=====================
= End-of-Day report =
=====================
Timeframe: Montag 11-08-2025 18:00 − Dienstag 12-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs ∗∗∗
---------------------------------------------
The Netherlands National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach "critical organizations" in the country.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler…
∗∗∗ Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug ∗∗∗
---------------------------------------------
Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-3-000-netscaler-devices…
∗∗∗ Scam hunter scammed by tax office impersonators ∗∗∗
---------------------------------------------
Scam hunter Julie-Anne Kearns, who helps scam victims online, opened up about a tax scam she fell for herself.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/08/scam-hunter-scammed-by-tax-o…
∗∗∗ Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe ∗∗∗
---------------------------------------------
A new report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with a new backdoor called MucorAgent. Learn how they’re using advanced tactics to steal data.
---------------------------------------------
https://hackread.com/russian-curly-comrades-mucoragent-malware-europe/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (Multiple CVEs) ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Connect Secure which addresses medium, high, and critical vulnerabilities. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability.
---------------------------------------------
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect…
∗∗∗ August Security Advisory Ivanti Virtual Application Delivery Controller (vADC previously vTM) (CVE-2025-8310) ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Virtual Application Delivery Controller (vADC), previously Virtual Traffic Manager (vTM), which addresses one medium severity vulnerability. Successful exploitation could lead to account takeover. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability.
---------------------------------------------
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Virtual…
∗∗∗ 40,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in UiCore Elements WordPress Plugin ∗∗∗
---------------------------------------------
On June 13th, 2025, we received a submission for an Arbitrary File Read vulnerability in UiCore Elements, a WordPress plugin with more than 40,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on the server, which can contain sensitive information. During the disclosure process, our investigation revealed that the vulnerability leveraged an underlying issue in Elementor’s import functionality.
---------------------------------------------
https://www.wordfence.com/blog/2025/08/40000-wordpress-sites-affected-by-ar…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and python-requests), Debian (ca-certificates-java), Fedora (chromium, clash-meta, mingw-python3, openjpeg, php-adodb, and toolbox), Mageia (kernel and kernel-linus), SUSE (chromium, ImageMagick, libgcrypt, libssh, libxml2, opensc, postgresql14, and postgresql16), and Ubuntu (dnsmasq, linux-gcp-6.8, linux-raspi, linux-oracle-6.14, and openjdk-17).
---------------------------------------------
https://lwn.net/Articles/1033445/
∗∗∗ Vtenext 25.02: A three-way path to RCE ∗∗∗
---------------------------------------------
Multiple vulnerabilities in vtenext 25.02 and prior versions allow unauthenticated attackers to bypass authentication through three separate vectors, ultimately leading to remote code execution on the underlying server.
---------------------------------------------
https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/
∗∗∗ OMSA-2025-0004: Omnissa Workspace ONE UEM addresses multiple vulnerabilities (CVE-2025-25229, CVE-2025-25231) ∗∗∗
---------------------------------------------
https://www.omnissa.com/omsa-2025-0004/
∗∗∗ OMSA-2025-0003: Omnissa Secure Email Gateway (SEG) updates address Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-25235) ∗∗∗
---------------------------------------------
https://www.omnissa.com/omsa-2025-0003/
∗∗∗ Matrix protocol vulnerabilities fixed in room version 12 ∗∗∗
---------------------------------------------
https://matrix.org/blog/2025/08/security-release/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 08-08-2025 18:00 − Montag 11-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ WinRAR zero-day flaw exploited by RomCom hackers in phishing attacks ∗∗∗
---------------------------------------------
A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware. [..] The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploit…
∗∗∗ Command Injection in Jenkins via Git Parameter (CVE-2025-53652) ∗∗∗
---------------------------------------------
On July 9, Jenkins disclosed CVE-2025-53652 (aka SECURITY-34191), one of 31 plugin vulnerabilities announced that day. [..] was disclosed as medium severity, but it enables command injection via the Jenkins Git Parameter plugin. [..] Around 15,000 Jenkins servers appear to allow unauthenticated access, making RCE viable in the wild. [..] The patch can be disabled, so detection remains important even after upgrading.
---------------------------------------------
https://www.vulncheck.com/blog/git-parameter-rce
∗∗∗ EU law to protect journalists from spyware takes effect ∗∗∗
---------------------------------------------
Critics from press freedom groups say member states have not taken steps to give the law any teeth.
---------------------------------------------
https://therecord.media/eu-law-to-protect-journalists-from-spyware-takes-ef…
∗∗∗ Sicherheitslücken: Hacker knackt Auto über Webportal des Herstellers ∗∗∗
---------------------------------------------
Er konnte nicht nur aus der Ferne unzählige fremde Autos orten, entriegeln und starten, sondern auch nach Belieben die Halterdaten abfragen. [..] Zveare stellte seine Entdeckungen am vergangenen Sonntag auf der Def Con in Las Vegas vor. Den Angaben zufolge konnte er sich in dem besagten Händlerportal ein "nationales Administratorkonto" erstellen und erhielt damit einen weitreichenden Zugriff, der "nur wenigen ausgewählten Unternehmensnutzern vorbehalten ist" und "eine Vielzahl von lustigen Exploits" ermöglichte.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-hacker-knackt-auto-ueber-webpo…
∗∗∗ Spionage: Rauchwarnmelder in Abhörwanzen verwandelt ∗∗∗
---------------------------------------------
Zwei junge Sicherheitsforscher haben im Rahmen der Def Con in Las Vegas Sicherheitslücken in smarten Rauchwarnmeldern des Typs Halo 3C aufgedeckt. [..] Der Hersteller der Halo-3C-Warnmelder hört auf den Namen IPVideo und ist laut der Webseite seit 2023 Teil von Motorola Solutions. Das Unternehmen hat dem Wired-Bericht zufolge bereits ein Firmwareupdate bereitgestellt, um die von Garcia und seinem Kollegen entdeckten Sicherheitslücken zu schließen. Mit der Cloud verbundene Geräte sollen das Update automatisch erhalten.
---------------------------------------------
https://www.golem.de/news/spionage-smarte-rauchwarnmelder-in-abhoerwanzen-v…
∗∗∗ Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered multiple security flaws in Dells ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware. [..] Attackers can chain the vulnerabilities, which were presented at the Black Hat USA security conference, to escalate their privileges after initial access, bypass authentication controls, and maintain persistence on compromised systems that survive operating system updates or reinstallations.
---------------------------------------------
https://thehackernews.com/2025/08/researchers-reveal-revault-attack.html
∗∗∗ DEF CON hackers plug security holes in US water systems amid tsunami of threats ∗∗∗
---------------------------------------------
A DEF CON hacker walks into a small-town water facility … no, this is not the setup for a joke or a (super-geeky) odd-couple rom-com. It's a true story that happened at five utilities across four states.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/10/def_con_hack…
∗∗∗ libarchive: Sicherheitslücke entpuppt sich als kritisch ∗∗∗
---------------------------------------------
In der Open-Source-Kompressionsbibliothek libarchive klafft eine Sicherheitslücke, die zunächst als lediglich niedriges Risiko eingestuft wurde. [..] Die ursprüngliche Meldung der Lücke an das libarchive-Projekt durch Tobias Stöckmann mitsamt eines Proof-of-Concept-Exploits fand bereits am 10. Mai dieses Jahres statt. Am 20. Mai haben die Entwickler die Version 3.8.0 von libarchive herausgegeben. Die öffentliche Schwachstellenmeldung erfolgte am 9. Juni ebenfalls auf Github. Dort wurde auch die CVE-Nummer CVE-2025-5914 zugewiesen, jedoch zunächst mit dem Schweregrad CVSS 3.9, Risiko "niedrig", wie Red Hat die Lücke einordnete.
---------------------------------------------
https://www.heise.de/news/libarchive-Sicherheitsluecke-entpuppt-sich-als-kr…
∗∗∗ Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild ∗∗∗
---------------------------------------------
CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings.
---------------------------------------------
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
∗∗∗ BadCam Attack Turns Trusted Linux Webcams into Stealthy USB Weapons ∗∗∗
---------------------------------------------
A new class of USB-based attacks has come to light. [..] Attackers can now exploit vulnerabilities in commonly used USB webcams running embedded Linux, transforming them into BadUSB devices capable of injecting keystrokes and executing covert operations independently of the host operating system.
---------------------------------------------
https://thecyberexpress.com/badcam-linux-webcam/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Debian (distro-info-data, gnutls28, modsecurity-crs, and node-tmp), Fedora (chromium, incus, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, varnish, and xen), Red Hat (kernel, kernel-rt, and rhc), and SUSE (chromedriver, ffmpeg-4, go1.23, go1.24, go1.25, govulncheck-vulndb, himmelblau, iperf, keylime-ima-policy, net-tools, sqlite3, texmaker, tomcat, and zabbix).
---------------------------------------------
https://lwn.net/Articles/1033328/
∗∗∗ SQUID-2025:1 Buffer Overflow in URN Handling ∗∗∗
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3
∗∗∗ Xerox® FreeFlow® Core v8.0.5 ∗∗∗
---------------------------------------------
https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Se…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 07-08-2025 18:00 − Freitag 08-08-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New EDR killer tool used by eight different ransomware groups ∗∗∗
---------------------------------------------
A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, has been observed in attacks by eight different ransomware gangs. Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-edr-killer-tool-used-by-…
∗∗∗ Why blow up satellites when you can just hack them? ∗∗∗
---------------------------------------------
Four countries have now tested anti-satellite missiles (the US, China, Russia, and India), but it's much easier and cheaper just to hack them. In a briefing at the Black Hat conference in Las Vegas, Milenko Starcik and Andrzej Olchawa from German biz VisionSpace Technologies demonstrated how easy it is by exploiting software vulnerabilities in the software used in the satellites themselves, as well as the ground stations that control them.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/07/balck_hat_sa…
∗∗∗ US confirms takedown of BlackSuit ransomware gang that racked up $370 million in ransoms ∗∗∗
---------------------------------------------
U.S. law enforcement agencies provided new details on an operation that dismantled critical infrastructure used by the BlackSuit ransomware gang after the organization’s leak site was replaced with a takedown banner nearly two weeks ago. The group — which rebranded from its Royal name after a devastating 2023 attack that shut down the city of Dallas — successfully attacked more than 450 entities in the U.S. Since emerging in 2022, the gang secured more than $370 million in ransom payments, according to U.S. investigators.
---------------------------------------------
https://therecord.media/us-confirms-blacksuit-takedown
∗∗∗ Abusing Ubuntu 24.04 features for root privilege escalation ∗∗∗
---------------------------------------------
With the recent release of Ubuntu 24.04, we at Snyk Security Labs thought it would be interesting to examine the latest version of this Linux distribution to see if we could find any interesting privilege escalation vulnerabilities. In this post, we have seen that it only takes the leveraging of one small vulnerability, combined with a number of features, to achieve a chain of exploitation resulting in a full privilege escalation. Even where security controls are in place preventing the direct exploitation of a small vulnerability it may still be possible to finesse limited exploitation potential into a much greater impact.
---------------------------------------------
https://labs.snyk.io/resources/abusing-ubuntu-root-privilege-escalation/
∗∗∗ Oops Safari, I think You Spilled Something ∗∗∗
---------------------------------------------
In February 2023, researchers at Exodus Intelligence discovered a bug in the Data Flow Graph (DFG) compiler of WebKit, the browser engine used by Safari. This bug, CVE-2024-44308, was patched by Apple in November 2024. While it was alive, its exploit was chained with PAC and APRR bypasses on Apple Silicon to yield renderer remote code execution capabilities on macOS and iOS. Such capabilities, and many others including LPEs and RCEs on Windows and Linux, are available to Exodus’ customers.
---------------------------------------------
https://blog.exodusintel.com/2025/08/04/oops-safari-i-think-you-spilled-som…
∗∗∗ 60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign ∗∗∗
---------------------------------------------
Socket’s Threat Research Team has uncovered a long-running supply chain attack in the RubyGems ecosystem. Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver. These gems deliver their advertised functionality, such as bulk posting or engagement, but covertly exfiltrate credentials (usernames and passwords) to threat actor-controlled infrastructure, which classifies them as infostealer malware.
---------------------------------------------
https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gdk-pixbuf2, glibc, kernel, kernel-rt, libxml2, and opentelemetry-collector), Fedora (firefox, mingw-opencv, moby-engine, varnish, webkitgtk, xen, and yarnpkg), Oracle (firefox, gdk-pixbuf2, glibc, kernel, libblockdev, libxml2, python-requests, python3.12-setuptools, and qt5-qt3d), Red Hat (libxml2, pcs, and sudo), and SUSE (agama, chromium, dpkg, ghostscript, iperf, kubo, libIex-3_3-32, libpoppler-cpp2, libsoup, libtiff-devel-32bit, nginx, python-urllib3, ruby2.5, tgt, traefik, and traefik2).
---------------------------------------------
https://lwn.net/Articles/1033009/
∗∗∗ CISA Issues ED 25-02: Mitigate Microsoft Exchange Vulnerability ∗∗∗
---------------------------------------------
Today, CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE-2025-53786, a vulnerability in Microsoft Exchange server hybrid deployments. ED 25-02 directs all Federal Civilian Executive Branch (FCEB) agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9:00 AM EDT on Monday, August 11, 2025. This vulnerability presents significant risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet implemented the April 2025 patch guidance.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-issues-ed-25-02-mit…
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-releases-ten-indust…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 06-08-2025 18:00 − Donnerstag 07-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations ∗∗∗
---------------------------------------------
A new post-exploitation command-and-control (C2) evasion method called Ghost Calls abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ghost-calls-tactic-abuse…
∗∗∗ Wave of 150 crypto-draining extensions hits Firefox add-on store ∗∗∗
---------------------------------------------
A malicious campaign dubbed GreedyBear has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-…
∗∗∗ Critical Zero-Day Bugs Crack Open CyberArk, HashiCorp Password Vaults ∗∗∗
---------------------------------------------
Secrets managers hold all the keys to an enterprises kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/critical-zero-day-bugs…
∗∗∗ Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft ∗∗∗
---------------------------------------------
Cybersecurity researchers have demonstrated an "end-to-end privilege escalation chain" in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment.
---------------------------------------------
https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html
∗∗∗ How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes ∗∗∗
---------------------------------------------
SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before its used in a SQL query. So why does this well-understood vulnerability type continue to exist?
---------------------------------------------
https://www.wordfence.com/blog/2025/08/how-to-find-sql-injection-vulnerabil…
∗∗∗ New Promptware Attack Hijacks User’s Gemini AI Via Google Calendar Invite ∗∗∗
---------------------------------------------
Cybersecurity researchers demonstrate a new attack on Google Gemini AI for Workspace. Discover how a simple calendar invite can be used to perform phishing, steal emails, and even control home appliances.
---------------------------------------------
https://hackread.com/promptware-attack-hijack-gemini-ai-google-calendar-inv…
∗∗∗ Unveiling a New Variant of the DarkCloud Campaign ∗∗∗
---------------------------------------------
In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis.
---------------------------------------------
https://feeds.fortinet.com/~/922857380/0/fortinet/blogs~Unveiling-a-New-Var…
∗∗∗ HTTP/1.1 must die: the desync endgame ∗∗∗
---------------------------------------------
Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This paper introduces several novel classes of HTTP desync attack capable of mass compromise of user credentials.
---------------------------------------------
https://portswigger.net/research/http1-must-die
∗∗∗ Malicious npm Packages Target WhatsApp Developers with Remote Kill Switch ∗∗∗
---------------------------------------------
Two npm packages masquerading as WhatsApp developer libraries include a kill switch that deletes all files if the phone number isn’t whitelisted.
---------------------------------------------
https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-w…
=====================
= Vulnerabilities =
=====================
∗∗∗ 6,500 Axis Servers Expose Remoting Protocol, 4,000 in U.S. Vulnerable to Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks.
---------------------------------------------
https://thehackernews.com/2025/08/6500-axis-servers-expose-remoting.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (glibc, kernel, libxml2, python-requests, and python-setuptools), Debian (chromium), Fedora (chromium, firefox, gdk-pixbuf2, iputils, libsoup3, libssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, and poppler), Gentoo (Composer and Spreadsheet-ParseExcel), Oracle (glibc, kernel, libxml2, python-setuptools, sqlite, and virt:rhel and virt-devel:rhel), Red Hat (libxml2), SUSE (grub2, libarchive, libgcrypt, and python311), and Ubuntu (cifs-utils and poppler).
---------------------------------------------
https://lwn.net/Articles/1032861/
∗∗∗ Erhöhte Bedrohungsaktivität gegen SonicWall Gen 7 Firewalls mit SSLVPN - Sofortmaßnahmen empfohlen ∗∗∗
---------------------------------------------
Update: 07. August 2025 Ergänzung von technischen Indikatoren für eine forensische Untersuchung möglicherweise betroffener Geräte sowie Informationen zu der angeblich relevanten Schwachstelle.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s…
∗∗∗ Sicherheitslücken: Angreifer können IBM Tivoli Monitoring crashen lassen ∗∗∗
---------------------------------------------
IBMs IT-Verwaltungssoftware Tivoli Monitoring ist verwundbar und Angreifer können an zwei Sicherheitslücken ansetzen. Ein Update zum Schließen der Lücken steht zum Download bereit.
---------------------------------------------
https://heise.de/-10513072
∗∗∗ EG4 Electronics EG4 Inverters ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07
∗∗∗ Dreame Technology iOS and Android Mobile Applications ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06
∗∗∗ Packet Power EMX and EG ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-05
∗∗∗ Rockwell Automation Arena ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-04
∗∗∗ Burk Technology ARC Solo ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-03
∗∗∗ Johnson Controls FX80 and FX90 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-02
∗∗∗ Delta Electronics DIAView ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 05-08-2025 18:00 − Mittwoch 06-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Driver of destruction: How a legitimate driver is being used to take down AV processes ∗∗∗
---------------------------------------------
In an incident response case, Kaspersky experts discovered new malware that terminates AV processes by abusing the legitimate ThrottleStop driver.
