Daily

daily@lists.cert.at

1 participants
3279 discussions

Tageszusammenfassung - 26.09.2025
by Daily end-of-shift report 26 Sep '25

26 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-09-2025 18:00 − Freitag 26-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Schwerwiegende Sicherheitslücken in Cisco Adaptive Security Appliance - aktiv ausgenutzt - Updates verfügbar ∗∗∗ --------------------------------------------- Cisco hat Informationen zu einer vermutlich bereits seit einigen Monaten laufenden Angriffskampagne veröffentlicht. Im Rahmen dieser Kampagne haben Angreifer:innen, denen bereits im vergangenen Jahr eine breitgefächerte Kampagne gegen Edge-Devices zugerechnet wurde, Cisco Adaptive Security Appliance (ASA) Systeme der 5500-X Reihe welche "VPN web services" kompromittiert um in weiterer Folge auf den übernommenen Geräten Schadsoftware zu platzieren und Daten zu stehlen. --------------------------------------------- https://www.cert.at/de/warnungen/2025/9/schwerwiegende-sicherheitslucken-in… ∗∗∗ Unofficial Postmark MCP npm silently stole users emails ∗∗∗ --------------------------------------------- A npm package copying the official postmark-mcp project on GitHub turned bad with the latest update that added a single line of code to exfiltrate all its users email communication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unofficial-postmark-mcp-npm-… ∗∗∗ Salesforce AI Agents Forced to Leak Sensitive Data ∗∗∗ --------------------------------------------- Yet again researchers have uncovered an opportunity (dubbed "ForcedLeak") for indirect prompt injection against autonomous agents lacking sufficient security controls — but this time the risk involves PII, corporate secrets, physical location data, and so much more. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/salesforce-ai-agents-le… ∗∗∗ HeartCrypt’s wholesale impersonation effort ∗∗∗ --------------------------------------------- How the notorious Packer-as-a-Service operation built itself into a hydra. --------------------------------------------- https://news.sophos.com/en-us/2025/09/26/heartcrypts-wholesale-impersonatio… ∗∗∗ New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks ∗∗∗ --------------------------------------------- The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX. --------------------------------------------- https://thehackernews.com/2025/09/new-coldriver-malware-campaign-joins-bo.h… ∗∗∗ North Koreas Lazarus Group shares its malware with IT work scammers ∗∗∗ --------------------------------------------- North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang's infamous Lazarus Group deploys. --------------------------------------------- https://theregister.com/2025/09/25/lazarus_group_shares_malware_with_it_sca… ∗∗∗ LockBits new variant is most dangerous yet, hitting Windows, Linux and VMware ESXi ∗∗∗ --------------------------------------------- Trend Micro has sounded the alarm over the new LockBit 5.0 ransomware strain, which it warns is "significantly more dangerous" than past versions due to its newfound ability to simultaneously target Windows, Linux, and VMware ESXi environments. --------------------------------------------- https://theregister.com/2025/09/26/lockbits_new_variant_is_most/ ∗∗∗ Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer ∗∗∗ --------------------------------------------- New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam. --------------------------------------------- https://hackread.com/vietnamese-hackers-fake-copyright-notice-lone-none-ste… ∗∗∗ It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2 ∗∗∗ --------------------------------------------- We’re back, just over 24 hours later, to share our evolving understanding of CVE-2025-10035. --------------------------------------------- https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-… ∗∗∗ SVG Phishing hits Ukraine with Amatera Stealer, PureMiner ∗∗∗ --------------------------------------------- Phishing emails disguised as official notices from Ukraine’s police deliver Amatera Stealer and PureMiner in a fileless attack chain. --------------------------------------------- https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-wit… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, kernel, and thunderbird), Debian (ceph and thunderbird), Fedora (chromium, mingw-expat, python-deepdiff, python-orderly-set, python-pip, rust-az-cvm-vtpm, rust-az-snp-vtpm, rust-az-tdx-vtpm, and trustee-guest-components), Oracle (aide, kernel, and thunderbird), Red Hat (firefox, kernel, openssh, perl-YAML-LibYAML, and thunderbird), Slackware (expat), SUSE (jasper, libssh, openjpeg2, and python-pycares), and Ubuntu (linux-aws-6.14, linux-hwe-6.14, linux-azure, linux-hwe-6.8, linux-realtime-6.8, node-sha.js, and pcre2). --------------------------------------------- https://lwn.net/Articles/1039749/ ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0: SC-202509.1 ∗∗∗ --------------------------------------------- Security Center leverages third-party software to help provide underlying functionality. One of the third-party components (PostgreSQL) was found to contain vulnerabilities, and an updated version has been made available by the provider. --------------------------------------------- https://www.tenable.com/security/tns-2025-18 ∗∗∗ Security Update Dingtian DT-R002 ∗∗∗ --------------------------------------------- All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 25.09.2025
by Daily end-of-shift report 25 Sep '25

25 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-09-2025 18:00 − Donnerstag 25-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft will offer free Windows 10 security updates in Europe ∗∗∗ --------------------------------------------- Microsoft will offer free extended security updates for Windows 10 users in the European Economic Area (EEA), which includes Iceland, Liechtenstein, Norway, and all 27 European Union member states. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-will-offer-free-w… ∗∗∗ Malicious Rust packages on Crates.io steal crypto wallet keys ∗∗∗ --------------------------------------------- Two malicious packages with nearly 8,500 downloads in Rusts official crate repository scanned developers systems to steal cryptocurrency private keys and other secrets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-rust-packages-on-c… ∗∗∗ Supermicro: Unzählige Server-Mainboards anfällig für Firmware-Backdoors ∗∗∗ --------------------------------------------- Angreifer können in die BMC-Firmware zahlreicher Mainboards von Supermicro Malware einschleusen und damit dauerhaft die Kontrolle übernehmen. --------------------------------------------- https://www.golem.de/news/supermicro-unzaehlige-server-mainboards-anfaellig… ∗∗∗ XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/09/25/xcsset-evolves-aga… ∗∗∗ OnePlus leaves researchers on read over Android bug that exposes texts ∗∗∗ --------------------------------------------- Rapid7 warns flaw could let any app peek at your SMS, but smartphone vendor wont pick up Updated Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and .. --------------------------------------------- https://www.theregister.com/2025/09/23/rapid7_oneplus_android_bug/ ∗∗∗ Jetzt patchen! Root-Attacken auf Cisco-Netzwerkgeräte möglich ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco warnt vor Angriffen unter anderem auf Router und Switches. Admins sollten die aktuellen Sicherheitsupdates installieren. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Netzwerkgerae… ∗∗∗ Zu unsicher: IT-Dienstleister NTT Data trennt sich wohl von Ivanti-Produkten ∗∗∗ --------------------------------------------- Nicht nur das interne Netz, sondern auch der Weiterverkauf an Kunden ist betroffen. Die Sicherheit der Produkte sei ein unvertretbares Risiko. --------------------------------------------- https://www.heise.de/news/Zu-unsicher-IT-Dienstleister-NTT-Data-trennt-sich… ∗∗∗ Kriminelle kündigen Bankanruf per SMS oder WhatsApp an ∗∗∗ --------------------------------------------- Dass Kriminelle sich am Telefon als Bankmitarbeiter:innen ausgeben, ist seit Langem bekannt. Neu ist jedoch eine besonders raffinierte Variante, die derzeit im Umlauf ist. Dabei bauen die Kriminellen gezielt Vertrauen auf, indem sie den Anruf vorab per SMS oder WhatsApp-Nachricht ankündigen. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-kuendigen-bankanruf-per-s… ∗∗∗ International anti-fraud crackdown recovers more than $400 million, Interpol says ∗∗∗ --------------------------------------------- Authorities from more than 40 countries and territories blocked 68,000 bank accounts and froze about 400 cryptocurrency wallets as part of the operation from April through August, Interpol said. --------------------------------------------- https://therecord.media/anti-fraud-interpol-crackdown-recovers-over-400-mil… ∗∗∗ Securing Microsoft Entra ID: Lessons from the Field – Part 1 ∗∗∗ --------------------------------------------- This multipart blog series is focused on the real-world lessons learned while securing Microsoft Entra ID. Based on hands-on experience across various environments and organizations, we’ll explore the practical, high-impact strategies that work and more importantly, the common misconfigurations, overlooked settings, and pitfalls that can .. --------------------------------------------- https://blog.nviso.eu/2025/09/25/securing-microsoft-entra-id-lessons-from-t… ∗∗∗ This Is How Your LLM Gets Compromised ∗∗∗ --------------------------------------------- Poisoned data. Malicious LoRAs. Trojan model files. AI attacks are stealthier than ever—often invisible until it’s too late. Here’s how to catch them before they catch you. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/prevent-llm-compromise.html ∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona… ∗∗∗ 180,000 ICS/OT Devices and Counting: The Unforgivable Exposure ∗∗∗ --------------------------------------------- A new Bitsight TRACE threat research report shows that Industrial Control System and Operational Technology (ICS/OT) exposure is climbing again. --------------------------------------------- https://www.bitsight.com/blog/the-growing-exposure-of-ics-ot-devices ∗∗∗ Yet Another Random Story: VBScripts Randomize Internals ∗∗∗ --------------------------------------------- In one of our recent posts, Dennis shared an interesting case study of C# exploitation that rode on Random-based password-reset tokens. He demonstrated how to use the single-packet attack, or a bit of old-school math, to beat the game. Recently, I performed a security test on a target which had a dependency written in VBScript. This blog post focuses .. --------------------------------------------- https://blog.doyensec.com/2025/09/25/yet-another-random-story.html ===================== = Vulnerabilities = ===================== ∗∗∗ Zahlreiche Schwachstellen in iMonitorSoft EAM ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 24.09.2025
by Daily end-of-shift report 24 Sep '25

24 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-09-2025 18:00 − Mittwoch 24-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Supermicro server motherboards can be infected with unremovable malware ∗∗∗ --------------------------------------------- One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. [..] The two new vulnerabilities—tracked as CVE-2025-7937 and CVE-2025-6198—reside inside silicon soldered onto Supermicro motherboards that run servers inside data centers. [..] Supermicro said it has updated the BMC firmware to mitigate the vulnerabilities. The company is currently testing and validating affected products. --------------------------------------------- https://arstechnica.com/security/2025/09/supermicro-server-motherboards-can… ∗∗∗ PyPI urges users to reset credentials after new phishing attacks ∗∗∗ --------------------------------------------- The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-urges-users-to-reset-cr… ∗∗∗ YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. The malware is particularly interesting because it contains significant code overlaps with IcedID and Latrodectus. Similar to Zloader and Qakbot, IcedID was originally designed for facilitating banking and wire fraud. --------------------------------------------- https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-fami… ∗∗∗ Fake Malwarebytes, LastPass, and others on GitHub serve malware ∗∗∗ --------------------------------------------- Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-a… ∗∗∗ Betrugs-Website mit Fake-Investitionsprojekt im Stil von orf.at ∗∗∗ --------------------------------------------- Plus gefälschtes Video von Bundespräsident Van der Bellen. Die Täter wollen persönliche Daten abgreifen und 250 Euro abkassieren --------------------------------------------- https://www.derstandard.at/story/3000000289130/betrugs-website-mit-fake-inv… ∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. [..] The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona… ∗∗∗ Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) ∗∗∗ --------------------------------------------- On Thursday, September 18, Fortra published a security advisory fi-2025-012 titled: Deserialization Vulnerability in GoAnywhere MFT's License Servlet. The title in itself is reason for alarm, with the description going further to explain how we likely got to a CVSS 10.0 [..] No mystery is complete without a few unanswered questions. Despite our usual routine of reverse engineering and creative detours, we’ve ended this one with more questions than usual. --------------------------------------------- https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-1… ∗∗∗ Mobilfunk-Server mit 100.000 SIM-Karten in New York beschlagnahmt ∗∗∗ --------------------------------------------- Rund um das New Yorker Hauptquartier der UNO wurden 300 SIM-Karten-Server und 100.000 SIM-Karten entdeckt. Deren Zweck ist undeutlich. --------------------------------------------- https://heise.de/-10668021 ∗∗∗ Cyberattacke auf Flughäfen: Weiterhin Probleme am BER und eine Festnahme ∗∗∗ --------------------------------------------- Auch Tage nach der Cyberattacke halten die Beeinträchtigungen am Flughafen BER an. In Großbritannien wurde indessen ein Tatverdächtiger festgenommen. --------------------------------------------- https://heise.de/-10669658 ∗∗∗ How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More ∗∗∗ --------------------------------------------- During our security testing, we discovered that connecting to a malicious MCP server via common coding tools like Claude Code and Gemini CLI could give attackers instant control over user computers. --------------------------------------------- https://verialabs.com/blog/from-mcp-to-shell/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched flaw in OnePlus phones lets rogue apps text messages ∗∗∗ --------------------------------------------- A vulnerability in multiple OnePlus OxygenOS versions allows any installed app to access SMS data and metadata without requiring permission or user interaction. [..] The flaw, tracked as CVE-2025-10184, and discovered by Rapid7 researchers, is currently unpatched and exploitable. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-flaw-in-oneplus-ph… ∗∗∗ Two Critical Flaws Uncovered in Wondershare RepairIt Exposing User Data and AI Models ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. [..] Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers' endpoints. [..] The cybersecurity company said it responsibly disclosed the two issues through its Zero Day Initiative (ZDI) in April 2025, but not that it has yet to receive a response from the vendor despite repeated attempts. In the absence of a fix, users are recommended to "restrict interaction with the product." CVE-2025-10643, CVE-2025-10644 --------------------------------------------- https://thehackernews.com/2025/09/two-critical-flaws-uncovered-in.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Fedora (expat), Red Hat (kernel and multiple packages), SUSE (avahi, busybox, busybox-links, kernel, sevctl, tcpreplay, thunderbird, and tor), and Ubuntu (isc-kea, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-aws-6.8, linux-gcp-6.8, linux-aws-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, python-pip, and rabbitmq-server). --------------------------------------------- https://lwn.net/Articles/1039311/ ∗∗∗ Libraesva ESG Security advisory: command injection vulnerability (CVE-2025-59689) ∗∗∗ --------------------------------------------- https://docs.libraesva.com/knowledgebase/security-advisory-command-injectio… ∗∗∗ ZDI-25-907: Autodesk Revit RFA File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-907/ ∗∗∗ Google Chrome: Chrome for Android Update ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/09/chrome-for-android-update_23.h… ∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk… ∗∗∗ AutomationDirect CLICK PLUS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 ∗∗∗ Mitsubishi Electric MELSEC-Q Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-02 ∗∗∗ Viessmann Vitogate 300 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 23.09.2025
by Daily end-of-shift report 23 Sep '25

23 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 22-09-2025 18:00 − Dienstag 23-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SonicWall releases SMA100 firmware update to wipe rootkit malware ∗∗∗ --------------------------------------------- SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-releases-sma100-fi… ∗∗∗ GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security ∗∗∗ --------------------------------------------- GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA), granular tokens that will have a limited lifetime of seven days, and trusted publishing, which enables the ability to securely publish npm packages directly from CI/CD workflows using OpenID Connect (OIDC). --------------------------------------------- https://thehackernews.com/2025/09/github-mandates-2fa-and-short-lived.html ∗∗∗ Vier Jahre langes Hin und Her zwischen Sicherheitsforscher und Vasion Print ∗∗∗ --------------------------------------------- Vasion Print war oder ist sogar noch verwundbar. Ob bereits alle Schwachstellen geschlossen sind, ist auf den ersten Blick nicht erkennbar. --------------------------------------------- https://www.heise.de/news/Vier-Jahre-langes-Hin-und-Her-zwischen-Sicherheit… ∗∗∗ [Guest Diary] Distracting the Analyst for Fun and Profit, (Tue, Sep 23rd) ∗∗∗ --------------------------------------------- Distributed denial of service (DDoS) attacks are a type of cyber-attack where the threat actor attempts to disrupt a service by flooding the target with a ton of requests to overload system resources and prevent legitimate traffic from reaching it. [..] We can draw a few conclusions from analyzing each wave of this attack. --------------------------------------------- https://isc.sans.edu/diary/rss/32308 ∗∗∗ Technical Analysis of Zloader Updates ∗∗∗ --------------------------------------------- Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a Zeus-based modular trojan that emerged in 2015. Zloader was originally designed to facilitate banking, but has since been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-zloader-… ∗∗∗ CISA Shares Lessons Learned from an Incident Response Engagement ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to highlight lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency. CISA is publicizing this advisory to reinforce the importance of prompt patching, as well as preparing for incidents by practicing incident response plans and by implementing logging and aggregating logs in a centralized out-of-band location. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a ===================== = Vulnerabilities = ===================== ∗∗∗ SolarWinds releases third patch to fix Web Help Desk RCE bug ∗∗∗ --------------------------------------------- SolarWinds has released a hotfix for a critical a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication. Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-pa… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (corosync and kernel), Fedora (checkpointctl, chromium, curl, and perl-Catalyst-Authentication-Credential-HTTP), SUSE (firefox, frr, kernel, rustup, vim, and wireshark), and Ubuntu (glibc and pam). --------------------------------------------- https://lwn.net/Articles/1039124/ ∗∗∗ Fehlende Validierung von Zertifikaten führt zu RCE in CleverControl Überwachungssoftware für Mitarbeitende ∗∗∗ --------------------------------------------- Eine fehlende Validierung des TLS Serverzertifikats in dem Installer der "CleverControl" Überwachungssoftware für Mitarbeitende erlaubt es Angreifern, die sich in die Netzwerkverbindung zwischen Client und Server platzieren können, beliebigen Code mit Administratorrechten auszuführen. CVE-2025-10548 --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/fehlende-validierung-… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0006 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0006.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 22.09.2025
by Daily end-of-shift report 22 Sep '25

22 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-09-2025 18:00 − Montag 22-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Cyberattacke auf Dienstleister behindert Flughäfen in Europa ∗∗∗ --------------------------------------------- Ein Dienstleister für die Systeme zur Passagierabfertigung ist am Freitagabend angegriffen worden, wie der Berliner Flughafen mitteilte. [..] Der Systemanbieter wird europaweit an Flughäfen eingesetzt. [..] Passagiere müssen nun mit längeren Wartezeiten beim Check-in und Boarding und mit Verspätungen rechnen. --------------------------------------------- https://www.heise.de/news/Cyberangriff-behindert-europaeische-Flughaefen-au… ∗∗∗ LastPass: Fake password managers infect Mac users with malware ∗∗∗ --------------------------------------------- LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories. [..] The attackers created a large number of deceptive GitHub repositories from multiple accounts to evade takedown and optimize them to rank high in search results. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lastpass-fake-password-manag… ∗∗∗ BlockBlasters: Infected Steam game downloads malware disguised as patch ∗∗∗ --------------------------------------------- A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information are lifted from the PC the game is running on - including crypto wallet data. Hundreds of users are potentially affected. --------------------------------------------- https://feeds.feedblitz.com/~/925181471/0/gdatasecurityblog-en~BlockBlaster… ∗∗∗ Understanding Spamhaus and Its Role in Email Security ∗∗∗ --------------------------------------------- One of the often “behind‐the‐scenes” organizations helping to defend email systems is Spamhaus. In this post, we’ll explain what Spamhaus is, how it works, why it matters, and what best practices companies should follow to stay out of blacklists and protect deliverability. --------------------------------------------- https://blog.sucuri.net/2025/09/understanding-spamhaus-and-its-role-in-emai… ∗∗∗ Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered what they say is the earliest example known to date of a malware with that bakes in Large Language Model (LLM) capabilities.The malware has been codenamed MalTerminal by SentinelOne SentinelLABS research team. --------------------------------------------- https://thehackernews.com/2025/09/researchers-uncover-gpt-4-powered.html ∗∗∗ Achtung vor WKO Phishing-Mails zu angeblichen Abgabenrückständen! ∗∗∗ --------------------------------------------- Derzeit erhalten viele Unternehmen eine gefälschte E-Mail, die angeblich von der Wirtschaftskammer Österreich (WKO) stammt. Darin wird behauptet, es gebe offene Abgaben von 482,00 Euro, die über einen Link bezahlt werden sollen. Achtung: Zahlen Sie nicht, es handelt sich um einen Betrugsversuch! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-wko-phishing-mails-zu-an… ∗∗∗ Fake-Shops: Kriminelle nutzen die finnische Kultmarke „Marimekko“ als Deckmantel ∗∗∗ --------------------------------------------- Derzeit tauchen auf Social-Media-Plattformen vermehrt Werbeanzeigen auf, die ungewöhnlich hohe Rabatte in Marimekko-Onlineshops versprechen. Natürlich stimmt daran nichts. Die Spezialpreise sollen die Fans der finnischen Design-Marke zu Impulskäufen verleiten. Geliefert werden die bestellten Produkte nie, das Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-marimekko/ ∗∗∗ Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures ∗∗∗ --------------------------------------------- In this blog, we highlight the evolution of Minibike into a new variant dubbed MiniJunk, the use of fake recruiting portals for malware delivery, victimology across the Middle East and Western Europe, and the broader implications for defense, telecom, and aviation sectors. --------------------------------------------- https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-… ∗∗∗ Hacking with AI SASTs: An overview of ‘AI Security Engineers’ / ‘LLM Security Scanners’ for Penetration Testers and Security Teams ∗∗∗ --------------------------------------------- For the past few months, I have been trialing various AI-native security scanners, with a main focus on finding a product on the market today that is able to analyze the source code of a project in order to find vulnerabilities. This post will detail that journey, the successes and failures I’ve come across, my thoughts, and offer a general review of new on-the-market products that fit the category. --------------------------------------------- https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters ∗∗∗ Kernel Security in the Wild: Side-Channel-Assisted Exploit Techniques, Kernel-Level Defenses, and Real-World Analysis ∗∗∗ --------------------------------------------- In this thesis, we address all three challenges to advance the state of kernel security. [..] We introduce three novel side channels: SLUBStick, a timing side channel on the kernel’s memory allocator to infer heap memory reuse; KernelSnitch, a software- induced side channel that leaks the location of kernel heap objects via data structure access timing; and a hardware-induced TLB side channel that leaks fine-grained memory layout information. --------------------------------------------- https://tugraz.elsevierpure.com/ws/portalfiles/portal/98775241/main.pdf ===================== = Vulnerabilities = ===================== ∗∗∗ VU#780141: Cross-site scripting vulnerability in Lectora course navigation ∗∗∗ --------------------------------------------- Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. CVE-2025-9125 --------------------------------------------- https://kb.cert.org/vuls/id/780141 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2). --------------------------------------------- https://lwn.net/Articles/1039053/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 19.09.2025
by Daily end-of-shift report 19 Sep '25

19 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-09-2025 18:00 − Freitag 19-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Backup-Diebstahl: Angreifer stahlen bei Sonicwall Firewallkonfigurationen ∗∗∗ --------------------------------------------- Der Firewallhersteller Sonicwall meldet einen Einbruch in Cloud-Konten seiner Kunden. Dabei haben Unbekannte Sicherungskopien von Firewallkonfigurationsdateien unerlaubt vervielfältigt und exfiltriert. Es handelt sich jedoch nicht um einen Cyberangriff auf Sonicwall, sondern offenbar um massenhaftes Durchprobieren von Zugangsdaten. [..] Die entwendeten Konfigurationsdateien können sensible Informationen enthalten und Angriffe erleichtern. Offenbar sind nur wenige Kunden betroffen. --------------------------------------------- https://heise.de/-10662565 ∗∗∗ CISA exposes malware kits deployed in Ivanti EPMM attacks ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). The flaws are an authentication bypass in EPMM’s API component (CVE-2025-4427) and a code injection vulnerability (CVE-2025-4428) that allows execution of arbitrary code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-exposes-malware-kits-de… ∗∗∗ New attack on ChatGPT research agent pilfers secrets from Gmail inboxes ∗∗∗ --------------------------------------------- Today’s installment hits OpenAI’s Deep Research agent. Researchers recently devised an attack that plucked confidential information out of a user’s Gmail inbox and sent it to an attacker-controlled web server, with no interaction required on the part of the victim and no sign of exfiltration. --------------------------------------------- https://arstechnica.com/information-technology/2025/09/new-attack-on-chatgp… ∗∗∗ Threat landscape for industrial automation systems in Q2 2025 ∗∗∗ --------------------------------------------- Kaspersky industrial threat report contains statistics on various malicious objects detected and blocked on ICS computers by Kaspersky solutions in Q2 2025. --------------------------------------------- https://securelist.com/industrial-threat-report-q2-2025/117532/ ∗∗∗ How AI-Native Development Platforms Enable Fake Captcha Pages ∗∗∗ --------------------------------------------- Cybercriminals are abusing AI-native platforms like Vercel, Netlify, and Lovable to host fake captcha pages that deceive users, bypass detection, and drive phishing campaigns. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/ai-development-platforms-ena… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability ∗∗∗ --------------------------------------------- Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands. The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity. "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection," Fortra said in an advisory released Thursday. --------------------------------------------- https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.h… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, cjson, and firefox-esr), Fedora (expat, gh, scap-security-guide, and xen), Oracle (container-tools:rhel8, firefox, grub2, and mysql:8.4), SUSE (busybox, busybox-links, element-web, kernel, shadowsocks-v2ray-plugin, and yt-dlp), and Ubuntu (imagemagick, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-oracle-6.8, linux-realtime, and openjpeg2). --------------------------------------------- https://lwn.net/Articles/1038802/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-261-01 Westermo Network Technologies WeOS 5, ICSA-25-261-02 Westermo Network Technologies WeOS 5, ICSA-25-261-03 Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit, ICSA-25-261-04 Hitachi Energy Asset Suite, ICSA-25-261-05 Hitachi Energy Service Suite, ICSA-25-261-06 Cognex In-Sight Explorer and In-Sight Camera Firmware, ICSA-25-261-07 Dover Fueling Solutions ProGauge MagLink LX4 Devices --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/18/cisa-releases-nine-indus… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 18.09.2025
by Daily end-of-shift report 18 Sep '25

18 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-09-2025 18:00 − Donnerstag 18-09-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks ∗∗∗ --------------------------------------------- The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked. --------------------------------------------- https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billi… ∗∗∗ SystemBC malware turns infected VPS systems into proxy highway ∗∗∗ --------------------------------------------- The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. Compromised servers are located all over the world and have at least one unpatched critical vulnerability, some of them being plagued by tens of security issues. --------------------------------------------- https://www.bleepingcomputer.com/news/security/systembc-malware-turns-infec… ∗∗∗ Microsoft: Hacker konnten wohl beliebige Entra-ID-Tenants kapern ∗∗∗ --------------------------------------------- Der Sicherheitsforscher Dirk-Jan Mollema hat eine gefährliche Sicherheitslücke in der von vielen Unternehmen genutzten cloudbasierten Identitäts- und Zugriffsverwaltungsplattform Microsoft Entra ID entdeckt. Wie der Forscher in einem Blogbeitrag(öffnet im neuen Fenster) schildert, konnte er damit weltweit so ziemlich jeden Entra-ID-Tenant kompromittieren – mit Ausnahme nationaler Cloud-Deployments, die er lediglich mangels Zugriff nicht testen konnte. --------------------------------------------- https://www.golem.de/news/microsoft-hacker-konnten-wohl-beliebige-entra-id-… ∗∗∗ SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems. --------------------------------------------- https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html ∗∗∗ CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT. --------------------------------------------- https://thehackernews.com/2025/09/countloader-broadens-russian-ransomware.h… ∗∗∗ Phishing-Mails im Namen der Statistik Austria im Umlauf ∗∗∗ --------------------------------------------- Aktuell kursiert eine Phishing-E-Mail, die vorgibt, von der Statistik Austria zu stammen. In der Nachricht werden Unternehmen aufgefordert, sensible Finanz- und Geschäftsdaten (z. B. Listen ausländischer Geschäftspartner, Beträge, Zahlungsfristen) zu übermitteln. Es ist davon auszugehen, dass die Daten für gefälschte Geldforderungen an Geschäftspartner missbraucht werden könnten. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mails-im-namen-der-statisti… ∗∗∗ What We Know About the NPM Supply Chain Attack ∗∗∗ --------------------------------------------- On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html ∗∗∗ New Raven Stealer Malware Hits Browsers for Passwords and Payment Data ∗∗∗ --------------------------------------------- New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it’s a growing risk for everyday users. --------------------------------------------- https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/ ∗∗∗ Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams ∗∗∗ --------------------------------------------- Cybersecurity firm Infoblox says it has discovered “Vane Viper,” a massive online ad network that posed as a legitimate business while running global scams and spreading malware. Linked to previously reported PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date. --------------------------------------------- https://hackread.com/vane-viper-malvertising-adtech-global-scams/ ===================== = Vulnerabilities = ===================== ∗∗∗ Notfallpatch: Aktiv ausgenutzte Chrome-Lücke gefährdet unzählige Nutzer ∗∗∗ --------------------------------------------- Google hat einen Notfallpatch für seinen weit verbreiteten Webbrowser Chrome bereitgestellt. Damit schließt der Konzern gleich mehrere gefährliche Sicherheitslücken. Eine davon wird bereits aktiv ausgenutzt, wie aus den Release Notes(öffnet im neuen Fenster) hervorgeht. Anwender sollten den Browser daher zügig aktualisieren, um sich vor möglichen Angriffen zu schützen. Betroffen sind Chrome-Versionen für Windows, Mac und Linux. --------------------------------------------- https://www.golem.de/news/notfallpatch-aktiv-ausgenutzte-chrome-luecke-gefa… ∗∗∗ Schwachstellen bedrohen HPE Aruba Networking EdgeConnect SD-WAN ∗∗∗ --------------------------------------------- Angreifer können Wide Area Networks (WAN) attackieren, die auf HPE Aruba Networking EdgeConnect SD-WAN fußen. Die Entwickler haben jüngst mehrere Sicherheitslücken geschlossen. Nach erfolgreichen Attacken können Angreifer unter anderem Sicherheitsbeschränkungen umgehen oder sogar Schadcode ausführen, um Systeme vollständig zu kompromittieren. --------------------------------------------- https://www.heise.de/news/Schwachstellen-bedrohen-HPE-Aruba-Networking-Edge… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14). --------------------------------------------- https://lwn.net/Articles/1038638/ ∗∗∗ Open-Source Tool Greenshot Hit by Severe Code Execution Vulnerability ∗∗∗ --------------------------------------------- A security vulnerability has been discovered in Greenshot, the widely used open-source screenshot tool for Windows. The Greenshot vulnerability exposes to the risk of arbitrary code execution, potentially allowing attackers to bypass established security protocols and launch further malicious activities. A proof-of-concept (PoC) exploit has already been released, drawing attention to the critical nature of the vulnerability. --------------------------------------------- https://thecyberexpress.com/greenshot-vulnerability/ ∗∗∗ ENCS testers help resolve critical vulnerabilities in solar inverters ∗∗∗ --------------------------------------------- ENCS cybersecurity testers uncovered several vulnerabilities in consumer solar inverters widely used in Europe, as part of the work on consumer IoT equipment. We reported these to the Dutch Institute for Vulnerability Disclosure (DIVD) CSIRT to start a responsible vulnerability disclosure process. Six vulnerabilities have now been resolved by the manufacturers. --------------------------------------------- https://encs.eu/news/encs-testers-help-resolve-critical-vulnerabilities-in-… ∗∗∗ ZDI-25-895: Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-895/ ∗∗∗ CVE-2025-9242: WatchGuard Firebox iked Out of Bounds Write Vulnerability ∗∗∗ --------------------------------------------- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 ∗∗∗ Third-Party Libraries and Supply Chains - PSA-2025-09-17 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2025-09-17 ∗∗∗ Daikin Security Gateway ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 17.09.2025
by Daily end-of-shift report 17 Sep '25

17 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-09-2025 18:00 − Mittwoch 17-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques ∗∗∗ --------------------------------------------- ClickFix isnt just back—its mutating. New variants use fake CAPTCHAs, File Explorer tricks & MSI lures to drop MetaStealer. Stay ahead with Huntress Tradecraft Tuesday threat briefings. --------------------------------------------- https://www.bleepingcomputer.com/news/security/from-clickfix-to-metastealer… ∗∗∗ Critical Bugs in Chaos Mesh Enable Cluster Takeover ∗∗∗ --------------------------------------------- "Chaotic Deputy" is a set of four vulnerabilities in the chaos engineering platform that many organizations use to test the resilience of their Kubernetes environments. Such is the case with a set of four serious vulnerabilities that researchers at JFrog recently discovered in Chaos Mesh that give attackers a way to take over entire Kubernetes clusters. --------------------------------------------- https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-tak… ∗∗∗ GOLD SALEM’s Warlock operation joins busy ransomware landscape ∗∗∗ --------------------------------------------- Counter Threat Unit (CTU) researchers are monitoring a threat group that refers to itself as Warlock Group. The group, which CTU researchers track as GOLD SALEM, has compromised networks and deployed its Warlock ransomware since March 2025. --------------------------------------------- https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-join… ∗∗∗ Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims ∗∗∗ --------------------------------------------- Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark". Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. --------------------------------------------- https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html ∗∗∗ Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service ∗∗∗ --------------------------------------------- Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). --------------------------------------------- https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-w… ∗∗∗ Ransomware HybridPetya hebelt UEFI Secure Boot aus ∗∗∗ --------------------------------------------- ESET Research hat HybridPetya auf der Sample-Sharing-Plattform VirusTotal entdeckt. Es handelt sich um einen Nachahmer der berüchtigten Petya/NotPetya-Malware, der zusätzlich die Fähigkeit besitzt, UEFI-basierte Systeme zu kompromittieren und CVE-2024-7344 als Waffe einzusetzen, um UEFI Secure Boot auf veralteten Systemen zu umgehen. --------------------------------------------- https://www.welivesecurity.com/de/eset-research/ransomware-hybridpetya-hebe… ∗∗∗ Myth Busting: Why "Innocent Clicks" Dont Exist in Cybersecurity ∗∗∗ --------------------------------------------- Unit 42 explores how innocent clicks can have serious repercussions. Learn how simply visiting a malicious site can expose users to significant digital dangers. --------------------------------------------- https://unit42.paloaltonetworks.com/why-innocent-clicks-dont-exist-in-cyber… ∗∗∗ Der npm-Angriff geht weiter – "Wurm" infiziert Pakete ∗∗∗ --------------------------------------------- Der Lieferkettenangriff auf ein npm-Entwicklerkonto und 18 kompromittierten Paketen schien glimpflich ausgegangen zu sein. Jetzt wird bekannt, dass die Angriffe (über ein anderes Konto) weitergehen und eine selbstreplizierende Malware (Shai-Hulud) bereits mehr als 500 npm-Pakete infiziert hat. --------------------------------------------- https://www.borncity.com/blog/2025/09/17/der-npm-angriff-geht-weiter-wurm-i… ∗∗∗ PyPI Token Exfiltration Campaign via GitHub Actions Workflows ∗∗∗ --------------------------------------------- I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens. PyPI was not compromised, and no PyPI packages were published by the attackers. --------------------------------------------- https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/ ∗∗∗ Ongoing Supply Chain Attack Targets CrowdStrike npm Packages ∗∗∗ --------------------------------------------- Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Halud" supply chain attack that has now impacted nearly 500 packages. --------------------------------------------- https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm… ∗∗∗ Microsoft: Office 2016 and Office 2019 reach end of support next month ∗∗∗ --------------------------------------------- Microsoft reminded customers again this week that Office 2016 and Office 2019 will reach the end of extended support in less than 30 days, on October 14, 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2016-and-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict). --------------------------------------------- https://lwn.net/Articles/1038453/ ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released eight Industrial Control Systems (ICS) advisories on September 16, 2025. The following products are affected, Schneider Electric Altivar Products, Schneider Electric ATVdPAC Module, Schneider Electric ILC992 InterLink Converter, Schneider Electric Galaxy VS, Schneider Electric Galaxy VL, Schneider Electric Galaxy VXL, Hitachi Energy RTU500 Series, Siemens SIMATIC NET CP, Siemens SINEMA, Siemens SCALANCE, Siemens RUGGEDCOM, Siemens SINEC NMS, Siemens Industrial Products (OpenSSL Vulnerability), Siemens Multiple Industrial Products and Delta Electronics DIALink. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/16/cisa-releases-eight-indu… ∗∗∗ CVE-2025-9708: Kubernetes C# Client, improper certificate validation in custom CA mode may lead to man-in-the-middle attacks ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/134063 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 16.09.2025
by Daily end-of-shift report 16 Sep '25

16 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 15-09-2025 18:00 − Dienstag 16-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Neuer NPM-Großangriff: Selbst-vermehrende Malware infiziert Dutzende Pakete ∗∗∗ --------------------------------------------- Verschiedene IT-Sicherheitsunternehmen warnen vor neuen Angriffen auf das npm-Ökosystem rund um node.js. Mehrere Dutzend Pakete (mindestens 40, in einem Bericht gar an die 150) sind mit einer Malware infiziert, die geheime Daten stiehlt und über einen Webhook ausleitet. Zudem repliziert sich die Schadsoftware selbsttätig – und ist somit ein Wurm. [..] Unklar ist noch, wo der Angriff begann – einen klaren "Patient Null" nennen die drei analysierenden Unternehmen nicht. [..] JavaScript-Entwickler und insbesondere die Verwalter von auf npm gehosteten Paketen sollten größte Vorsicht walten lassen und die umfangreiche Liste infizierter Pakete konsultieren. --------------------------------------------- https://heise.de/-10651111 ∗∗∗ Apple backports zero-day patches to older iPhones and iPads ∗∗∗ --------------------------------------------- Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-pat… ∗∗∗ Patchstatus unklar: Angreifer attackieren Fertigungsmanagementtool DELMIA Apriso ∗∗∗ --------------------------------------------- DELMIA Apriso ist eine Manufacturing-Operations-Management-Software (MOM) und ein Manufacturing Execution System (MES) [..] Der Anbieter der Software, Dassault Systèmes, erwähnte die Sicherheitslücke (CVE-2025-5086 "kritisch") bereits im Juni dieses Jahres in einer äußerst knapp formulierten Warnmeldung. [..] Anfang September warnte nun ein Sicherheitsforscher des SANS-Institut Internet Strom Center in einem Beitrag vor Exploitversuchen. [..] Unklar bleibt auch, ob es einen Sicherheitspatch gibt. --------------------------------------------- https://www.heise.de/news/Patchstatus-unklar-Attacken-auf-Fertigungsmanagem… ∗∗∗ IServ: Schullösung mit Schwäche inbegriffen? ∗∗∗ --------------------------------------------- Am 8. September 2025 ist jemandem aufgefallen, dass das Web-Frontend des IServ-Schul-Servers der IServ GmbH eine "Benutzeraufzählung" im weitesten Sinne ermöglicht. Gibt jemand den Namen einer Person an der IServ-Anmeldeseite einer Schule ein, und versucht er eine Anmeldung, ohne das Passwort zu kennen, schlägt diese Anmeldung natürlich fehl. Noch ist also alles im grünen Bereich, da dieser Anmeldeversuch abgewiesen wird. Das Problem liegt darin, dass sich die Antworten dieser fehlgeschlagenen Anmeldeversuche unterscheiden, nachdem, ob das Benutzerkonto existiert oder nicht und hängt angeblich noch von anderen Bedingungen ab. --------------------------------------------- https://www.borncity.com/blog/2025/09/16/iserve-schulloesung-mit-schwaeche-… ∗∗∗ Microsoft: Exchange 2016 and 2019 reach end of support in 30 days ∗∗∗ --------------------------------------------- Microsoft has reminded administrators again that Exchange 2016 and Exchange 2019 will reach the end of extended support next month and has provided guidance for decommissioning outdated servers. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and… ∗∗∗ Phoenix: Neue Rowhammer-Variante verleiht Angreifern Root-Rechte ∗∗∗ --------------------------------------------- Forscher von Google und der ETH Zürich haben eine neue Variante des Rowhammer-Angriffs vorgestellt. Sie betrifft auch moderne DDR5-RAM-Module, die eigentlich vor entsprechenden Attacken geschützt sein sollten. [..] Die Phoenix genannte Angriffstechnik greift laut Informationsseite der Entdecker(öffnet im neuen Fenster) auf eine Schwachstelle bei den Rowhammer-Abwehrmaßnahmen zurück, die bestimmte Refresh-Intervalle des Speichers nicht abdecken. --------------------------------------------- https://www.golem.de/news/phoenix-neue-rowhammer-variante-verleiht-angreife… ∗∗∗ RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT ∗∗∗ --------------------------------------------- Kaspersky GReAT expert takes a closer look at the RevengeHotels threat actors new campaign, including AI-generated scripts, targeted phishing, and VenomRAT. --------------------------------------------- https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-la… ∗∗∗ New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html ∗∗∗ SmokeLoader Rises From the Ashes ∗∗∗ --------------------------------------------- Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. [..] In May 2024, Operation Endgame, an international collaboration between law enforcement and private industry (which included Zscaler ThreatLabz) dismantled numerous instances of SmokeLoader and remotely removed the malware from infected systems. [..] ThreatLabz has identified two new SmokeLoader versions that are being used by multiple threat groups. --------------------------------------------- https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim). --------------------------------------------- https://lwn.net/Articles/1038325/ ∗∗∗ Spring Security and Spring Framework Release Fixes for CVE-2025-41248 and CVE-2025-41249 ∗∗∗ --------------------------------------------- https://spring.io/blog/2025/09/15/spring-framework-and-spring-security-fixe… ∗∗∗ LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover ∗∗∗ --------------------------------------------- https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass… ∗∗∗ Mozilla Security Advisories September 16, 2025 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ TYPO3-EXT-SA-2025-013: Vulnerability in bundled package in extension "Base Excel" (base_excel) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-013 ∗∗∗ TYPO3-EXT-SA-2025-012: Cross-Site Scripting in extension "Form to Database" (form_to_database) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-012 ∗∗∗ Synology-SA-25:11 Safe Access ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 15.09.2025
by Daily end-of-shift report 15 Sep '25

15 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-09-2025 18:00 − Montag 15-09-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft reminds of Windows 10 support ending in 30 days ∗∗∗ --------------------------------------------- On Friday, Microsoft reminded customers once again that Windows 10 will reach its end of support in 30 days, on October 14. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-reminds-of-window… ∗∗∗ Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers ∗∗∗ --------------------------------------------- Kaspersky experts discuss the Model Context Protocol used for AI integration. We describe the MCPs architecture, attack vectors and follow a proof of concept to see how it can be abused. --------------------------------------------- https://securelist.com/model-context-protocol-for-ai-integration-abused-in-… ∗∗∗ A Cyberattack Victim Notification Framework ∗∗∗ --------------------------------------------- When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. --------------------------------------------- https://www.schneier.com/blog/archives/2025/09/a-cyberattack-victim-notific… ∗∗∗ Lawsuit About WhatsApp Security ∗∗∗ --------------------------------------------- Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. --------------------------------------------- https://www.schneier.com/blog/archives/2025/09/lawsuit-about-whatsapp-secur… ∗∗∗ FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks ∗∗∗ --------------------------------------------- The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations Salesforce platforms via different initial access mechanisms," the FBI said. --------------------------------------------- https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html ∗∗∗ All your vulns are belong to us! CISA wants to maintain gov control of CVE program ∗∗∗ --------------------------------------------- Get ready for a fight over who steers the global standard for vulnerability identification The Cybersecurity and Infrastructure Security Agency (CISA) nearly let the Common Vulnerabilities and Exposures (CVE) program lapse earlier this year, but a new "vision" document it released this week signals that it now wants more control over the global standard for vulnerability identification. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/12/cisas_vision… ∗∗∗ Docker Image Security – Teil 2: Minimale und sichere Docker Images ∗∗∗ --------------------------------------------- Distroless Images reduzieren Paketgrößen drastisch, indem sie unnötige Komponenten wie Bash und Paketmanager weglassen. Das erhöht Performance und Sicherheit. --------------------------------------------- https://www.heise.de/hintergrund/Docker-Image-Security-Teil-2-Minimale-und-… ∗∗∗ Cyberkriminelle: "Scattered Lapsus$ Hunters" haben keine Lust mehr ∗∗∗ --------------------------------------------- Die Bande machte zuletzt durch Cyberangriffe auf Jaguar und Marks & Spencer von sich reden, die immense Schäden verursachten. Nicht alle halten die Füße still. --------------------------------------------- https://www.heise.de/news/Cybergang-Scattered-Lapsus-Hunters-kuendigt-Absch… ∗∗∗ Angreifer können IT-Sicherheitslösung IBM QRadar SIEM lahmlegen ∗∗∗ --------------------------------------------- Verschiedene Komponenten in IBMs IT-Sicherheitslösung QRadar SIEM sind verwundbar. Nutzen Angreifer die Schwachstellen erfolgreich aus, können sie unter anderem DoS-Zustände erzeugen, sodass Dienste abstürzen. Fällt dadurch der eigentlich durch die Anwendung versprochene Schutz weg, kann das fatale Folgen haben. --------------------------------------------- https://www.heise.de/news/Angreifer-koennen-IT-Sicherheitsloesung-IBM-QRada… ∗∗∗ Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain ∗∗∗ --------------------------------------------- Effective OAuth token management is crucial for supply chain security, preventing breaches caused by dormant integrations, insecure storage or lack of rotation. --------------------------------------------- https://unit42.paloaltonetworks.com/third-party-supply-chain-token-manageme… ∗∗∗ npm-Hack: Angreifer schauen weitgehend in die Röhre ∗∗∗ --------------------------------------------- Es war zwar ein Desaster im Hinblick auf die Kompromittierung einer Lieferkette – der Hack eines npm-Entwicklerkontos samt Injektion von Schadcode. Der Angreifer scheint aber mit ziemlich leeren Händen aus der Sache rausgegangen zu sein – er soll, je nach Quelle zwischen 65 und 600 US-Dollar an Kryptogeld gestohlen haben. --------------------------------------------- https://www.borncity.com/blog/2025/09/14/npm-hack-angreifer-schauen-weitgeh… ∗∗∗ New VoidProxy Phishing Service Bypasses MFA on Microsoft and Google Accounts ∗∗∗ --------------------------------------------- Okta Threat Intelligence exposes VoidProxy, a new PhaaS platform. Learn how this advanced service uses the Adversary-in-the-Middle technique to bypass MFA and how to protect yourself from attacks targeting Microsoft and Google accounts. --------------------------------------------- https://hackread.com/voidproxy-phishing-service-bypasses-mfa-microsoft-goog… ∗∗∗ Qrator Labs Mitigated Record L7 DDoS Attack from 5.76M-Device Botnet ∗∗∗ --------------------------------------------- Qrator Labs blocked a record L7 DDoS attack from a 5.76M-device botnet targeting government systems, showing rapid global growth since March. --------------------------------------------- https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/ ∗∗∗ 600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet ∗∗∗ --------------------------------------------- Hackers leaked 600 GB of data linked to the Great Firewall of China, exposing documents, code, and operations. Full details available on the GFW Report. --------------------------------------------- https://hackread.com/great-firewall-of-china-data-published-largest-leak/ ∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗ --------------------------------------------- FortiGuard Labs’ network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs). --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/shadowsilk-data-exfiltration ∗∗∗ Phishing campaign targeting crates.io users ∗∗∗ --------------------------------------------- We received multiple reports of a phishing campaign targeting crates.io users (from the rustfoundation.dev domain name), mentioning a compromise of our infrastructure and asking users to authenticate to limit damage to their crates. --------------------------------------------- https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/ ∗∗∗ The Internet Coup ∗∗∗ --------------------------------------------- A Technical Analysis on How a Chinese Company is Exporting The Great Firewall to Autocratic Regimes. --------------------------------------------- https://interseclab.org/research/the-internet-coup/ ===================== = Vulnerabilities = ===================== ∗∗∗ Lücke in Microsoft Agentic AI und Visual Studio kann Schadcode passieren lassen ∗∗∗ --------------------------------------------- Angreifer können an einer Schwachstelle in Microsoft Agentic AI und Visual Studio ansetzen. Klappt eine Attacke, können sie Schadcode ausführen und Systeme mit hoher Wahrscheinlichkeit vollständig kompromittieren. Ein Sicherheitsupdate steht zum Download bereit. --------------------------------------------- https://www.heise.de/news/Schadcode-Schlupfloch-in-Microsoft-Agentic-AI-und… ∗∗∗ Jetzt patchen! Attacken auf Android-Smartphones von Samsung beobachtet ∗∗∗ --------------------------------------------- Derzeit nutzen Angreifer eine Sicherheitslücke in Samsung-Smarthpones mit Android 13, 14, 15 und 16 aus. Darüber kann Schadcode auf Geräte gelangen. Ein Sicherheitspatch ist für ausgewählte Geräte verfügbar. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Android-Smartphones-vo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen). --------------------------------------------- https://lwn.net/Articles/1038231/ ∗∗∗ CVE-2025-58434: Critical FlowiseAI Flaw Enables Full Account Takeover ∗∗∗ --------------------------------------------- A severe security vulnerability has been discovered in FlowiseAI, an open-source AI workflow automation tool, exposing users to the risk of complete account compromise. Tracked as CVE-2025-58434, this vulnerability affects both the cloud-hosted version of FlowiseAI and self-hosted deployments that expose the relevant API endpoints. --------------------------------------------- https://thecyberexpress.com/cve-2025-58434/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily