=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 05-05-2026 18:00 − Mittwoch 06-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MuddyWater hackers use Chaos ransomware as a decoy in attacks ∗∗∗
---------------------------------------------
The MuddyWater Iranian hackers disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/muddywater-hackers-use-chaos…
∗∗∗ OceanLotus suspected of using PyPI to deliver ZiChatBot malware ∗∗∗
---------------------------------------------
Kaspersky researchers uncovered malicious wheel packages in PyPI that targeted both Windows and Linux and contained a dropper delivering malware dubbed ZiChatBot. We attribute this activity to OceanLotus APT.
---------------------------------------------
https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/
∗∗∗ Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader ∗∗∗
---------------------------------------------
OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that execute complex tasks requiring high-privilege local system access. While intended for automation, its modular "skill" architecture has been weaponized as a significant attack vector.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-di…
∗∗∗ Behörde für abgesicherte Ausweise geknackt: 15-Jähriger verhaftet ∗∗∗
---------------------------------------------
Millionen Datensätze aus französischen „abgesicherten Ausweisen” gerieten in falsche Hände. Kein fremder Geheimdienst, sondern ein Bursche ist verdächtig.
---------------------------------------------
https://www.heise.de/news/Behoerde-fuer-abgesicherte-Ausweise-geknackt-15-J…
∗∗∗ „Pressure Cooker“: Europols geheime Datenverarbeitung ohne Aufsicht ∗∗∗
---------------------------------------------
Interne, per Infofreiheit erlangte Warnungen belegen, dass das EU-Polizeiamt lange operative Netzwerke ohne IT-Kontrolle und richtige Protokollierung betrieb.
---------------------------------------------
https://www.heise.de/news/Pressure-Cooker-Europols-geheime-Datenverarbeitun…
∗∗∗ FSFE warnt: NHS sollte quelloffenen Code nicht depublizieren ∗∗∗
---------------------------------------------
Die Free Software Foundation Europe warnt vor dem Umstellen der NHS-Code-Repositories auf Privat aus Angst vor KI-Schwachstellensuche.
---------------------------------------------
https://www.heise.de/news/FSFE-warnt-NHS-sollte-quelloffenen-Code-nicht-dep…
∗∗∗ IPFire: Neue DNS Firewall soll URL-Filter und Pi-hole ablösen ∗∗∗
---------------------------------------------
Die Firewall-Distribution IPFire bringt mit Core Update 201 eine DNS Firewall mit, die unerwünschte Domains schon bei der Namensauflösung blockiert.
---------------------------------------------
https://www.heise.de/news/IPFire-Neue-DNS-Firewall-soll-URL-Filter-und-Pi-h…
∗∗∗ Discounter-Falle: Gefälschte Suchergebnisse führen in Lidl-Fake-Shop ∗∗∗
---------------------------------------------
Wer sich online auf die Suche nach günstigen Haushaltsgeräten, Fahrrädern, Werkzeugen oder anderen beliebten Artikeln macht, landet häufig in einem Fake-Shop. Als „gesponserte Suchergebnisse“ getarnte Werbeanzeigen führen direkt in die Falle, die optisch dem Web-Auftritt des bekannten Discounters Lidl nachempfunden ist.
---------------------------------------------
https://www.watchlist-internet.at/news/lidl-fake-shop/
∗∗∗ Paramiko Security Audit ∗∗∗
---------------------------------------------
Paramiko is a pure-Python implementation of SSHv2 that provides both client- and server-side functionality. It serves as the foundation for the high-level SSH library Fabric and is widely regarded as one of the most popular SSH solutions in the Python ecosystem. The Cryptography library, for its part, offers Python developers access to a broad range of cryptographic algorithms and primitives. It is a widely adopted Python/Rust library with more than 25,000 known dependencies.
---------------------------------------------
http://blog.quarkslab.com/paramiko-security-audit.html
∗∗∗ The Jenkins Threat Landscape ∗∗∗
---------------------------------------------
What usage patterns, plugin adoption, and configuration choices reveal about the Jenkins attack surface.
---------------------------------------------
https://www.wiz.io/blog/jenkins-threat-risk-insights
∗∗∗ New Infostealer Dubbed ‘Pheno’ Hijacks Windows’ Phone Link App to Steal MFA OTPs ∗∗∗
---------------------------------------------
Attackers have found a way to intercept SMS-based one-time passwords from a victims mobile device without deploying a single line of malware on the phone itself. Instead, they go through the Windows PC the phone is already connected to.
---------------------------------------------
https://thecyberexpress.com/new-infostealer-pheno-steals-mfa-otps/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE ∗∗∗
---------------------------------------------
The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling.
---------------------------------------------
https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html
∗∗∗ PAN-OS-Lücke wird angegriffen, Updates erst in Wochen geplant ∗∗∗
---------------------------------------------
Palo Alto Networks warnt vor einer bereits angegriffenen kritischen Sicherheitslücke in PAN-OS. Updates kommen frühestens Mitte Mai.
---------------------------------------------
https://www.heise.de/news/PAN-OS-Luecke-wird-angegriffen-Updates-erst-in-Wo…
∗∗∗ An exploitable integer overflow in Lix (CVE-2026-44028) ∗∗∗
---------------------------------------------
Security researchers have found a security issue in Lix. This issue has been assigned CVE-2026-44028.
---------------------------------------------
https://lix.systems/blog/2026-05-05-lix-unsigned-integer-overflow/
∗∗∗ Attackers Actively Exploiting Critical Vulnerability in Breeze Cache Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2026/05/attackers-actively-exploiting-critic…
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071466/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 04-05-2026 18:00 − Dienstag 05-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Trellix discloses data breach after source code repository hack ∗∗∗
---------------------------------------------
Cybersecurity firm Trellix disclosed a data breach after attackers gained access to "a portion" of its source code repository.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trellix-discloses-data-breac…
∗∗∗ Amazon SES increasingly abused in phishing to evade detection ∗∗∗
---------------------------------------------
The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abus…
∗∗∗ Weaver E-cology critical bug exploited in attacks since March ∗∗∗
---------------------------------------------
Hackers have been exploiting a critical vulnerability (CVE-2026-22679) in the Weaver E-cology office automation since mid-March to run discovery commands.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/weaver-e-cology-critical-bug…
∗∗∗ CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs ∗∗∗
---------------------------------------------
A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudz-malware-abuses-micros…
∗∗∗ Webbrowser: Klartext-Passwörter im Speicher von Microsoft Edge entdeckt ∗∗∗
---------------------------------------------
Der in Edge integrierte Passwortmanager ist offenbar keine sichere Wahl. Passwörter landen beim Start im Prozessspeicher und lassen sich auslesen.
---------------------------------------------
https://www.golem.de/news/webbrowser-klartext-passwoerter-permanent-im-spei…
∗∗∗ Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools ∗∗∗
---------------------------------------------
An active phishing campaign has been observed targeting multiple vectors since at least April 2025 with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts.
---------------------------------------------
https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html
∗∗∗ Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries ∗∗∗
---------------------------------------------
Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens.
---------------------------------------------
https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html
∗∗∗ Vimeo-Datenleck: 119.000 E-Mail-Adressen betroffen ∗∗∗
---------------------------------------------
Die Cybergang ShinyHunters hat Daten von Vimeo bei Anodot gestohlen und ins Darknet gestellt. Nun hat Have-I-Been-Pwned sie aufgenommen.
---------------------------------------------
https://www.heise.de/news/Vimeo-Datenleck-119-000-E-Mail-Adressen-betroffen…
∗∗∗ Datenschutzvorfall bei Verlag Delius Klasing ∗∗∗
---------------------------------------------
Der Verlag Delius Klasing räumt in einer E-Mail an Kunden einen IT-Vorfall ein. Personenbezogene Kundendaten wurden offengelegt.
---------------------------------------------
https://www.heise.de/news/Datenschutzvorfall-bei-Verlag-Delius-Klasing-1128…
∗∗∗ Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities ∗∗∗
---------------------------------------------
TrendAI™ Research breaks down Quasar Linux (QLNX), a previously undocumented sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux threat incorporating a rootkit, a PAM backdoor, credential harvesting, and more, revealing how this malware enables stealthy access, persistence, and potential supply-chain attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/e/quasar-linux-qlnx-a-silent-f…
∗∗∗ CISA Unveils New Initiative to Fortify America’s Critical Infrastructure ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help critical infrastructure (CI) entities across all sectors prepare to operate through a crisis or conflict, continuing vital service delivery even as their systems are under attack.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday: Kritische Schadcode-Lücke bedroht Android 14, 15 und 16 ∗∗∗
---------------------------------------------
Schadcode kann durch ein fehlerhaftes Debugging-Modul auf Androidgeräte schlüpfen. Nun hat Google die kritische Schwachstelle geschlossen.
---------------------------------------------
https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-bedroht-Andro…
∗∗∗ Daemon Tools Lite: Infizierte Installer durch Supply-Chain-Attacke ∗∗∗
---------------------------------------------
Offiziell signierte Daemon-Tools-Installer von der Herstellerseite bringen Malware mit. Offenbar durch einen Lieferkettenangriff.
---------------------------------------------
https://www.heise.de/news/Daemon-Tools-Lite-Infizierte-Installer-durch-Supp…
∗∗∗ Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass ∗∗∗
---------------------------------------------
Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts.
---------------------------------------------
https://thehackernews.com/2026/05/progress-patches-critical-moveit.html
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071324/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 30-04-2026 18:00 − Montag 04-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ConsentFix v3 attacks target Azure with automated OAuth abuse ∗∗∗
---------------------------------------------
A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/consentfix-v3-attacks-target…
∗∗∗ Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks ∗∗∗
---------------------------------------------
A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.
---------------------------------------------
https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html
∗∗∗ Trellix: Angreifer erlangten Zugriff auf Quellcode ∗∗∗
---------------------------------------------
Trellix, das aus FireEye und McAfee hervorging, hat einen IT-Vorfall gemeldet. Angreifer haben Zugriff auf Quellcode erlangt.
---------------------------------------------
https://www.heise.de/news/Trellix-Angreifer-erlangten-Zugriff-auf-Quellcode…
∗∗∗ Vorfall bei DigiCert: Malware-Autoren klauten Zertifikate ∗∗∗
---------------------------------------------
Die Zertifizierungsstelle DigiCert hat im April mehrere Zertifikate zur Signierung von Programmen („Code Signing Certificate“) an Malware-Autoren ausgegeben. Diese hatten zuvor Kundendienstmitarbeiter bei DigiCert mit Schadsoftware angegriffen und deren Rechner übernommen. Weil verschiedene Schutzmaßnahmen versagten, erlangten die Kriminellen Zugriff auf ein geschütztes Kundenportal – inklusive aller notwendigen Informationen, um die Zertifikate abzurufen.
---------------------------------------------
https://www.heise.de/news/Nach-Malware-Angriff-Kriminelle-nutzten-Codesigni…
∗∗∗ Build a Decoy MCP Server to Catch AI Agent Attackers ∗∗∗
---------------------------------------------
Your AI agents MCP config can be a target for an attacker who reaches your machine. A decoy MCP server entry pointing at a Cloudflare Worker can reveal the attackers presence and their intent.
---------------------------------------------
https://zeltser.com/decoy-mcp-server-honeypot
∗∗∗ ESC-Tickets im Netz: Drittanbieter wie ticombo.com bergen ein hohes Risiko! ∗∗∗
---------------------------------------------
Für den ausverkauften Eurovision Song Contest tauchen immer wieder Ticketangebote bei Drittanbietern auf. Wir erklären, warum man besser die Finger davon lassen sollte.
---------------------------------------------
https://www.watchlist-internet.at/news/esc-tickets-plattformen-wie-ticomboc…
∗∗∗ That AI Extension Helping You Write Emails? It’s Reading Them First ∗∗∗
---------------------------------------------
Unit 42 uncovers high-risk AI browser extensions. Disguised as productivity tools, they steal data, intercept prompts, and exfiltrate passwords. Protect your browser.
---------------------------------------------
https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/
∗∗∗ EV-Zertifikate von Lenovo & Co. durch GoldenEyeDog missbraucht ∗∗∗
---------------------------------------------
Hersteller wie Lenovo, Kingston, Shuttle Inc. und Palit Microsystems sind von einem Zertifikatsproblem betroffen. Eine chinesische Hackergruppe namens GoldenEyeDog (APT-Q-27) war in der Lage, EV-Zertifikate im Namen der oben genannten Organisationen auszustellen und für kriminelle Zwecke zu missbrauchen.
---------------------------------------------
https://borncity.com/blog/2026/05/03/ev-zertifikate-von-lenovo-co-durch-gol…
∗∗∗ Careful Adoption of Agentic AI Services ∗∗∗
---------------------------------------------
CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international and U.S. partners, released guidance for organizations on adopting agentic artificial intelligence (AI) systems.
---------------------------------------------
https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-…
∗∗∗ The Life-Dinner Principle in Detection ∗∗∗
---------------------------------------------
Cybersecurity has its own folk saying. You have heard it at conferences, on panels, in vendor decks, and in LinkedIn posts from CISOs who are “humbled” to announce something: “The attacker only has to be right once. The defender has to be right every time.”
---------------------------------------------
https://detect.fyi/the-life-dinner-principle-in-detection-822169d9da2c
∗∗∗ Evaluating our Threat Hunting Detection Rules (+ KQL Query Evaluation) ∗∗∗
---------------------------------------------
I really enjoy creating detection rules — they give me better visibility into current threats, help me stay proactive, and bring many other advantages. On the other hand, it’s a double-edged sword.
---------------------------------------------
https://detect.fyi/evaluating-our-threat-hunting-detection-rules-kql-query-…
∗∗∗ Practical Package Security: The Unofficial Guide ∗∗∗
---------------------------------------------
Get actionable best practices to shrink your attack surface, protect execution environments, control package ingestion, and catch compromises early.
---------------------------------------------
https://www.wiz.io/blog/practical-package-security-the-unofficial-guide
∗∗∗ Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise ∗∗∗
---------------------------------------------
Socket found a malicious Intercom PHP package on Packagist using Composer plugin execution to steal credentials and spread across ecosystems.
---------------------------------------------
https://socket.dev/blog/mini-shai-hulud-packagist-malicious-intercom-php-pa…
∗∗∗ Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables ∗∗∗
---------------------------------------------
The Socket Research Team has detected an active supply-chain attack targeting the unscoped tanstack package on npm, a brand-squatted impersonation of the legitimate @tanstack/* organization.
---------------------------------------------
https://socket.dev/blog/tanstack-brandsquat-compromise
∗∗∗ NCSC Warns Organisations to Act Fast as Hidden Software Flaws Surface ∗∗∗
---------------------------------------------
Organisations worldwide are being urged to prepare for a vulnerability patch wave, as security experts warn that advances in artificial intelligence (AI) could rapidly expose long-standing weaknesses across software systems. The warning comes from National Cyber Security Centre (NCSC), which says businesses must act now to strengthen their environments before a surge of critical updates arrives.
---------------------------------------------
https://thecyberexpress.com/ncsc-vulnerability-patch-wave/
∗∗∗ FBI Warns of Surge in Cyber-Enabled Cargo Theft Targeting Logistics Firms ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) has issued a public warning over a sharp rise in cyber-enabled cargo theft, as threat actors increasingly use digital tactics to impersonate legitimate businesses, hijack freight, and steal high-value shipments. According to the FBI, cybercriminals are targeting transportation and logistics companies involved in shipping, receiving, and insuring cargo.
---------------------------------------------
https://thecyberexpress.com/cyber-enabled-cargo-theft-fbi-issues-alert/
=====================
= Vulnerabilities =
=====================
∗∗∗ Copy Fail Update #1: Kritische Linux-Kernel-Schwachstelle ermöglicht lokale Root-Rechte ∗∗∗
---------------------------------------------
04.05.2026 Wir haben den Hinweis erhalten, dass ein Workaround existiert, der auf Systemen greift, bei denen der betroffene Code in einem Kernel-Modul enthalten ist (wie unter anderem Debian-basierte Systeme wie Ubuntu). Dabei wird das Laden des Moduls verhindert.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/4/copy-fail-kritische-linux-kernel-sc…
∗∗∗ Progress warns of critical MOVEit Automation auth bypass flaw ∗∗∗
---------------------------------------------
Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/moveit-automation-customers-…
∗∗∗ Netzwerkanalysetool Wireshark: Zahlreiche Sicherheitslücken geschlossen ∗∗∗
---------------------------------------------
In zwei aktuellen Versionen von Wireshark haben die Entwickler mehrere Schwachstellen geschlossen.
---------------------------------------------
https://www.heise.de/news/Netzwerkanalysetool-Wireshark-Zahlreiche-Sicherhe…
∗∗∗ Tails 7.7.1: Notfallupdate für anonymisierendes Linux stopft Firefox-Lecks ∗∗∗
---------------------------------------------
Das anonymisierende Linux Tails schließt in Version 7.7.1 unter anderem Firefox-Sicherheitslücken im Tor-Browser.
---------------------------------------------
https://www.heise.de/news/Tails-7-7-1-Notfallupdate-fuer-anonymisierendes-L…
∗∗∗ Bösartige npm-Pakete: SAP-Software kompromittiert ∗∗∗
---------------------------------------------
Mehrere npm-Pakete von SAP waren einer Supply‑Chain‑Attacke ausgesetzt. Dahinter steckt die Hackergruppe TeamPCP, sagen Sicherheitsforscher.
---------------------------------------------
https://www.heise.de/news/Boesartige-npm-Pakete-SAP-Software-kompromittiert…
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071167/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 29-04-2026 18:00 − Donnerstag 30-04-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Popular WordPress redirect plugin hid dormant backdoor for years ∗∗∗
---------------------------------------------
The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-p…
∗∗∗ RDP Security: CPS Threats Spark Need for Secure Remote Access ∗∗∗
---------------------------------------------
1.8 million RDP and 1.6 million VNC servers are exposed on the internet. [..] 18% of exposed RDP servers run end-of-life Windows versions; an additional 42% run Windows 10, which reached end of support last October. [..] 19,000+ RDP servers remain vulnerable to BlueKeep (CVE-2019-0708) — a critical remote code execution flaw. Nearly 60,000 VNC servers have authentication disabled — 670+ of those have direct access to OT/ICS control panels. [..] Hacktivist groups are sharing custom tools to scan for vulnerable VNC servers and selling access to compromised assets.
---------------------------------------------
https://www.forescout.com/blog/rdp-security-cps-threats-spark-need-for-secu…
∗∗∗ Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution ∗∗∗
---------------------------------------------
Google has addressed a maximum severity security flaw in Gemini CLI -- the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow -- that could have allowed attackers to execute arbitrary commands on host systems. [..] The update addresses the problem by requiring folders to be explicitly trusted before configuration files can be accessed. To that end, users are being urged to review their workflows and adopt one of two approaches.
---------------------------------------------
https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.ht…
∗∗∗ Aktive Ausnutzung einer schwerwiegenden Sicherheitslücke in cPanel und WHM ∗∗∗
---------------------------------------------
Der Hersteller cPanel hat kürzlich Sicherheitsupdates zur Behebung einer kritischen Schwachstelle (CVE-2026-41940) in den Produkten cPanel & WHM sowie WP Squared veröffentlicht. Laut Berichten von watchTowr wird diese Schwachstelle bereits aktiv durch Angreifer:innen ausgenutzt, um Hosting-Infrastrukturen zu kompromittieren. Es gibt Hinweise darauf, dass gezielte Zero-Day-Angriffe bereits seit Ende Februar 2026 stattfinden.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/4/aktive-ausnutzung-einer-schwerwiege…
∗∗∗ New AI-Powered Bluekit Phishing Kit Targets Major Platforms with MFA Bypass Attacks ∗∗∗
---------------------------------------------
Bluekit Phishing Kit is a new PhaaS tool that targets major platforms, using AiTM techniques to steal session data and bypass MFA protections. [..] According to Varonis’ experts, when a victim enters their details on a fake Bluekit page, the kit doesn’t just grab the password; it also steals session cookies and local storage data.
---------------------------------------------
https://hackread.com/bluekit-phishing-kit-targets-platforms-mfa-bypass-atta…
∗∗∗ Adapting Zero Trust Principles to Operational Technology ∗∗∗
---------------------------------------------
This guidance supports OT owners and operators in addressing the unique challenges of transitioning to a ZT architecture, considering technology gaps from legacy infrastructure, operational constraints, and safety requirements. It focuses on establishing comprehensive asset visibility, proactively addressing supply chain risks, and implementing robust identity and access management while stressing the importance of layered security measures—including network segmentation, secure communication protocols, and vulnerability management.
---------------------------------------------
https://www.cisa.gov/resources-tools/resources/adapting-zero-trust-principl…
∗∗∗ Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables ∗∗∗
---------------------------------------------
The Socket Research Team has detected an active supply-chain attack targeting the unscoped tanstack package on npm, a brand-squatted impersonation of the legitimate @tanstack/* organization. Beginning today, the package's maintainer (sh20raj) began pushing malicious versions that silently steal environment variable files, including .env, .env.local, and .env.production, from developers' machines at install time, exfiltrating them to an attacker-controlled endpoint. Versions 2.0.4 through 2.0.7 are confirmed malicious.
---------------------------------------------
https://socket.dev/blog/tanstack-brandsquat-compromise?utm_medium=feed
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall SonicOS: Sicherheitslücke erlaubt Management-Interface-Zugriff ∗∗∗
---------------------------------------------
SonicWall warnt vor drei Sicherheitslücken in SonicOS. [..] Am schwersten wiegt eine Schwachstelle, die die Entwickler als schwache Authentifizierung einstufen. Dadurch können Angreifer unbefugt auf bestimmte, nicht genannte Management-Interface-Funktionen zugreifen – unter ebenfalls nicht genannten Umständen (CVE-2026-0204, CVSS 8.0, Risiko „hoch“).
---------------------------------------------
https://www.heise.de/news/SonicWall-SonicOS-Sicherheitsluecke-erlaubt-Manag…
∗∗∗ ProFTPD: Codeschmuggel durch mod_sql möglich ∗∗∗
---------------------------------------------
Laut der Schwachstellenbeschreibung ist mod_sql von ProFTPD vor der Version 1.3.10rc1 von der Sicherheitslücke betroffen. Durch den übertragenen Nutzernamen können bösartige Akteure aus dem Netz ohne vorherige Anmeldung beliebige SQL-Befehle und Schadcode einschleusen. Das gelingt in Szenarien, die USER-Anfragen mit Erweiterungen wie „%U“ loggen und in denen das SQL-Backend Befehle zulässt, beispielsweise „COPY TO PROGRAM“ (CVE-2026-42167, CVSS 8.1, Risiko „hoch“). [..] Admins sollten daher prüfen, ob sie das mod_sql etwa für Logging in Datenbanken überhaupt einsetzen.
---------------------------------------------
https://www.heise.de/news/ProFTPD-Codeschmuggel-durch-mod-sql-moeglich-1127…
∗∗∗ Copy Fail: Kritische Linux-Kernel-Schwachstelle ermöglicht lokale Root-Rechte ∗∗∗
---------------------------------------------
Die Schwachstelle steckt im Linux-Kernel und beruht auf einem simplen, aber schweren Logikfehler. Benutzer:innen können dadurch mit wenig Daten gezielt in eigentlich geschützte Speicherbereiche schreiben. Das reicht aus, um interne Strukturen zu verändern und sich höhere Rechte zu verschaffen. Der Vorgang funktioniert zuverlässig und ohne typische Hürden wie Race Conditions oder spezielle Systemabhängigkeiten.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/4/copy-fail-kritische-linux-kernel-sc…
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1070640/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 28-04-2026 18:00 − Mittwoch 29-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Per Git-Push-Befehl: Angreifer hätten Millionen von Github-Repos kapern können ∗∗∗
---------------------------------------------
Sicherheitsforscher von Wiz haben eine extrem gefährliche Sicherheitslücke in der internen Git-Infrastruktur von Github entdeckt. Laut Blogbeitrag der Forscher hätten Angreifer durch einen einfachen Git-Push-Befehl Schadcode auf die Backend-Server von Github schleusen und damit tief in die Infrastruktur eindringen können. Auch Github Enterprise Server ist betroffen. [..] Auf Github.com soll die Lücke innerhalb weniger Stunden nach Meldung der Forscher gepatcht worden sein. [..] Wer einen eigenen Github-Enterprise-Server betreibt, muss den Patch hingegen selbst einspielen, sofern noch nicht geschehen.
---------------------------------------------
https://www.golem.de/news/per-git-push-befehl-angreifer-haetten-millionen-v…
∗∗∗ Nach Cyberangriff: Hacker erpressen Vimeo mit Nutzerdaten ∗∗∗
---------------------------------------------
Der berüchtigte Cyberakteur Shinyhunters ist offenbar bei einem Cyberangriff auf einen Dienstleister an Daten der beliebten Videoplattform und Youtube-Alternative Vimeo gelangt. Betroffen sind laut Mitteilung des Betreibers sowohl Nutzer- als auch Kundendaten. [..] Ursache des Datenabflusses war den Angaben zufolge ein Sicherheitsvorfall bei dem KI-Analyseanbieter Anodot.
---------------------------------------------
https://www.golem.de/news/cyberangriff-trifft-videoplattform-hacker-erbeute…
∗∗∗ LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure ∗∗∗
---------------------------------------------
In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI's LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge. The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying LiteLLM proxy database. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example, POST /chat/completions) and reach this query through the proxy's error-handling path.
---------------------------------------------
https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
∗∗∗ 30 ClawHub skills secretly turn AI agents into a crypto swarm ∗∗∗
---------------------------------------------
Thirty ClawHub skills published by a single author are silently co-opting AI agents and creating a mass cryptocurrency mining swarm – without any malware or user consent.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/29/30_clawhub_s…
∗∗∗ CISA flags data-theft bug in NSA-built OT networking tool ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information. [..] GrassMarlin went EOL in 2017, so there are no fixes in the works.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/29/cisa_flags_d…
∗∗∗ Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer ∗∗∗
---------------------------------------------
A new npm supply-chain compromise is targeting the SAP developer ecosystem. [..] The pattern is familiar but also a bit different: a trusted package receives a new preinstall hook, the hook runs a new setup.mjs file, and that loader downloads the Bun JavaScript runtime to execute a large obfuscated payload named execution.js. The payload is an 11.7 MB credential stealer and propagation framework.
---------------------------------------------
https://www.aikido.dev/blog/mini-shai-hulud-has-appeared
∗∗∗ Fake-Krypto-Casino: Wenn Promis einen Registrierungs-Bonus versprechen ∗∗∗
---------------------------------------------
Mithilfe übernommener Social-Media-Profile oder geschickt platzierter Werbeanzeigen locken Kriminelle ihre Opfer in angebliche Krypto-Casinos. Durch die Einzahlung von 200 Euro werde ein Registrierungsbonus von 2.500 Euro freigeschaltet. Vor einer Beanspruchung der Gewinne müssen allerdings erst diverse Gebühren und Steuern beglichen werden.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-krypto-casino/
∗∗∗ RIPE NCC RPKI exploit chain ∗∗∗
---------------------------------------------
One click on a malicious, but not suspicious, link. That is all it could take for a network operator to get disconnected from the internet, through a chain of vulnerabilities I discovered. From that single click, I could fully control their routing authorisations in a RIPE NCC portal, telling the rest of the internet not to accept their routes. I could also hijack all their RIPE Database objects, locking the legitimate owners out until RIPE NCC staff manually restore them. This attack chain comes down to surprising entry points, risky architectural decisions, and components that don’t look security-critical until they are.
---------------------------------------------
https://mxsasha.eu/posts/ripe-ncc-rpki-exploit-chain/
=====================
= Vulnerabilities =
=====================
∗∗∗ IT-Sicherheitsplattform: Anreifer können Wazuh kompromittieren ∗∗∗
---------------------------------------------
Wie aus dem Sicherheitsbereich der GitHub-Website von Wazuh hervorgeht, ist eine Schwachstelle (CVE-2026-30893) mit dem Bedrohungsgrad „kritisch“ eingestuft. Im Zuge einer Path-Traversal-Attacke können Angreifer unbefugt auf eigentlich geschützte Pfade zugreifen.
---------------------------------------------
https://www.heise.de/news/IT-Sicherheitsplattform-Anreifer-koennen-Wazuh-ko…
∗∗∗ Schwachstelle in cPanel und WHM (28. April 2026) ∗∗∗
---------------------------------------------
Zum 28. April 2026 wurden gravierende Schwachstellen in der Software bekannt. Diese erlauben einen unautorisierte Anmeldung an der cPanel oder WHM Oberfläche.
---------------------------------------------
https://borncity.com/blog/2026/04/29/schwachstelle-in-cpanel-und-whm/
∗∗∗ Abermals kritische Sicherheitslücke in Nginx UI geschlossen ∗∗∗
---------------------------------------------
Eine Schwachstelle (CVE-2026-42238) gilt als „kritisch“. Weil bei jeder Neuinstallation und jedem Neustart die Backup-Restore-Points für zehn Minuten ohne Authentifizierung ansprechbar sind, können entfernte Angreifer manipulierte Backups hochladen. Dabei können sie die Konfigurationsdatei app.ini mit eigenen Befehlen überschreiben und die volle Kontrolle über Instanzen erlangen. Durch das erfolgreiche Ausnutzen einer weiteren Lücke (CVE-2026-42221 „hoch“) können Angreifer im Zuge der Ersteinrichtung Admin-Accounts kapern. Das soll ohne Authentifizierung möglich sein.
---------------------------------------------
https://heise.de/-11276012
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1070428/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 27-04-2026 18:00 − Dienstag 28-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Open source package with 1 million monthly downloads stole user credentials ∗∗∗
---------------------------------------------
On Friday, unknown attackers exploited the vulnerability to push a new version of element-data, a command-line interface that helps users monitor performance and anomalies in machine-learning systems. [..] The malicious version was tagged as 0.23.3 and was published to the developers’ Python Package Index and Docker image accounts. It was removed about 12 hours later, on Saturday. [..] If you’re one of millions using element-data, it’s time to check for compromise.
---------------------------------------------
https://arstechnica.com/security/2026/04/open-source-package-with-1-million…
∗∗∗ Windows-Shell-Lücke wird angegriffen ∗∗∗
---------------------------------------------
Im Februar hat Microsoft eine Windows-Shell-Lücke geschlossen, jedoch unvollständig. Jetzt wurden Angriffe entdeckt. [..] Die Auswirkungen scheinen nicht so gravierend wie vor dem unzureichenden Patch aus dem Februar. [..] Akamai hat im Blog jedoch eine weitergehende Analyse veröffentlicht. Die IT-Analysten stufen die neue Schwachstelle anders als Microsoft als Zero-Click-Schwachstelle ein. [..] Microsoft hat die neue Schwachstelle CVE-2026-32202 (CVSS 4.3, Risiko „mittel“) am April-Patchday mit Softwareflicken ausgebessert.
---------------------------------------------
https://www.heise.de/news/Windows-Shell-Luecke-wird-angegriffen-11274647.ht…
∗∗∗ Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data ∗∗∗
---------------------------------------------
Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository. Although the investigation is ongoing, Checkmarx believes that the access vector was the Trivy supply-chain attack attributed to the hacker group known as TeamPCP. which provided access to credentials from downstream users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/checkmarx-confirms-lapsus-ha…
∗∗∗ Cyberangriff trifft Medtronic: Datenklau bei großem Medizintechnik-Konzern ∗∗∗
---------------------------------------------
Medtronic ist vor allem für seine Herzschrittmacher bekannt. Nun gesteht der Konzern, dass Hacker Daten aus seiner IT-Umgebung abziehen konnten. [..] Shinyhunters hatte Medtronic einem Bericht von Bleeping Computer zufolge schon am 18. April im Darknet erpresst. Die Hackergruppe gab dort an, mehr als neun Millionen Datensätze respektive "Terabytes" an personenbezogenen Daten und anderen unternehmensinternen Informationen erbeutet zu haben. [..] Der Konzern versichert zudem, die Netzwerke seiner Krankenhauskunden seien von den IT-Netzwerken von Medtronic getrennt und würden von den IT-Teams der jeweiligen Kunden gesichert und verwaltet.
---------------------------------------------
https://www.golem.de/news/datenklau-cyberangriff-trifft-medizintechnik-konz…
∗∗∗ Cyber Threat Intelligence - Art, Science, something else entirely? ∗∗∗
---------------------------------------------
As everyone who has been in this area for a while can probably still remember, hoarding indicators of compromise is a fun activity and can be incredibly enticing when you have not yet a real clue of what you are doing. It is, at least initially, certainly more interesting than diving straight into anthropological, psychological, sociological, or analytical textbooks. However, as I became more experienced in and, more importantly, more fascinated by the analytical work that makes intelligence .. well, intelligence .. I began to notice that it's not really clear what "type" of activity intelligence analysis is.
---------------------------------------------
https://bytesandborscht.com/cyber-threat-intelligence-art-science-something…
∗∗∗ Secure-Boot-Zertifikate: Microsoft Defender verschafft Überblick ∗∗∗
---------------------------------------------
Die Zeit wird knapp: Die Secure-Boot-Zertifikate aus 2011 laufen ab Juni dieses Jahres ab. [..] Im Message-Center der Windows-Release-Health-Notizen hat Microsoft jetzt die neue Funktion für den Microsoft Defender angekündigt. [..] Jetzt können IT-Teams an zentraler Stelle die Verbreitung der Secure-Boot-Zertifikate aus dem Jahr 2023 in ihrem Gerätepark einsehen, erklärt das Unternehmen.
---------------------------------------------
https://www.heise.de/news/Secure-Boot-Zertifikate-Microsoft-Defender-versch…
∗∗∗ VECT: Ransomware by design, Wiper by accident ∗∗∗
---------------------------------------------
VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that made its first appearance in December 2025 on a Russian-language cybercrime forum. [..] Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them.
---------------------------------------------
https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-acc…
∗∗∗ KI-Enkeltrick und Deepfakes: Interpol warnt vor verschärfter Betrugswelle ∗∗∗
---------------------------------------------
Europa ist zum primären Ziel einer weltweiten Betrugswelle geworden. Laut dem „Global Financial Fraud Threat Assessment 2026“ von Interpol verzeichnete keine andere Region einen so starken Anstieg bei Betrugsmaschen: ein Plus von 69 Prozent im Vergleich zum Vorjahr. [..] Der Interpol-Bericht verdeutlicht, dass der Erfolg dieser Betrugsmaschen auf einer hochgradig arbeitsteiligen Unterwelt basiert. Ein Faktor sei die Zunahme von „Fraud-as-a-Service“-Modellen.
---------------------------------------------
https://heise.de/-11274056
=====================
= Vulnerabilities =
=====================
∗∗∗ Xen Security Advisories 20.04.2026 ∗∗∗
---------------------------------------------
Xen has released 5 new security advisories.
---------------------------------------------
https://xenbits.xen.org/xsa/
∗∗∗ Mozilla Security Advisories for Firefox 28.04.2026 ∗∗∗
---------------------------------------------
Mozilla has release multiple security advisories for Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. (1x critical)
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Notepad++ Releases 8.9.4 Patch to Fix String Injection Vulnerability (CVE-2026-3008) in 8.9.3 ∗∗∗
---------------------------------------------
A vulnerability has been identified in the popular open-source text editor, Notepad++, with the release of CVE-2026-3008. The vulnerability, discovered and reported by CSA under its Responsibility Vulnerability Disclosure Policy, is linked to a potential string injection flaw in Notepad++ version 8.9.3. To mitigate the risk associated with this vulnerability, users and administrators are strongly urged to update their installations to version 8.9.4 immediately.
---------------------------------------------
https://thecyberexpress.com/notepad-cve-2026-3008-vulnerability/
∗∗∗ Security updates available in Foxit PDF Reader 2026.1.1 and Foxit PDF Editor 2026.1.1/14.0.4 ∗∗∗
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1070184/
∗∗∗ Zyxel security advisory for command injection vulnerabilities in certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 24-04-2026 18:00 − Montag 27-04-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cyber Threat Intelligence - Art, Science, something else entirely? ∗∗∗
---------------------------------------------
Is Cyber Threat Intelligence an art, science, both, or something else entirely?
---------------------------------------------
https://bytesandborscht.com/cyber-threat-intelligence-art-science-something…
∗∗∗ New BlackFile extortion group linked to surge of vishing attacks ∗∗∗
---------------------------------------------
A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang…
∗∗∗ ADT confirms data breach after ShinyHunters leak threat ∗∗∗
---------------------------------------------
Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-aft…
∗∗∗ Panne bei RDP-Verbindungen: Windows-Update mit kaputter Warnmeldung verteilt ∗∗∗
---------------------------------------------
Neue Warnmeldungen sollen Windows-Nutzer eigentlich vor bösartigen RDP-Dateien schützen. Doch die sind manchmal weder gut lesbar noch bedienbar.
---------------------------------------------
https://www.golem.de/news/panne-bei-rdp-verbindungen-windows-update-mit-kap…
∗∗∗ Attacken auf Firmennetzwerke: Hacker tricksen Teams-Nutzer mit Spam aus ∗∗∗
---------------------------------------------
Google-Forscher warnen vor einer Hackergruppe, die Nutzer bei Microsoft Teams austrickst, um gefährliche Malware in Firmennetzwerke zu schleusen.
---------------------------------------------
https://www.golem.de/news/attacken-auf-firmennetzwerke-hacker-tricksen-team…
∗∗∗ FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER.
---------------------------------------------
https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.ht…
∗∗∗ Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran's nuclear program by destroying uranium enrichment centrifuges.
---------------------------------------------
https://thehackernews.com/2026/04/researchers-uncover-pre-stuxnet-fast16.ht…
∗∗∗ LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure ∗∗∗
---------------------------------------------
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs), has come under active exploitation in the wild less than 13 hours after its public disclosure.
---------------------------------------------
https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.ht…
∗∗∗ Gesundheitsdaten aus UK Biobank auf Alibaba angeboten ∗∗∗
---------------------------------------------
Gesundheitsdaten der UK Biobank wurden online angeboten. Der Zugriff ist inzwischen gestoppt. Weitere Sicherheitsmaßnahmen sind geplant.
---------------------------------------------
https://www.heise.de/news/Gesundheitsdaten-aus-UK-Biobank-auf-Alibaba-angeb…
∗∗∗ New ClickFix attack Hides in Native Windows Tools to Reduce Detection Risk ∗∗∗
---------------------------------------------
Fake CAPTCHA ClickFix attack tricks users into running malicious commands, using cmdkey and regsvr32 to maintain persistence and avoid detection on Windows.
---------------------------------------------
https://hackread.com/clickfix-variant-native-windows-tools-bypass-security/
∗∗∗ Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege Escalation ∗∗∗
---------------------------------------------
Microsoft Entra Agent ID flaw allowed privilege escalation and tenant takeover via Service Principal abuse, now fully patched by Microsoft.
---------------------------------------------
https://hackread.com/microsoft-entra-agent-id-flaw-tenant-takeover/
∗∗∗ Angriffe auf SimpleHelp, Samsung MagicINFO und D-Link DIR-823X beobachtet ∗∗∗
---------------------------------------------
Die US-Behörde CISA warnt vor beobachteten Attacken auf Schwachstellen in SimpleHelp, Samsung MagicINFO und D-Link DIR-823X.
---------------------------------------------
https://heise.de/-11272629
∗∗∗ 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations ∗∗∗
---------------------------------------------
Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery vehicles.
---------------------------------------------
https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm?utm_medium…
∗∗∗ Udemy Data Breach — ShinyHunters Claims 1.4M Records ∗∗∗
---------------------------------------------
The notorious cybercriminal group ShinyHunters posted a “Pay or Leak” warning on their data leak site on April 24, 2026, claiming the compromise of over 1.4 million records containing PII and internal corporate data from Udemy. The final deadline set for Udemy to respond is April 27, 2026, or face public exposure.
---------------------------------------------
https://thecyberthrone.in/2026/04/24/udemy-data-breach-shinyhunters-claims-…
∗∗∗ Operation TrustTrap Reveals 16,800 Fake Domains Exploiting User Trust ∗∗∗
---------------------------------------------
In a world where digital threats are becoming more confusing, Cyble Research and Intelligence Labs (CRIL) has uncovered one of the most extensive deceptive domain spoofing campaigns to date.
---------------------------------------------
https://thecyberexpress.com/operation-trusttrap/
∗∗∗ Fake CAPTCHA Scam Abuses Verification Clicks to Send Costly International Texts ∗∗∗
---------------------------------------------
Research from Infoblox reveals a massive Click2SMS fraud scheme using fake CAPTCHAs and back button hijacking to trick victims into sending costly international texts.
---------------------------------------------
https://hackread.com/fake-captcha-pages-exploit-clicks-send-texts/
=====================
= Vulnerabilities =
=====================
∗∗∗ Werbeblocker Pi-hole: Update stopft Codeschmuggel- und Rechteausweitungslücken ∗∗∗
---------------------------------------------
Die Entwickler haben den DNS-basierten Werbeblocker Pi-hole aktualisiert. Das Update stopft hochriskante Sicherheitslecks.
---------------------------------------------
https://www.heise.de/news/Werbeblocker-Pi-hole-Update-stopft-Codeschmuggel-…
∗∗∗ VMware Tanzu Spring Boot: Angreifer können auf Endpoints zugreifen ∗∗∗
---------------------------------------------
Wichtige Sicherheitsupdates schließen mehrere Schwachstellen in der VMware-Tanzu-Spring-Framework-Komponente Spring Boot.
---------------------------------------------
https://heise.de/-11272771
∗∗∗ „Pack2TheRoot“: Sicherheitslücke betrifft mehrere Linux-Distributionen ∗∗∗
---------------------------------------------
Das Telekom-Sicherheitsteam hat die Sicherheitslücke „Pack2TheRoot“ entdeckt, die Rechteausweitung in mehreren Distributionen ermöglicht.
---------------------------------------------
https://heise.de/-11272897
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1069938/
∗∗∗ K000160994: SQLite vulnerability CVE-2025-70873 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000160994
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 23-04-2026 18:00 − Freitag 24-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Trigona ransomware attacks use custom exfiltration tool to steal data ∗∗∗
---------------------------------------------
Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trigona-ransomware-attacks-u…
∗∗∗ LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure ∗∗∗
---------------------------------------------
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving LLMs, has come under active exploitation in the wild less than 13 hours after its public disclosure.
---------------------------------------------
https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.ht…
∗∗∗ Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 ∗∗∗
---------------------------------------------
Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the abuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access.
---------------------------------------------
https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html
∗∗∗ Behörde für abgesicherte Ausweise geknackt – Millionen Franzosen betroffen ∗∗∗
---------------------------------------------
Frankreichs Behörde für Ausweise gesteht ein, dass Daten von 12 Millionen Franzosen auf dem Schwarzmarkt feilgeboten werden. Der Täter spricht von 19 Millionen.
---------------------------------------------
https://www.heise.de/news/Behoerde-fuer-abgesicherte-Ausweise-geknackt-Mill…
∗∗∗ Handala Hack Team: Threat Actor Profile ∗∗∗
---------------------------------------------
Handala Hack Team, also stylized as Handala_hack, is a hacktivist threat group aligned with pro-Palestinian messaging and Iranian strategic interests. It emerged in December 2023 following the escalation of the Gaza conflict, shortly after the 7 October 2023 Hamas attack on Israel, presenting itself as a pro-Palestinian hacktivist collective. Its operations closely mirror Iranian state-linked activity and indicate a focus on disruption and psychological impact rather than financial gain.
---------------------------------------------
https://outpost24.com/blog/handala-hack-threat-profile/
∗∗∗ Analyzing GLOBAL GROUP (BlackLock) Artifacts ∗∗∗
---------------------------------------------
In the rapidly evolving threat landscape of early 2026, ransomware operations have shifted dramatically toward high-impact infrastructure targets, with VMware ESXi hypervisors emerging as a prime vector for mass disruption. Ransomware groups like GLOBAL GROUP are one of those groups. It started all today with an technical analysis of a publicly shared X domain by the MalwareHunterTeam and the leak of the whole ecosystem of RAMP .
---------------------------------------------
https://detect.fyi/analyzing-global-group-blacklock-artifacts-72dabc14c500?…
=====================
= Vulnerabilities =
=====================
∗∗∗ Update #1: Schwerwiegende Sicherheitslücken in Cisco Adaptive Security Appliance - aktiv ausgenutzt - Updates verfügbar ∗∗∗
---------------------------------------------
Cisco hat Informationen zu einer vermutlich bereits seit einigen Monaten laufenden Angriffskampagne veröffentlicht. Im Rahmen dieser Kampagne haben Angreifer:innen, denen bereits im vergangenen Jahr eine breitgefächerte Kampagne gegen Edge-Devices zugerechnet wurde, Cisco Adaptive Security Appliance (ASA) Systeme der 5500-X Reihe welche "VPN web services" kompromittiert um in weiterer Folge auf den übernommenen Geräten Schadsoftware zu platzieren und Daten zu stehlen.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/4/schwerwiegende-sicherheitslucken-in…
∗∗∗ Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks ∗∗∗
---------------------------------------------
Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver. On Friday, Internet security watchdog Shadowserver also warned that over 10,500 Zimbra servers exposed online remain unpatched, most of them in Asia (3,794) and Europe (3,793).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-says-zimbra-flaw-now-ex…
∗∗∗ Fast 12 Jahre unentdeckt: Telekom deckt gefährliche Root-Lücke in Linux auf ∗∗∗
---------------------------------------------
Sicherheitsforscher der Telekom haben Claude auf Linux -Systeme losgelassen. Die KI hat eine seit 2014 bestehende Root-Lücke in Packagekit gefunden.
---------------------------------------------
https://www.golem.de/news/fast-12-jahre-unentdeckt-telekom-deckt-gefaehrlic…
∗∗∗ Patch richtet fehlerhafte Zugriffskontrolle in HCL BigFix Service Management ∗∗∗
---------------------------------------------
Die KI-gestützte Endpoint-Verwaltungsplattform HCL BigFix Service Management ist verwundbar. Aufgrund einer fehlerhaften Zugriffskontrolle können Angreifer auf Instanzen zugreifen. Ein Sicherheitspatch steht zum Download bereit. Bislang gibt es keine Berichte zu Attacken.
---------------------------------------------
https://www.heise.de/news/Patch-richtet-fehlerhafte-Zugriffskontrolle-in-HC…
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1069549/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 22-04-2026 18:00 − Donnerstag 23-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New Mirai campaign exploits RCE flaw in EoL D-Link routers ∗∗∗
---------------------------------------------
A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-…
∗∗∗ New GopherWhisper APT group abuses Outlook, Slack, Discord for comms ∗∗∗
---------------------------------------------
A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-gopherwhisper-apt-group-…
∗∗∗ Electricity Is a Growing Area of Cyber Risk ∗∗∗
---------------------------------------------
IT has long been concerned about ensuring systems receive the right amount of electricity. Cyberattackers are realizing they can manipulate voltage fluctuations for their purposes, too.
---------------------------------------------
https://www.darkreading.com/cyber-risk/are-power-regulators-becoming-a-new-…
∗∗∗ Hacker erbeuten Daten von Intersport-Kunden ∗∗∗
---------------------------------------------
Die Cyberkriminellen haben Kundendaten von Usern erbeutet, die den Onlineshop von Intersport benutzt haben.
---------------------------------------------
https://futurezone.at/digital-life/intersport-hacker-angriff-kriminelle-dat…
∗∗∗ Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ∗∗∗
---------------------------------------------
Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled unauthorized access to its internal systems.
---------------------------------------------
https://thehackernews.com/2026/04/vercel-finds-more-compromised-accounts.ht…
∗∗∗ Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages ∗∗∗
---------------------------------------------
Apple has rolled out a software fix for iOS and iPadOS to address a Notification Services flaw that stored notifications marked for deletion on the device.The vulnerability, tracked as CVE-2026-28950 (CVSS score: N/A), has been described as a logging issue that has been addressed with improved data redaction.
---------------------------------------------
https://thehackernews.com/2026/04/apple-patches-ios-flaw-that-stored.html
∗∗∗ AI Tools Are Helping Mediocre North Korean Hackers Steal Millions ∗∗∗
---------------------------------------------
One group of hackers used AI for everything from vibe coding their malware to creating fake company websites—and stole as much as $12 million in three months.
---------------------------------------------
https://www.wired.com/story/ai-tools-are-helping-mediocre-north-korean-hack…
∗∗∗ Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener ∗∗∗
---------------------------------------------
On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adapt…
∗∗∗ Sicherheitsbehörden warnen vor chinesischen Mitnutzern ∗∗∗
---------------------------------------------
Nachrichtendienste und Cybersicherheitsbehörden warnen vor Angreifern aus der Volksrepublik, die Infrastruktur Nichtsahnender für Operationen nutzenn.
---------------------------------------------
https://www.heise.de/news/Sicherheitsbehoerden-warnen-vor-chinesischen-Mitn…
∗∗∗ Fake-Fahrzeugbericht: Diese Falle wartet beim Online-Autoverkauf! ∗∗∗
---------------------------------------------
Wer online ein KFZ verkaufen möchte, erhält oft seltsame Anfragen. Bestehen Interessent:innen auf der Erstellung eines zusätzlichen Prüfberichts und liefern gleich die dafür passende Website mit, ist allerhöchste Vorsicht angebracht! Mit derartigen Fake-Portalen ziehen Kriminellen ihren Opfern das Geld aus der Tasche und ergaunern Kreditkartendaten.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-fahrzeugbericht/
∗∗∗ Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector ∗∗∗
---------------------------------------------
Hackers deployed a previously unknown wiper malware against Venezuela’s energy and utilities sector in an attack that appears to have been designed to destroy systems.
---------------------------------------------
https://therecord.media/hackers-venezuela-wiper-malware-oil
∗∗∗ Defending against China-nexus covert networks of compromised devices ∗∗∗
---------------------------------------------
Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it
---------------------------------------------
https://www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-…
∗∗∗ Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-eng…
∗∗∗ Signal-Phishing-Warnung: Auslöser wohl Angriff auf Julia Klöckner ∗∗∗
---------------------------------------------
Julia Klöckner ist offenbar Opfer der Signal-Phishing-Angriffe geworden, vor denen BfV und BSI am Mittwoch erneut gewarnt haben.
---------------------------------------------
https://heise.de/-11268708
∗∗∗ Tails 7.7: Warnung vor abgelaufenen Secure-Boot-Zertifikaten ∗∗∗
---------------------------------------------
Die Linux-Distribution für anonymes Bewegen im Netz, Tails, ist in Version 7.7 erschienen. Sie warnt vor alten Secure-Boot-Zertifikaten.
---------------------------------------------
https://heise.de/-11269936
∗∗∗ University of Warsaw Data Breach Exposes 200,000+ Sensitive Files on Darknet ∗∗∗
---------------------------------------------
Over 200,000 files containing sensitive personal information from the University of Warsaw have been leaked online. The University of Warsaw cyberattack, which targeted the institutions digital systems, resulted in the publication of the stolen data on the darknet in mid-April 2026.
---------------------------------------------
https://thecyberexpress.com/university-of-warsaw-cyberattack/
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdate: Diverse Attacken auf IBM App Connect Enterprise möglich ∗∗∗
---------------------------------------------
IBMs Integrationsplattform App Connect Enterprise ist verwundbar. Angreifer können an mehreren Schwachstellen ansetzen.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Diverse-Attacken-auf-IBM-App-Co…
∗∗∗ n8n: Updates beheben kritische Sicherheitslücken in Automatisierungsplattform ∗∗∗
---------------------------------------------
Die Aktualisierung wurde per E-Mail allen Admins angekündigt, diese sollten sie nun prompt einspielen. Es droht Code-Einschleusung.
---------------------------------------------
https://heise.de/-11268464
∗∗∗ VMware Tanzu Spring Security: Angreifer können bösartigen Clients anmelden ∗∗∗
---------------------------------------------
Aufgrund von Sicherheitsproblemen ist im Kontext von VMware Tanzu Spring Security unter anderem die Authentifizierung umgehbar.
---------------------------------------------
https://heise.de/-11268714
∗∗∗ Kritische Lücke in Rubys Standardbibliothek ERB: Angreifer können Code ausführen ∗∗∗
---------------------------------------------
Die Ruby-Lücke ist nicht einfach auszunutzen, ermöglicht einem Angreifer aber, sensible Daten auszulesen, Code zu starten und Backdoors zu installieren.
---------------------------------------------
https://heise.de/-11268704
∗∗∗ Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions ∗∗∗
---------------------------------------------
Docker alerted Socket to malicious images pushed to the official checkmarx/kics Docker Hub repository after internal monitoring flagged suspicious new activity around KICS image tags. Our investigation found that attackers appear to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to a legitimate upstream release.
---------------------------------------------
https://socket.dev/blog/checkmarx-supply-chain-compromise
∗∗∗ Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign ∗∗∗
---------------------------------------------
Socket researchers discovered that the Bitwarden CLI was compromised as part of the ongoing Checkmarx supply chain campaign. The affected package version appears to be @bitwarden/cli2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.
---------------------------------------------
https://socket.dev/blog/bitwarden-cli-compromised
∗∗∗ NTFS-Treiber für Linux: NTFS-3G schließt Rechteausweitungslücke ∗∗∗
---------------------------------------------
https://www.heise.de/news/NTFS-Treiber-fuer-Linux-NTFS-3G-schliesst-Rechtea…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1069356/
∗∗∗ DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/dll-hijacking-in-effi…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 21-04-2026 18:00 − Mittwoch 22-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New GoGra malware for Linux uses Microsoft Graph API for comms ∗∗∗
---------------------------------------------
A Linux variant of the GoGra backdoor uses legitimate Microsoft infrastructure, relying on an Outlook inbox for stealthy payload delivery.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-gogra-malware-for-linux-…
∗∗∗ New npm supply-chain attack self-spreads to steal auth tokens ∗∗∗
---------------------------------------------
A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-npm-supply-chain-attack-…
∗∗∗ Inside Caller-as-a-Service Fraud: The Scam Economy Has a Hiring Process ∗∗∗
---------------------------------------------
Fraud operations now operate like call centers, complete with hiring, training, and performance tracking. Flare reveals how cybercriminals manage "Caller-as-a-Service" operations like a professional sales team.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/inside-caller-as-a-service-f…
∗∗∗ 13 Jahre unentdeckt: Mittels KI aufgespürte Lücke gefährdet Tausende Server ∗∗∗
---------------------------------------------
Hacker nutzen eine gefährliche und mithilfe von KI entdeckte Sicherheitslücke in Apache ActiveMQ aus. Auch in Deutschland sollten Admins tätig werden.
---------------------------------------------
https://www.golem.de/news/deutschland-auf-platz-4-tausende-apache-activemq-…
∗∗∗ Backdoor in Claude-Desktop-App: Stille Brücke aus dem Browser ∗∗∗
---------------------------------------------
Claude Desktop legt auf MacOS Native Messaging Hosts in jeden Chromium-Browser, sogar in noch nicht installierte. Das ist nicht harmlos - was nun zu tun ist.
---------------------------------------------
https://www.golem.de/news/backdoor-in-claude-desktop-app-stille-bruecke-aus…
∗∗∗ Impressums-Diebstahl: Fake-Shops für Anhänger als Dauerbrenner ∗∗∗
---------------------------------------------
Sie zählen zu den am häufigsten gemeldeten Fake-Shops: Portale für KFZ-Anhänger. Zu Bestpreisen, versteht sich. Nach der Bezahlung via Vorauskasse sind die Kriminellen plötzlich nicht mehr erreichbar. Das Geld ist weg, der Anhänger kommt nie. Was die Shops so gefährlich macht und woran man sie erkennt, erklärt dieser Artikel.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-anhaenger/
∗∗∗ Kritische Schwachstelle in Microsoft-GitHub-Repository ∗∗∗
---------------------------------------------
Sicherheitsforscher von Tenable Research haben eine kritische Schwachstelle (CVSSv4 Score 9,3) in einem Microsoft-GitHub-Repository entdeckt. Die Sicherheitslücke ermöglicht Remote Code Execution (RCE) sowie unautorisierten Zugriff auf Repository-Secrets. Die Entdeckung unterstreicht, dass CI/CD-Infrastrukturen ein zentraler Bestandteil moderner Angriffsflächen sind.
---------------------------------------------
https://borncity.com/blog/2026/04/22/kritische-schwachstelle-in-microsoft-g…
∗∗∗ Attacken laufen bereits: Rund 1.300 Sharepoint-Instanzen sind angreifbar ∗∗∗
---------------------------------------------
Eine Lücke in Microsoft Sharepoint lässt Angreifer vertrauliche Daten lesen und ändern. Obwohl es einen Patch gibt, sind die meisten Systeme ungeschützt.
---------------------------------------------
https://www.golem.de/news/attacken-laufen-bereits-rund-1-300-sharepoint-ins…
∗∗∗ Surge in Bomgar RMM Exploitation Demonstrates Supply Chain Risk ∗∗∗
---------------------------------------------
The critical remote code execution flaw (CVE-2026-1731) in the remote monitoring and management tool can be exploited to spread ransomware and compromise supply chains.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/surge-bomgar-rmm-exp…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft releases emergency patches for critical ASP.NET flaw ∗∗∗
---------------------------------------------
Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. The security flaw (tracked as CVE-2026-40372) was found in the ASP.NET Core Data Protection cryptographic APIs, and it could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergenc…
∗∗∗ Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape ∗∗∗
---------------------------------------------
A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system.
---------------------------------------------
https://thehackernews.com/2026/04/cohere-ai-terrarium-sandbox-flaw.html
∗∗∗ Schadcode-Schlupflöcher bedrohen Apache Airflow und Airflow Keycloak ∗∗∗
---------------------------------------------
Apaches Open-Source-Workflow-Management-Plattformen Airflow und Airflow Keycloak sind verwundbar. Eine Lücke gilt als kritisch.
---------------------------------------------
https://www.heise.de/news/Schadcode-Schlupfloecher-bedrohen-Apache-Airflow-…
∗∗∗ Oracle Critical Patch Update Advisory - April 2026 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpuapr2026.html
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1069105/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/