------------------
https://www.heise.de/news/Grundrechte-Gericht-stoppt-Massenueberwachung-des…
∗∗∗ False snakes: news from MuddyWater ∗∗∗
---------------------------------------------
MuddyWater is targeting critical infrastructure in Israel and Egypt, relying on tailored malware, improved tactics and a predictable playbook.
---------------------------------------------
https://www.welivesecurity.com/de/eset-research/falsche-schlangen-neues-von…
∗∗∗ Current wave: phishing in the name of Volksbank ∗∗∗
---------------------------------------------
For several weeks, criminals have been sending their phishing attempts particularly often in the name of Volksbank. They rely on the well-known e-mails and SMS messages. Anyone who follows the link to a "data update" or "account unblocking" risks disclosing their online banking login credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/starke-welle-phishing-volksbank/
∗∗∗ India backs off mandatory cyber safety app after surveillance backlash ∗∗∗
---------------------------------------------
Mobile phone makers will no longer be required to load the Indian government's Sanchar Saathi app onto new devices after the initial announcement prompted pushback from companies and privacy groups.
---------------------------------------------
https://therecord.media/india-drops-mandate-sanchar-saathi-app-privacy-surv…
∗∗∗ Small numbers of Notepad++ users reporting security woes ∗∗∗
---------------------------------------------
I’ve heard from 3 orgs now who’ve had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands-on-keyboard threat actors.
---------------------------------------------
https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-…
∗∗∗ Everest Ransomware Claims ASUS Breach and 1TB Data Theft ∗∗∗
---------------------------------------------
The Everest ransomware group claims it breached ASUS, stealing over 1TB of data including camera source code. ASUS has been given 21 hours to respond via Qtox.
---------------------------------------------
https://hackread.com/everest-ransomware-asus-breach-1tb-data/
∗∗∗ Paying the Ransom: A Short-Term Fix or Long-Term Risks? ∗∗∗
---------------------------------------------
Ransomware attacks rose by nearly 25% in 2024. If compromised, should you pay ransomware demands or not? We review the risks, reasons to pay or not, and more.
---------------------------------------------
https://www.bitsight.com/blog/paying-ransom-for-ransomware
∗∗∗ Industrial control systems: Iskra iHUB remains without a security patch for now ∗∗∗
---------------------------------------------
Security updates have been released for some industrial control and automation systems, for example from Mitsubishi. One critical vulnerability, however, remains open.
---------------------------------------------
https://heise.de/-11101017
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability & Patch Roundup — November 2025 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2025/11/vulnerability-patch-roundup-november-2025.h…
∗∗∗ 100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Advanced Custom Fields: Extended WordPress Plugin ∗∗∗
---------------------------------------------
On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely.
---------------------------------------------
https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-r…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound).
---------------------------------------------
https://lwn.net/Articles/1049103/
∗∗∗ Microsoft quietly closes LNK vulnerability CVE-2025-9491 ∗∗∗
---------------------------------------------
An LNK file vulnerability (CVE-2025-9491) has been known since the end of August 2025. It can be abused on Windows for remote code execution. Microsoft initially did not want to provide a patch, but has now addressed it via an update after all.
---------------------------------------------
https://www.borncity.com/blog/2025/12/03/microsoft-schliesst-stillschweigen…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released five Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS: ICSA-25-336-01 Industrial Video & Control Longwatch, ICSA-25-336-02 Iskra iHUB and iHUB Lite, ICSMA-25-336-01 Mirion Medical EC2 Software NMIS BioDose, ICSA-25-201-01 Mitsubishi Electric CNC Series (Update A) and ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-releases-five-indus…
∗∗∗ ZDI-25-1039: (Pwn2Own) Synology BeeStation Plus auth_info Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1039/
∗∗∗ Splunk SVD-2025-1209: Third-Party Package Updates in Splunk Enterprise - December 2025 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-1209
∗∗∗ Splunk SVD-2025-1206: Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-1206
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/