---------------------------------------------
https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/
∗∗∗ CISA Adds 3 D-Link Router Flaws to KEV Catalog After Active Exploitation Reports ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.
---------------------------------------------
https://thehackernews.com/2025/08/cisa-adds-3-d-link-router-flaws-to-kev.ht…
∗∗∗ CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures ∗∗∗
---------------------------------------------
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country.
---------------------------------------------
https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html
∗∗∗ GenAI Used For Phishing Websites Impersonating Brazil’s Government ∗∗∗
---------------------------------------------
In this blog post, ThreatLabz explores a campaign that uses generative AI tools like DeepSite AI and BlackBox AI to create malicious replicas of Brazil's State Department of Traffic and Ministry of Education.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/genai-used-phishing-website…
∗∗∗ Kriminelle versenden gefälschte Zahlungsaufforderungen im Namen der WKO ∗∗∗
---------------------------------------------
Die Wirtschatfskammer Österreich (WKO) ist erneut Ziel einer Phishing-Attacke geworden. Aktuell kursiert eine betrügerische E-Mail, die vorgibt, von der WKO zu stammen. In der E-Mail wird der Eindruck erweckt, dass eine ausstehende Mitgliedsrechnung bezahlt werden müsse. Das Ziel der Attacke ist es, an persönliche Informationen und Log-in-Daten zu kommen.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-versenden-gefaelschte-zah…
∗∗∗ Makop Ransomware Identified in Attacks in South Korea ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) recently identified cases of Makop ransomware attacks targeting South Korean users. The Makop ransomware has been distributed to South Korean users by disguising as resumes or emails related to copyrights for several years. Recently, it has been reported that the ransomware is exploiting RDP for attacks.
---------------------------------------------
https://asec.ahnlab.com/en/89397/
∗∗∗ The Cost of a Call: From Voice Phishing to Data Extortion ∗∗∗
---------------------------------------------
In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-dat…
=====================
= Vulnerabilities =
=====================
∗∗∗ Experience Manager: Adobe patcht 90 Tage nicht und bringt nun Notfallupdate ∗∗∗
---------------------------------------------
Da Proof-of-Concept-Code im Umlauf ist, könnten Angriffe auf Adobe Experience Manager bevorstehen. Angreifer können an zwei Sicherheitslücken [..] ansetzen, um Systeme zu attackieren. Die Schwachstellen sind seit April dieses Jahres bekannt, Sicherheitspatches gibt es aber erst jetzt.
---------------------------------------------
https://www.heise.de/news/Experience-Manager-Adobe-patcht-90-Tage-nicht-und…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi).
---------------------------------------------
https://lwn.net/Articles/1032700/
∗∗∗ Docker: Sicherheitsalptraum MCP – sechs Lücken identifiziert ∗∗∗
---------------------------------------------
Die Containerplattform Docker warnt vor Sicherheitsrisiken, die sich durch die Nutzung von MCP-Quellen ergeben und Angreifern leichten Zugriff auf Dateien, Datenbanken, Netzwerk und Secrets eröffnen. Außerdem können die Täter weitreichend Befehle absetzen und schädlichen Code einschleusen.
---------------------------------------------
https://heise.de/-10510262
∗∗∗ Sicherheitsupdates: Root-Attacken auf Dell PowerProtect und Unity möglich ∗∗∗
---------------------------------------------
Um möglichen Attacken vorzubeugen, sollten Admins Dell PowerProtect Data Domain und Unity, UnityVSA sowie Unity XT auf den aktuellen Stand bringen. Geschieht das nicht, können Angreifer unter anderem mit Root-Rechten auf Instanzen zugreifen und diese kompromittieren.
---------------------------------------------
https://heise.de/-10511706
∗∗∗ JVN: Multiple vulnerabilities in Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN16547726/
∗∗∗ ZDI-25-771: Trend Micro Apex One Console Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-771/
∗∗∗ ZDI-25-807: (0Day) AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-807/
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desk…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 04-08-2025 18:00 − Dienstag 05-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Android gets patches for Qualcomm flaws exploited in attacks ∗∗∗
---------------------------------------------
Google has released security patches for six vulnerabilities in Androids August 2025 security update, including two Qualcomm flaws exploited in targeted attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-gets-patches-for-qua…
∗∗∗ Stealing Machine Keys for fun and profit (or riding the SharePoint wave) ∗∗∗
---------------------------------------------
About 10 days ago exploits for Microsoft SharePoint (CVE-2025-53770, CVE-2025-53771) started being publicly abused ..
---------------------------------------------
https://isc.sans.edu/diary/Stealing+Machine+Keys+for+fun+and+profit+or+ridi…
∗∗∗ Antivirus vendors fail to spot persistent, nasty, stealthy Linux backdoor ∗∗∗
---------------------------------------------
Plague malware has been around for months without tripping alarms Updated Researchers at German infosec services company Nextron Threat have spotted malware that creates a highly-persistent Linux backdoor and say antivirus engines do not flag the code as malicious.
---------------------------------------------
https://www.theregister.com/2025/08/05/plague_linux_backdoor/
∗∗∗ CrowdStrike investigated 320 North Korean IT worker cases in the past year ∗∗∗
---------------------------------------------
Threat hunters saw North Korean operatives almost daily, reflecting a 220% year-over-year increase in activity, CrowdStrike said in a new report.
---------------------------------------------
https://cyberscoop.com/crowdstrike-north-korean-operatives/
∗∗∗ Mozilla: Phishing-Attacken auf Add-on-Entwickler beobachtet ∗∗∗
---------------------------------------------
Zurzeit haben es Kriminelle auf Add-on-Entwickler abgesehen, die Erweiterungen für Firefox erstellen.
---------------------------------------------
https://www.heise.de/news/Mozilla-warnt-vor-Phishing-Attacken-auf-Add-on-En…
∗∗∗ From code to stolen wallets: How hackers are trapping AI development tools ∗∗∗
---------------------------------------------
When AI becomes a target At a time when AI technology is developing rapidly, AI has been increasingly integrated into our daily lives. However, due ..
---------------------------------------------
https://blog.360totalsecurity.com/en/from-code-to-stolen-wallets-how-hacker…
∗∗∗ Achtung Fake-Shop: vorwerk-deutschland.de ∗∗∗
---------------------------------------------
Auf vorwerk-deutschland.de freuen sich viele Kund:innen über ein Schnäppchen. Der neue Thermomix TM7 wird dort zu einem günstigeren Preis angeboten. Doch Vorsicht: Es handelt sich um einen Fake-Shop, der nur Zahlung per Vorkasse akzeptiert. Wer hier bestellt, verliert sein Geld und erhält keine Ware.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-vorwerk-deutschlan…
∗∗∗ Ukrainische Hacker erbeuteten Geheimdokumente über das neueste russische Atom-U-Boot ∗∗∗
---------------------------------------------
Die erbeuteten Daten umfassen Besatzungslisten, Einsatzdaten und Baupläne. Laut dem ukrainischen Geheimdienst wurden auch die Schwächen des U-Boots offengelegt
---------------------------------------------
https://www.derstandard.at/story/3000000282244/ukrainische-hacker-erbeutete…
∗∗∗ Erhöhte Bedrohungsaktivität gegen SonicWall Gen 7 Firewalls mit SSLVPN - Sofortmaßnahmen empfohlen ∗∗∗
---------------------------------------------
SonicWall berichtet über eine deutliche Zunahme von Sicherheitsvorfällen in den letzten 96 Stunden, die Gen 7 SonicWall Firewalls mit aktiviertem SSLVPN betreffen. Die Bedrohungsaktivität wurde sowohl intern als auch von externen Organisationen und Unternehmen wie Arctic Wolf, Google Mandiant und Huntress gemeldet. Es ist noch nicht ..
---------------------------------------------
https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s…
∗∗∗ From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira ∗∗∗
---------------------------------------------
Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery ..
---------------------------------------------
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumbleb…
∗∗∗ Cursor IDE: Persistent Code Execution via MCP Trust Bypass ∗∗∗
---------------------------------------------
Check Point Research uncovered a persistent remote code execution vulnerability in Cursor, a fast-growing AI-powered coding platform trusted by developers worldwide. MCP Vulnerability Cursor allows attackers to gain long-term, silent access to ..
---------------------------------------------
https://blog.checkpoint.com/research/cursor-ide-persistent-code-execution-v…
∗∗∗ Vietnamese-speaking hackers appear to be running global data theft operation through Telegram ∗∗∗
---------------------------------------------
A combination of phishing lures, a previously spotted infostealer and Telegram bots are fueling a campaign by apparent Vietnamese-speaking hackers to capture and sell sensitive data globally.
---------------------------------------------
https://therecord.media/pxa-infostealer-telegram-bots-vietnamese-speaking-h…
∗∗∗ Neue Insights zum SharePoint-Gate: Mitarbeiter aus China für die Wartung ∗∗∗
---------------------------------------------
Seit dem SharePoint-Desaster im Juli 2025, bei dem Schwachstellen angegriffen wurden, gibt es fast jeden Tag neue Enthüllungen. Es wurde spekuliert, dass mutmaßlich chinesische Hacker vorab auf interne ..
---------------------------------------------
https://www.borncity.com/blog/2025/08/05/neue-insights-zum-sharepoint-gate-…
∗∗∗ Microsoft Recall erfasst weiterhin (Juli 2025) Kreditkartendaten und Passwörter ∗∗∗
---------------------------------------------
Ist es eine Überraschung? Nein, keine Überraschung, sondern zu erwarten. Die Spionagefunktion Recall, die Microsoft auf die Windows-Systeme drückt, erfasst weiterhin Sensitives wie Kreditkartendaten und Passwörter. Und dies, ..
---------------------------------------------
https://www.borncity.com/blog/2025/08/05/microsoft-recall-erfasst-weiterhin…
∗∗∗ Detection Engineering: Practicing Detection-as-Code – Validation – Part 3 ∗∗∗
---------------------------------------------
In this part, we focus on implementing validation checks to improve consistency and ensure a minimum level of quality within the detection repository. Setting up validation pipelines is a key step, as it helps enforce the defined standards, reduce errors, and ensure that detections are reliable and consistent.
---------------------------------------------
https://blog.nviso.eu/2025/08/05/detection-engineering-practicing-detection…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 01-08-2025 18:00 − Montag 04-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Pi-hole discloses data breach triggered by WordPress plugin flaw ∗∗∗
---------------------------------------------
Pi-hole, a popular network-level ad-blocker, has disclosed that donor names and email addresses were exposed through a security vulnerability in the GiveWP WordPress donation plugin.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pi-hole-discloses-data-breac…
∗∗∗ Mozilla warns of phishing attacks targeting add-on developers ∗∗∗
---------------------------------------------
Mozilla has warned browser extension developers of an active phishing campaign targeting accounts on its official AMO (addons.mozilla.org) repository.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mozilla-warns-of-phishing-at…
∗∗∗ New Plague Linux malware stealthily maintains SSH access ∗∗∗
---------------------------------------------
A newly discovered Linux malware, which has evaded detection for over a year, allows attackers to gain persistent SSH access and bypass authentication on compromised systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-plague-malware-backdoors…
∗∗∗ Exchange: China wirft den USA Militär-Hacking vor ∗∗∗
---------------------------------------------
China beschuldigt US-Geheimdienste, über ein Jahr lang Microsoft Exchange-Schwachstellen ausgenutzt zu haben, um Militärdaten zu stehlen.
---------------------------------------------
https://www.golem.de/news/exchange-china-wirft-den-usa-militaer-hacking-vor…
∗∗∗ CISA roasts unnamed critical national infrastructure body for shoddy security hygiene ∗∗∗
---------------------------------------------
Plaintext passwords, shared admin accounts, and insufficient logging rampant at mystery org CISA is using the findings from a recent probe of an unidentified critical infrastructure organization to warn about the dangers of getting cybersecurity seriously wrong.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/02/cisa_coast_g…
∗∗∗ Lazarus Group rises again, this time with malware-laden fake FOSS ∗∗∗
---------------------------------------------
Software supply chain management vendor Sonatype last week published research in which it claimed that Lazarus Group has created hundreds of “shadow downloads” that appear to be popular open source software development tools but are full of malware.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/04/infosec_in_b…
∗∗∗ Gefälschte Rückerstattungs-Mails im Namen der WKO ∗∗∗
---------------------------------------------
Derzeit werden E-Mails mit dem Betreff „Ihr möglicher Erstattungsbetrag von bis zu 476 Euro“ an zahlreiche Mitglieder der Wirtschaftskammer Österreich (WKO) versendet. Darin wird behauptet, dass möglicherweise ein Rückerstattungsanspruch der Mitgliederbeiträge besteht, den man über einen Link prüfen kann. Achtung: Der Link führt zu einer betrügerischen Website, auf der persönliche Daten gestohlen werden.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-e-mails-zu-rueckersta…
∗∗∗ Akira Ransomware Exploiting Potential Zero-Day in SonicWall SSL VPN ∗∗∗
---------------------------------------------
Artic Wolf also suggest that the attacks could be exploiting an undetermined security flaw in the appliances, meaning a Zero-Day vulnerability, given that some of the incidents affected SonicWall devices which were fully patched.
---------------------------------------------
https://www.truesec.com/hub/blog/akira-ransomware-exploiting-potential-zero…
∗∗∗ Doch Sicherheitsvorfall bei Logitech-Partnerliste ∗∗∗
---------------------------------------------
Es hat einen Sicherheitsvorfall bei einem Dienstleister gegeben, der für die Firma Logitech die Logitech-Partner betreut. Logitech-Partner erhielten die Tage eine Betrugs-Mail, die vor dem Risiko eines Angriffs auf eine MetaMask-Wallet warnte, aber einen Phishing-Link enthielt.
---------------------------------------------
https://www.borncity.com/blog/2025/08/03/doch-sicherheitsvorfall-bei-logite…
∗∗∗ New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor ∗∗∗
---------------------------------------------
Security firm Point Wild has exposed a new malware campaign using malicious LNK files to install the REMCOS backdoor. This report details how attackers disguise files to gain full system control.
---------------------------------------------
https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/
∗∗∗ When Flatpak’s Sandbox Cracks: Real‑Life Security Issues Beyond the Ideal ∗∗∗
---------------------------------------------
Flatpak’s sandbox model is robust in design, but imperfect in deployment. Sandboxes dissolved through misconfiguration, vulnerabilities like CVE‑2024‑32462, and symlink exploits illustrate the friction between ideal and actual protection.
---------------------------------------------
https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdate: Phishingangriffe auf IBM Operational Decision Manager möglich ∗∗∗
---------------------------------------------
IBMs Businesstool Operational Decision Manager ist verwundbar. In aktuellen Versionen haben die Entwickler zwei Sicherheitslücken geschlossen.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Phishingangriffe-auf-IBM-Operat…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-21-openjdk, kernel, libxml2, and lz4), Debian (exempi, ruby-graphql, and sope), Fedora (binutils, chromium, gdk-pixbuf2, libsoup3, poppler, and reposurgeon), Mageia (glib2.0 and wxgtk), Oracle (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Red Hat (kernel, pandoc, pcs, qemu-kvm, redis, and rsync), SUSE (chromedriver, coreutils, cosign, docker, gdk-pixbuf-devel, glib2, gnutls, grub2, gstreamer-plugins-base, helm, ignition, java-21-openjdk, jbigkit, jq, kernel, kubernetes1.28, kwctl, libxml2, nvidia-open-driver-G06-signed, opensc, pam-config, protobuf, python310, tgt, and valkey), and Ubuntu (linux-iot).
---------------------------------------------
https://lwn.net/Articles/1032371/
∗∗∗ Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover ∗∗∗
---------------------------------------------
Wiz Research discovers a critical vulnerability chain allowing unauthenticated attackers to take over NVIDIAs Triton Inference Server.
---------------------------------------------
https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server
∗∗∗ Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape ∗∗∗
---------------------------------------------
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
---------------------------------------------
https://socket.dev/blog/nestjs-rce-vuln
∗∗∗ VU#317469: Partner Software/Partner Web does not sanitize Report files and Note content, allowing for XSS and RCE ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/317469
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0005 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0005.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 31-07-2025 18:00 − Freitag 01-08-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft to disable Excel workbook links to blocked file types ∗∗∗
---------------------------------------------
Microsoft has announced that it will start disabling external workbook links to blocked file types by default between October 2025 and July 2026. [..] After the rollout, Excel workbooks referencing blocked file types will display a #BLOCKED error or fail to refresh, eliminating security risks associated with accessing unsupported or high-risk file types, including, but not limited to, phishing attacks that utilize workbooks to redirect targets to malicious payloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-extern…
∗∗∗ Kali Linux can now run in Apple containers on macOS systems ∗∗∗
---------------------------------------------
Cybersecurity professionals and researchers can now launch Kali Linux in a virtualized container on macOS Sequoia using Apples new containerization framework.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kali-linux-can-now-run-in-ap…
∗∗∗ Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses.
---------------------------------------------
https://thehackernews.com/2025/07/experts-detect-multi-layer-redirect.html
∗∗∗ Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report.
---------------------------------------------
https://thehackernews.com/2025/08/attackers-use-fake-oauth-apps-with.html
∗∗∗ Huawei, at the heart of the Post outage ∗∗∗
---------------------------------------------
The cyberattack that hit Post (and Luxembourg) last week is believed to have targeted Huawei routers and their operating software. The presence of the Chinese giant at the heart of the infrastructure raises questions. The public company says it is reserving its answers for the MPs and ministers who will meet this Thursday at 10am in parliament.
---------------------------------------------
https://en.paperjam.lu/article/huawei-at-the-heart-of-the-post-outage
∗∗∗ CISA Releases Open-Source Eviction Strategies Tool for Cyber Incident Response ∗∗∗
---------------------------------------------
“How an organization approaches remediation and eviction of an incident is critically important to a successful response effort. Over the years, we have seen organizations struggle with identifying the right steps to take and the correct sequencing of actions to properly evict advanced adversaries from their enterprises,” said Jermaine Roebuck, Associate Director for Threat Hunting, CISA. “This tool will level the playing field by making it easier for IT staff and cyber defenders to coordinate efforts and achieve a successful eviction. I encourage public and private sector organizations to incorporate this capability into their incident response plans.”
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-open-source-eviction-st…
∗∗∗ CISA and USCG Issue Joint Advisory to Strengthen Cyber Hygiene in Critical Infrastructure ∗∗∗
---------------------------------------------
CISA, in partnership with the U.S. Coast Guard (USCG), released a joint Cybersecurity Advisory aimed at helping critical infrastructure organizations improve their cyber hygiene. [..] CISA and USCG are sharing their findings and associated mitigations to assist other critical infrastructure organizations identify potential similar issues and take proactive measures to improve their cybersecurity posture. The mitigations include best practices such as not storing passwords or credentials in plaintext, avoiding sharing local administrator account credentials, and implementing comprehensive logging.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/31/cisa-and-uscg-issue-join…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox and thunderbird), Debian (libcommons-lang-java, node-form-data, redis, and sope), Fedora (chromium), Mageia (slurm), Oracle (apache-commons-beanutils, firefox, kernel, redis:6, and thunderbird), Red Hat (kernel, kernel-rt, libxml2, and redis), SUSE (chromium, docker, ffmpeg-7, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libgcrypt, rav1e, and sccache), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8).
---------------------------------------------
https://lwn.net/Articles/1032174/
∗∗∗ WordPress Vulnerability & Patch Roundup — July 2025 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2025/07/wordpress-vulnerability-patch-roundup-july-…
∗∗∗ Rockwell Automation Lifecycle Services with VMware ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-212-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 30-07-2025 18:00 − Donnerstag 31-07-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install ∗∗∗
---------------------------------------------
The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug. According to Wordfence, the shortcoming relates to an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been addressed in version 7.8.5 released on June 16, 2025.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-exploit-critical-wordpress.html
∗∗∗ N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto ∗∗∗
---------------------------------------------
The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram.
---------------------------------------------
https://thehackernews.com/2025/07/n-korean-hackers-used-job-lures-cloud.html
∗∗∗ Scammers Unleash Flood of Slick Online Gaming Sites ∗∗∗
---------------------------------------------
Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here’s a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites.
---------------------------------------------
https://krebsonsecurity.com/2025/07/scammers-unleash-flood-of-slick-online-…
∗∗∗ Vorsicht vor dieser iCloud Phishing-Mail ∗∗∗
---------------------------------------------
„Letzte Mitteilung: Ihre Fotos und Videos werden gelöscht – ergreifen Sie Maßnahmen!“ Mit diesem Betreff versenden Kriminelle aktuell Phishing-Mails, die scheinbar von iCloud stammen. Unter dem Vorwand, das Speicherabonnement müsse verlängert werden, versuchen sie, an Zahlungsdaten zu gelangen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-dieser-icloud-phishing-…
∗∗∗ Patents by Silk Typhoon-linked company shed light on Beijing’s offensive hacking capabilities ∗∗∗
---------------------------------------------
SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government.
---------------------------------------------
https://therecord.media/patents-silk-typhoon-company-beijing
∗∗∗ GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities ∗∗∗
---------------------------------------------
It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed? In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks.
---------------------------------------------
https://www.greynoise.io/blog/greynoise-uncovers-early-warning-signals-emer…
∗∗∗ In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network ∗∗∗
---------------------------------------------
Hackers planted a Raspberry Pi equipped with a 4G modem in the network of an unnamed bank in an attempt to siphon money out of the financial institution's ATM system, researchers reported Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, java-21-openjdk, kernel, thunderbird, and unbound), Debian (chromium and systemd), Fedora (libtiff), Oracle (java-21-openjdk, libtpms, nodejs:22, redis:7, thunderbird, and unbound), Red Hat (firefox, redis, and thunderbird), SUSE (apache2, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, java-11-openjdk, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestf, libarchive, nvidia-open-driver-G06-signed, redis, and rmt-server), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-hwe-6.14, linux-oem-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-fips, linux-intel-iot-realtime, linux-realtime, linux-oracle, linux-oracle-6.8, linux-realtime, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1032083/
∗∗∗ Schnell installieren: Apple fixt Zero-Day-Angriff in WebKit ∗∗∗
---------------------------------------------
Apples in der Nacht zum Mittwoch erschienene Updates für iOS, iPadOS und macOS sollten dringend schnell eingespielt werden: Wie nun erst bekannt wurde, wird damit auch ein WebKit-Bug gefixt, für den es bereits einen Exploit gibt. Dieser wird allerdings bislang nur verwendet, um Chrome-Nutzer anzugreifen, wie es in der zugehörigen NIST-Meldung heißt (CVE-2025-6558). Der Fehler wird mit "Severity: High" bewertet. Verwirrend: Apple warnt in seinen Sicherheitsunterlagen nicht vor bekannten aktiven Angriffen – offenbar, weil es für den Apple-Browser Safari noch keine entsprechenden Berichte gibt.
---------------------------------------------
https://heise.de/-10505297
∗∗∗ Sicherheitsupdate: Schwachstellen gefährden HCL BigFix Remote Control ∗∗∗
---------------------------------------------
Die Endpoint-Management-Plattform HCL BigFix ist verwundbar (CVE-2025-31965 "hoch"), und Angreifer können unbefugt Daten einsehen oder mit viel Aufwand und richtigem Timing sogar auf einen privaten Schlüssel zugreifen. Die Schwachstellen finden sich konkret in HCL BigFix Remote Control. Eine abgesicherte Version steht zum Download bereit.
---------------------------------------------
https://heise.de/-10505415
∗∗∗ CVE-2025-8292 - DSA-5968-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00132.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 29-07-2025 18:00 − Mittwoch 30-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Attackers Can Use Browser Extensions to Inject AI Prompts ∗∗∗
---------------------------------------------
A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/attackers-use-browser-e…
∗∗∗ PyPI Warns of Ongoing Phishing Campaign Using Fake Verification Emails and Lookalike Domain ∗∗∗
---------------------------------------------
The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack thats targeting users in an attempt to redirect them to fake PyPI sites. The attack involves sending email messages bearing the subject line "[PyPI] Email verification" that are sent from the email address noreply(a)pypj[.]org (note that the domain is not "pypi[.]org").
---------------------------------------------
https://thehackernews.com/2025/07/pypi-warns-of-ongoing-phishing-campaign.h…
∗∗∗ 2025 Unit 42 Global Incident Response Report: Social Engineering Edition ∗∗∗
---------------------------------------------
Social engineering thrives on trust and is now boosted by AI. Unit 42 incident response data explains why its surging. We detail eight critical countermeasures.
---------------------------------------------
https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-r…
∗∗∗ Google Project Zero to publicly announce bugs within a week of reporting them ∗∗∗
---------------------------------------------
The vulnerability hunters at Google Project Zero want to address what they call the "upstream patch gap," when a vendor has a fix available but the downstream product providers havent integrated it yet.
---------------------------------------------
https://therecord.media/google-project-zero-publicly-announce-vulnerabiliti…
∗∗∗ Decryptor released for FunkSec ransomware; Avast works with law enforcement to help victims ∗∗∗
---------------------------------------------
Cybersecurity company Avast released a decryptor for the short-lived FunkSec ransomware and said it is assisting dozens of the gangs targets with the process.
---------------------------------------------
https://therecord.media/funksec-ransomware-decryptor-avast
∗∗∗ New Choicejacking Attack Steals Data from Phones via Public Chargers ∗∗∗
---------------------------------------------
Choicejacking is a new USB attack that tricks phones into sharing data at public charging stations, bypassing security prompts in milliseconds.
---------------------------------------------
https://hackread.com/choicejacking-attack-steals-data-phones-public-charger…
∗∗∗ CISA Releases Part One of Zero Trust Microsegmentation Guidance ∗∗∗
---------------------------------------------
This guidance provides a high-level overview of microsegmentation, focusing on its key concepts, associated challenges and potential benefits, and includes recommended actions to modernize network security and advance zero trust principles.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/29/cisa-releases-part-one-z…
=====================
= Vulnerabilities =
=====================
∗∗∗ New Lenovo UEFI firmware updates fix Secure Boot bypass flaws ∗∗∗
---------------------------------------------
Lenovo is warning about high-severity BIOS flaws that could allow attackers to potentially bypass Secure Boot in all-in-one desktop PC models that use customized Insyde UEFI (Unified Extensible Firmware Interface).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-lenovo-uefi-firmware-upd…
∗∗∗ Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome ∗∗∗
---------------------------------------------
Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month. The vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), is an incorrect validation of untrusted input in the browser's ANGLE and GPU components that could result in a sandbox escape via a crafted HTML page.
---------------------------------------------
https://thehackernews.com/2025/07/apple-patches-safari-vulnerability-also.h…
∗∗∗ Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices.
---------------------------------------------
https://thehackernews.com/2025/07/critical-dahua-camera-flaws-enable.html
∗∗∗ Autodesk Security Advisory 29.07.2025 ∗∗∗
---------------------------------------------
Certain Autodesk products use a shared component that is affected by multiple vulnerabilities listed below. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0015
∗∗∗ Sicherheitsupdates: Angreifer können auf Dell ECS und ObjectScale zugreifen ∗∗∗
---------------------------------------------
Angreifer können mit vergleichsweise wenig Aufwand auf Dell Elastic Cloud Storage (ECS) und ObjectScale zugreifen. Damit setzten Firmen unter anderem Cloudspeicher auf. Liegen dort wichtige Daten, können unbefugte Zugriffe weitreichende Folgen haben. Sicherheitsupdates schließen die Schwachstelle.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Angreifer-koennen-auf-Dell-ECS…
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
The Stable channel has been updated to 138.0.7204.183/.184 for Windows, Mac and 138.0.7204.183 for Linux which will roll out over the coming days/weeks. This update includes 4 security fixes.
---------------------------------------------
http://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desk…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, icu, kernel-rt, libtpms, redis:6, redis:7, and sqlite), Fedora (chromium and cloud-init), Oracle (icu, java-1.8.0-openjdk, java-21-openjdk, kernel, nodejs:22, perl, and sqlite), SUSE (docker, java-1_8_0-openj9, libxml2, python-starlette, and thunderbird), and Ubuntu (cloud-init, linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4, and perl).
---------------------------------------------
https://lwn.net/Articles/1031919/
∗∗∗ Zahnarzt Praxis-Verwaltung-System (PVS): Sicherheitslücken beim CGM Z1 – Teil 1 ∗∗∗
---------------------------------------------
Von der Firma CompuGroup Medical (CGM) wird auch ein Praxis-Verwaltungssystem (PVS) für Zahnärzte vertrieben. Das System ist laut Firmenaussage bei über 7.000 Zahnärzten im Einsatz. Eine anonym bleiben wollende Quelle informierte mich Anfang des Jahres über potentielle Sicherheitsprobleme in dieser Software. Inzwischen hat es ein Software-Update gegeben, mit dem diese Probleme ausgeräumt sein sollten. Ich fasse mal den Sachverhalt in einigen Blog-Beiträgen zusammen.
---------------------------------------------
https://www.borncity.com/blog/2025/07/30/sicherheit-beim-zahnarzt-pvs-z1/
∗∗∗ Delta Electronics DTN Soft ∗∗∗
---------------------------------------------
According to Delta Electronics, if a version of DTN Soft prior to v2.1.0 is installed, it should be updated to v2.1.0 or later. If DTM Soft is also installed, it should be updated to v1.6.0.0 (released on March 25, 2025) or later. Successful exploitation of this vulnerability could allow an attacker to use a specially crafted project file to execute arbitrary code.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-03
∗∗∗ TP-Link Archer C50 router is vulnerable to configuration-file decryption ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/554637
∗∗∗ Security update for Tenable Patch Management Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-15
∗∗∗ CISA: Security update for National Instruments LabVIEW ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-01
∗∗∗ CISA: Security update for Samsung HVAC DMS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily