=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 05-03-2025 18:00 − Donnerstag 06-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Massive botnet that appeared overnight is delivering record-size DDoSes ∗∗∗
---------------------------------------------
Eleven11bot infects video recorders, with the largest concentration of them in the US.
---------------------------------------------
https://arstechnica.com/security/2025/03/massive-botnet-that-appeared-overn…
∗∗∗ Malicious Chrome extensions can spoof password managers in new attack ∗∗∗
---------------------------------------------
A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-…
∗∗∗ Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity ∗∗∗
---------------------------------------------
Kaspersky experts have discovered campaigns distributing stealers, malicious PowerShell scripts, and backdoors through web pages mimicking the DeepSeek and Grok websites.
---------------------------------------------
https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115…
∗∗∗ PayPal-Passwort wurde geändert? Achtung: Phishing-Alarm! ∗∗∗
---------------------------------------------
Aktuell machen Phishing-Mails die Runde, welche angeblich von PayPal stammen. In ihnen wird behauptet, das Passwort des Opfers sei geändert worden. Um diese Änderung rückgängig zu machen, müsse man lediglich auf einen Link klicken und ein paar persönliche Daten angeben. Hinter dieser Aufforderung verstecken sich allerdings Kriminelle, die es auf persönliche Informationen und Bankdaten abgesehen haben.
---------------------------------------------
https://www.watchlist-internet.at/news/paypal-passwort-phishing/
∗∗∗ Decrypting the Forest From the Trees ∗∗∗
---------------------------------------------
SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API.
---------------------------------------------
https://posts.specterops.io/decrypting-the-forest-from-the-trees-661694ed16…
∗∗∗ Medusa Ransomware Activity Continues to Increase ∗∗∗
---------------------------------------------
Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.
---------------------------------------------
https://www.security.com/threat-intelligence/medusa-ransomware-attacks
∗∗∗ Unveiling EncryptHub: Analysis of a multi-stage malware campaign ∗∗∗
---------------------------------------------
EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24’s KrakenLabs). While other reports have begun to shed light on this actor’s operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns.
---------------------------------------------
https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (firefox and vim), Red Hat (firefox), Slackware (mozilla), SUSE (firefox, firefox-esr, kernel, and podman), and Ubuntu (gpac, kernel, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-hwe-5.15, and redis).
---------------------------------------------
https://lwn.net/Articles/1013209/
∗∗∗ Sicherheitsupdate: Kritische Schadcode-Lücke bedroht Kibana ∗∗∗
---------------------------------------------
Wie die Entwickler in einer Warenmeldung ausführen, sind die Versionen >= 8.15.0 und < 8.17.1 nur attackierbar, wenn Angreifer über Viewer-Role-Rechte verfügen. [..] Die Lücke schrammt mit dem CVSS Score 3.1 9.9 von 10 knapp an der Höchstwertung vorbei. (CVE-2025-25012)
---------------------------------------------
https://heise.de/-10306066
∗∗∗ ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5926.php
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 04-03-2025 18:00 − Mittwoch 05-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Text-basiertes QR Code Phishing im Umlauf ∗∗∗
---------------------------------------------
Über den neuen Ansatz hatten wir 2024 in unseren Newslettern berichtet, nun erhalten wir auch direkt Meldungen über "bildlose" QR-Code Phishs. Kurz umrissen: der QR-Code wird nicht wie oft üblich als Bilddatei übermittelt, sondern aus einzelnen ASCII-/Unicode Block-Zeichen zusammengesetzt. Dadurch kann der im QR-Code enthaltene Inhalt Sicherheitslösungen verborgen bleiben, für optische QR-Code Scanner jedoch funktional bleiben.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/3/text-basiertes-qr-code-phishing-im-…
∗∗∗ Use one Virtual Machine to own them all — active exploitation of ESXicape ∗∗∗
---------------------------------------------
Yesterday, VMware quietly released patches for three ESXi zero day vulnerabilities: CVE-2025–22224, CVE-2025–22225, CVE-2025–22226. Although the advisory doesn’t explicitly say it, this is a hypervisor escape (aka a VM Escape). A threat actor with access to run code on a virtual machine can chain the three vulnerabilities to elevate access to the ESX hypervisor.
---------------------------------------------
https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exp…
∗∗∗ BadBox malware disrupted on 500K infected Android devices ∗∗∗
---------------------------------------------
The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. [..] The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones. These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/badbox-malware-disrupted-on-…
∗∗∗ Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool ∗∗∗
---------------------------------------------
Attackers blackmail YouTubers with complaints and account blocking threats, forcing them to distribute a miner disguised as a bypass tool.
---------------------------------------------
https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtu…
∗∗∗ The Russia-Ukraine Cyber War Part 3: Attacks on Telecom and Critical Infrastructure ∗∗∗
---------------------------------------------
This post is the third part of our blog series that tackles the Russia-Ukraine war in the digital realm.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-russia-…
∗∗∗ BAMF: Skurrile Testkonten ermöglichten unautorisierten Datenzugriff ∗∗∗
---------------------------------------------
Anhand von Screenshots der Web-Applikation sei ersichtlich gewesen, dass im Test- und Integrationssystem offenbar ein Account mit der Nutzerkennung "max.mustermann(a)testtraeger.de" existierte. Die Domain sei noch frei gewesen.
---------------------------------------------
https://www.heise.de/news/BAMF-Skurrile-Testkonten-ermoeglichten-unautorisi…
∗∗∗ Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems ∗∗∗
---------------------------------------------
Adversaries widely abuse TDS infrastructure to build dynamic and resilient network infrastructure for malicious web services. These redirection networks enhance resilience against takedowns and enable scaling and cloaking of malicious content.
---------------------------------------------
https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribu…
∗∗∗ CVE-2024-43639: Remote Code Execution in Microsoft Windows KDC Proxy ∗∗∗
---------------------------------------------
The following is a portion of their write-up covering CVE-2024-43639, with a few minimal modifications. [..] This vulnerability was patched by the vendor in November. To date, no attacks have been detected in the wild.
---------------------------------------------
https://www.thezdi.com/blog/2025/3/3/cve-2024-43639
∗∗∗ Scammers Mailing Ransom Letters While Posing as BianLian Ransomware ∗∗∗
---------------------------------------------
Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses.
---------------------------------------------
https://hackread.com/scammers-mailing-ransom-letters-bianlian-ransomware/
∗∗∗ LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan ∗∗∗
---------------------------------------------
Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. [..] The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact individuals outside of their immediate network. The email effectively leverages LinkedIn’s branding, convincingly creating legitimacy.
---------------------------------------------
https://hackread.com/scammers-fake-linkedin-inmail-deliver-connectwise-troj…
∗∗∗ GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities ∗∗∗
---------------------------------------------
On March 3, 2025, the Cybersecurity and Infrastructure Security Agency added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming their exploitation in the wild. [..] CVE-2022-43939 (Authorization Bypass) & CVE-2022-43769 (Special Element Injection) Hitachi Vantara Pentaho BA Server [..] CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability.
---------------------------------------------
https://www.greynoise.io/blog/greynoise-observes-exploitation-three-newly-a…
∗∗∗ GoStringUngarbler: Deobfuscating Strings in Garbled Binaries ∗∗∗
---------------------------------------------
In this blog post, we'll detail garble’s string transformations and the process of automatically deobfuscating them.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-…
∗∗∗ Trigon: developing a deterministic kernel exploit for iOS ∗∗∗
---------------------------------------------
CVE-2023-32434 was an integer overflow in the VM subsystem of the XNU kernel. It was patched in iOS 16.5.1 after being found in-the-wild as part of the Operation Triangulation spyware chain, discovered after it was used to infect a group of security researchers at Kaspersky. These researchers then captured and reverse-engineered the entire chain, leading to the patching of a WebKit bug, a kernel bug, a userspace PAC bypass and a PPL (and, technically, a KTRR) bypass. [..] This writeup simply shows the steps involved in the final, working exploit. It does not, however, convey just how many failed ideas and attempts there were during the process.
---------------------------------------------
https://alfiecg.uk/2025/03/01/Trigon.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice), Fedora (exim and fscrypt), Red Hat (kernel), Slackware (mozilla), SUSE (docker, firefox, and podman), and Ubuntu (linux, linux-lowlatency, linux-lowlatency-hwe-5.15, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-oem-6.11, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-aws, linux-gcp, linux-hwe-6.11, linux-oracle, linux-raspi, linux-realtime, linux-aws, linux-gkeop, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, and linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop).
---------------------------------------------
https://lwn.net/Articles/1013063/
∗∗∗ Cisco Secure Client for Windows with Secure Firewall Posture Engine DLL Hijacking Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security Vulnerabilities fixed in Thunderbird ESR 128.8 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 136 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-17/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 03-03-2025 18:00 − Dienstag 04-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Polish Space Agency offline as it recovers from cyberattack ∗∗∗
---------------------------------------------
The Polish Space Agency (POLSA) has been offline since it disconnected its systems from the Internet over the weekend to contain a breach of its IT infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/polish-space-agency-offline-…
∗∗∗ Booking a Threat: Inside LummaStealers Fake reCAPTCHA ∗∗∗
---------------------------------------------
Cybercriminals are taking advantage of the increased demand in travel by setting up fake booking sites, phishing scams and fraudulent listings to trick unsuspecting travelers.
---------------------------------------------
https://www.gdatasoftware.com/blog/2025/03/38154-lummastealer-fake-recaptcha
∗∗∗ KI-Trainingsdaten: Tausende gültiger API-Keys in gecrawlten Webdaten entdeckt ∗∗∗
---------------------------------------------
Bei der Analyse eines frei verfügbaren Archivs mit rund 400 TBytes an Websitedaten haben Forscher fast 12.000 gültige API-Keys und Passwörter gefunden.
---------------------------------------------
https://www.golem.de/news/ki-trainingsdaten-tausende-gueltiger-api-keys-in-…
∗∗∗ Kritische Lücke in VMware ESXi, Fusion und Workstation wird missbraucht ∗∗∗
---------------------------------------------
Broadcom warnt vor teils kritischen Sicherheitslecks in VMware ESXi, Fusion und Workstation. Angreifer missbrauchen sie bereits.
---------------------------------------------
https://www.heise.de/news/Kritische-Luecke-in-VMware-ESXi-Fusion-und-Workst…
∗∗∗ DNSSEC NSEC. The accidental treasure map to your subdomains ∗∗∗
---------------------------------------------
TL;DR: DNSSEC secures DNS but may unintentionally expose domain structures via NSEC/NSEC3 records, enabling zone walking to enumerate subdomains. NSEC openly lists domain names, making enumeration easy. NSEC3 hashes ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/dnssec-nsec-the-accidental-tr…
∗∗∗ MeinELBA-Zugang läuft bald ab? Vorsicht, Phishing-Versuch! ∗∗∗
---------------------------------------------
Kriminelle versenden aktuell wieder vermehrt SMS-Nachrichten, in denen vor einem Ablaufen des MeinELBA-Zugangs gewarnt wird. Wer verlängern möchte, müsse einen Link anklicken und auf einer vermeintlichen Login-Seite seine Onlinebanking-Daten eingeben. Diese Seite ist natürlich eine Fälschung. Allerdings eine sehr gut gemachte! Wie Sie sie erkennen und was Sie tun können, wenn Sie dort vertrauliche Informationen eingegeben haben, verrät dieser Artikel.
---------------------------------------------
https://www.watchlist-internet.at/news/meinelba-zugang-phishing/
∗∗∗ A Revision of the EU Cybersecurity Blueprint ∗∗∗
---------------------------------------------
The original EU cybersecurity blueprint from 2017 (officially: “Commission Recommendation of 13.9.2017 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises”) is now close to seven years old and an update is overdue. The Commission recently published a draft for an updated version, and I’d like to take this opportunity to ..
---------------------------------------------
https://www.cert.at/en/blog/2025/3/a-revision-of-the-eu-cybersecurity-bluep…
∗∗∗ Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? ∗∗∗
---------------------------------------------
Two blockbuster stories published on Friday that appear to confirm what many Americans suspected would occur under the Trump administration – that the new regime is going to be softer on Russia than previous administrations, particularly with regard to the threat that Russia poses in cyber space. Since publication, however, ..
---------------------------------------------
https://www.zetter-zeroday.com/did-trump-admin-order-u-s-cyber-command-and-…
∗∗∗ The Dangers of Exposed Secrets – and How to Prevent Them ∗∗∗
---------------------------------------------
Modern enterprise software relies on authentication tokens, API keys, encryption keys, certificates, and other sensitive credentials to enable secure communication between applications, microservices, APIs, and DevOps pipelines. However, these secrets often end up hardcoded in source code during the development process, whether unintentionally or as a shortcut for quick ..
---------------------------------------------
https://checkmarx.com/blog/exposed-secrets-and-how-to-prevent-them/
∗∗∗ Do not run any Cargo commands on untrusted projects ∗∗∗
---------------------------------------------
TL;DR: Treat anything starting with cargo as if it is cargo run.
---------------------------------------------
https://shnatsel.medium.com/do-not-run-any-cargo-commands-on-untrusted-proj…
∗∗∗ Hacking the Xbox 360 Hypervisor Part 2: The Bad Update Exploit ∗∗∗
---------------------------------------------
Welcome to part 2 of the Hacking the Xbox 360 Hypervisor blog series. In this part I’ll cover how I found and exploited bugs in the Xbox 360 hypervisor to get full code execution and create the “Bad Update” exploit. If you haven’t already, I highly recommend you read (or at least skim through) part 1 as this post will reference a lot of the material discussed there.
---------------------------------------------
https://icode4.coffee/?p=1081
=====================
= Vulnerabilities =
=====================
∗∗∗ Docusnap Inventory Files Encrypted with Static Key ∗∗∗
---------------------------------------------
Inventory files created by Docusnap, containing information like installed programs, firewall rules and local administrators, are encrypted with a static key. The decryption key can be obtained easily from the .NET application, downloadable from the vendor’s website. When following Docusnap’s installation instructions for Windows Domains, every domain user has read access to these files.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-012/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.8 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.21 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-15/
∗∗∗ Security Vulnerabilities fixed in Firefox 136 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-14/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 28-02-2025 18:00 − Montag 03-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks ∗∗∗
---------------------------------------------
Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-par…
∗∗∗ Ohne Nutzerinteraktion: Wie Hacker fremde Gitlab-Accounts übernehmen konnten ∗∗∗
---------------------------------------------
Letztes Jahr hat Gitlab eine gefährliche Sicherheitslücke geschlossen. Ein neuer Bericht zeigt, wie leicht sich damit fremde Konten kapern ließen.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-per-passwort-reset-fremde-gitla…
∗∗∗ Mobile malware evolution in 2024 ∗∗∗
---------------------------------------------
The most notable mobile threats of 2024, and statistics on Android-specific malware, adware and potentially unwanted software.
---------------------------------------------
https://securelist.com/mobile-threat-report-2024/115494/
∗∗∗ Dornröschenschlaf: mit diesem einfachen Trick Crowdstrike Falcon zähmen ∗∗∗
---------------------------------------------
Nachdem Angreifer die Rechte eines Benutzers mit "NT AUTHORITY\SYSTEM" Berechtigungen erlangt haben, indem andere Schwachstellen ..
---------------------------------------------
https://sec-consult.com/de/blog/detail/dornroeschenschlaf-mit-diesem-einfac…
∗∗∗ Vo1d Botnets Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries ∗∗∗
---------------------------------------------
Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d.The improved variant of Vo1d has been found to encompass 800,000 daily active IP ..
---------------------------------------------
https://thehackernews.com/2025/03/vo1d-botnets-peak-surpasses-159m.html
∗∗∗ Cybersecurity not the hiring-em-like-hotcakes role it once was ∗∗∗
---------------------------------------------
Ghost positions, HR AI no help – biz should talk to infosec staff and create realistic job outline, say experts Analysis Its a familiar refrain in the security industry that there is a massive skills gap in the sector. And while its true there are specific shortages in certain areas, some industry watchers believe we may be reaching the point of oversupply for generalists.
---------------------------------------------
https://www.theregister.com/2025/03/03/cybersecurity_jobs_market/
∗∗∗ Massive Sicherheitslücken bei Gebäude-Zugangssystemen entdeckt ∗∗∗
---------------------------------------------
Cyberkriminelle können leicht auf Zugangssysteme von Gebäuden weltweit zugreifen. Eine Studie nennt das Ausmaß und die Ursachen.
---------------------------------------------
https://www.heise.de/news/Massive-Sicherheitsluecken-bei-Gebaeude-Zugangssy…
∗∗∗ Angreifer bringen verwundbaren Paragon-Treiber mit und missbrauchen ihn ∗∗∗
---------------------------------------------
Angreifer missbrauchen ein Leck in einem Treiber von Paragon Partition Manager. Besonders gefährlich: den können sie selbst mitbringen.
---------------------------------------------
https://www.heise.de/news/Sicherheitsleck-in-Treiber-von-Paragon-Partition-…
∗∗∗ Thule-Radanhänger: Pedalritter im Visier von Fake-Shops ∗∗∗
---------------------------------------------
Die Fahrradanhänger des Traditionsunternehmens Thule genießen zurecht einen hervorragenden Ruf. Diesen machen sich Kriminelle aber immer wieder zu Nutze. Sie bauen den Thule-Onlinestore nach und locken ihre Opfer dort mit vermeintlichen Top-Schnäppchen in die Falle. In diesem Artikel erfahren Sie, wie Sie die Fake-Shops erkennen können und welche Optionen Sie im Fall einer getätigten Zahlung noch haben.
---------------------------------------------
https://www.watchlist-internet.at/news/thule-radanhaenger-fake-shops/
∗∗∗ Uncovering .NET Malware Obfuscated by Encryption and Virtualization ∗∗∗
---------------------------------------------
Malware authors use AES encryption and code virtualization to evade sandbox static analysis. We explore how this facilitates spread of Agent Tesla, XWorm and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/malware-obfuscation-techniques/
∗∗∗ Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal ∗∗∗
---------------------------------------------
In this blog entry, we discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomwar…
∗∗∗ Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions ∗∗∗
---------------------------------------------
Rosetta 2 is Apples translation technology for running x86-64 binaries on Apple Silicon (ARM64) macOS systems.Rosetta 2 translation creates a cache of Ahead-Of-Time (AOT) files that can serve as valuable forensic artifacts.Mandiant has observed sophisticated threat actors leveraging x86-64 compiled macOS malware, likely due to broader ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/rosetta2-artifacts…
∗∗∗ how to gain code execution on millions of people and hundreds of popular apps ∗∗∗
---------------------------------------------
.. and of course, firebase was (partially) the cause
---------------------------------------------
https://kibty.town/blog/todesktop/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, kernel, linux-6.1, mariadb-10.5, proftpd-dfsg, and xorg-server), Fedora (chromium, cutter-re, iniparser, nodejs22, rizin, webkitgtk, wireshark, xen, and xorg-x11-server), Mageia (binutils and ffmpeg), Oracle (emacs and kernel), Red Hat (emacs and webkit2gtk3), SUSE (azure-cli, bsdtar, gnutls, govulncheck-vulndb, ..
---------------------------------------------
https://lwn.net/Articles/1012760/
∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exp…
∗∗∗ DSA-5872-1 xorg-server - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00034.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 27-02-2025 18:00 − Freitag 28-02-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Auch in Deutschland: 49.000 Zutrittskontrollsysteme hängen ungeschützt am Netz ∗∗∗
---------------------------------------------
Weltweit sorgen unzählige Zutrittskontrollsysteme (AMS – Access Management Systems) dafür, dass nur berechtigte Personen beispielsweise per Codeeingabe, Fingerabdruck oder RFID-Schlüsselkarte Zugang zu bestimmten Arealen, Gebäuden oder Räumlichkeiten haben. Sicherheitsforscher von Modat haben über 49.000 solcher Systeme entdeckt, die sich aufgrund von Konfigurationsfehlern manipulieren lassen und über das Internet erreichbar sind.
---------------------------------------------
https://www.golem.de/news/auch-in-deutschland-49-000-zutrittskontrollsystem…
∗∗∗ The SOC files: Chasing the web shell ∗∗∗
---------------------------------------------
Kaspersky SOC analysts discuss a recent incident where the well-known Behinder web shell was used as a post-exploitation backdoor, showing how web shells have evolved.
---------------------------------------------
https://securelist.com/soc-files-web-shell-chase/115714/
∗∗∗ 5,000 Phishing PDFs on 260 Domains Distribute Lumma Stealer via Fake CAPTCHAs ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflows content delivery network (CDN) to deliver the Lumma stealer malware.
---------------------------------------------
https://thehackernews.com/2025/02/5000-phishing-pdfs-on-260-domains.html
∗∗∗ Cyber-Bande Cl0p: Angeblich Daten bei HP und HPE geklaut ∗∗∗
---------------------------------------------
Insgesamt 230 neue Opfer listet die kriminelle Gruppe Cl0p auf ihrer Darknet-Webseite auf. Darunter sind auch namhafte wie HP und HPE. [..] Die Kriminellen nennen auch kein Datum als Ultimatum, bis wann sich die angeblichen Opfer melden müssten. Belege für den Datenabzug liefert Cl0p ebenfalls nicht. In der Vergangenheit hatten sich die behaupteten Angriffe jedoch als wahr herausgestellt.
---------------------------------------------
https://www.heise.de/news/Cyber-Bande-Cl0p-Angeblich-Daten-bei-HP-und-HPE-g…
∗∗∗ Warning issued as hackers offer firms fake cybersecurity audits to break into their systems ∗∗∗
---------------------------------------------
Companies are being warned that malicious hackers are using a novel technique to break into businesses - by pretending to offer audits of the companys cybersecurity.
---------------------------------------------
https://www.tripwire.com/state-of-security/beware-fake-cybersecurity-audits…
∗∗∗ Attack and Defense in OT: Enhancing Cyber Resilience in Industrial Systems with Red Team Operations ∗∗∗
---------------------------------------------
This edition of the series focuses on how Red Team assessments can assist companies in identifying and mitigating threats in OT environments. After giving some background about the current threat landscape and terminology, we start by explaining how an external attacker gains an initial foothold in the network.
---------------------------------------------
https://blog.nviso.eu/2025/02/28/attack-and-defense-in-ot-enhancing-cyber-r…
∗∗∗ Microsoft: Unsichere DES-Verschlüsselung fliegt aus Windows raus ∗∗∗
---------------------------------------------
Microsoft hat jetzt angekündigt, dass der lange als unsicher geltende Cipher DES zum September aus Windows entfernt wird. [..] Bereits 1998 haben IT-Sicherheitsforscher demonstriert, dass DES-Schlüssel, die aufgrund US-amerikanischer Export-Beschränkungen zudem auf 56 Bit Länge beschränkt waren, innerhalb von nicht einmal drei Tagen und mit begrenztem Budget zu knacken waren.
---------------------------------------------
https://heise.de/-10299473
∗∗∗ Next-Gen Phishing Techniques – How Back-End Tech Made Scams More Effective ∗∗∗
---------------------------------------------
Today’s sophisticated back-end technologies take phishing and social engineering to the next level. Hackers are now able to create not only better messages but also more convincing, harder-to-detect phishing websites.
---------------------------------------------
https://heimdalsecurity.com/blog/next-gen-phishing-techniques/
=====================
= Vulnerabilities =
=====================
∗∗∗ Videoeditor DaVinci Resolve ermöglicht Rechteausweitung in macOS ∗∗∗
---------------------------------------------
Das polnische CERT warnt vor einer Schwachstelle in der Video-Editiersoftware DaVinci Resolve für Macs.
---------------------------------------------
https://www.heise.de/news/Videoeditor-DaVinci-Resolve-ermoeglicht-Rechteaus…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (emacs, freerdp2, and gst-plugins-good1.0), Fedora (java-17-openjdk, python3.6, and xorg-x11-server-Xwayland), Mageia (radare2), SUSE (libX11, openvswitch3, postgresql13, procps, ruby2.5, webkit2gtk3, and xorg-x11-server), and Ubuntu (git, linux-aws, linux-aws, linux-aws-6.8, linux-aws, linux-oracle, linux-oracle-5.4, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, and linux-oem-6.11).
---------------------------------------------
https://lwn.net/Articles/1012367/
∗∗∗ DSA-5871-1 emacs - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00033.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 26-02-2025 18:00 − Donnerstag 27-02-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ The surveillance tech waiting for workers as they return to the office ∗∗∗
---------------------------------------------
Warehouse-style employee-tracking technology is coming for the office worker.
---------------------------------------------
https://arstechnica.com/information-technology/2025/02/the-surveillance-tec…
∗∗∗ Find-My-Netzwerk: Angriff macht fremde Bluetooth-Geräte trackbar wie Airtags ∗∗∗
---------------------------------------------
Forscher haben einen Weg gefunden, fremde Bluetooth-Geräte mit hoher Genauigkeit zu orten - mit erheblichen Auswirkungen auf die Privatsphäre.
---------------------------------------------
https://www.golem.de/news/find-my-netzwerk-angriff-macht-fremde-bluetooth-g…
∗∗∗ Wallbleed vulnerability unearths secrets of Chinas Great Firewall 125 bytes at a time ∗∗∗
---------------------------------------------
Boffins poked around inside censorship engines for years before Beijing patched hole Smart folks investigating a memory-dumping vulnerability in the Great Firewall of China (GFW) finally released their findings after probing it for years.
---------------------------------------------
https://www.theregister.com/2025/02/27/wallbleed_vulnerability_great_firewa…
∗∗∗ U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason” ∗∗∗
---------------------------------------------
A U.S. Army soldier who pleaded guilty last week to leaking phone records for high-ranking U.S. government officials searched online for non-extradition countries and for an answer to the question "can hacking be treason?" prosecutors in the case said Wednesday. The government disclosed the details in a court motion to keep the defendant in custody until he is discharged from the military.
---------------------------------------------
https://krebsonsecurity.com/2025/02/u-s-soldier-charged-in-att-hack-searche…
∗∗∗ Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations ∗∗∗
---------------------------------------------
We analyze the backdoor Squidoor, used by a suspected Chinese threat actor to steal sensitive information. This multi-platform backdoor is built for stealth.
---------------------------------------------
https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
∗∗∗ Belgium probes suspected Chinese hack of state security service ∗∗∗
---------------------------------------------
A breach of the Belgian state security services email system appears to be the work of Chinese state-backed hackers, according to prosecutors.
---------------------------------------------
https://therecord.media/belgium-investigation-alleged-china-cyber-espionage…
∗∗∗ Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools ∗∗∗
---------------------------------------------
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
---------------------------------------------
https://blog.talosintelligence.com/lotus-blossom-espionage-group/
∗∗∗ Russian campaign targeting Romanian WhatsApp numbers ∗∗∗
---------------------------------------------
We’ve identified a campaign that advises people to vote for a contest so they can win “prizes”. The only “prize” is that they’ll lose access to their WhatsApp account. Multiple hints indicate that the campaign originates from Russia. This ..
---------------------------------------------
https://cybergeeks.tech/russian-campaign-targeting-romanian-whatsapp-number…
∗∗∗ GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs ∗∗∗
---------------------------------------------
Ransomware group Black Basta’s chat logs were leaked, revealing 62 mentioned CVEs (Source: VulnCheck). GreyNoise identified 23 of these CVEs as actively exploited, with some targeted in the last 24 hours. Notably, CVE-2023-6875 is ..
---------------------------------------------
https://www.greynoise.io/blog/greynoise-detects-active-exploitation-cves-bl…
∗∗∗ GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready? ∗∗∗
---------------------------------------------
Attackers are automating exploitation at scale, targeting both new and old vulnerabilities — some before appearing in KEV. Our latest report breaks down which CVEs were exploited most in 2024, how ransomware groups are leveraging mass ..
---------------------------------------------
https://www.greynoise.io/blog/2025-mass-internet-exploitation-report
∗∗∗ Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav ∗∗∗
---------------------------------------------
When performing LLMNR/mDNS/NBTNS poisoning in an Active Directory environment, it is fairly common to be able to trigger SMB authentications to an attacker-controlled machine. This kind of authentication may be useful, but is rather limited from a relaying standpoint, due to the fact that Windows SMB clients ..
---------------------------------------------
https://www.synacktiv.com/publications/taking-the-relaying-capabilities-of-…
∗∗∗ MITRE Releases OCCULT Framework ∗∗∗
---------------------------------------------
The Operational Evaluation Framework for Cyber Security Risks in AI (OCCULT) is a pioneering methodology developed by MITRE to assess the potential risks posed by large language models (LLMs) in offensive cyber operations (OCO). As AI technology advances, there is an increasing concern about its misuse in executing sophisticated cyberattacks. The OCCULT Framework aims to […]
---------------------------------------------
https://thecyberthrone.in/2025/02/27/mitre-releases-occult-framework/
=====================
= Vulnerabilities =
=====================
∗∗∗ XSA-467 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-467.html
∗∗∗ ZDI-25-100: Linux Kernel ksmbd Session Setup Race Condition Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability. However, only systems with ksmbd enabled are vulnerable. The ZDI has assigned a CVSS rating of 9.0.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-100/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 25-02-2025 18:00 − Mittwoch 26-02-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Datenleck-Such-Website Have I Been Pwned um 284 Millionen Accounts aufgestockt ∗∗∗
---------------------------------------------
Im Telegram-Kanal ALIEN TXTBASE wurden von Infostealer-Malware erbeute Mailadressen und Passwörter geteilt. Diese Daten sind nun in HIBP integriert.
---------------------------------------------
https://www.heise.de/news/Datenleck-Such-Website-Have-I-Been-Pwned-um-284-M…
∗∗∗ Russian officials warn of potential compromise of major tech services provider ∗∗∗
---------------------------------------------
In an unusual public disclosure, the Russian government said that subsidiaries of LANIT, a major tech services provider, had potentially been breached.
---------------------------------------------
https://therecord.media/lanit-russia-government-contractor-potential-compro…
∗∗∗ EncryptHub breaches 618 orgs to deploy infostealers, ransomware ∗∗∗
---------------------------------------------
A threat actor tracked as EncryptHub, aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs…
∗∗∗ Cyberattacken: Lücken in Zimbra und Microsoft Partner Center werden angegriffen ∗∗∗
---------------------------------------------
Ältere Sicherheitslücken in Zimbra und Microsoft Partner Center werden aktuell angegriffen, warnt die US-IT-Sicherheitsbehörde CISA.
---------------------------------------------
https://heise.de/-10296961
∗∗∗ Wenn Fußballliebe teuer wird: Fake-Shops im Namen von Manchester United, Real Madrid oder FC Barcelona ∗∗∗
---------------------------------------------
Betrüger:innen imitieren immer wieder die Onlinestores der Top-Clubs und locken mit niedrigsten Preisen. Die Fans freuen sich über ein vermeintliches Super-Sonderangebot. Die Ware erhalten Sie aber nie, das Geld ist weg.
---------------------------------------------
https://www.watchlist-internet.at/news/fussball-fake-shops/
∗∗∗ Android happy to check your nudes before you forward them ∗∗∗
---------------------------------------------
The Android app SafetyCore was silently installed and looks at incoming and outgoing pictures to check their decency. [..] The good people at ZDNet provided instructions on how to get rid of SafetyCore or disable it if you would like to do so.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/02/android-happy-to-check-your-…
∗∗∗ Exploits and vulnerabilities in Q4 2024 ∗∗∗
---------------------------------------------
This report provides statistics on vulnerabilities and exploits and discusses the most frequently exploited vulnerabilities in Q4 2024.
---------------------------------------------
https://securelist.com/vulnerabilities-and-exploits-in-q4-2024/115761/
∗∗∗ The Best Security Is When We All Agree To Keep Everything Secret (Except The Secrets) - NAKIVO Backup & Replication (CVE-2024-48248) ∗∗∗
---------------------------------------------
Today, we’re here to talk about an unauthenticated Arbitrary File Read vulnerability we discovered in NAKIVO's Backup and Replication solution - specifically in version 10.11.3.86570 [..] 18th October 2024 watchTowr is assigned CVE-2024-48248 for this vulnerability [..] 4th November 2024: NAKIVO silently patches the vulnerability (v11.0.0.88174)
---------------------------------------------
https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-e…
∗∗∗ A dive into the Rockchip Bootloader ∗∗∗
---------------------------------------------
Rockchip has a structured sequence of bootloaders. Using various plugs can allow access to the MCU’s RAM and storage. There are many utilities to allow reading of information from the MCU. Use this guide to access and reverse engineer bootloaders.
---------------------------------------------
https://www.pentestpartners.com/security-blog/a-dive-into-the-rockchip-boot…
∗∗∗ Technical Advisory: Multiple Vulnerabilities in TCPDF ∗∗∗
---------------------------------------------
NCC Group has identified multiple vulnerabilities in TCPDF, which is a popular library used for PDF generation. [..] 12/23/24 - Vendor releases version 6.8.0 to address issues.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/technical-advisory-multiple-vulne…
∗∗∗ Pwn everything Bounce everywhere all at once (part 1) ∗∗∗
---------------------------------------------
The following article describes how, during an "assumed breach" security audit, we compromised multiple web applications on our client's network in order to carry out a watering hole attack by installing fake Single Sign-On pages on the compromised servers.
---------------------------------------------
http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part…
∗∗∗ Pwn everything Bounce everywhere all at once (part 2) ∗∗∗
---------------------------------------------
In our second episode we take a look at SOPlanning, a project management application that we encountered during the audit.
---------------------------------------------
http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part…
=====================
= Vulnerabilities =
=====================
∗∗∗ Synology-SA-25:03 DSM ∗∗∗
---------------------------------------------
A vulnerability allows attackers to read any file via writable Network File System (NFS) service.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_03
∗∗∗ Cisco Application Policy Infrastructure Controller Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Nexus 3000 and 9000 Series Switches Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Nexus 3000 and 9000 Series Switches Health Monitoring Diagnostics Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 24-02-2025 18:00 − Dienstag 25-02-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Parallels Desktop: Zero-Day-Exploit verleiht Angreifern Root-Zugriff auf MacOS ∗∗∗
---------------------------------------------
Eigentlich gibt es für die Sicherheitslücke längst einen Patch. Effektiv ist dieser aber wohl nicht. Ein Forscher zeigt, wie er sich umgehen lässt.
---------------------------------------------
https://www.golem.de/news/patch-laesst-sich-umgehen-root-luecke-in-parallel…
∗∗∗ Google binning SMS MFA at last and replacing it with QR codes ∗∗∗
---------------------------------------------
Everyone knew texted OTPs were a dud back in 2016 Google has confirmed it will phase out the use of SMS text messages for multi-factor authentication in favor of more secure technologies.
---------------------------------------------
https://www.theregister.com/2025/02/25/google_sms_qr/
∗∗∗ How nice that state-of-the-art LLMs reveal their reasoning ... for miscreants to exploit ∗∗∗
---------------------------------------------
Blueprints shared for jail-breaking models that expose their chain-of-thought process Analysis AI models like OpenAI o1/o3, DeepSeek-R1, and Gemini 2.0 Flash Thinking can mimic human reasoning through a process called chain of thought.
---------------------------------------------
https://www.theregister.com/2025/02/25/chain_of_thought_jailbreaking/
∗∗∗ Malware variants that target operational tech systems are very rare – but 2 were found last year ∗∗∗
---------------------------------------------
Fuxnet and FrostyGoop were both used in the Russia-Ukraine war Two new malware variants specifically designed to disrupt critical industrial processes were set loose on operational technology networks last year, shutting off heat to more than 600 apartment buildings in one instance and jamming communications to gas, water, and sewage network sensors in the other.
---------------------------------------------
https://www.theregister.com/2025/02/25/new_ics_malware_dragos/
∗∗∗ This Russian Tech Bro Helped Steal $93 Million and Landed in US Prison. Then Putin Called ∗∗∗
---------------------------------------------
In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time.
---------------------------------------------
https://www.wired.com/story/russian-prisoner-swap-vladislav-klyushin-evan-g…
∗∗∗ ‘OpenAI’ Job Scam Targeted International Workers Through Telegram ∗∗∗
---------------------------------------------
An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED.
---------------------------------------------
https://www.wired.com/story/openai-job-scam/
∗∗∗ DeepSeek Lure Using CAPTCHAs To Spread Malware ∗∗∗
---------------------------------------------
The rapid rise of generative AI tools has created opportunities and challenges for cybercriminals. In an instant, industries are being reshaped while new attack surfaces are being exposed. DeepSeek AI chatbot that launched on January 20, 2025, quickly gained international attention, making it a prime target for abuse. Leveraging a tactic known as brand ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captcha…
∗∗∗ Password-Spraying-Angriff auf M365-Konten von Botnet mit über 130.000 Drohnen ∗∗∗
---------------------------------------------
IT-Forscher haben ein Botnet aus mehr als 130.000 Drohnen bei Password-Spraying-Angriffen gegen Microsoft-365-Konten beobachtet.
---------------------------------------------
https://www.heise.de/news/Password-Spraying-Angriff-auf-M365-Konten-von-Bot…
∗∗∗ Background check provider data breach affects 3 million people who may not have heard of the company ∗∗∗
---------------------------------------------
Background check provider DISA has disclosed a major data breach which may have affected over 3 million people.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/02/background-check-provider-da…
∗∗∗ 100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin ∗∗∗
---------------------------------------------
100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin.
---------------------------------------------
https://www.wordfence.com/blog/2025/02/100000-wordpress-sites-affected-by-a…
∗∗∗ Vorsicht, Phishing: „Ihre Registrierung für die Finanz Online-ID läuft ab“ ∗∗∗
---------------------------------------------
Aktuell werden immer wieder E-Mails und SMS-Nachrichten mit der Warnung vor einer angeblich ablaufenden Nutzer-ID für FinanzOnline versendet. Wer auf den mitgesendeten Link klickt und den Anweisungen folgt, gibt allerdings wichtige persönliche Daten an Betrüger:innen weiter.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-finanz-online-id/
∗∗∗ Mixing up Public and Private Keys in OpenID Connect deployments ∗∗∗
---------------------------------------------
I am developing a tool to check cryptographic public keys for known vulnerabilities called badkeys. During the Q&A session of a presentation about badkeys at the German OWASP Day, I was asked whether I had ever used badkeys to check cryptographic keys in OpenID Connect setups. I had not until then. OpenID Connect is a single sign-on protocol that allows ..
---------------------------------------------
https://blog.hboeck.de:443/archives/909-Mixing-up-Public-and-Private-Keys-i…
∗∗∗ Auto-Color: An Emerging and Evasive Linux Backdoor ∗∗∗
---------------------------------------------
The new Linux malware named Auto-color uses advanced evasion tactics. Discovered by Unit 42, this article cover its installation, evasion features and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/
∗∗∗ Swedish authorities seek backdoor to encrypted messaging apps ∗∗∗
---------------------------------------------
Sweden’s law enforcement and security agencies are pushing legislation to force Signal and WhatsApp to create technical backdoors allowing them to access communications sent over the encrypted messaging apps.
---------------------------------------------
https://therecord.media/sweden-seeks-backdoor-access-to-messaging-apps
∗∗∗ Siberias largest dairy plant reportedly disrupted with LockBit variant ∗∗∗
---------------------------------------------
Reports said the dairy company Sayanmolokos plant in Semyonishna was attacked with LockBit ransomware, possibly because of its support for Russian troops in Ukraine. Company printers reportedly churned out leaflets.
---------------------------------------------
https://therecord.media/siberia-dairy-plant-cyberattack-lockbit-variant
∗∗∗ Your item has sold! Avoiding scams targeting online sellers ∗∗∗
---------------------------------------------
There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms.
---------------------------------------------
https://blog.talosintelligence.com/online-marketplace-scams/
∗∗∗ GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks ∗∗∗
---------------------------------------------
GreyNoise has observed exploitation attempts targeting two Cisco vulnerabilities, CVE-2023-20198 and CVE-2018-0171. CVE-2023-20198 is being actively exploited by over 110 malicious IPs, primarily from Bulgaria, Brazil, and Singapore, while CVE-2018-0171 has seen exploitation attempts from two malicious IPs traced to Switzerland and the United States. These ..
---------------------------------------------
https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-cis…
∗∗∗ TON Wallet Security Threat: Malicious npm Package Steals Cryptocurrency Wallet Keys ∗∗∗
---------------------------------------------
The Socket Research Team has discovered a malicious npm package, @ton-wallet/create, that has been stealing mnemonic phrases from unsuspecting users and developers in the TON ecosystem. TON was built around The Open Network blockchain originally developed by Telegram and is widely used for decentralized applications (dApps), smart contracts, and ..
---------------------------------------------
https://socket.dev/blog/ton-wallet-security-threat-malicious-npm-package-st…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libpq, postgresql:13, postgresql:15, and postgresql:16), Debian (nodejs and php-nesbot-carbon), Mageia (neomutt), Red Hat (python3.11-urllib3 and tuned), SUSE (crun, ovmf, pam_pkcs11, qemu, and webkit2gtk3), and Ubuntu (iniparser, libcap2, linux, linux-hwe, linux, linux-hwe-5.4, linux, linux-lowlatency, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm-5.4, linux-azure, linux-azure-fde, linux-gkeop, linux-nvidia, ..
---------------------------------------------
https://lwn.net/Articles/1011764/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 21-02-2025 18:00 − Montag 24-02-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Do not fucking expose management interfaces to the Internet. ∗∗∗
---------------------------------------------
While infrastructure as code and other approaches to automated configuration management have become increasingly popular, in most organizations IT environments management interfaces - especially when it comes to edge devices such as firewalls, VPNs and other remote access solutions, and security appliances - are still very ..
---------------------------------------------
https://bytesandborscht.com/do-not-fucking-expose-management-interfaces-to-…
∗∗∗ Leaked chat logs expose inner workings of secretive ransomware group ∗∗∗
---------------------------------------------
Researchers are poring over the data and feeding it into ChatGPT.
---------------------------------------------
https://arstechnica.com/security/2025/02/leaked-chat-logs-expose-inner-work…
∗∗∗ How APT Naming Conventions Make Us Less Safe ∗∗∗
---------------------------------------------
Only by addressing the inefficiencies of current naming conventions can we create a safer, more resilient landscape for all defenders.
---------------------------------------------
https://www.darkreading.com/cyber-risk/how-apt-naming-conventions-make-us-l…
∗∗∗ Fernzugriff auf fremde Betten: Backdoor in smarter Matratzenauflage entdeckt ∗∗∗
---------------------------------------------
Die Auflage kann die Temperatur der Matratze regeln, Schlafdaten erfassen und Nutzer per Vibration wecken. Eine Backdoor verleiht Vollzugriff.
---------------------------------------------
https://www.golem.de/news/fernzugriff-auf-fremde-betten-backdoor-in-smarter…
∗∗∗ Neue Adresse: Phishing-Masche schockt Nutzer mit echten E-Mails von Paypal ∗∗∗
---------------------------------------------
Einige Paypal-Nutzer erhalten unerwartet E-Mails, die auf neu hinzugefügte Adressen hindeuten. Absender ist tatsächlich Paypal. Betrug ist es dennoch.
---------------------------------------------
https://www.golem.de/news/neue-adresse-phishing-masche-schockt-nutzer-mit-e…
∗∗∗ The GitVenom campaign: cryptocurrency theft using GitHub ∗∗∗
---------------------------------------------
Kaspersky researchers discovered GitVenom campaign distributing stealers and open-source backdoors via fake GitHub projects.
---------------------------------------------
https://securelist.com/gitvenom-campaign/115694/
∗∗∗ Australien verbannt Kaspersky von Regierungsrechnern ∗∗∗
---------------------------------------------
Zum Wochenende hat das australische Innenministerium die Installation von Kaspersky-Produkten auf Regierungsrechnern verboten.
---------------------------------------------
https://www.heise.de/news/Australien-verbannt-Kaspersky-von-Regierungsrechn…
∗∗∗ Trump 2.0 Brings Cuts to Cyber, Consumer Protections ∗∗∗
---------------------------------------------
One month into his second term, President Trumps actions to shrink the government through mass layoffs, firings and withholding funds allocated by Congress have thrown federal cybersecurity and consumer protection programs into disarray. At the same time, agencies are battling an ongoing effort by the worlds richest man to wrest control over their networks and data.
---------------------------------------------
https://krebsonsecurity.com/2025/02/trump-2-0-brings-cuts-to-cyber-consumer…
∗∗∗ Three questions about Apple, encryption, and the U.K. ∗∗∗
---------------------------------------------
Two weeks ago, the Washington Post reported that the U.K. government had issued a secret order to Apple demanding that the company include a “backdoor” into the company’s end-to-end encrypted iCloud Backup feature. From the article: The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted ..
---------------------------------------------
https://blog.cryptographyengineering.com/2025/02/23/three-questions-about-a…
∗∗∗ Confluence Exploit Leads to LockBit Ransomware ∗∗∗
---------------------------------------------
The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat ..
---------------------------------------------
https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ra…
∗∗∗ Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group ∗∗∗
---------------------------------------------
Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering.
---------------------------------------------
https://hackread.com/investigators-link-bybit-hack-north-korea-lazarus-grou…
∗∗∗ Phishing Campaigns Targeting Higher Education Institutions ∗∗∗
---------------------------------------------
Beginning in August 2024, Mandiant observed a notable increase in phishing attacks targeting the education industry, specifically U.S.-based universities. A separate investigation conducted by the Google’s Workspace Trust and Safety team identified a long-term campaign spanning from at least October 2022, with a noticeable pattern of shared filenames, targeting thousands of ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/phishing-targeting…
∗∗∗ Security Tips For Your AI Cloud Infrastructure ∗∗∗
---------------------------------------------
In the current panorama of AI expansion, more and more companies are deciding to take advantage of its powerful capabilities. However, using AI from scratch is not a piece of cake: algorithms complexity and data requirements, among others, may be ..
---------------------------------------------
https://www.nccgroup.com/us/research-blog/security-tips-for-your-ai-cloud-i…
∗∗∗ Threat Hunting via Autonomous System Numbers (ASN) ∗∗∗
---------------------------------------------
Nowadays, blocking specific IPs or domains after they start malicious activities, is becoming less effective due the ease of accessing global hosting services . However, if we focus on detect a bigger indicator, for example, rating Autonomous ..
---------------------------------------------
https://detect.fyi/threat-hunting-via-autonomous-system-numbers-asn-99e038d…
∗∗∗ Don’t recurse on untrusted input ∗∗∗
---------------------------------------------
We developed a simple CodeQL query to find denial-of-service (DoS) vulnerabilities in several high-profile Java projects.
---------------------------------------------
https://blog.trailofbits.com/2025/02/21/dont-recurse-on-untrusted-input/
=====================
= Vulnerabilities =
=====================
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 20-02-2025 18:00 − Freitag 21-02-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Angry Likho: Old beasts in a new forest ∗∗∗
---------------------------------------------
Kaspersky experts analyze the Angry Likho APT groups attacks, which use obfuscated AutoIt scripts and the Lumma stealer for data theft.
---------------------------------------------
https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/
∗∗∗ Three Years of Cyber Warfare: How Digital Attacks Have Shaped the Russia-Ukraine War ∗∗∗
---------------------------------------------
As the third anniversary of the start of the Russia-Ukraine war approaches, Trustwave SpiderLabs created a series of blog posts to look back, reflect upon, and explain how this 21st Century war is being fought not just on the ground, air, and sea but also in the realm of cyber.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/three-years…
∗∗∗ Ivanti endpoint manager can become endpoint ravager, thanks to quartet of critical flaws ∗∗∗
---------------------------------------------
PoC exploit code shows why this is a patch priority Security engineers have released a proof-of-concept exploit for four critical Ivanti Endpoint Manager bugs, giving those who havent already installed patches released in January extra incentive to revisit their to-do lists.
---------------------------------------------
https://www.theregister.com/2025/02/21/ivanti_traversal_flaw_poc_exploit/
∗∗∗ The National Institute of Standards and Technology Braces for Mass Firings ∗∗∗
---------------------------------------------
Approximately 500 NIST staffers, including at least three lab directors, are expected to lose their jobs at the safety-standards agency as part of the ongoing DOGE purge, sources tell WIRED.
---------------------------------------------
https://www.wired.com/story/the-national-institute-of-standards-and-technol…
∗∗∗ The US Is Considering a TP-Link Router Ban—Should You Worry? ∗∗∗
---------------------------------------------
Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links.
---------------------------------------------
https://www.wired.com/story/tp-link-router-ban-investigation/
∗∗∗ Ransomware im LLM: Forscher füttern ChatGPT mit Daten der "Black Basta"-Bande ∗∗∗
---------------------------------------------
Kriminelle hinter der "Ransomware as a Service" haben sich zerstritten, nun veröffentlichte ein Insider Chatnachrichten. Sie geben tiefe Einblicke.
---------------------------------------------
https://www.heise.de/news/Einblicke-in-Ransomware-Geschaeft-ChatGPT-kennt-I…
∗∗∗ Pen testing avionics under ED-203a ∗∗∗
---------------------------------------------
The aviation industry realised some time ago that taking a standard approach to the cyber security of its products was needed and that this was a specialist discipline. A family ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/pen-testing-avionics-under-ed…
∗∗∗ Nach Hackerangriff auf Stadtgemeinde Tulln: Systeme wieder verfügbar ∗∗∗
---------------------------------------------
Derzeit gibt es keine Hinweise auf einen Datenabfluss. Der Angriff fand am 11. Februar statt
---------------------------------------------
https://www.derstandard.at/story/3000000258352/nach-hackerangriff-auf-stadt…
∗∗∗ Investigating LLM Jailbreaking of Popular Generative AI Web Products ∗∗∗
---------------------------------------------
We discuss vulnerabilities in popular GenAI web products to LLM jailbreaks. Single-turn strategies remain effective, but multi-turn approaches show greater success.
---------------------------------------------
https://unit42.paloaltonetworks.com/jailbreaking-generative-ai-web-products/
∗∗∗ China-linked hackers target European healthcare orgs in suspected espionage campaign ∗∗∗
---------------------------------------------
A previously unknown hacking group has been spotted targeting European healthcare organizations using spyware linked to Chinese state-backed hackers and a new ransomware strain, researchers said.
---------------------------------------------
https://therecord.media/china-linked-hackers-target-european-health-orgs
∗∗∗ Black Basta is latest ransomware group to be hit by leak of chat logs ∗∗∗
---------------------------------------------
Cybersecurity researchers are analyzing about 200,000 messages from inside the high-profile Black Basta ransomware operation that were leaked recently.
---------------------------------------------
https://therecord.media/black-basta-ransomware-group-chat-logs-leaked
∗∗∗ Apple turns off iCloud encryption feature in UK following reported government legal order ∗∗∗
---------------------------------------------
The removal of the Advanced Data Protection (ADP) feature in the U.K. follows the British government reportedly issuing a secret legal demand to Apple to provide it with access to encrypted iCloud accounts.
---------------------------------------------
https://therecord.media/apple-encryption-feature-off-britain
∗∗∗ LummaC2 Malware Distributed Disguised as Total Commander Crack ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) has discovered the LummaC2 malware being distributed disguised as the Total Commander tool. Total Commander is a file manager for Windows that supports various file formats. It offers convenient file management ..
---------------------------------------------
https://asec.ahnlab.com/en/86435/
∗∗∗ Unauthenticated RCE in Grandstream HT802V2 and probably others ∗∗∗
---------------------------------------------
The Grandstream HT802V2 uses busybox' udhcpc for DHCP. When a DHCP event occurs, udhcpc calls a script (/usr/share/udhcpc/default.script by default) to further process the received data. On the HT802V2 this is used to (among others) parse the data in DHCP option 43 (vendor) using the Grandstream-specific parser ..
---------------------------------------------
https://www.die-welt.net/2025/02/unauthenticated-rce-in-grandstream-ht802v2…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily