=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-12-2025 18:00 − Monday 29-12-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Severe security vulnerability in MongoDB ("MongoBleed") ∗∗∗
---------------------------------------------
A severe security vulnerability in MongoDB was discovered around Christmas. The vulnerability, CVE-2025-14847 (also known as "MongoBleed"), allows unauthenticated attackers to read parts of the heap memory via manipulated, zlib-compressed requests and thus potentially steal sensitive data (such as passwords or API keys).
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/12/schwerwiegende-sicherheitslucke-in…
∗∗∗ WebRAT malware spread via fake vulnerability exploits on GitHub ∗∗∗
---------------------------------------------
The WebRAT malware is now being distributed through GitHub repositories that claim to host proof-of-concept exploits for recently disclosed vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/webrat-malware-spread-via-fa…
∗∗∗ Microsoft Teams to let admins block external users via Defender portal ∗∗∗
---------------------------------------------
Microsoft announced that security administrators will soon be able to block external users from sending messages, calls, or meeting invitations to members of their organization via Teams.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-to-let-admi…
∗∗∗ Romanian energy provider hit by Gentlemen ransomware attack ∗∗∗
---------------------------------------------
A ransomware attack hit Oltenia Energy Complex, Romania's largest coal-based energy producer, on the second day of Christmas, taking down its IT infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/romanian-energy-provider-hit…
∗∗∗ Ubisoft: Rainbow Six Siege servers shut down due to hack ∗∗∗
---------------------------------------------
Hackers gained access to the Rainbow Six Siege servers. After ban waves and a flood of in-game credits, Ubisoft responded by shutting the system down.
---------------------------------------------
https://www.golem.de/news/ubisoft-rainbow-six-siege-server-wegen-hack-herun…
∗∗∗ Evasive Panda APT poisons DNS requests to deliver MgBot ∗∗∗
---------------------------------------------
Kaspersky GReAT experts analyze the Evasive Panda APT's infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant.
---------------------------------------------
https://securelist.com/evasive-panda-apt/118576/
∗∗∗ Are We Ready to Be Governed by Artificial Intelligence? ∗∗∗
---------------------------------------------
Artificial Intelligence (AI) overlords are a common trope in science-fiction dystopias, but the reality looks much more prosaic. The technologies of artificial intelligence are already pervading many aspects of democratic government, affecting our lives in ways both large and small. This has occurred largely without our notice or consent. The result is a government incrementally transformed by AI rather than the singular technological overlord of the big screen.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/12/are-we-ready-to-be-governed-…
∗∗∗ Fake MAS Windows Activation Domain Used To Spread PowerShell Malware ∗∗∗
---------------------------------------------
An anonymous reader shares a report: A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the Cosmali Loader. BleepingComputer has found that multiple MAS users began reporting on Reddit yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection.
---------------------------------------------
https://it.slashdot.org/story/25/12/25/2058205/fake-mas-windows-activation-…
∗∗∗ New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that's delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple's Gatekeeper checks.
---------------------------------------------
https://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html
∗∗∗ Traditional Security Frameworks Leave Organizations Exposed to AI-Specific Attack Vectors ∗∗∗
---------------------------------------------
In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025, malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory.
---------------------------------------------
https://thehackernews.com/2025/12/traditional-security-frameworks-leave.html
∗∗∗ 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft.
---------------------------------------------
https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html
∗∗∗ Death, torture, and amputation: How cybercrime shook the world in 2025 ∗∗∗
---------------------------------------------
The human harms of cyberattacks piled up this year, and violence is expected to increase. The knock-on, and often unintentional, impacts of a cyberattack are so rarely discussed. As an industry, the focus is almost always placed on the economic damage: the ransom payment; the cost of business downtime; and goodness, don't forget those poor shareholders.
---------------------------------------------
https://www.theregister.com/2025/12/28/death_torture_and_amputation_how/
∗∗∗ The Age of the All-Access AI Agent Is Here ∗∗∗
---------------------------------------------
Big AI companies courted controversy by scraping wide swaths of the public internet. With the rise of AI agents, the next data grab is far more private.
---------------------------------------------
https://www.wired.com/story/expired-tired-wired-all-access-ai-agents/
∗∗∗ The Worst Hacks of 2025 ∗∗∗
---------------------------------------------
From university breaches to cyberattacks that shut down whole supply chains, these were the worst cybersecurity incidents of the year.
---------------------------------------------
https://www.wired.com/story/worst-hacks-of-2025/
∗∗∗ Samsung: Missing Google Play Services updates are intentional ∗∗∗
---------------------------------------------
For several weeks there has been confusion about missing Google Play Services updates on Samsung smartphones. Now Samsung explains why.
---------------------------------------------
https://www.heise.de/news/Samsung-erklaert-ausbleibende-Google-Play-Dienstu…
∗∗∗ 39C3: How a researcher once again outwitted the medical sector's secure mail network ∗∗∗
---------------------------------------------
At 39C3, a security expert showed how messages can be forged, identities stolen and sensitive metadata harvested in KIM, the e-mail system for physicians.
---------------------------------------------
https://www.heise.de/news/39C3-Wie-ein-Forscher-das-sichere-Mail-Netz-der-M…
∗∗∗ 39C3: Various vulnerabilities in GnuPG and other cryptographic tools ∗∗∗
---------------------------------------------
Security researchers have found various security-relevant bugs in GnuPG and similar programs. Many of the vulnerabilities are not (yet) fixed.
---------------------------------------------
https://www.heise.de/news/39C3-Diverse-Luecken-in-GnuPG-und-anderen-kryptog…
∗∗∗ Notepad++: Update clears out self-signed certificate remnants ∗∗∗
---------------------------------------------
In Notepad++, attackers were able to slip malware past the updater. A further update improves security and fixes regressions.
---------------------------------------------
https://www.heise.de/news/Notepad-Update-zum-Aufraeumen-von-Self-Signed-Zer…
∗∗∗ Millions of customer records from Wired magazine online – theft at Condé Nast? ∗∗∗
---------------------------------------------
Have I Been Pwned lists a data breach for Wired comprising sensitive data of 2.3 million users. Presumably, millions more could follow.
---------------------------------------------
https://www.heise.de/news/Millionen-Kundendaten-vom-Wired-Magazin-im-Netz-D…
∗∗∗ 39C3: Skynet Starter Kit – Researchers take over humanoid robots via radio and AI ∗∗∗
---------------------------------------------
At 39C3, experts demonstrate how poor the security of humanoid robots is. The range of attacks extends to jailbreaking the integrated AI.
---------------------------------------------
https://www.heise.de/hintergrund/39C3-Skynet-Starter-Kit-Forscher-uebernehm…
∗∗∗ 39C3: Security researcher hijacks AI coding assistants with prompt injection ∗∗∗
---------------------------------------------
At 39C3, Johann Rehberger showed how easily AI coding assistants can be hijacked. Many vulnerabilities have been fixed, but the fundamental problem remains.
---------------------------------------------
https://www.heise.de/news/39C3-Sicherheitsforscher-kapert-KI-Coding-Assiste…
∗∗∗ 1,800 North Koreans tried to infiltrate Amazon ∗∗∗
---------------------------------------------
It is not the first time that companies have reported North Korean agents deliberately trying to infiltrate their operations. The scale of the attempts, however, appears to have grown once again.
---------------------------------------------
https://www.derstandard.at/story/3000000302007/1800-nordkoreaner-versuchten…
∗∗∗ A brush with online fraud: What are brushing scams and how do I stay safe? ∗∗∗
---------------------------------------------
Have you ever received a package you never ordered? It could be a warning sign that your data has been compromised, with more fraud to follow.
---------------------------------------------
https://www.welivesecurity.com/en/scams/brush-online-fraud-what-are-brushin…
∗∗∗ Cyber volunteer effort for small water utilities announces new MSSP effort ∗∗∗
---------------------------------------------
An organization is looking to develop a first-of-its-kind managed security service provider (MSSP) model tailored specifically for rural water utilities.
---------------------------------------------
https://therecord.media/cyber-volunteer-water-utility-mssp
∗∗∗ Georgia arrests ex-spy chief over alleged protection of scam call centers ∗∗∗
---------------------------------------------
Grigol Liluashvili, who ran the Republic of Georgia's state security service from 2020 until April of this year, is facing allegations that he protected scam call centers that defrauded victims around the world.
---------------------------------------------
https://therecord.media/republic-of-georgia-former-spy-chief-arrested-scam-…
∗∗∗ Eurostar Accused Researchers of Blackmail for Reporting AI Chatbot Flaws ∗∗∗
---------------------------------------------
Researchers discovered critical flaws in Eurostar’s AI chatbot including prompt injection, HTML injection, guardrail bypass, and unverified chat IDs - Eurostar later accused them of blackmail.
---------------------------------------------
https://hackread.com/eurostar-blackmail-research-report-ai-chatbot-flaw/
∗∗∗ Hacker Leaks 2.3M Wired.com Records, Claims 40M-User Condé Nast Breach ∗∗∗
---------------------------------------------
A hacker using the alias “Lovely” has leaked what they claim is the personal data of over 2.3 million Wired.com users, a prominent American magazine and website. The leak was posted on December 20, 2025, on a newly launched hacking forum called Breach Stars.
---------------------------------------------
https://hackread.com/hacker-leak-wired-com-records-conde-nast-breach/
∗∗∗ BitLocker gets hardware encryption back ∗∗∗
---------------------------------------------
More speed and more security – after being dropped in 2019, Windows encryption will soon rely on crypto hardware instead of CPUs again.
---------------------------------------------
https://heise.de/-11124708
∗∗∗ Microsoft Is Finally Killing RC4 ∗∗∗
---------------------------------------------
After twenty-six years, Microsoft is finally upgrading the last remaining instance of the encryption algorithm RC4 in Windows.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/12/microsoft-is-finally-killing…
∗∗∗ Strengthening supply chain security: Preparing for the next malware campaign ∗∗∗
---------------------------------------------
Security advice for users and maintainers to help reduce the impact of the next supply chain malware attack.
---------------------------------------------
https://github.blog/security/supply-chain-security/strengthening-supply-cha…
∗∗∗ Forensic Insights into an EDR Freeze Attack ∗∗∗
---------------------------------------------
I have analyzed EDR-Freeze.exe, which puts EDR processes into a suspended “coma” state. Unlike typical EDR attack techniques (BYOVD etc.), this approach is more subtle and abuses legitimate Windows functionality.
---------------------------------------------
https://detect.fyi/forensic-insights-into-an-edr-freeze-attack-e559b0e50a91
∗∗∗ 2025 Report: Destructive Malware in Open Source Packages ∗∗∗
---------------------------------------------
Over the past year, the Socket Threat Research Team observed a steady rise in destructive and sabotage-oriented malware embedded in open source packages across multiple ecosystems. Unlike financially motivated campaigns that focus on credential theft, cryptomining, or wallet draining, these incidents were built to damage developer environments directly, deleting source code, breaking builds, or wiping repositories outright.
---------------------------------------------
https://socket.dev/blog/2025-report-destructive-malware-in-open-source-pack…
∗∗∗ Demand Without Development ∗∗∗
---------------------------------------------
The cybersecurity talent shortage is not just a problem of numbers, but of structure. By systematically avoiding the hiring and training of true junior staff, the industry is reinforcing a feedback loop that shrinks its own future workforce.
---------------------------------------------
https://bytesandborscht.com/demand-without-development/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kodi, pgbouncer, and rails), Fedora (duc, fluidsynth, gdu, singularity-ce, and tkimg), Slackware (vim), and SUSE (buildah, duc, gnutls, python39, qemu, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/1052236/
∗∗∗ Critical 0day flaw Exposes 70k XSpeeder Devices as Vendor Ignores Alert ∗∗∗
---------------------------------------------
Researchers reveal CVE-2025-54322, a critical unpatched flaw in XSpeeder networking gear found by AI agents. 70,000 industrial and branch devices are exposed.
---------------------------------------------
https://hackread.com/xspeeder-0day-flaw-devices-vendor-ignores-alert/
∗∗∗ Product Security Advisory and Analysis: Observed Abuse of FG-IR-19-283 ∗∗∗
---------------------------------------------
Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations. This blog analysis describes the observed abuse and provides additional context so that administrators can confirm that they are not impacted and guidance based on Fortinet observations to prevent FG-IR-19-283 from being exploited.
---------------------------------------------
https://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-ana…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-12-2025 18:00 − Tuesday 23-12-2025 18:15
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
The entire CERT.at team sincerely thanks you for your interest in our Daily Newsletter. We wish you a merry Christmas and relaxing holidays.
=====================
= News =
=====================
∗∗∗ Interpol-led action decrypts 6 ransomware strains, arrests hundreds ∗∗∗
---------------------------------------------
An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts…
∗∗∗ CISA flags ASUS Live Update CVE, but the attack is years old ∗∗∗
---------------------------------------------
An ASUS Live Update vulnerability tracked as CVE-2025-59374 has been making the rounds in infosec feeds, with some headlines implying recent or ongoing exploitation. A closer look, however, shows the CVE documents a historic supply-chain attack in an End-of-Life (EoL) software product, not a new attack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-flags-asus-live-update-…
∗∗∗ New MacSync malware dropper evades macOS Gatekeeper checks ∗∗∗
---------------------------------------------
The latest variant of the MacSync information stealer targeting macOS systems is delivered through a digitally signed, notarized Swift application.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macsync-malware-dropper-…
∗∗∗ Nissan says thousands of customers exposed in Red Hat breach ∗∗∗
---------------------------------------------
Nissan Motor Co. Ltd. (Nissan) has confirmed that information of thousands of its customers has been compromised after the data breach at Red Hat in September.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nissan-says-thousands-of-cus…
∗∗∗ Microsoft Teams strengthens messaging security by default in January ∗∗∗
---------------------------------------------
Microsoft Teams will automatically enable messaging safety features by default in January to strengthen defenses against content tagged as malicious.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-strengthens…
∗∗∗ Coupon codes online: Honey apparently extorted online shops and exploited children ∗∗∗
---------------------------------------------
Targeted advertising aimed at children, collection of private data and damage to online shops: Honey is apparently worse than previously thought.
---------------------------------------------
https://www.golem.de/news/gutscheincodes-im-netz-honey-erpresste-offenbar-o…
∗∗∗ From cheats to exploits: Webrat spreading via GitHub ∗∗∗
---------------------------------------------
We dissect the new Webrat campaign where the Trojan spreads via GitHub repositories, masquerading as critical vulnerability exploits to target cybersecurity researchers.
---------------------------------------------
https://securelist.com/webrat-distributed-via-github/118555/
∗∗∗ Assessing SIEM effectiveness ∗∗∗
---------------------------------------------
We share the results of assessing the effectiveness of Kaspersky SIEM in real-world infrastructures and explore common challenges and solutions to these.
---------------------------------------------
https://securelist.com/siem-effectiveness-assessment/118560/
∗∗∗ Chinese Crypto Scammers on Telegram Are Fueling the Biggest Darknet Markets Ever ∗∗∗
---------------------------------------------
Online black markets once lurked in the shadows of the dark web. Today, they’ve moved onto public platforms like Telegram—and are racking up historic illicit fortunes.
---------------------------------------------
https://www.wired.com/story/expired-tired-wired-chinese-scammer-crypto-mark…
∗∗∗ Cyber spies use fake New Year concert invites to target Russian military ∗∗∗
---------------------------------------------
The campaign surfaced earlier in October after researchers at the New York-based cybersecurity firm Intezer identified a malicious XLL file uploaded to VirusTotal, first from Ukraine and later from Russia.
---------------------------------------------
https://therecord.media/cyber-spies-fake-new-year-concert-russian-phishing
∗∗∗ DDoS incident disrupts France’s postal and banking services ahead of Christmas ∗∗∗
---------------------------------------------
France's La Poste confirmed that a distributed denial-of-service (DDoS) attack was the source of problems with its websites and mobile applications.
---------------------------------------------
https://therecord.media/la-poste-france-ddos-disruption-days-before-christm…
∗∗∗ Scam: Uphold security incident via a third-party provider? ∗∗∗
---------------------------------------------
Today I was "informed" that a "data breach" had occurred at a third-party provider, affecting users of Uphold. Uphold is a platform that provides a wallet for cryptocurrency. And this message is a scam. I am pulling together some information, and why one should presumably keep one's hands off the whole thing.
---------------------------------------------
https://borncity.com/blog/2025/12/22/uphold-sicherheitsvorfall-ueber-dritta…
∗∗∗ I foretold that Mac app notarization is security theater ∗∗∗
---------------------------------------------
This morning 9to5Mac reported, MacSync Stealer variant finds a way to bypass Apple malware protections, based on an investigation by Jamf.
---------------------------------------------
https://lapcatsoftware.com/articles/2025/12/5.html
∗∗∗ Malicious Chrome Extensions “Phantom Shuttle” Masquerade as a VPN to Intercept Traffic and Exfiltrate Credentials ∗∗∗
---------------------------------------------
Socket's Threat Research Team identified two malicious Chrome extensions sharing the same name Phantom Shuttle (幻影穿梭), published by the same threat actor using the email theknewone.com(a)gmail[.]com, distributed since at least 2017. The extensions market themselves as "multi-location network speed testing plugins" for developers and foreign trade personnel.
---------------------------------------------
https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle
=====================
= Vulnerabilities =
=====================
∗∗∗ Researchers warn: Critical n8n vulnerability affects over 17,000 German servers ∗∗∗
---------------------------------------------
A security vulnerability allows attackers to hijack n8n instances and inject malicious code. A particularly large number of vulnerable systems are located in Germany.
---------------------------------------------
https://www.golem.de/news/forscher-warnen-kritische-n8n-luecke-betrifft-ueb…
∗∗∗ Patches: Hitachi Infrastructure Analytics and Ops Center are vulnerable ∗∗∗
---------------------------------------------
Two security vulnerabilities threaten Hitachi Infrastructure Analytics and Ops Center. Attackers can bypass authentication.
---------------------------------------------
https://www.heise.de/news/Patches-Hitachi-Infrastructure-Analytics-und-Ops-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (binutils, curl, gcc-toolset-13-binutils, git-lfs, httpd, httpd:2.4, keylime, libssh, mod_md, openssh, php:8.3, podman, python3.12, python3.9, python39:3.9, skopeo, tomcat, tomcat9, and webkit2gtk3), Fedora (mingw-glib2, mingw-libsoup, and mingw-python3), Mageia (roundcubemail), Oracle (git-lfs and mod_md), and SUSE (glib2, kernel, mariadb, and qemu).
---------------------------------------------
https://lwn.net/Articles/1051758/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-12-2025 18:00 − Monday 22-12-2025 18:15
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ RansomHouse upgrades encryption with multi-layered data processing ∗∗∗
---------------------------------------------
The RansomHouse ransomware-as-a-service (RaaS) has recently upgraded its encryptor, switching from a relatively simple single-phase linear technique to a more complex, multi-layered method.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomhouse-upgrades-encrypt…
∗∗∗ Malicious npm package steals WhatsApp accounts and messages ∗∗∗
---------------------------------------------
A malicious package in the Node Package Manager (NPM) registry poses as a legitimate WhatsApp Web API library to steal WhatsApp messages, collect contacts, and gain access to the account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-npm-package-steals…
∗∗∗ Easily hackable: Deutschlandticket fraud reaches hundreds of millions ∗∗∗
---------------------------------------------
IT security researchers have uncovered massive vulnerabilities in the Deutschlandticket. The damage caused by fraud runs into the hundreds of millions.
---------------------------------------------
https://www.golem.de/news/leicht-hackbar-deutschlandticket-betrug-erreicht-…
∗∗∗ Airbus Moving Critical Systems Away From AWS, Google, and Microsoft Citing Data Sovereignty Concerns ∗∗∗
---------------------------------------------
Airbus is preparing to tender a major contract to move mission-critical systems like ERP, manufacturing, and aircraft design data onto a digitally sovereign European cloud, citing national security concerns and fears around U.S. extraterritorial laws like the CLOUD Act.
---------------------------------------------
https://slashdot.org/story/25/12/19/2252254/airbus-moving-critical-systems-…
∗∗∗ Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers ∗∗∗
---------------------------------------------
A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims' Microsoft 365 credentials and conduct account takeover attacks. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare.
---------------------------------------------
https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.h…
∗∗∗ ATM jackpotting gang accused of unleashing Ploutus malware across US ∗∗∗
---------------------------------------------
Latest charges join the mountain of indictments facing alleged Tren de Aragua members. A Venezuelan gang described by US officials as "a ruthless terrorist organization" faces charges over alleged deployment of malware on ATMs across the country, illegally siphoning millions of dollars.
---------------------------------------------
https://www.theregister.com/2025/12/19/tren_de_aragua_atm/
∗∗∗ Around 1,000 systems compromised in ransomware attack on Romanian water agency ∗∗∗
---------------------------------------------
On-site staff keep key systems working while all but one region battles with encrypted PCs. Romania's cybersecurity agency confirms a major ransomware attack on the country's water management administration has compromised around 1,000 systems, with work to remediate them still ongoing.
---------------------------------------------
https://www.theregister.com/2025/12/22/around_1000_systems_compromised_in/
∗∗∗ Zscaler Threat Hunting Catches Evasive SideWinder APT Campaign ∗∗∗
---------------------------------------------
Zscaler Threat Hunting has identified a sophisticated espionage campaign targeting Indian entities by masquerading as the Income Tax Department of India. By reconstructing the complete attack lifecycle from a deceptive “Inspection” lure to a reflectively loaded resident implant, Zscaler Threat Hunting has observed activity which is typically associated with SideWinder APT (also known as Rattlesnake or APT-C-17).
---------------------------------------------
https://www.zscaler.com/blogs/security-research/zscaler-threat-hunting-catc…
∗∗∗ l+f: Reverse engineering step by step – AI lends a hand too ∗∗∗
---------------------------------------------
A security researcher takes interested readers on a journey into an IP camera's firmware. The result is a set of patches for TP-Link's Tapo C200 model.
---------------------------------------------
https://www.heise.de/news/l-f-Reverse-Engineering-Schritt-fuer-Schritt-KI-h…
∗∗∗ Eurostar AI vulnerability: when a chatbot goes off the rails ∗∗∗
---------------------------------------------
I first encountered the chatbot as a normal Eurostar customer while planning a trip. When it opened, it clearly told me that “the answers in this chatbot are generated by AI”, which is good disclosure but immediately raised my curiosity about how it worked and what its limits were.
---------------------------------------------
https://www.pentestpartners.com/security-blog/eurostar-ai-vulnerability-whe…
∗∗∗ Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection ∗∗∗
---------------------------------------------
This report describes a phishing campaign in which attackers impersonate legitimate Google generated messages by abusing Google Cloud Application Integration to distribute malicious emails that appear to originate from trusted Google infrastructure. The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients.
---------------------------------------------
https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-go…
∗∗∗ Denmark summons Russian ambassador over alleged cyberattacks on water utility, elections ∗∗∗
---------------------------------------------
Russia’s ambassador to Copenhagen, Vladimir Barbin, confirmed to Russian state media on Friday that he had been called to the Danish foreign ministry, but rejected the accusations as unfounded.
---------------------------------------------
https://therecord.media/denmark-summons-russian-ambassador-cyberattack-elec…
∗∗∗ Nigeria arrests suspected RaccoonO365 phishing kit developer on tip from Microsoft, FBI ∗∗∗
---------------------------------------------
One of the alleged developers behind the RaccoonO365 subscription-based phishing kit was arrested by Nigerian police this week.
---------------------------------------------
https://therecord.media/nigeria-raccoon-developer-tip
∗∗∗ Nefilim ransomware hacker pleads guilty to computer fraud ∗∗∗
---------------------------------------------
A Ukrainian national pleaded guilty in U.S. federal court to one charge stemming from attacks using Nefilim ransomware on companies in the U.S., Canada and Australia.
---------------------------------------------
https://therecord.media/nefilim-ransomware-hacker-fraud
∗∗∗ Judge rules that NSO cannot continue to install spyware via WhatsApp pending appeal ∗∗∗
---------------------------------------------
NSO Group had sought to stay the order pending a decision on its appeal in the case, which centers on allegations that it targeted 1,400 WhatsApp users with its powerful zero-click Pegasus spyware in 2019.
---------------------------------------------
https://therecord.media/judge-rules-nso-cannot-continue-whatsapp-spyware
∗∗∗ Hackers Abuse Popular Monitoring Tool Nezha as a Stealth Trojan ∗∗∗
---------------------------------------------
Cybersecurity firm Ontinue reveals how the open-source tool Nezha is being used as a Remote Access Trojan (RAT) to bypass security and control servers globally.
---------------------------------------------
https://hackread.com/hackers-abuse-monitoring-tool-nezha-trojan/
∗∗∗ Counterfeit memory: extra caution is warranted now ∗∗∗
---------------------------------------------
Counterfeit hardware tends to make the rounds during the Christmas season. The memory shortage makes this kind of fraud even more lucrative.
---------------------------------------------
https://heise.de/-11123055
∗∗∗ "Karvi-geddon": Deficient security architecture at delivery-service platform ∗∗∗
---------------------------------------------
A security analysis published on GitHub reveals serious flaws at Karvi Solutions. Tens of thousands of restaurant customers are affected.
---------------------------------------------
https://heise.de/-11122678
∗∗∗ Task Injection – Exploiting agency of autonomous AI agents ∗∗∗
---------------------------------------------
This blog post describes what a Task Injection attack is, how this type of attack differs from Prompt Injection, and how it is particularly relevant to AI agents designed for a wide range of actions and tasks, such as computer-use agents.
---------------------------------------------
https://bughunters.google.com/blog/4823857172971520/task-injection-exploiti…
∗∗∗ A Deep Dive into A Vulnerability Apple Deemed Unexploitable ∗∗∗
---------------------------------------------
I’m going to share with you an interesting race condition issue lurking in Apple’s core file-copy API. Apple was aware of the security issue. But they did nothing at first because they deemed it would be nearly impossible to exploit the bug, due to the race condition’s microscopic time window. But I will prove them wrong.
---------------------------------------------
https://jhftss.github.io/Exploiting-the-Impossible/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, dropbear, mediawiki, php8.4, python-mechanize, rails, roundcube, usbmuxd, and wordpress), Fedora (cef, chromium, fonttools, gobuster, gosec, mingw-libpng, moby-engine, mqttcli, nextcloud, pgadmin4, python-unicodedata2, uriparser, and util-linux), Mageia (php and webkit2), Oracle (binutils, curl, gcc-toolset-13-binutils, gimp, git-lfs, kernel, openssh, php:8.3, podman, python-kdcproxy, python3.12, python3.9, skopeo, and webkit2gtk3), Red Hat (rsync), Slackware (php), SUSE (alloy, busybox, chromedriver, chromium, coredns-for-k8s, duc, firefox, kernel-devel, libpng16, libruby3_4-3_4, mariadb, netty, php8, python311-tornado6, rsync, taglib, and xen), and Ubuntu (linux-oracle-5.4, linux-raspi, linux-realtime-6.14, and linux-xilinx).
---------------------------------------------
https://lwn.net/Articles/1051572/
∗∗∗ Progress Kemp LoadMaster: patch vulnerabilities (17 Dec 2025) ∗∗∗
---------------------------------------------
A brief advance notice for administrators running the Kemp Progress Load Balancer. There appear to be vulnerabilities in the product that need to be patched promptly. The details are not yet public and are to be disclosed on 12 January 2026 (I will add them here then).
---------------------------------------------
https://borncity.com/blog/2025/12/21/progress-kemp-loadmaster-schwachstelle…
∗∗∗ BIOS vulnerability: attackers can push malicious code onto Dell servers ∗∗∗
---------------------------------------------
Several models in Dell's PowerEdge server line are vulnerable. Security patches are available.
---------------------------------------------
https://heise.de/-11122626
∗∗∗ Security patches: DoS attacks on IBM App Connect Enterprise possible ∗∗∗
---------------------------------------------
IBM's integration software App Connect Enterprise is vulnerable. The developers have closed a security hole in current versions.
---------------------------------------------
https://heise.de/-11122938
∗∗∗ Security Advisory - multiple vulnerabilities in Foxit PDF Reader & Editor ∗∗∗
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-12-2025 18:00 − Friday 19-12-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Critical zero-day vulnerability in Cisco Secure Email solutions actively exploited ∗∗∗
---------------------------------------------
In an advisory published on 17 December, Cisco warns of a critical, so far unpatched vulnerability (CVE-2025-20393) in its AsyncOS-based email security solutions. The flaw carries the maximum CVSS score of 10.0 and allows remote attackers to execute arbitrary commands with root privileges on affected systems. According to Cisco, the vulnerability has been actively exploited since at least November 2025.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/12/kritische-zero-day-lucke-in-cisco-…
∗∗∗ Critical vulnerabilities in several Fortinet products (FortiCloud SSO) - actively exploited - updates available ∗∗∗
---------------------------------------------
19 December 2025. Description: Several Fortinet products contain critical vulnerabilities in the FortiCloud SSO login mechanism. The flaws allow unauthenticated attackers to bypass FortiCloud SSO authentication with crafted SAML messages and gain administrative access. The vulnerabilities are already being actively exploited.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/12/kritische-sicherheitslucken-in-meh…
∗∗∗ Amazon: North Korean fake IT worker unmasked thanks to keyboard lag ∗∗∗
---------------------------------------------
A North Korean fraudster apparently obtained a job at Amazon through a contractor. The fact that his keystrokes had to travel halfway around the world gave him away.
---------------------------------------------
https://www.golem.de/news/amazon-nordkoreanischer-fake-itler-dank-tastatur-…
∗∗∗ Via German IP addresses: hackers attack VPN gateways en masse ∗∗∗
---------------------------------------------
VPN gateways from Cisco and Palo Alto Networks are under attack. The attacks appear to run primarily through a German hosting provider.
---------------------------------------------
https://www.golem.de/news/ueber-deutsche-ip-adressen-hacker-attackieren-mas…
∗∗∗ Yet another DCOM object for lateral movement ∗∗∗
---------------------------------------------
Kaspersky expert describes how DCOM interfaces can be abused to load malicious DLLs into memory using the Windows Registry and Control Panel.
---------------------------------------------
https://securelist.com/lateral-movement-via-dcom-abusing-control-panel/1182…
∗∗∗ China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware ∗∗∗
---------------------------------------------
A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023.
---------------------------------------------
https://thehackernews.com/2025/12/china-aligned-threat-group-uses-windows.h…
∗∗∗ Your car’s web browser may be on the road to cyber ruin ∗∗∗
---------------------------------------------
Study finds built-in browsers across gadgets often ship years out of date
Web browsers for desktop and mobile devices tend to receive regular security updates, but that often isn't the case for those that reside within game consoles, televisions, e-readers, cars, and other devices. These outdated, embedded browsers can leave you open to phishing and other security vulnerabilities.
---------------------------------------------
https://www.theregister.com/2025/12/18/web_browsers_in_devices_security_vul…
∗∗∗ Federal trojan: BND to be allowed to enter homes to install spyware ∗∗∗
---------------------------------------------
The Chancellery is reforming the BND Act: more powers, including entering homes to install spyware.
---------------------------------------------
https://www.heise.de/news/Bundestrojaner-BND-soll-zur-Spyware-Installation-…
∗∗∗ CISA warns ASUS Live Update backdoor is still exploitable, seven years on ∗∗∗
---------------------------------------------
Seven years after the original attack, CISA has added the ASUS Live Update backdoor to its Known Exploited Vulnerabilities catalog.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/12/cisa-warns-asus-live-update-…
∗∗∗ ESET Threat Report H2 2025 ∗∗∗
---------------------------------------------
A look at the threat landscape in the second half of 2025 from the perspective of ESET telemetry and experts.
---------------------------------------------
https://www.welivesecurity.com/de/eset-research/eset-threat-report-h2-2025/
∗∗∗ Austria’s high court orders Meta to change its personalized ad practices ∗∗∗
---------------------------------------------
Austria's Supreme Court ruled that Meta's personalized advertising model is illegal — a ruling that will set legal precedent across the European Union.
---------------------------------------------
https://therecord.media/austria-court-meta-ruling
∗∗∗ Iranian APT ‘Prince of Persia’ Resurfaces With New Tools and Targets ∗∗∗
---------------------------------------------
SafeBreach reports the resurgence of the Iranian APT group Prince of Persia (Infy). Discover how these state-sponsored hackers are now using Telegram bots and Thunder and Lightning malware to target victims globally across Europe, India, and Canada.
---------------------------------------------
https://hackread.com/iran-apt-prince-of-persia-resurfaces/
∗∗∗ Lazarus Group Embed New BeaverTail Variant in Developer Tools ∗∗∗
---------------------------------------------
North Korea’s Lazarus Group deploys a new BeaverTail variant to steal credentials and crypto using fake job lures, dev tools, and smart contracts.
---------------------------------------------
https://hackread.com/lazarus-embed-beavertail-variant-developer-tools/
∗∗∗ CISA and Partners Release Update to Malware Analysis Report BRICKSTORM Backdoor ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canadian Centre for Cyber Security released an update to the Malware Analysis Report BRICKSTORM Backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples. This update provides information on additional samples, including Rust-based samples.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/19/cisa-and-partners-releas…
∗∗∗ I got hacked, my server started mining Monero this morning ∗∗∗
---------------------------------------------
My first thought was “I’m completely fucked.” My host had been running a crypto miner for a week, the whole thing was borked. Time to just nuke it from orbit and rebuild.
---------------------------------------------
https://blog.jakesaunders.dev/my-server-started-mining-monero-this-morning/
=====================
= Vulnerabilities =
=====================
∗∗∗ New critical WatchGuard Firebox firewall flaw exploited in attacks ∗∗∗
---------------------------------------------
WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/watchguard-warns-of-new-rce-…
∗∗∗ New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards ∗∗∗
---------------------------------------------
Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access (DMA) attacks across architectures that implement a Unified Extensible Firmware Interface (UEFI) and input–output memory management unit (IOMMU).
---------------------------------------------
https://thehackernews.com/2025/12/new-uefi-flaw-enables-early-boot-dma.html
∗∗∗ HPE tells customers to patch fast as OneView RCE bug scores a perfect 10 ∗∗∗
---------------------------------------------
Maximum-severity vuln lets unauthenticated attackers execute code on trusted infra management platform
Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt.
---------------------------------------------
https://www.theregister.com/2025/12/19/hpe_oneview_rce_bug/
∗∗∗ Windows emergency update fixes Message Queuing problems ∗∗∗
---------------------------------------------
Windows security updates disrupt Message Queuing (MSMQ) on Windows 10 and Server up to 2019. Out-of-band updates resolve this.
---------------------------------------------
https://www.heise.de/news/Update-ausser-der-Reihe-Microsoft-fixt-Message-Qu…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (roundcube), Fedora (checkpointctl, containernetworking-plugins, mingw-libpng, NetworkManager, php, python3-docs, python3.13, and webkitgtk), Oracle (kernel, keylime, and libssh), and SUSE (apache2, clair, colord, flannel, gnutls, golang-github-prometheus-alertmanager, grafana, grub2, helm, ImageMagick, libpng16, netty, openssl-3, postgresql13, postgresql14, postgresql15, python36, salt, uyuni-tools, and venv-salt-minion).
---------------------------------------------
https://lwn.net/Articles/1051384/
∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released nine Industrial Control Systems (ICS) Advisories. Affected products are: Inductive Automation Ignition, Schneider Electric EcoStruxure Foxboro DCS Advisor, National Instruments LabView, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products, Siemens Interniche IP-Stack, Advantech WebAccess/SCADAm, Rockwell Automation (Micro820, Micro850, Micro 870), Axis Communications (Camera Station Pro, Camera Station, and Device Manager) and Mitsubishi Electric CNC Series (Update C).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/18/cisa-releases-nine-indus…
∗∗∗ ZDI-25-1140: (0Day) Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1140/
∗∗∗ ZDI-25-1152: (0Day) NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1152/
∗∗∗ ZDI-25-1147: (0Day) Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1147/
∗∗∗ ZDI-25-1164: RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1164/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-12-2025 18:00 − Thursday 18-12-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ WhatsApp device linking abused in account hijacking attacks ∗∗∗
---------------------------------------------
Threat actors are abusing the legitimate device-linking feature to hijack WhatsApp accounts via pairing codes in a campaign dubbed GhostPairing.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/whatsapp-device-linking-abus…
∗∗∗ Cloud: Squabble in the data space ∗∗∗
---------------------------------------------
China is building more than 100 data spaces by 2028. Europe is responding with concepts of its own, but so far they have received too little attention.
---------------------------------------------
https://www.golem.de/news/cloud-zoff-im-datenraum-2512-203364.html
∗∗∗ Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App ∗∗∗
---------------------------------------------
The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express).
---------------------------------------------
https://thehackernews.com/2025/12/kimsuky-spreads-docswap-android-malware.h…
∗∗∗ North Korea-Linked Hackers Steal $2.02 Billion in 2025, Leading Global Crypto Theft ∗∗∗
---------------------------------------------
Threat actors with ties to the Democratic People's Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December.
---------------------------------------------
https://thehackernews.com/2025/12/north-korea-linked-hackers-steal-202.html
∗∗∗ Spyware exposed: how Belarus monitors journalists with "ResidentBat" ∗∗∗
---------------------------------------------
Researchers have identified Android spyware that has been used for years directly against media actors in Belarus. It relies on brazen deception.
---------------------------------------------
https://www.heise.de/news/Spionagesoftware-enttarnt-Wie-Belarus-Journaliste…
∗∗∗ Russia's influence: criticism of gaps in cybersecurity ∗∗∗
---------------------------------------------
The Greens feel confirmed in their assessment that the current measures to protect democracy against Russian influence operations are insufficient.
---------------------------------------------
https://www.heise.de/news/Russlands-Einfluss-Kritik-an-Luecken-bei-Cybersic…
∗∗∗ Dropbear SSH server allows privilege escalation ∗∗∗
---------------------------------------------
With an updated release, the lightweight SSH server Dropbear plugs, among other things, a privilege escalation vulnerability.
---------------------------------------------
https://www.heise.de/news/SSH-Server-Dropbear-erlaubt-Rechteausweitung-1111…
∗∗∗ Beware, trojan: current phishing wave in the name of the police! ∗∗∗
---------------------------------------------
For several hours, an email message has been causing confusion that at first glance appears to come from the Landespolizeidirektion Wien (Vienna State Police Directorate). At its centre is a "required review of official documents". Behind the attached HTML document, however, lurks dangerous malware.
---------------------------------------------
https://www.watchlist-internet.at/news/trojaner-phishing-polizei/
∗∗∗ Attention, ÖGK phishing! Do not click on this refund email ∗∗∗
---------------------------------------------
A refund from the ÖGK due to an overpayment in 2024? Unfortunately not. What sounds like a pleasant pre-Christmas surprise turns out to be a phishing trap.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-oegk-phishing/
∗∗∗ 700Credit Breach: What Organizations Need to Know ∗∗∗
---------------------------------------------
700Credit, a US-based credit check and compliance provider, disclosed in late October that it had suffered a significant data breach affecting nearly 18,000 dealerships and more than 5.6 million consumers. According to the company’s disclosure and subsequent reporting, the exposed data includes names, addresses, dates of birth, and Social Security numbers.
---------------------------------------------
https://outpost24.com/blog/700credit-data-breach/
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances ∗∗∗
---------------------------------------------
SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild.
---------------------------------------------
https://thehackernews.com/2025/12/sonicwall-fixes-actively-exploited-cve.ht…
∗∗∗ Multiple Vulnerabilities in Certain Autodesk Products ∗∗∗
---------------------------------------------
Several Autodesk products rely on a shared component that contains the vulnerabilities listed below. Each product listed below is affected by all of the vulnerabilities. Successful exploitation could allow code execution, but doing so requires user interaction.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024
∗∗∗ Docker Inc. makes hardened images available free of charge ∗∗∗
---------------------------------------------
Hardened Docker images are stripped down to a minimum so that as little attack surface as possible remains. Docker Inc. is now providing them free of charge.
---------------------------------------------
https://www.heise.de/news/Docker-Inc-macht-gehaertete-Abbilder-kostenlos-ve…
∗∗∗ Attacks on zero-day vulnerabilities: Cisco, Sonicwall and Asus Live Update ∗∗∗
---------------------------------------------
CISA warns of observed attacks on Cisco, Sonicwall and Asus vulnerabilities. Updates are partly available.
---------------------------------------------
https://www.heise.de/news/Angriffe-auf-Zero-Day-Luecken-Cisco-Sonicwall-und…
∗∗∗ Apache Commons Text: critical vulnerability in older version of the library ∗∗∗
---------------------------------------------
Apache Commons Text is used for string processing in Java apps. A critical vulnerability allows injection of malicious code.
---------------------------------------------
https://www.heise.de/news/Apache-Commons-Text-Codeschmuggel-Luecke-in-aelte…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, keylime, mysql:8.4, and tomcat), Debian (c-ares and webkit2gtk), Fedora (brotli, cups, golang-github-facebook-time, nebula, NetworkManager, perl-Alien-Brotli, python-django4.2, python-django5, and vips), Red Hat (binutils, buildah, curl, go-toolset:rhel8, golang, grafana, multiple packages, php:8.3, podman, python3.12, python39:3.9, ruby:3.3, and skopeo), SUSE (buildah, cups, firefox, glib2, grub2, helm, icinga-php-library, icingaweb2, ImageMagick, imagemagick, kernel, libpng12, libpng16, mariadb, openssl-3, poppler, python39, usbmuxd, webkit2gtk3, wireshark, and xkbcomp), and Ubuntu (linux-azure-fips).
---------------------------------------------
https://lwn.net/Articles/1051156/
∗∗∗ CVE-2025-14269: Credential caching in Headlamp with Helm enabled ∗∗∗
---------------------------------------------
Credential caching in Headlamp with Helm enabled
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/135798
∗∗∗ Vulnerabilities: Nvidia shields AI and robotics software against possible attacks ∗∗∗
---------------------------------------------
Important security updates close several vulnerabilities in Nvidia Isaac Lab, NeMo Framework and Resiliency Extension.
---------------------------------------------
https://heise.de/-11119236
∗∗∗ Wednesday, January 7, 2026 Security Releases ∗∗∗
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/17/cisa-adds-three-known-ex…
∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-releases-seven-indu…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-12-2025 19:10 − Wednesday 17-12-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Amazon disrupts Russian GRU hackers attacking edge network devices ∗∗∗
---------------------------------------------
The Amazon Threat Intelligence team has disrupted active operations attributed to hackers working for the Russian foreign military intelligence agency, the GRU, who targeted customers' cloud infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-disrupts-russian-gru-…
∗∗∗ Cellik Android malware builds malicious versions from Google Play apps ∗∗∗
---------------------------------------------
A new Android malware-as-a-service (MaaS) named Cellik is being advertised on underground cybercrime forums offering a robust set of capabilities that include the option to embed it in any app available on the Google Play Store.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cellik-android-malware-build…
∗∗∗ Attackers Use Stolen AWS Credentials in Cryptomining Campaign ∗∗∗
---------------------------------------------
Threat actors wielding stolen AWS Identity and Access Management (IAM) credentials leverage Amazon EC and EC2 infrastructure across multiple customer environments.
---------------------------------------------
https://www.darkreading.com/cloud-security/attackers-use-stolen-aws-credent…
∗∗∗ Deliberate Internet Shutdowns ∗∗∗
---------------------------------------------
For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted “to prevent immoral activities.” No additional explanation was given. The timing couldn’t have been worse: communities still reeling from a major earthquake lost emergency communications, flights were grounded, and banking was interrupted.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/12/deliberate-internet-shutdown…
∗∗∗ GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads ∗∗∗
---------------------------------------------
A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.
---------------------------------------------
https://www.thehackernews.com/2025/12/ghostposter-malware-found-in-17-firef…
∗∗∗ APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign ∗∗∗
---------------------------------------------
The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine.
---------------------------------------------
https://www.thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users…
∗∗∗ New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails ∗∗∗
---------------------------------------------
The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky. The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown.
---------------------------------------------
https://www.thehackernews.com/2025/12/new-forumtroll-phishing-attacks-targe…
∗∗∗ China's Ink Dragon hides out in European government networks ∗∗∗
---------------------------------------------
Misconfigured servers are in, 0-days out
Chinese espionage crew Ink Dragon has expanded its snooping activities into European government networks, using compromised servers to create illicit relay nodes for future operations.
---------------------------------------------
https://www.theregister.com/2025/12/16/chinas_ink_dragon_hides_out/
∗∗∗ Microsoft security updates break MSMQ on older Win systems ∗∗∗
---------------------------------------------
Folder permission changes cause queue failures and misleading error messages, no real fix yet
Microsoft has good news for administrators: while some organizations now pay for security updates on older Windows versions, the inconsistent quality remains free.
---------------------------------------------
https://www.theregister.com/2025/12/17/microsoft_admits_that_message_queuin…
∗∗∗ NATO's battle for cloud sovereignty: Speed is existential ∗∗∗
---------------------------------------------
Build a digital backbone faster than adversaries can evolve or lose the information war
NATO is in an existential race to develop sovereign cloud-based technologies to underpin its mission, the alliance's Assistant Secretary General for Cyber and Digital Transformation told an audience at the Royal United Services Institute (RUSI) last week.
---------------------------------------------
https://www.theregister.com/2025/12/17/sovereign_cloud_is_existential_nato/
∗∗∗ BlindEagle Targets Colombian Government Agency with Caminho and DCRAT ∗∗∗
---------------------------------------------
In early September 2025, Zscaler ThreatLabz discovered a new spear phishing campaign attributed to BlindEagle, a threat actor who operates in South America and targets users in Spanish-speaking countries, such as Colombia. In this campaign, BlindEagle targeted a government agency under the control of the Ministry of Commerce, Industry and Tourism (MCIT) in Colombia using a phishing email sent from what appears to be a compromised account within the same organization.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombia…
∗∗∗ WhatsApp and Signal: privacy attackable, tracker software available ∗∗∗
---------------------------------------------
Die WhatsApp- und Signal-Messenger verraten Informationen über Nutzer durch Bestätigungs-Laufzeiten. Eine Einstellung hilft.
---------------------------------------------
https://www.heise.de/news/WhatsApp-und-Signal-Privatsphaere-angreifbar-Trac…
∗∗∗ Telekom launches system against scam calls ∗∗∗
---------------------------------------------
Someone calls, the number is not saved in your contacts. You pick up and let yourself be drawn into a conversation. That is usually not a good idea.
---------------------------------------------
https://www.heise.de/news/Telekom-startet-System-gegen-Betrugsanrufe-111176…
∗∗∗ Inside a purchase order PDF phishing campaign ∗∗∗
---------------------------------------------
A “purchase order” PDF blocked by Malwarebytes led to a credential-harvesting phishing site. So we analyzed the attack and where the data went next.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-or…
∗∗∗ System warning? Virus found? What dangers pop-up windows can pose ∗∗∗
---------------------------------------------
They are probably among the most unpopular inventions around the internet: pop-up windows. Unsurprisingly, they have long been used for dubious schemes as well. What lurks behind the notifications and how a possible scam attempt can be recognized.
---------------------------------------------
https://www.watchlist-internet.at/news/dubiose-popup-fenster/
∗∗∗ From Linear to Complex: An Upgrade in RansomHouse Encryption ∗∗∗
---------------------------------------------
Operators behind RansomHouse, a ransomware-as-a-service (RaaS) group, have upgraded their encryption methods from single-phase to complex and layered.
---------------------------------------------
https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/
∗∗∗ ESET Threat Report H2 2025 ∗∗∗
---------------------------------------------
The second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/
∗∗∗ There's Payloads, And Then There's pAIloads: A Look At Selected Opportunistic (And Possibly AI-"Enhanced") React2Shell Probes and Attacks ∗∗∗
---------------------------------------------
Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.
---------------------------------------------
https://www.greynoise.io/blog/react2shell-payload-analysis
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#382314: Vulnerability in UEFI firmware modules prevents IOMMU initialization on some UEFI-based motherboards ∗∗∗
---------------------------------------------
A newly identified vulnerability in some UEFI-supported motherboard models leaves systems vulnerable to early-boot DMA attacks across architectures that implement UEFI and IOMMU.
---------------------------------------------
https://kb.cert.org/vuls/id/382314
∗∗∗ Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager ∗∗∗
---------------------------------------------
On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ HPE OneView: Critical vulnerability allows remote code injection ∗∗∗
---------------------------------------------
In HPE's OneView, malicious actors can inject malicious code from the network without authentication. An update is available.
---------------------------------------------
https://www.heise.de/news/HPE-OneView-Kritische-Luecke-erlaubt-Codeschmugge…
∗∗∗ Two Chrome flaws could be triggered by simply browsing the web: Update now ∗∗∗
---------------------------------------------
Google has patched two flaws in Chrome, both of which can be triggered remotely when a user loads specially crafted web content.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/12/two-chrome-flaws-could-be-tr…
∗∗∗ TYPO3-EXT-SA-2025-016: Vulnerability in bundled package in extension "Single Sign-on with SAML" (md_saml) ∗∗∗
---------------------------------------------
It has been discovered that the extension "Single Sign-on with SAML" (md_saml) bundles a vulnerable version of "onelogin/php-saml" which is susceptible to Authentication Bypass.
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-016
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-url-parse), Fedora (assimp, conda-build, mod_md, util-linux, and webkitgtk), Oracle (firefox), SUSE (chromium, librsvg, poppler, python311, qemu, strongswan, webkit2gtk3, wireshark, and xen), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-5.15, linux-azure-fips, and linux-raspi, linux-raspi-realtime, linux-xilinx).
---------------------------------------------
https://lwn.net/Articles/1050942/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0010 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2025-14174: Versions affected: WebKitGTK and WPE WebKit before 2.50.4. Credit to Apple and Google Threat Analysis Group. Impact: Processing maliciously crafted web content may lead to memory corruption.
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0010.html
∗∗∗ Countless security vulnerabilities closed in IBM DataPower Gateway ∗∗∗
---------------------------------------------
Attackers can attack IBM's security and integration platform DataPower Gateway via various routes.
---------------------------------------------
https://heise.de/-11118285
∗∗∗ ZDI-25-1104: Sante PACS Server HTTP Content-Length Header Handling NULL Pointer Dereference Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1104/
∗∗∗ [F5] K000158176: NGINX Ingress Controller vulnerability CVE-2025-14727 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000158176
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-12-2025 18:30 − Tuesday 16-12-2025 19:10
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719 ∗∗∗
---------------------------------------------
On December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter.
---------------------------------------------
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-lo…
∗∗∗ AWS Blames Russia’s GRU for Years-Long Espionage Campaign Targeting Western Energy Infrastructure ∗∗∗
---------------------------------------------
Amazon Web Services (AWS) has attributed a persistent multi-year cyber espionage campaign targeting Western critical infrastructure, particularly the energy sector, to a group strongly linked with Russia’s Main Intelligence Directorate (GRU), known widely as Sandworm (or APT44).
---------------------------------------------
https://thecyberexpress.com/espionage-western-critical-infrastructure/
∗∗∗ New SantaStealer malware steals data from browsers, crypto wallets ∗∗∗
---------------------------------------------
A new malware-as-a-service (MaaS) information stealer named SantaStealer is being advertised on Telegram and hacker forums as operating in memory to avoid file-based detection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-santastealer-malware-ste…
∗∗∗ Google is shutting down its dark web report feature in January ∗∗∗
---------------------------------------------
Google is discontinuing its "dark web report" security tool, stating that it wants to focus on other tools it believes are more helpful.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/google-is-shutting-down-its-da…
∗∗∗ SoundCloud confirms breach after member data stolen, VPN access disrupted ∗∗∗
---------------------------------------------
Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-a…
∗∗∗ European authorities dismantle call center fraud ring in Ukraine ∗∗∗
---------------------------------------------
European law enforcement authorities dismantled a fraud network operating call centers in Ukraine that scammed victims across Europe out of more than 10 million euros.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/european-authorities-dismant…
∗∗∗ Microsoft to block Exchange Online access for outdated mobile devices ∗∗∗
---------------------------------------------
Microsoft announced on Monday that it will soon block mobile devices running outdated email software from accessing Exchange Online services until they're updated.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-block-exchange…
∗∗∗ Cyberattack disrupts Venezuelan oil giant PDVSA's operations ∗∗∗
---------------------------------------------
Petróleos de Venezuela (PDVSA), Venezuela's state-owned oil company, was hit by a cyberattack over the weekend that disrupted its export operations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cyberattack-disrupts-venezue…
∗∗∗ Update now: Warning of attacks on Apple vulnerabilities and Gladinet ∗∗∗
---------------------------------------------
CISA warns of ongoing attacks on vulnerabilities in Apple's iOS and macOS as well as in Gladinet CentreStack and Triofox.
---------------------------------------------
https://www.heise.de/news/Updaten-Warnung-vor-Angriffen-auf-Apple-Luecken-u…
∗∗∗ Defender problem after Windows update KB5072033 – Get-MPComputerStatus empty ∗∗∗
---------------------------------------------
The cumulative update KB5072033 of December 9, 2025 can cause problems on Windows 11 24H2 and 25H2, and possibly on Windows Server 2025. The status query that checks whether Windows Defender is still working correctly may not work via PowerShell.
---------------------------------------------
https://www.borncity.com/blog/2025/12/16/defender-fehler-nach-windows-updat…
∗∗∗ The Detection & Response Chronicles: Exploring Telegram Abuse ∗∗∗
---------------------------------------------
Adversaries utilizing popular messaging apps throughout different attack phases is nothing new. Telegram, in particular, has constantly been the subject of abuse by multiple threat actors, favoured for its anonymity, accessibility, resilience, and operational advantages. In this blog, we explore popular Telegram Bot APIs, recent campaigns involving Telegram abuse, and provide detection and hunting opportunities.
---------------------------------------------
https://blog.nviso.eu/2025/12/16/the-detection-response-chronicles-explorin…
∗∗∗ Malicious NuGet Package Typosquats Popular .NET Tracing Library to Steal Wallet Passwords ∗∗∗
---------------------------------------------
The Socket Threat Research Team uncovered a malicious NuGet package, Tracer.Fody.NLog, that typosquats and impersonates the legitimate Tracer.Fody library and its maintainer. It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer.
---------------------------------------------
https://socket.dev/blog/malicious-nuget-package-typosquats-popular-net-trac…
∗∗∗ PornHub Confirms Premium User Data Exposure Linked to Mixpanel Breach ∗∗∗
---------------------------------------------
PornHub is facing renewed scrutiny after confirming that some Premium users' activity data was exposed following a security incident at a third-party analytics provider. The PornHub data breach disclosure comes as the platform faces increasing regulatory scrutiny in the United States and reported extortion attempts linked to the stolen data. The issue stems from a data breach linked not to PornHub's own systems, but to Mixpanel, an analytics vendor the platform previously used.
---------------------------------------------
https://thecyberexpress.com/pornhub-data-breach-premium-users/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (binwalk, glib2.0, libgd2, paramiko, and python-apt), Fedora (chromium, python3.13, python3.14, qt6-qtdeclarative, and usd), Mageia (ffmpeg, firefox, nspr, nss, and thunderbird), Oracle (kernel, mysql, mysql:8.0, mysql:8.4, ruby:3.3, wireshark, and xorg-x11-server), Red Hat (expat, mingw-expat, and rsync), SUSE (binutils, curl, glib2, gnutls, go1.24, go1.25, keylime, libmicrohttpd, libssh, openexr, postgresql15, python311, and xkbcomp), and Ubuntu (libsoup3, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-6.14, linux-azure, linux-azure-6.8, linux-azure-fips, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-kvm, linux-oem-6.14, linux-raspi, and linux-realtime, linux-realtime-6.8).
---------------------------------------------
https://lwn.net/Articles/1050778/
∗∗∗ Node.js Security Releases ∗∗∗
---------------------------------------------
The team is still working on a particularly challenging patch; for this reason, the release is being postponed to Thursday, December 18th or shortly after.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
∗∗∗ [R1] Nessus Versions 10.11.1 and 10.9.6 Fix Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (expat, libxml2, libxslt) were found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2025-24
∗∗∗ JumpCloud Remote Assist Flaw Lets Users Gain Full Control of Company Devices ∗∗∗
---------------------------------------------
A critical vulnerability (CVE-2025-34352) found by XM Cyber in the JumpCloud Remote Assist for Windows agent allows local users to gain full SYSTEM privileges. Businesses must update to version 0.317.0 or later immediately to patch the high-severity flaw.
---------------------------------------------
https://hackread.com/jumpcloud-remote-assist-flaw-full-devices-control/
∗∗∗ Security vulnerabilities: HPE ProLiant servers with Intel QuickAssist are vulnerable ∗∗∗
---------------------------------------------
Security patches close several vulnerabilities in HPE ProLiant. However, servers are only attackable under certain conditions.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-HPE-ProLiant-Server-mit-Intel-…
∗∗∗ SEIKO EPSON printer Web Config vulnerable to stack-based buffer overflow ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN51846148/
∗∗∗ Synology-SA-25:18 C2 Identity Edge Server (PWN2OWN 2025) ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_18
∗∗∗ Mitsubishi Electric GT Designer3 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-04
∗∗∗ Hitachi Energy AFS, AFR and AFF Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-03
∗∗∗ Johnson Controls PowerG, IQPanel and IQHub ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02
∗∗∗ Güralp Systems Fortimus Series, Minimus Series, and Certimus Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-12-2025 18:00 − Monday 15-12-2025 18:30
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ French Interior Ministry confirms cyberattack on email servers ∗∗∗
---------------------------------------------
The French Interior Minister confirmed on Friday that the country's Ministry of the Interior was breached in a cyberattack that compromised e-mail servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/france-interior-ministry-con…
∗∗∗ Microsoft: Recent Windows updates break VPN access for WSL users ∗∗∗
---------------------------------------------
Microsoft says that recent Windows 11 security updates are causing VPN networking failures for enterprise users running Windows Subsystem for Linux.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-recent-windows-up…
∗∗∗ Flaw in Hacktivist Ransomware Lets Victims Decrypt Own Files ∗∗∗
---------------------------------------------
A new version of VolkLocker, wielded by the pro-Russia RaaS group CyberVolk, has some key enhancements but one fatal flaw.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/flaw-hacktivist-ransomware-…
∗∗∗ Cyberattack: Hackers attack Ideal Versicherung with ransomware ∗∗∗
---------------------------------------------
The Ideal Group, which specializes in retirement and long-term care insurance, is investigating a ransomware infection. Business operations are restricted.
---------------------------------------------
https://www.golem.de/news/cyberangriff-hacker-attackieren-ideal-versicherun…
∗∗∗ A look at an Android ITW DNG exploit ∗∗∗
---------------------------------------------
Between July 2024 and February 2025, 6 suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group. Investigation showed that these images were DNG files targeting the Quram library, an image parsing library specific to Samsung devices.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-ex…
∗∗∗ Frogblight threatens you with a court case: a new Android banker targets Turkish users ∗∗∗
---------------------------------------------
Kaspersky researchers have discovered a new Android banking Trojan targeting Turkish users and posing as an app for accessing court case files via an official government webpage. The malware is being actively developed and may become MaaS in the future.
---------------------------------------------
https://securelist.com/frogblight-banker/118440/
∗∗∗ ClickFix Attacks Still Using the Finger ∗∗∗
---------------------------------------------
Since as early as November 2025, the finger protocol has been used in ClickFix social engineering attacks. BleepingComputer posted a report of this activity on November 15th, and Didier Stevens posted a short follow-up in an ISC diary the next day.
---------------------------------------------
https://isc.sans.edu/diary/rss/32566
∗∗∗ Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.
---------------------------------------------
https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.h…
∗∗∗ Job seekers beware! Caution with job portals such as trabajo.org and bebee.com ∗∗∗
---------------------------------------------
Job portals such as trabajo.org or bebee.com advertise attractive job offers. In fact, however, there are numerous indications that you will not get a job here and that your data could even be harvested.
---------------------------------------------
https://www.watchlist-internet.at/news/arbeitssuchende-aufgepasst-warum-sie…
∗∗∗ Exploitation of Critical Vulnerability in React Server Components (Updated December 12) ∗∗∗
---------------------------------------------
We discuss the CVSS 10.0-rated RCE vulnerability in the Flight protocol used by React Server Components. This is tracked as CVE-2025-55182.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478…
∗∗∗ PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading ∗∗∗
---------------------------------------------
Job seekers looking out for opportunities might instead find their personal devices compromised, as a PureRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
∗∗∗ Fake Microsoft Teams and Google Meet Downloads Spread Oyster Backdoor ∗∗∗
---------------------------------------------
The Oyster backdoor (also known as Broomstick) is targeting the financial world, using malicious search ads for PuTTY, Teams, and Google Meet.
---------------------------------------------
https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backd…
∗∗∗ 16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records ∗∗∗
---------------------------------------------
Cybersecurity researchers discovered an unsecured 16TB database exposing 4.3 billion professional records, including names, emails, and LinkedIn data. Learn what happened, why this massive data leak enables new scams, and how to protect your PII.
---------------------------------------------
https://hackread.com/mongodb-database-expose-lead-gen-records/
∗∗∗ GitHub Scanner for React2Shell (CVE-2025-55182) Turns Out to Be Malware ∗∗∗
---------------------------------------------
A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports.
---------------------------------------------
https://hackread.com/github-scanner-react2shell-cve-2025-55182-malware/
∗∗∗ Patch day problem: Message Queuing disruptions in Windows 10, Server 2016 and 2019 ∗∗∗
---------------------------------------------
The December security updates disrupt Message Queuing in Windows 10, Server 2016 and 2019. Error messages are the result.
---------------------------------------------
https://heise.de/-11114815
∗∗∗ "Careless Whisper" side-channel attack affects WhatsApp and Signal ∗∗∗
---------------------------------------------
A tool for tracking over three billion WhatsApp and Signal users has been publicly released. Just by knowing the phone number, attackers can determine when users come home, when they are actively using the phone, when they go to sleep, or when they are offline. They can also drain batteries and data limits without the users noticing anything.
---------------------------------------------
https://cybernews.com/security/whatsapp-signal-real-time-tracking-battery-d…
∗∗∗ Rich Headers: leveraging this mysterious artifact of the PE format ∗∗∗
---------------------------------------------
We started our project with low expectations, thinking that there must be a reason the Rich Headers feature is overlooked and not widely utilized. Over time, we became more and more impressed with how much could be achieved by searching for feature clusters based on such a small part of an executable, and how powerful it can be when leveraged correctly.
---------------------------------------------
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-heade…
∗∗∗ Decompiling run-only AppleScripts ∗∗∗
---------------------------------------------
We validate the tool against XCSSET samples with known source; explore anti-analysis and anti-sandbox behavior in older malware; show common obfuscation tricks used in the wild; walk through key internals that make the decompiler work. Intro to run-only AppleScripts.
---------------------------------------------
https://pberba.github.io/security/2025/12/14/decompiling-run-only-applescri…
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-day vulnerabilities in WebKit: Attacks on iPhone users observed ∗∗∗
---------------------------------------------
Two actively exploited security vulnerabilities endanger Apple devices such as iPhones, iPads and Macs. Users should patch promptly.
---------------------------------------------
https://www.golem.de/news/zero-day-luecken-in-webkit-angriffe-auf-iphone-nu…
∗∗∗ No patch from Microsoft: Zero-day vulnerability endangers all common Windows versions ∗∗∗
---------------------------------------------
Researchers warn of a zero-day vulnerability in Windows. It becomes really dangerous in combination with an already known vulnerability.
---------------------------------------------
https://www.golem.de/news/kein-patch-von-microsoft-zero-day-luecke-gefaehrd…
∗∗∗ FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.
---------------------------------------------
https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html
∗∗∗ Researcher Uncovers 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks ∗∗∗
---------------------------------------------
Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.
---------------------------------------------
https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, grafana, kernel, libsoup3, mysql8.4, and wireshark), Debian (ruby-git, ruby-sidekiq, thunderbird, and vlc), Fedora (apptainer, chromium, firefox, golangci-lint, libpng, and xkbcomp), Mageia (golang), SUSE (binutils, chromium, firefox, gegl, go1.25, govulncheck-vulndb, hauler, kernel, keylime, libpng12, pgadmin4, postgresql16, python, python-Django, python-django, python3, python311, rhino, thunderbird, unbound, and xkbcomp), and Ubuntu (usbmuxd).
---------------------------------------------
https://lwn.net/Articles/1050523/
∗∗∗ Security updates 1.6.12 and 1.5.12 released ∗∗∗
---------------------------------------------
We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for two recently reported security vulnerabilities.
---------------------------------------------
https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
∗∗∗ React2Shell patch insufficient, attacks are spreading ∗∗∗
---------------------------------------------
Updates meant to close a critical vulnerability in React servers are incomplete. More and more attackers are abusing the hole.
---------------------------------------------
https://www.heise.de/news/React2Shell-Patch-unzureichend-Angriffe-weiten-si…
∗∗∗ Attackers can attack PCs managed with TeamViewer DEX ∗∗∗
---------------------------------------------
Admins manage company computers via TeamViewer DEX (Digital Employee Experience). Now attackers can leverage several vulnerabilities to attack devices.
---------------------------------------------
https://heise.de/-11114835
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-12-2025 18:00 − Friday 12-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ NIS-2 implemented in Austria (NISG 2026) ∗∗∗
---------------------------------------------
The Network and Information Systems Security Act 2026 (NISG 2026) was passed today (12.12.2025) in the National Council. Promulgation will follow after the Federal Council's resolution and the Federal President's signature. The law will enter into force nine months after its promulgation (expected in autumn 2026).
---------------------------------------------
https://certitude.consulting/blog/de/nis-2-in-osterreich-umgesetzt-nisg-202…
∗∗∗ Technical Analysis of the BlackForce Phishing Kit ∗∗∗
---------------------------------------------
Zscaler ThreatLabz identified a new phishing kit named BlackForce, which was first observed in the beginning of August 2025 with at least five distinct versions. BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA). The phishing kit is actively marketed and sold on Telegram forums for €200–€300.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-blackfor…
∗∗∗ Cybersecurity Performance Goals 2.0 for Critical Infrastructure ∗∗∗
---------------------------------------------
Today, CISA released updated Cross-Sector Cybersecurity Performance Goals (CPG 2.0) with measurable actions for critical infrastructure owners and operators to achieve a foundational level of cybersecurity.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/11/cybersecurity-performanc…
∗∗∗ SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics ∗∗∗
---------------------------------------------
In November, a targeted spear-phishing campaign was observed using Trend Micro-themed lures against various industries, but this was quickly detected and thwarted by the Trend Vision One™ platform.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html
∗∗∗ Malicious VSCode Marketplace extensions hid trojan in fake PNG file ∗∗∗
---------------------------------------------
A stealthy campaign with 19 extensions on the VSCode Marketplace has been active since February, targeting developers with malware hidden inside dependency folders.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, luksmeta, mysql, mysql:8.0, mysql:8.4, tomcat, and wireshark), Debian (chromium, kernel, and tzdata), Fedora (brotli, dr_libs, perl-Alien-Brotli, python-urllib3, singularity-ce, wireshark, and yarnpkg), Oracle (firefox, grafana, lasso, libsoup3, luksmeta, ruby, ruby:3.3, tomcat, and wireshark), Slackware (mozilla), SUSE (container-suseconnect, kubernetes-client, libpoppler-cpp2, postgresql14, postgresql15, and python3), and Ubuntu (c-ares, keystone, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-azure, linux-azure-4.15, linux-oracle, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-hwe-6.8, linux-oracle-6.8, linux-raspi, linux-realtime, linux-intel-iot-realtime, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/1050251/
∗∗∗ New Windows RasMan zero-day flaw gets free, unofficial patches ∗∗∗
---------------------------------------------
Free unofficial patches are available for a new Windows zero-day vulnerability that allows attackers to crash the Remote Access Connection Manager (RasMan) service. RasMan is a critical Windows system service that starts automatically, runs in the background with SYSTEM-level privileges, and manages VPN, Point-to-Point Protocol over Ethernet (PPPoE), and other remote network connections.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/new-windows-rasman-zero-day…
∗∗∗ Remote support tool ScreenConnect: Critical vulnerability enables malicious code execution ∗∗∗
---------------------------------------------
Authenticated attackers can inject malicious code into the remote support software ConnectWise ScreenConnect. An update is available.
---------------------------------------------
https://www.heise.de/news/Fernwartung-ScreenConnect-Kritische-Luecke-ermoeg…
∗∗∗ GitLab: Attackers can create wiki pages containing malware ∗∗∗
---------------------------------------------
The DevSecOps platform GitLab is vulnerable. The developers have closed several security vulnerabilities in the current versions. In the worst case, attackers can compromise systems.
---------------------------------------------
https://www.heise.de/news/GitLab-Angreifer-koennen-Wiki-Seiten-mit-Malware-…
∗∗∗ New React RSC Vulnerabilities Enable DoS and Source Code Exposure ∗∗∗
---------------------------------------------
The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure.
---------------------------------------------
https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html
∗∗∗ Google fixes super-secret 8th Chrome 0-day ∗∗∗
---------------------------------------------
Google issued an emergency fix for a Chrome vulnerability already under exploitation, which marks the world's most popular browser's eighth zero-day bug of 2025.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/12/11/google_fixes…
∗∗∗ DSA-6080-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00246.html
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-expl…
∗∗∗ CISA Releases 12 Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industr…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-12-2025 18:00 − Thursday 11-12-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Identity theft possible: Serious security flaws uncovered in eID cards ∗∗∗
---------------------------------------------
Since 2021, EU citizens in Germany have been able to apply for a so-called eID card, for example to prove their identity to online services. According to research by the Süddeutsche Zeitung, however, the application process for these cards has considerable security problems, because authorities apparently often cannot properly verify who the applicant actually is. Possible consequences include misuse for money laundering and other fraudulent activities.
---------------------------------------------
https://www.golem.de/news/identitaetsklau-moeglich-gravierende-sicherheitsm…
∗∗∗ Explosive data leak on Docker Hub: Over 10,000 Docker images leak credentials ∗∗∗
---------------------------------------------
Security researchers at Flare searched Docker images published on Docker Hub for embedded credentials and found plenty. According to their own blog post, a one-month scan turned up countless secrets in more than 10,000 images belonging to over 100 different organizations, among them a Fortune 500 company and a large state-owned bank.
---------------------------------------------
https://www.golem.de/news/docker-hub-zugangsdaten-in-ueber-10-000-docker-im…
∗∗∗ NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes.
---------------------------------------------
https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html
∗∗∗ SMS from the Federal Chancellery? Phishing trap instead of a refund ∗∗∗
---------------------------------------------
An SMS message sent in the name of the Federal Chancellery (Bundeskanzleramt) promises a refund of over 100 euros. Unsurprisingly, behind it is nothing other than a phishing trap. Criminals are using this route to obtain login credentials for online banking.
---------------------------------------------
https://www.watchlist-internet.at/news/bundeskanzleramt-phishing-rueckersta…
∗∗∗ Scammers Sent 40,000 E-Signature Phishing Emails to 6,000 Firms in Just 2 Weeks ∗∗∗
---------------------------------------------
Phishing campaign: Scammers sent over 40,000 spoofed SharePoint, DocuSign and e-sign emails to companies, hiding malicious links behind trusted redirect services.
---------------------------------------------
https://hackread.com/scammers-e-signature-phishing-emails/
∗∗∗ New ‘DroidLock’ Android Malware Locks Users Out, Spies via Front Camera ∗∗∗
---------------------------------------------
Zimperium zLabs reveals DroidLock, a new Android malware acting like ransomware that can hijack Android devices, steal credentials via phishing, and stream your screen via VNC.
---------------------------------------------
https://hackread.com/droidlock-android-malware-users-spy-camera/
∗∗∗ Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution ∗∗∗
---------------------------------------------
Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far.
---------------------------------------------
https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.ht…
∗∗∗ .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL ∗∗∗
---------------------------------------------
New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the "invalid cast vulnerability" SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. The list of affected vendors is likely to be longer, given the widespread use of .NET.
---------------------------------------------
https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html
∗∗∗ New ConsentFix attack hijacks Microsoft accounts via Azure CLI ∗∗∗
---------------------------------------------
A new variation of the ClickFix attack dubbed 'ConsentFix' abuses the Azure CLI OAuth app to hijack Microsoft accounts without needing a password or having to bypass multi-factor authentication (MFA) verification.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijack…
∗∗∗ Hackers exploit unpatched Gogs zero-day to breach 700 servers ∗∗∗
---------------------------------------------
An unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, has enabled attackers to gain remote code execution on Internet-facing instances and compromise hundreds of servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-gogs-zero-day-rce-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, firefox-esr, libsndfile, and rear), Fedora (httpd, perl-CGI-Simple, and tinyproxy), Oracle (firefox, kernel, libsoup, mysql8.4, tigervnc, tomcat, tomcat9, and uek-kernel), SUSE (alloy, curl, dovecot24, fontforge, glib2, himmelblau, java-17-openjdk, java-21-openjdk, kernel, krb5, lasso, libvirt, mozjs128, mysql-connector-java, nvidia-open-driver-G07-signed-check, openssh, poppler, postgresql17, postgresql18, python-cbor2, python-Django, python310, python311-Django, runc, strongswan, tomcat11, and xwayland), and Ubuntu (binutils, libpng1.6, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux, linux-aws, linux-gcp, linux-realtime, and qtbase-opensource-src).
---------------------------------------------
https://lwn.net/Articles/1050117/
∗∗∗ Google warns of security vulnerability: Chrome users are under attack ∗∗∗
---------------------------------------------
An emergency update for the Chrome web browser closes several dangerous security vulnerabilities. At least one of them is already being exploited.
---------------------------------------------
https://www.golem.de/news/google-warnt-vor-sicherheitsluecke-chrome-nutzer-…
∗∗∗ Barracuda RMM: Critical vulnerabilities allow malicious code injection ∗∗∗
---------------------------------------------
IT administrators who manage their environment with Barracuda RMM, formerly known as Managed Workplace, should install the available hotfix 2025.1.1 as soon as possible if they have not already done so. It closes several security vulnerabilities, three of which received the maximum CVSS score of 10 and therefore pose a major risk.
---------------------------------------------
https://heise.de/-11111274
∗∗∗ WinRAR: Malicious code injection vulnerability under attack ∗∗∗
---------------------------------------------
The archiving program WinRAR contains, up to version 7.12 Beta 1, a security vulnerability that allows attackers to inject malicious code. Attacks on this vulnerability have now been observed. Anyone using WinRAR should therefore update to a newer version promptly.
---------------------------------------------
https://heise.de/-11111474
∗∗∗ ZDI-25-1060: Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1060/
∗∗∗ MISP v2.5.28 Release: Security, Dashboard Upgrade, and Community Enhancements ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.28