Daily

daily@lists.cert.at

1 participants
3252 discussions

Tageszusammenfassung - 03.09.2025
by Daily end-of-shift report 03 Sep '25

03 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-09-2025 18:00 − Mittwoch 03-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers breach fintech firm in attempted $130M bank heist ∗∗∗ --------------------------------------------- Hackers tried to steal $130 million from Evertecs Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central banks real-time payment system (Pix). --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-fintech-firm-… ∗∗∗ What Is a Passkey? Here’s How to Set Up and Use Them (2025) ∗∗∗ --------------------------------------------- Passkeys were built to enable a password-free future. Heres what they are and how you can start using them. --------------------------------------------- https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/ ∗∗∗ Patchday: Kritische Schadcode-Lücke bedroht Android 15 und 16 ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Sicherheitslücken in verschiedenen Android-Versionen. --------------------------------------------- https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-bedroht-Andro… ∗∗∗ Phishing-Alarm: FinanzOnline droht nicht mit der Pfändung des Hausrats! ∗∗∗ --------------------------------------------- Eine höchst aktuelle Phishing-Welle im Namen von FinanzOnline sorgt für große Verunsicherung. Die zentrale Drohung: Pfändung des Hausrats durch den Gerichtsvollzieher! Klingt besorgniserregend, ist in Wahrheit aber nichts anderes als ein Betrugsversuch. Wir erklären, .. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-finanzonline-pfaendun… ∗∗∗ Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust ∗∗∗ --------------------------------------------- Model namespace reuse is a potential security risk in the AI supply chain. Attackers can misuse platforms like Hugging Face for remote code execution. --------------------------------------------- https://unit42.paloaltonetworks.com/model-namespace-reuse/ ∗∗∗ Digitale Souveränität: Cloud Edition. ∗∗∗ --------------------------------------------- Das erratische Verhalten der aktuellen US-Regierung hat die Sorgen um die Abhängigkeit Europas von den großen US-Cloudbetreibern verstärkt. In der EU haben sowohl die Kommission als auch das Parlament Dokumente zu diesem Thema vorgelegt, heuer hat die Kommission bereits um Ideen zu einem Cloud and AI Development Act gebeten. Auch in Deutschland .. --------------------------------------------- https://www.cert.at/de/blog/2025/9/digitale-souveranitat-cloud-edition ∗∗∗ Cloudflare, Zscaler among companies impacted by Salesloft Drift incident ∗∗∗ --------------------------------------------- Multiple tech firms have publicly detailed how incidents involving the third-party Salesloft Drift tool have exposed customer data. --------------------------------------------- https://therecord.media/salesloft-drift-breach-cloudflare-zscaler-palo-alto… ∗∗∗ Corruption case against ousted cyber chief is ‘revenge,’ Ukraine’s security service says ∗∗∗ --------------------------------------------- Ukraine’s security service is accusing the country’s anti-corruption agencies of seeking “revenge” by bringing charges against Illia Vitiuk, the former head of the agency’s cybersecurity unit. --------------------------------------------- https://therecord.media/corruption-case-against-ousted-cyber ∗∗∗ Cloudflare Mitigates Largest Ever Recorded DDoS Attack at 11.5 Tbps ∗∗∗ --------------------------------------------- Cloudflare mitigated the largest DDoS attack ever recorded, an 11.5 Tbps flood that lasted 35 seconds without disrupting… --------------------------------------------- https://hackread.com/cloudflare-mitigates-largest-ddos-attack-11-5-tbps/ ∗∗∗ CISA, NSA and 19 International Partners Release Shared Vision of Software Bill of Materials for Cybersecurity Guide ∗∗∗ --------------------------------------------- CISA, NSA, and 19 international partners release a shared vision of Software Bill of Materials (SBOM) highlighting the importance of SBOM in securing global supply chains & enhancing software resilience worldwide. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-nsa-and-19-international-partner… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, .. --------------------------------------------- https://lwn.net/Articles/1036567/ ∗∗∗ Vulnerability & Patch Roundup — August 2025 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2025/08/vulnerability-patch-roundup-august-2025.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 02.09.2025
by Daily end-of-shift report 02 Sep '25

02 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 01-09-2025 18:00 − Dienstag 02-09-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zscaler data breach exposes customer info after Salesloft Drift compromise ∗∗∗ --------------------------------------------- In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers' information. [..] This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data. [..] The company stresses that the data breach only impacts its Salesforce instance and no Zscaler products, services, or infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-… ∗∗∗ Stolen OAuth tokens expose Palo Alto customer data ∗∗∗ --------------------------------------------- Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/02/stolen_oauth… ∗∗∗ No, Google did not warn 2.5 billion Gmail users to reset passwords ∗∗∗ --------------------------------------------- This is just the latest such story, which numerous news websites and cybersecurity companies have reported without verification in recent years. [..] However, as the company explained on a Monday blog post addressing these inaccurate stories, "Gmail's protections are strong and effective, and claims of a major Gmail security warning are false." --------------------------------------------- https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-… ∗∗∗ Badges, behavior, and BMS: Why the human perimeter matters in energy cybersecurity ∗∗∗ --------------------------------------------- Over the summer, a hacker brought a 158-year-old European technology company to its knees with a guessed password. By identifying a weak admin credential, the attacker gained access to internal systems and extracted sensitive information, laying the groundwork for a broader ransomware campaign. [..] Energy cybersecurity is not just about software protection —it’s also about managing human interaction and physical access to critical infrastructure. [..] Even the most secure system in the world won’t help if someone holds the door open for the wrong person. --------------------------------------------- https://blog.se.com/digital-transformation/cybersecurity/2025/09/01/badges-… ∗∗∗ Cookies and how to bake them: what they are for, associated risks, and what session hijacking has to do with it ∗∗∗ --------------------------------------------- Kaspersky experts explain the different types of cookies, how to configure them correctly, and how to protect yourself from session hijacking attacks. --------------------------------------------- https://securelist.com/cookies-and-session-hijacking/117390/ ∗∗∗ A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years, (Tue, Sep 2nd) ∗∗∗ --------------------------------------------- What can almost 2,000 sextortion messages tell us about how threat actors operate and whether they are successful? [..] The use of specific cryptocurrency addresses in sextortion messages seems to be fairly short-lived. Approximately 46% of the addresses in the dataset were only used for a single day [..] the average requested amount was 1,716 USD, with a median of 1,370 USD [..] Of the 205 cryptocurrency addresses in our dataset, only 57 (~28%) didn’t receive any payment at all, while the remaining addresses did. --------------------------------------------- https://isc.sans.edu/diary/rss/32252 ∗∗∗ Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec. --------------------------------------------- https://thehackernews.com/2025/09/ukrainian-network-fdn3-launches-massive.h… ∗∗∗ Achtung, Bitpanda-Phishing: Krypto-Guthaben in Gefahr! ∗∗∗ --------------------------------------------- Kriminelle versenden SMS-Nachrichten und warnen vor einem angeblichen Login auf das Bitpanda-Konto des Opfers. Sie liefern außerdem eine Telefonnummer mit, bei der man sich zur Klärung melden solle. Am anderen warten allerdings die Betrüger:innen – und die haben es auf Krypto-Assets abgesehen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-bitpanda-phishing-krypto/ ===================== = Vulnerabilities = ===================== ∗∗∗ Heimautomatisierung: ESPHome-Lücke erlaubt volle Kompromittierung ∗∗∗ --------------------------------------------- In der ESP-IDF-Plattform der ESPHome-Firmwarebasis führt eine nun entdeckte Sicherheitslücke dazu, dass Angreifer eine Authentifizierung umgehen können. Das ermöglicht ihnen sogar, eigene Firmware auf verwundbare Controller zu verfrachten. [..] Ein neuer Schwachstelleneintrag vom Montag dieser Woche erörtert die Sicherheitslücke in der Firmware. [..] (CVE-2025-57808 / noch kein EUVD, CVSS 8.1, Risiko "hoch") --------------------------------------------- https://www.heise.de/news/Heimautomatisierung-ESPHome-Luecke-erlaubt-volle-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/1036369/ ∗∗∗ TYPO3-EXT-SA-2025-011: Command Injection in extension "TYPO3 Backup Plus" (ns_backup) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-011 ∗∗∗ Delta Electronics EIP Builder ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-01 ∗∗∗ SunPower PVS6 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-03 ∗∗∗ Fuji Electric FRENIC-Loader 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 01.09.2025
by Daily end-of-shift report 01 Sep '25

01 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-08-2025 18:00 − Montag 01-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Transparenz und Kommunikation: BSI rät indirekt von weiterer Paypal-Nutzung ab ∗∗∗ --------------------------------------------- Was passiert mit den Daten, werden bei Ausfällen Gründe genannt? Ohne Paypal zu nennen, ruft das BSI auf, nicht nur nach der Usability auszuwählen. --------------------------------------------- https://www.golem.de/news/transparenz-und-kommunikation-bsi-raet-indirekt-v… ∗∗∗ AWS warnt: Russische Hacker bei Attacken auf Microsoft-Nutzer erwischt ∗∗∗ --------------------------------------------- Die berüchtigte Hackergruppe APT29 soll bestehende Webseiten mit Schadcode verseucht haben, um an die Microsoft-Konten der Besucher zu gelangen. --------------------------------------------- https://www.golem.de/news/aws-warnt-russische-hacker-bei-attacken-auf-micro… ∗∗∗ Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling ∗∗∗ --------------------------------------------- Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes. --------------------------------------------- https://thehackernews.com/2025/08/attackers-abuse-velociraptor-forensic.html ∗∗∗ Traffic to government domains often crosses national borders, or flows through risky bottlenecks ∗∗∗ --------------------------------------------- Sites at yourcountry.gov may also not bother with HTTPs Internet traffic to government domains often flows across borders, relies on a worryingly small number of network connections, or does not require encryption, according to new research. --------------------------------------------- https://www.theregister.com/2025/09/01/isoc_government_domain_traffic_measu… ∗∗∗ SSA Whistleblower’s Resignation Email Mysteriously Disappeared From Inboxes ∗∗∗ --------------------------------------------- Less than 30 minutes after the Social Security Administration’s chief data officer resigned following a whistleblower complaint, recipients could no longer access the resignation email. --------------------------------------------- https://www.wired.com/story/charles-borges-resignation-email-disappearance/ ∗∗∗ Hintertür-Bericht: Britische Regierung will Vollzugriff auf iCloud ∗∗∗ --------------------------------------------- Noch immer ist nicht final entschieden, ob Apple britischen Strafverfolgern Zugriff auf iCloud geben muss. Nun wurde die ganze Datenbreite bekannt. --------------------------------------------- https://www.heise.de/news/Hintertuer-Bericht-Britische-Regierung-will-Vollz… ∗∗∗ Nach Kritik: Ameos Kliniken wollen proaktiv über Datenleak informieren ∗∗∗ --------------------------------------------- Nach einem erfolgreichen Cyberangriff hatte der Klinikkonzern Ameos ein Auskunftsformular bereitgestellt. Nach Kritik wurde selbiges jetzt geändert. --------------------------------------------- https://www.heise.de/news/Ameos-Kliniken-Nach-IT-Angriff-steht-Auskunftsfor… ∗∗∗ IT-Infrastruktur des Innenministeriums "gezielt und professionell" gehackt ∗∗∗ --------------------------------------------- Polizeiliche Daten oder Anwendungen sollen nach eigenen Angaben nicht betroffen sein. Der Angriff fand vor einigen Wochen statt, wurde aber erst jetzt kommuniziert. --------------------------------------------- https://www.derstandard.at/story/3000000285630/cyberangriff-auf-it-infrastr… ∗∗∗ Sweden scrambles after ransomware attack puts sensitive worker data at risk ∗∗∗ --------------------------------------------- Municipal government organisations across Sweden have found themselves impacted after a ransomware attack at a third-party software service supplier. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/sweden-scrambles-afte… ∗∗∗ Merkwürdige Spam-Mail; Accenture gehackt? ∗∗∗ --------------------------------------------- Ein Blog-Leser hat mich vor einigen Tage darauf hingewiesen, dass er eine merkwürdige Spam-Mail bekam, die von einer Accenture-Domain verschickt wurde. Inzwischen ist die Domain nicht mehr erreichbar – was die Frage nach dem Hintergrund aufwirft. --------------------------------------------- https://www.borncity.com/blog/2025/08/31/accenture-gehackt-merkwuerdige-phi… ∗∗∗ Starker Anstieg der Cyberangriffe auf den Bildungssektor ∗∗∗ --------------------------------------------- Sicherheitsanbieter Check Point warnt vor einem starken Anstieg von Cyber-Angriffen im Bildungssektor: Weltweit um 41 Prozent, in Deutschland sogar plus 56 Prozent. Bildungseinrichtungen verzeichnen im Schnitt mehr als 4300 Angriffe pro Woche, getrieben von saisonalen Phishing-Kampagnen zum Schul- und Semesterstart. --------------------------------------------- https://www.borncity.com/blog/2025/08/31/starker-anstieg-der-cyberangriffe-… ∗∗∗ PromptLock: Erste KI-gestützte Malware von ESET entdeckt ∗∗∗ --------------------------------------------- ESET-Sicherheitsforscher haben die ihrer Meinung nach "erste bekannte KI-gestützte Ransomware" mit dem Namen PromptLock entdeckt. --------------------------------------------- https://www.borncity.com/blog/2025/08/31/promptlock-erste-ki-gestuetzte-mal… ∗∗∗ Citrix Netscaler backdoors — Part One — May 2025 activity against governments ∗∗∗ --------------------------------------------- This is a follow up post to the prior one, part of a series looking at different Netscaler vulnerabilities that have been exploited in the wild as zero days. --------------------------------------------- https://doublepulsar.com/citrix-netscaler-backdoors-part-one-may-2025-activ… ∗∗∗ 8 Malicious NPM Packages Stole Chrome User Data on Windows ∗∗∗ --------------------------------------------- JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser users on Windows. The attack highlights a growing threat to developers. --------------------------------------------- https://hackread.com/malicious-npm-packages-stole-chrome-user-data-windows/ ∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗ --------------------------------------------- Update (August 28) Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo… ∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗ --------------------------------------------- Nearly three dozen organizations across Central Asia and the Asia-Pacific region, predominantly government agencies, have been compromised in data exfiltration campaigns attributed to the Russian and Chinese-speaking threat group known as ShadowSilk, according to Group-IB. --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6190 ∗∗∗ Vishing: So gelingt der Angriff per Telefon selbst auf Großunternehmen ∗∗∗ --------------------------------------------- Auf der Def Con konnte man sich live ansehen, wie Vishing funktioniert. Erstaunlich oft ergattern Angreifer per Telefon selbst wichtigste Firmeninformationen. --------------------------------------------- https://heise.de/-10625451 ∗∗∗ A16-FuseBypass: Debug Logic Enabled on Production Apple Silicon ∗∗∗ --------------------------------------------- This repository documents a critical hardware-level vulnerability in the Apple A16 Bionic chip used in iPhone 14 Pro Max and related devices. --------------------------------------------- https://github.com/JGoyd/A16-FuseBypass ∗∗∗ KernelSnitch: Side-Channel Attacks on Kernel Data Structures ∗∗∗ --------------------------------------------- In this paper, we present a novel generic software side-channel attack, KernelSnitch, targeting kernel data structures such as hash tables and trees. --------------------------------------------- https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf ∗∗∗ Client-side RCE via CSS Injection in Google Web Designer for Windows ∗∗∗ --------------------------------------------- After my recent discovery of two client-side remote code execution vulnerabilities in Google Web Designer (previously disclosed in my articles earlier this year: CVE-2025-1079, CVE-2025-4613), in April 2025 I've found yet another serious issue in the app. --------------------------------------------- https://balintmagyar.com/articles/google-web-designer-css-injection-client-… ∗∗∗ Passkeys are incompatible with open-source software ∗∗∗ --------------------------------------------- After reading more of the spec authors’ comments on open-source Passkey implementations, I cannot support this tech. In addition to what I covered at the bottom of this blog post, I found more instances where the spec authors have expressed positions that are incompatible with open-source software and user freedom. --------------------------------------------- https://www.smokingonabike.com/2025/01/04/passkey-marketing-is-lying-to-you/ ∗∗∗ Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions ∗∗∗ --------------------------------------------- Socket’s Threat Research Team identified a malicious npm package, nodejs-smtp, that impersonates the popular email library nodemailer, which averages roughly 3.9 million weekly downloads, while implanting code into desktop cryptocurrency wallets on Windows. --------------------------------------------- https://socket.dev/blog/wallet-draining-npm-package-impersonates-nodemailer ∗∗∗ The CISO’s Codex – Leo and the Laws of Security ∗∗∗ --------------------------------------------- A a storytelling approach to cybersecurity, where a new CISO named Leo guides his company through foundational security models like Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, and Graham-Denning/HRU. --------------------------------------------- https://thecyberthrone.in/2025/08/30/the-cisos-codex-leo-and-the-laws-of-se… ∗∗∗ Nevada Faces Unprecedented Ransomware Attack ∗∗∗ --------------------------------------------- On August 24, 2025, Nevada made headlines as the victim of a historic cyberattack that forced a near-total shutdown of state government operations. --------------------------------------------- https://thecyberthrone.in/2025/08/31/nevada-faces-unprecedented-ransomware-… ===================== = Vulnerabilities = ===================== ∗∗∗ IT-Sicherheitslösung Acronis Cyber Protect Cloud Agent ist verwundbar ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt eine Schwachstelle in Acronis Cyber Protect Cloud Agent. --------------------------------------------- https://www.heise.de/news/IT-Sicherheitsloesung-Acronis-Cyber-Protect-Cloud… ∗∗∗ Qnap: Teils hochriskante Lücken in QTS und QuTS hero geschlossen ∗∗∗ --------------------------------------------- Aktualisierungen für die QTS- und QuTS-hero-Firmwares von Qnap-Geräten schließen als hochriskant eingestuft Sicherheitslücken. --------------------------------------------- https://www.heise.de/news/Qnap-Update-schliesst-teils-hochriskante-Luecken-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7). --------------------------------------------- https://lwn.net/Articles/1036084/ ∗∗∗ Authenticated Attackers Could Exploit IBM Watsonx Vulnerability to Access Sensitive Data ∗∗∗ --------------------------------------------- A newly disclosed security vulnerability, tracked as CVE-2025-0165, has been reported, specifically concerning the users of the IBM Watsonx Orchestrate Cartridge within the IBM Cloud Pak for Data platform. --------------------------------------------- https://thecyberexpress.com/decoding-cve-2025-0165-flaw/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 29.08.2025
by Daily end-of-shift report 29 Aug '25

29 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-08-2025 18:00 − Freitag 29-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Polizei warnt vor Anrufen von Fake-Innenminister, der Geld will ∗∗∗ --------------------------------------------- Innenminister Karner soll um Spenden für Lösegeldzahlungen gebeten haben. Die Kontaktaufnahme geschah dabei mit einer echten Nummer des Innenministeriums. --------------------------------------------- https://futurezone.at/digital-life/fake-innenminister-karner-anruf-scam-pol… ∗∗∗ Vorsicht! Ankündigung einer Betriebsprüfung durch das Finanzamt ist eine Falle! ∗∗∗ --------------------------------------------- Eine neue Betrugsmasche im Namen des österreichischen Finanzamts macht aktuell die Runde. Diesmal ist es kein Zugangscode, der abläuft. Keine Rückerstattung, die auf ihre Auszahlung wartet. Im aktuellen Fall versuchen Kriminelle, über die Ankündigung einer Betriebsprüfung für Schaden zu sorgen. --------------------------------------------- https://www.watchlist-internet.at/news/falle-finanzamt-betriebspruefung/ ∗∗∗ Citrix forgot to tell you CVE-2025–6543 has been used as a zero day since May 2025 ∗∗∗ --------------------------------------------- Netscaler customers have a problem: the product is on fire. And not in a good way. Serious threat actors are running rings around the product on a regular basis, zero days being exploited regularly, and Citrix/Cloud Software Group simply aren’t being transparent about what is happening with customers so they cannot make real assessments of compromise. Applying patches after already being exploited is not working. --------------------------------------------- https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-u… ∗∗∗ Vorzeitige Beendigung des Supports für SonicWall SMA100 ∗∗∗ --------------------------------------------- Am 31. Oktober 2025 soll Schluss mit dem Support sein, wie es in einer Mitteilung eines SonicWall-Partners heißt. --------------------------------------------- https://www.borncity.com/blog/2025/08/29/vorzeitige-beendigung-des-supports… ∗∗∗ How attackers adapt to built-in macOS protection ∗∗∗ --------------------------------------------- We analyze the built-in protection mechanisms in macOS: how they work, how threat actors can attack them or deceive users, and how to detect such attacks. --------------------------------------------- https://securelist.com/macos-security-and-typical-attacks/117367/ ∗∗∗ Passkeys Pwned: Turning WebAuthn Against Itself ∗∗∗ --------------------------------------------- On the DEFCON 33 main stage, SquareX researchers disclosed a major passkey vulnerability that uses malicious extensions/scripts to fake passkey registration and logins, allowing attackers to access enterprise SaaS apps without the user’s device or biometrics. --------------------------------------------- https://labs.sqrx.com/passkeys-pwned-0dbddb7ade1a ∗∗∗ Ransomware gang takedowns causing explosion of new, smaller groups ∗∗∗ --------------------------------------------- The ransomware ecosystem continues to splinter, with new gangs proliferating in the wake of law enforcement takedowns that have scattered affiliates and prompted criminal rebrands. --------------------------------------------- https://therecord.media/ransomware-gang-takedown-proliferation ===================== = Vulnerabilities = ===================== ∗∗∗ Windows: Zero-Day-Lücke bei der LNK-Anzeige ∗∗∗ --------------------------------------------- Laut ZDI stellte Microsoft sich auf den Standpunkt, dass die Sicherheitslücke nicht den Schweregrad für eine Behandlung erreicht. Auch nach etwa einem halben Jahr hin und her änderte Microsoft seine Meinung dazu nicht. Schließlich hat ZDI die Meldung veröffentlicht und jetzt auch einen CVE-Schwachstelleneintrag dazu herausgegeben. [..] "Die Schwachstelle ermöglicht Angreifern aus dem Netz, beliebigen Code auf betroffenen Installationen von Microsoft Windows auszuführen. Benutzerinteraktion ist für den Missbrauch erforderlich, diese müssen eine bösartige Seite besuchen oder eine bösartige Datei öffnen", schlussfolgert die ZDI. [..] (CVE-2025-9491 / noch kein EUVD, CVSS 7.0, Risiko "hoch") --------------------------------------------- https://heise.de/-10625780 ∗∗∗ FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available ∗∗∗ --------------------------------------------- The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity. "Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory. [..] "We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise," watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/08/freepbx-servers-targeted-by-zero-day.html ∗∗∗ clickstudios Passwordstate 2025-08-28 ∗∗∗ --------------------------------------------- Fixed a potential authentication bypass issue associated with accessing the core Passwordstate Products' Emergency Access page, by using a carefully crafted URL, which could allow access to the Passwordstate Administration section. --------------------------------------------- https://www.clickstudios.com.au/security/advisories/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (aide, fence-agents, firefox, kernel-rt, python-cryptography, and thunderbird), Debian (golang-github-gin-contrib-cors, libxml2, and udisks2), Fedora (chromium), Oracle (postgresql16, postgresql:16, python3.11, and thunderbird), Red Hat (lz4 and mpfr), SUSE (chromium, docker, dpkg, firefox, gdk-pixbuf, git, git, git-lfs, obs-scm-bridge, python-PyYAML, gnutls, kernel, libarchive, libxml2, net-tools, netty, perl-Crypt-CBC, polkit, postgresql14, postgresql15, sqlite3, thunderbird, tomcat10, and udisks2), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux-realtime, linux-realtime-6.14, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gke, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-kvm, linux-oem-6.14, linux-realtime, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, openldap, and udisks2). --------------------------------------------- https://lwn.net/Articles/1035724/ ∗∗∗ QNAP: Multiple Vulnerabilities in File Station 5 ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-19 ∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-21 ∗∗∗ Tenable: [R1] Stand-alone Security Patches Available for Tenable Security Center versions 6.4.x, 6.5.1 and 6.6.0: SC-202508.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-17 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-01 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-02 ∗∗∗ GE Vernova CIMPLICITY ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-06 ∗∗∗ Delta Electronics CNCSoft-G2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-04 ∗∗∗ Delta Electronics COMMGR ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 28.08.2025
by Daily end-of-shift report 28 Aug '25

28 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-08-2025 18:00 − Donnerstag 28-08-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Experimental PromptLock ransomware uses AI to encrypt, steal data ∗∗∗ --------------------------------------------- Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems. The malware uses OpenAI’s gpt-oss:20b model through the Ollama API to dynamically generate the malicious Lua scripts from hard-coded prompts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/experimental-promptlock-rans… ∗∗∗ ZipLine Phishers Flip Script as Victims Email First ∗∗∗ --------------------------------------------- "ZipLine" appears to be a sophisticated and carefully planned campaign that has already affected dozens of small, medium, and large A financially motivated threat actor is flipping the phishing playbook by getting victims to make the first email contact with the attacker rather than the other way around. The scam involves the adversary hitting up Contact Us forms on company websites under the guise of partnership inquiries or other business pretexts and waiting for the target to respond. Over a couple of weeks, they build credibility with carefully crafted, professional-sounding emails before hitting their mark with a weaponized zip file. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/zipline-phishers-vic… ∗∗∗ AppSuite PDF Editor Backdoor: A Detailed Technical Analysis ∗∗∗ --------------------------------------------- Some threat actors are bold enough to submit their own malware as false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor. Initially, automation flagged it as a potentially unwanted program—a verdict that is typically reserved for legitimate software with shady features like unwanted advertisement or installation of third-party programs without proper consent. In the case of AppSuite, however, we found a backdoor. --------------------------------------------- https://feeds.feedblitz.com/~/923960972/0/gdatasecurityblog-en~AppSuite-PDF… ∗∗∗ Schweden: Cyberangriff legt Systeme Hunderter Kommunen lahm ∗∗∗ --------------------------------------------- Ein schwedischer IT-Dienstleister namens Miljödata ist offenbar Ziel einer folgenschweren Cyberattacke geworden. Einem Bericht von Bleeping Computer(öffnet im neuen Fenster) zufolge soll der Angriff in mehr als 200 schwedischen Verwaltungen zu Ausfällen führen. Bei dem Nachrichtenportal Sweden Herald(öffnet im neuen Fenster) ist sogar von 250 betroffenen Kunden die Rede, von denen mindestens 164 Kommunalverwaltungen sein sollen. --------------------------------------------- https://www.golem.de/news/schweden-cyberangriff-legt-systeme-hunderter-komm… ∗∗∗ Malicious Screen Connect Campaign Abuses AI-Themed Lures for Xworm Delivery ∗∗∗ --------------------------------------------- During a recent Advanced Continual Threat Hunt (ACTH) investigation, the Trustwave SpiderLabs Threat Hunt team identified a deceptive campaign that abused fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-s… ∗∗∗ Mehr als 28.000 Netscaler-Instanzen anfällig für Citrix Bleed 3 ∗∗∗ --------------------------------------------- Am Mittwoch wurde bekannt, dass Schwachstellen in den Netscalern (ADC und Gateways) von Citrix angegriffen werden, die bereits als "Citrix Bleed 3" tituliert werden. Die Shadowserver Foundation hat am Mittwoch Zahlen veröffentlicht, denen zufolge weltweit am Dienstag noch mehr als 28.000 Systeme für die Lücke "Citrix Bleed 3" verwundbar sind. Angreifer können darauf vermutlich die Schwachstellen missbrauchen. --------------------------------------------- https://www.heise.de/news/Mehr-als-28-000-Netscaler-Instanzen-anfaellig-fue… ∗∗∗ Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System ∗∗∗ --------------------------------------------- People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a ∗∗∗ Microsoft warnt: Ransomware-Gruppe Storm-0501 greift (Azure) Cloud an, verlangt Zahlungen ∗∗∗ --------------------------------------------- Microsoft warnt vor der finanziell motivierten Gruppe Storm-0501, die kontinuierlich mit Angriffen auf Cloud-Instanzen (Azure) zielt. Bei Erfolg werden Daten abgezogen, dann die Originale verschlüsselt und Backups zerstört. Anschließend wird Lösegeld verlangt. --------------------------------------------- https://www.borncity.com/blog/2025/08/28/microsoft-warnt-ransomware-gruppe-… ∗∗∗ Zip Slip, Path Traversal Vulnerability during File Decompression ∗∗∗ --------------------------------------------- Path traversal or directory traversal vulnerabilities are security vulnerabilities that occur mainly due to improper validation of user inputs. Attackers can read, modify, or even create new files that are originally inaccessible or located in unintended paths using relative or absolute paths. Although these vulnerabilities have been known for a long time, they are still being discovered in various environments and applications, not just web environments. This article examines Zip Slip, a path traversal vulnerability that occurs during the file decompression process of compression programs, and aims to introduce its main vulnerabilities. --------------------------------------------- https://asec.ahnlab.com/en/89890/ ∗∗∗ Thousands of Developer Credentials Stolen in macOS “s1ngularity” Attack ∗∗∗ --------------------------------------------- A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted macOS and AI tools, according to GitGuardian’s analysis. --------------------------------------------- https://hackread.com/developer-credentials-stolen-macos-s1ngularity-attack/ ∗∗∗ Cisco: Mehrere Produkte mit teils hochriskanten Lücken ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat am Mittwoch zehn neue Sicherheitsmeldungen herausgegeben. Sie behandeln teils hochriskante Schwachstellen in mehreren Produkten. --------------------------------------------- https://heise.de/-10623826 ∗∗∗ Referral Beware, Your Rewards are Mine (Part 1) ∗∗∗ --------------------------------------------- Referral rewards programs are nearly ubiquitous today, from consumer tech to SaaS companies, but are rarely given much security oversight. In this blog post we’ll dig into the common technical implementations of rewards programs on web apps, common security issues with each approach, and recommendations for secure development of similar programs. In a subsequent post, we’ll explore real-world examples of these vulnerability classes in detail. --------------------------------------------- https://rhinosecuritylabs.com/research/referral-beware-your-rewards-are-min… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel). --------------------------------------------- https://lwn.net/Articles/1035464/ ∗∗∗ Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-v… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 27.08.2025
by Daily end-of-shift report 27 Aug '25

27 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-08-2025 18:00 − Mittwoch 27-08-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberangriff auf Ameos: Großer Klinikverbund erleidet Datenklau ∗∗∗ --------------------------------------------- Daten von Patienten und Mitarbeitern der Ameos Gruppe sind in die Hände Cyberkrimineller gelangt. Betroffene können jetzt Details anfragen. --------------------------------------------- https://www.golem.de/news/cyberangriff-auf-ameos-grosser-klinikverbund-erle… ∗∗∗ Schadcode im Anmarsch: Aktiv ausgenutzte Git-Lücke gefährdet Entwickler ∗∗∗ --------------------------------------------- Wer Git im Einsatz hat, sollte die Software dringend aktualisieren. Angreifer bedienen sich einer Sicherheitslücke, um Schadcode einzuschleusen. --------------------------------------------- https://www.golem.de/news/schadcode-im-anmarsch-aktiv-ausgenutzte-git-lueck… ∗∗∗ Cyber-Dome: Bundesregierung plant stärkere Cyberabwehr ∗∗∗ --------------------------------------------- Die Pläne zu einer besseren Cyberabwehr sind noch sehr vage. Ein Gesetzentwurf von Alexander Dobrindt soll bis Ende 2025 kommen. --------------------------------------------- https://www.golem.de/news/cyber-dome-bundesregierung-plant-staerkere-cybera… ∗∗∗ US-Regierung steigt bei Intel ein: Krypto-Funktionen weiter vertrauenswürdig? ∗∗∗ --------------------------------------------- Der Einstieg der US-Regierung bei Intel unterminiert Funktionen wie Confidential Computing und "souveräne Cloud". --------------------------------------------- https://www.heise.de/news/Intel-Chips-USA-inside-10622136.html ∗∗∗ Google Chrome: Update schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Im Webbrowser Google Chrome haben die Entwickler eine Sicherheitslücke geschlossen, die als kritisches Risiko eingestuft wurde. Wer den Browser einsetzt, sollte sicherstellen, die jüngste Version zu nutzen. --------------------------------------------- https://www.heise.de/news/Google-Chrome-Update-schliesst-kritische-Sicherhe… ∗∗∗ Paypal: Deutsche Banken blockierten offenbar Zahlungen von Milliarden Euro ∗∗∗ --------------------------------------------- Die Süddeutsche Zeitung berichtet, dass Deutsche Banken Zahlungen an Paypal gestoppt hatten. Auslöser war ein Sicherheitsproblem. --------------------------------------------- https://www.heise.de/news/Paypal-Deutsche-Banken-blockierten-offenbar-Zahlu… ∗∗∗ Governments, tech companies meet in Tokyo to share tips on fighting North Korea IT worker scheme ∗∗∗ --------------------------------------------- The U.S. State Department said it worked with the Ministries of Foreign Affairs in Japan and South Korea to organize the forum, which had more than 130 attendees from freelance work platforms, payment service providers, cryptocurrency companies, AI firms and more. --------------------------------------------- https://therecord.media/japan-us-south-korea-forum-north-korea-it-worker-sc… ∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo… ∗∗∗ The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309) ∗∗∗ --------------------------------------------- As we’ve all experienced in 2025, 2025 has been the year of vendors burying their heads in the sand with regard to in-the-wild exploitation, even in the face of impressively indisputable evidence, and using their status as a CNA to somehow get CVEs with suspiciously similar identifiers to the point that confusion appears almost intentional. --------------------------------------------- https://labs.watchtowr.com/the-one-where-we-just-steal-the-vulnerabilities-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-cipher-base), Fedora (keylime-agent-rust and libtiff), Oracle (aide, kernel, mod_http2, pam, pki-deps:10.6, python-cryptography, python3, python3.12, and thunderbird), SUSE (cheat, ffmpeg, firebird, govulncheck-vulndb, postgresql17, tomcat, tomcat10, tomcat11, ucode-intel-20250812, and v2ray-core), and Ubuntu (binutils, gst-plugins-base1.0, gst-plugins-good1.0, and linux-raspi-realtime). --------------------------------------------- https://lwn.net/Articles/1035307/ ∗∗∗ Malicious versions of Nx and some supporting plugins were published ∗∗∗ --------------------------------------------- https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 26.08.2025
by Daily end-of-shift report 26 Aug '25

26 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Montag 25-08-2025 18:00 − Dienstag 26-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New AI attack hides data-theft prompts in downscaled images ∗∗∗ --------------------------------------------- Researchers have developed a novel attack that steals user data by injecting malicious prompts in images processed by AI systems before delivering them to a large language model. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ai-attack-hides-data-the… ∗∗∗ ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners ∗∗∗ --------------------------------------------- A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners.The large-scale cybercrime campaign, first detected in August 2025, .. --------------------------------------------- https://thehackernews.com/2025/08/shadowcaptcha-exploits-wordpress-sites.ht… ∗∗∗ Malware-ridden apps made it into Googles Play Store, scored 19 million downloads ∗∗∗ --------------------------------------------- Everythings fine, the ad slinger assures us Cloud security vendor Zscaler says customers of Google’s Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant’s security scans. --------------------------------------------- https://www.theregister.com/2025/08/26/apps_android_malware/ ∗∗∗ Sicherheitsupdates: Unbefugte Zugriffe auf GitHub Enterprise Server möglich ∗∗∗ --------------------------------------------- Eine Sicherheitslücke bedroht GitHub Enterprise Server. Admins sollten die gepatchte Ausgabe zeitnah installieren. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Unbefugte-Zugriffe-auf-GitHub-… ∗∗∗ ScreenConnect-Admins im Visier von Spear-Phishing-Angriffen ∗∗∗ --------------------------------------------- Derzeit läuft eine Phishing-Kampagne, die Zugangsdaten zu ScreenConnect abgreift. Die Angreifer wollen Ransomware platzieren. --------------------------------------------- https://www.heise.de/news/ScreenConnect-Admins-im-Visier-von-Spear-Phishing… ∗∗∗ HP Security Manager: Schadcode-Lücke in Druckerverwaltungstool ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in HPs Security Manager erlaubt Angreifern, Schadcode einzuschleusen. Ein Update steht bereit. --------------------------------------------- https://www.heise.de/news/HP-Security-Manager-Schadcode-Luecke-in-Druckerve… ∗∗∗ DSLRoot, Proxies, and the Threat of ‘Legal Botnets’ ∗∗∗ --------------------------------------------- The cybersecurity community on Reddit responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement theyd made with company called DSLRoot, which was paying $250 a month to plug a pair of laptops into the Redditors high-speed Internet connection in the United States. This post .. --------------------------------------------- https://krebsonsecurity.com/2025/08/dslroot-proxies-and-the-threat-of-legal… ∗∗∗ Cyberangriff auf die Stadt Nürnberg: Prorussische Hacker im Verdacht ∗∗∗ --------------------------------------------- Haftbefehle wurden gegen russische Staatsangehörige erlassen --------------------------------------------- https://www.derstandard.at/story/3000000285014/cyberangriff-auf-die-stadt-n… ∗∗∗ Ewig ruft das Passwort ∗∗∗ --------------------------------------------- Die Verwendung von Passwörtern hat eine lange Tradition in der IT. Und regelmäßig sind sich alle einig, dass wir sie eigentlich loswerden sollten. Das haben wir das noch immer nicht geschafft, auch wenn Passkeys ein interessanter Ansatz sind. Daher sitzen wir alle auf großen Sammlungen von Passwörtern – die ca. 250 Einträge in .. --------------------------------------------- https://www.cert.at/de/blog/2025/8/ewig-ruft-das-passwort ∗∗∗ Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop in Single-Day Surge ∗∗∗ --------------------------------------------- On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions. --------------------------------------------- https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-de… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, firebird3.0, and luajit), Fedora (chromium, python3-docs, and python3.13), Oracle (aide, firefox, glibc, libxml2, and tomcat), Red Hat (aide, git, kernel, kernel-rt, libarchive, pam, python-cryptography, python3, python3.12, and webkit2gtk3), SUSE (cmake3, ffmpeg-4, kernel, kubernetes1.18, libqt4, minikube, net-tools, pam, postgresql16, proftpd, python-urllib3, python311, python312, python36, tomcat10, tomcat11, and webkit2gtk3), and .. --------------------------------------------- https://lwn.net/Articles/1035110/ ∗∗∗ Mehrere (teils kritische) Schwachstellen in NetScaler ADC and NetScaler Gateway ∗∗∗ --------------------------------------------- 26. August 2025 Beschreibung Citrix hat ein Advisory zu mehreren, zum Teil kritischen, Schwachstellen in den Produkten NetScaler ADC (ehemals Citrix ADC) und NetScaler Gateway (ehemals Citrix Gateway) veröffentlicht. Laut Citrix wurden bereits Angriffsversuche gegen verwundbare Systeme beobachtet, welche zumindest die kritische Schwachstelle CVE-2025-7775 auszunutzen versuchten. CVE-Nummern(n): CVE-2025-7775, CVE-2025-7776, CVE-2025-8424 CVSS v4.0 Base Score(s): 9.2, 8.8, 8.7 .. --------------------------------------------- https://www.cert.at/de/warnungen/2025/8/citrix-netscaler-adc-schwachstellen… ∗∗∗ Multiple Vulnerabilities in File Station 5 ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-31 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 25.08.2025
by Daily end-of-shift report 25 Aug '25

25 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-08-2025 18:00 − Montag 25-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Android malware poses as antivirus from Russian intelligence agency ∗∗∗ --------------------------------------------- A new Android malware posing as an antivirus tool software created by Russias Federal Security Services agency (FSB) is being used to target executives of Russian businesses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-malware-poses-as… ∗∗∗ Social Engineering: Krypto-Anleger verliert Bitcoin im Wert von 90 Millionen USD ∗∗∗ --------------------------------------------- Betrüger haben einen Krypto-Anleger um ein Vermögen gebracht. Der Geschädigte ist nun um 783 Bitcoin ärmer. Das Geld sieht er wohl nie wieder. --------------------------------------------- https://www.golem.de/news/social-engineering-krypto-anleger-verliert-bitcoi… ∗∗∗ Criminal background checker APCS faces data breach ∗∗∗ --------------------------------------------- The attack first affected an upstream provider of bespoke software Exclusive A leading UK provider of criminal record checks for employers is handling a data breach stemming from a third-party development company. --------------------------------------------- https://www.theregister.com/2025/08/22/apcs_breach/ ∗∗∗ Botnet-Kampagne "Gayfemboy" auch in Deutschland aktiv ∗∗∗ --------------------------------------------- IT-Forscher von Fortinet beobachten ein IoT-Botnet, das auf "Mirai" basiert und "Gayfemboy" genannt wird. Es versteckt sich gut. --------------------------------------------- https://www.heise.de/news/Mirai-basierte-Botnet-Kampagne-Gayfemboy-auch-in-… ∗∗∗ Kriminelle locken mit angeblichen Kryptoguthaben ∗∗∗ --------------------------------------------- Lukas kann seinen Augen kaum trauen. In seinem Postfach liegt eine E-Mail, die behauptet, dass sich ein hoher Betrag in seinem Kryptowallet befindet. Um wieder Zugriff zu erhalten, soll er lediglich ein paar einfache Schritte befolgen. Doch Vorsicht: Die E-Mail stammt von Kriminellen, die ihn zu hohen Überweisungen bewegen wollen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-locken-mit-angeblichen-kr… ∗∗∗ Beliebte eSIMs für Reisen leiten heimlich Daten über China um ∗∗∗ --------------------------------------------- Eine aktuelle Untersuchung zeigt grobe Sicherheits- und Privatsphärendefizite bei vielen Anbietern auf. --------------------------------------------- https://www.derstandard.at/story/3000000284843/beliebte-esims-fuer-reisen-l… ∗∗∗ Phishing in the Classroom: 115,000 Emails Exploit Google Classroom to Target 13,500 Organizations ∗∗∗ --------------------------------------------- Check Point researchers have uncovered a large-scale active phishing campaign abusing Google Classroom, a platform trusted by millions of students and educators worldwide. Over the course of just one week, attackers launched .. --------------------------------------------- https://blog.checkpoint.com/email-security/phishing-in-the-classroom-115000… ∗∗∗ Chrome-Erweiterung FreeVPN.One zeichnete Screenshots von Seitenbesuchen auf ∗∗∗ --------------------------------------------- Wer bisher glaubte, dass Microsofts Recall in Punkto Überwachung an der Spitze liegt, muss umdenken. Sicherheitsforscher sind auf die Erweiterung FreeVPN.One des Google Chrome-Browsers gestoßen. Diese fertigte Screenshots von allen .. --------------------------------------------- https://www.borncity.com/blog/2025/08/24/chrome-erweiterung-freevpn-one-zei… ∗∗∗ Cybercriminals Exploit Cheap VPS to Launch SaaS Hijacking Attacks ∗∗∗ --------------------------------------------- Darktrace researchers have discovered a new wave of attacks where cybercriminals use cheap Virtual Private Servers (VPS) .. --------------------------------------------- https://hackread.com/cybercriminals-exploit-cheap-vps-saas-hijack-attacks/ ∗∗∗ Phishing Campaign Targeting Companies via UpCrypter ∗∗∗ --------------------------------------------- FortiGuard Labs recently identified a phishing campaign leveraging carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs). --------------------------------------------- https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-c… ∗∗∗ Webhosting-Software cPanel: Updates schließen Sicherheitslücke ∗∗∗ --------------------------------------------- Die Verwaltungssoftware cPanel und WHM für Webhosting schließt mit neuen Versionen mindestens eine Sicherheitslücke, die als hochriskant gilt. --------------------------------------------- https://heise.de/-10599503 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 22.08.2025
by Daily end-of-shift report 22 Aug '25

22 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-08-2025 18:00 − Freitag 22-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Dev gets 4 years for creating kill switch on ex-employers systems ∗∗∗ --------------------------------------------- A software developer has been sentenced to four years in prison for sabotaging his ex-employers Windows network with custom malware and a kill switch that locked out employees when his account was disabled. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dev-gets-4-years-for-creatin… ∗∗∗ Fake Mac fixes trick users into installing new Shamos infostealer ∗∗∗ --------------------------------------------- A new infostealer malware targeting Mac devices, called Shamos, is targeting Mac devices in ClickFix attacks that impersonate troubleshooting guides and fixes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-i… ∗∗∗ Trotz Rolling Code: Inoffizielle Flipper-Zero-Firmware soll Autos knacken ∗∗∗ --------------------------------------------- Ein russischer Akteur verkauft eine eigene Firmware für den Flipper Zero. Selbst neueste Autos gängiger Marken sollen sich damit entriegeln lassen. --------------------------------------------- https://www.golem.de/news/trotz-rolling-code-inoffizielle-flipper-zero-firm… ∗∗∗ Think before you Click(Fix): Analyzing the ClickFix social engineering technique ∗∗∗ --------------------------------------------- The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. This technique exploits users’ tendency to resolve technical issues by tricking them into running malicious commands. These commands, in turn, deliver payloads that ultimately lead to information theft and .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-c… ∗∗∗ Coinbase Reverses Remote-First Policy After North Korean Infiltration Attempts ∗∗∗ --------------------------------------------- Remote work policies designed to attract top talent are becoming security vulnerabilities as state-sponsored hackers seek employment at cryptocurrency firms. Coinbase has implemented mandatory in-person orientation and US citizenship requirements for sensitive roles after detecting North Korean IT workers attempting to infiltrate the company .. --------------------------------------------- https://slashdot.org/story/25/08/22/1515238/coinbase-reverses-remote-first-… ∗∗∗ Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.The "Linux-specific malware infection chain that starts with a spam email with a malicious .. --------------------------------------------- https://thehackernews.com/2025/08/linux-malware-delivered-via-malicious.html ∗∗∗ Interpol bags 1,209 suspects, $97M in cybercrime operation focused on Africa ∗∗∗ --------------------------------------------- Crypto mines, BEC scams, fake passports, and a $300M fraud empire allegedly brought down during Serengeti 2.0 Interpols latest clampdown on cybercrime resulted in 1,209 arrests across the African continent, from ransomware crooks to business .. --------------------------------------------- https://www.theregister.com/2025/08/22/interpol_serengeti_20/ ∗∗∗ KI-Assistent: Microsofts Copilot verfälschte monatelang Zugriffsprotokolle ∗∗∗ --------------------------------------------- Fragte man den virtuellen Copilot etwa nach Dokumenten-Zusammenfassungen, unterschlug er mitunter seine Zugriffe. Microsoft verschwieg das Problem. --------------------------------------------- https://www.heise.de/news/KI-Assistent-Microsofts-Copilot-verfaelschte-mona… ∗∗∗ Electronics manufacturer Data I/O reports ransomware attack to SEC ∗∗∗ --------------------------------------------- The tech manufacturer Data I/O reported a ransomware attack to federal regulators, writing that the incident has taken down critical operational systems. --------------------------------------------- https://therecord.media/electronics-manufacturer-dataio-ransomware ∗∗∗ AI Browsers Can Be Tricked Into Paying Fake Stores in PromptFix Attack ∗∗∗ --------------------------------------------- The PromptFix attack tricks AI browsers with fake CAPTCHAs, leading them to phishing sites and fake stores .. --------------------------------------------- https://hackread.com/ai-browsers-trick-paying-fake-stores-promptfix-attack/ ∗∗∗ AUR Chaos malware: an analysis ∗∗∗ --------------------------------------------- Recently, an incident involving malware in the AUR made the headlines. I read a lot of things around this topic, both right and wrong, and sometimes misleading. I was involved in the incident handling I chose to write this blog post, not only for transparency but also for laying down what I learned both during and .. --------------------------------------------- https://www.mh4ckt3mh4ckt1c4s.xyz/blog/aur-chaos-malware-analysis/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (tomcat), Debian (squid), Fedora (matrix-synapse, rust-slab, socat, and webkitgtk), SUSE (firefox-esr, gdk-pixbuf, gdk-pixbuf-devel, govulncheck-vulndb, rust-keylime, and wicked2nm), and Ubuntu (linux-nvidia, linux-oracle, linux-oracle-6.8, php7.0, php7.2, php7.4, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and ruby-webrick). --------------------------------------------- https://lwn.net/Articles/1034755/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 21.08.2025
by Daily end-of-shift report 21 Aug '25

21 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-08-2025 18:00 − Donnerstag 21-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iPhone, iPad und Mac: Aktiv ausgenutzte Sicherheitslücke gefährdet Apple-Nutzer ∗∗∗ --------------------------------------------- Notfallupdates schließen eine aktiv ausgenutzte Sicherheitslücke in iOS, iPadOS und MacOS. Anwender sollten dringend patchen. --------------------------------------------- https://www.golem.de/news/iphone-ipad-und-mac-aktiv-ausgenutzte-sicherheits… ∗∗∗ Airtell Router Scans, and Mislabeled usernames ∗∗∗ --------------------------------------------- Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The result .. --------------------------------------------- https://isc.sans.edu/forums/diary/Airtell+Router+Scans+and+Mislabeled+usern… ∗∗∗ Neue Tricks mit QR-Codes ∗∗∗ --------------------------------------------- QR-Codes sind beliebte Vehikel für Verbrecher, Hyperlinks an Sicherheitssystemen vorbei zum Opfer zu schleusen. Der Einfallsreichtum ist groß. --------------------------------------------- https://www.heise.de/news/Neue-Tricks-mit-QR-Codes-10559942.html ∗∗∗ Docker Desktop: Kritische Sicherheitslücke erlaubt Host-Zugriff ∗∗∗ --------------------------------------------- In Docker Desktop können bösartige Container auf das Host-System durchgreifen, Schutzmaßnahmen greifen nicht. Ein Update hilft. --------------------------------------------- https://www.heise.de/news/Docker-Desktop-Kritische-Sicherheitsluecke-erlaub… ∗∗∗ Modern Solution: Verurteilter IT-Experte reicht Verfassungsbeschwerde ein ∗∗∗ --------------------------------------------- Das Urteil gegen einen nach dem Hackerparagrafen verurteilten Sicherheitsforscher ist rechtskräftig. Der Verurteilte geht nun nach Karlsruhe. --------------------------------------------- https://www.heise.de/news/Modern-Solution-Verurteilter-IT-Experte-reicht-Ve… ∗∗∗ SIM-Swapper, Scattered Spider Hacker Gets 10 Years ∗∗∗ --------------------------------------------- A 21-year-old Florida man at the center of a prolific cybercrime group known as "Scattered Spider" was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims. Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban .. --------------------------------------------- https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-get… ∗∗∗ Achtung, Phishing-Falle: FinanzOnline will keine Infos zu Krypto-Beständen einholen! ∗∗∗ --------------------------------------------- Aufgrund einer neuen „Steuervorschrift für Kryptowährungen“ verlangt „FinanzOnline“ aktuell via E-Mail vermeintlich die Übermittlung umfassender Informationen rund um Krypto-Vermögen. Natürlich meldet sich hier nicht das echte Finanzportal. Vielmehr versuchen Kriminelle über diese Masche an die Zugangsdaten der Krypto-Wallets ihrer Opfer zu gelangen. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-falle-finanzonline-krypto/ ∗∗∗ Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth ∗∗∗ --------------------------------------------- A campaign leverages CVE-2024-36401 to stealthily monetize victims bandwidth where legitimate software development kits (SDKs) are deployed for passive income. --------------------------------------------- https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdk… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily