=====================
= End-of-Day report =
=====================
Timeframe: Thursday 02-04-2026 18:00 − Friday 03-04-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Rowhammer attacks give complete control of machines running Nvidia GPUs ∗∗∗
---------------------------------------------
Over the past decade, dozens of newer Rowhammer attacks have evolved to, among other things [..] On Thursday, two research teams, working independently of each other, demonstrated attacks against two cards from Nvidia’s Ampere generation that take GPU rowhammering into new—and potentially much more consequential—territory: GDDR bitflips that give adversaries full control of CPU memory, resulting in full system compromise of the host machine. For the attack to work, IOMMU memory management must be disabled, as is the default in BIOS settings.
---------------------------------------------
https://arstechnica.com/security/2026/04/new-rowhammer-attacks-give-complet…
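The item above notes that the GPU-side bitflips only reach host memory when the IOMMU is disabled, so the first thing to verify on a machine with a discrete GPU is whether the IOMMU is actually active. The check below is an added example (not code from the cited research or from CERT.at): it reads the two signals Linux exposes, /proc/cmdline and /sys/kernel/iommu_groups, and passes both in as parameters so it can also be run over data captured from another host. The kernel parameter names are the documented ones; the classification of iommu=pt as "passthrough" reflects that host-owned devices then sit in an identity-mapped domain, so their DMA is not restricted.

```python
"""Report whether a Linux host's IOMMU is active.

Added example for the GPU Rowhammer item; not code from the cited research
or from CERT.at. Paths and command-line text are parameters so the check
can be run against data captured elsewhere.
"""
import os
import re

# Documented kernel switches. Absence of an "on" switch proves nothing:
# many distribution kernels enable the IOMMU by default.
_CMDLINE_ON = re.compile(r"\bintel_iommu=on\b|\bamd_iommu=force_enable\b")
_CMDLINE_OFF = re.compile(r"\b(?:intel_iommu|amd_iommu)=off\b|\biommu=off\b")
# iommu=pt leaves host-owned devices identity-mapped: the IOMMU is on, but it
# does not restrict DMA from those devices.
_CMDLINE_PT = re.compile(r"\biommu=pt\b")


def cmdline_hint(cmdline: str) -> str:
    """Classify /proc/cmdline as 'off', 'passthrough', 'on' or 'unspecified'."""
    if _CMDLINE_OFF.search(cmdline):
        return "off"
    if _CMDLINE_PT.search(cmdline):
        return "passthrough"
    if _CMDLINE_ON.search(cmdline):
        return "on"
    return "unspecified"


def list_iommu_groups(groups_dir: str = "/sys/kernel/iommu_groups") -> list[str]:
    """Names of the IOMMU groups the kernel exposes (empty when the IOMMU is off).

    With an active IOMMU the kernel creates one numbered directory per group,
    each with a 'devices' subdirectory listing the PCI devices it isolates.
    """
    try:
        names = os.listdir(groups_dir)
    except FileNotFoundError:
        return []
    return sorted(
        n for n in names
        if n.isdigit() and os.path.isdir(os.path.join(groups_dir, n, "devices"))
    )


def iommu_status(cmdline: str, group_names: list[str]) -> dict:
    """Combine both signals; the group list is authoritative, the cmdline explains it."""
    active = len(group_names) > 0
    hint = cmdline_hint(cmdline)
    reasons = [
        f"{len(group_names)} IOMMU group(s) exposed by the kernel",
        f"kernel command line: IOMMU {hint}",
    ]
    if active and hint == "off":
        reasons.append("warning: cmdline requests off but groups are present")
    if active and hint == "passthrough":
        reasons.append("warning: passthrough mode does not restrict DMA from host-owned devices")
    return {"active": active, "groups": len(group_names), "cmdline": hint, "reasons": reasons}


def main() -> None:
    with open("/proc/cmdline", encoding="utf-8") as fh:
        cmdline = fh.read()
    status = iommu_status(cmdline, list_iommu_groups())
    print("IOMMU active" if status["active"] else "IOMMU NOT active")
    for reason in status["reasons"]:
        print("  -", reason)


if __name__ == "__main__":
    main()
```

Run it as root or as a user that can read /sys; an empty group list on a host with PCIe devices means DMA from the GPU is not mediated, which is the precondition the item describes.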
∗∗∗ Picking Up Skull Vibrations? Could Be XR Headset Authentication ∗∗∗
---------------------------------------------
The next frontier for biometric authentication may be upon us, and it involves the vibrations of one's skull. Last week, a research team led by Rutgers University introduced new biometric authentication software compatible with extended reality (XR) headsets, the umbrella term for virtual reality, augmented reality, and mixed reality hardware.
---------------------------------------------
https://www.darkreading.com/remote-workforce/skull-vibrations-could-be-xr-h…
∗∗∗ Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials ∗∗∗
---------------------------------------------
A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.
---------------------------------------------
https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html
∗∗∗ They thought they were downloading Claude Code source. They got a nasty dose of malware instead ∗∗∗
---------------------------------------------
Source code with a side of Vidar stealer and GhostSocks. Tens of thousands of people eagerly downloaded the leaked Claude Code source code this week, and some of those downloads came with a side of credential-stealing malware.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/04/02/trojanized_c…
∗∗∗ New "Storm" infostealer steals credentials and is offered on the darknet ∗∗∗
---------------------------------------------
Security researchers at Varonis Threat Labs came across a new infostealer named "Storm" in early 2026. It is currently being traded among cybercriminals and can remotely collect session data from the currently most popular browsers (Google Chrome, Microsoft Edge and Mozilla Firefox).
---------------------------------------------
https://borncity.com/blog/2026/04/03/neuer-storm-infostealer-klaut-zugangsd…
∗∗∗ Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads ∗∗∗
---------------------------------------------
A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code. This entry examines how threat actors rapidly weaponized the resulting attention, pivoting an existing AI-themed campaign to spread Vidar and GhostSocks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/d/weaponizing-trust-signals-cl…
∗∗∗ Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise ∗∗∗
---------------------------------------------
On March 31, two malicious versions of Axios were briefly published to npm, introducing a dependency that installed a remote access trojan across macOS, Windows, and Linux. We covered the initial attack and its scope earlier, as well as a deeper technical analysis of its hidden blast radius and how dependency resolution expanded its impact exponentially. Now, the project's lead maintainer has shared additional details about how the compromise occurred.
---------------------------------------------
https://socket.dev/blog/axios-maintainer-confirms-social-engineering-behind…
=====================
= Vulnerabilities =
=====================
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1066236/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 01-04-2026 18:00 − Thursday 02-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ NoVoice Android malware on Google Play infected 2.3 million devices ∗∗∗
---------------------------------------------
A new Android malware named NoVoice was found on Google Play, hidden in more than 50 apps that were downloaded at least 2.3 million times.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/novoice-android-malware-on-g…
∗∗∗ New EvilTokens service fuels Microsoft device code phishing attacks ∗∗∗
---------------------------------------------
A new malicious kit called EvilTokens integrates device code phishing capabilities, allowing attackers to hijack Microsoft accounts and providing advanced features for business email compromise attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-eviltokens-service-fuels…
∗∗∗ Hackers exploit TrueConf zero-day to push malicious software updates ∗∗∗
---------------------------------------------
Hackers have targeted TrueConf conference servers in attacks that exploit a zero-day vulnerability, allowing them to execute arbitrary files on all connected endpoints.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-trueconf-zer…
∗∗∗ Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks ∗∗∗
---------------------------------------------
Internet security watchdog Shadowserver has found over 14,000 BIG-IP APM instances exposed online amid ongoing attacks exploiting a critical-severity remote code execution (RCE) vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-14-000-f5-big-ip-apm-in…
∗∗∗ Cyberattack on Hasbro: hackers infiltrate the IT of a major toy company ∗∗∗
---------------------------------------------
An attacker has penetrated Hasbro's IT environment. The toy manufacturer expects the clean-up to take several weeks.
---------------------------------------------
https://www.golem.de/news/cyberangriff-auf-hasbro-hacker-infiltrieren-it-vo…
∗∗∗ Hard to remove: Android malware distributed millions of times via Google Play ∗∗∗
---------------------------------------------
An Android malware distributed via the Google Play Store exploits old vulnerabilities to penetrate deep into the system. Users notice nothing.
---------------------------------------------
https://www.golem.de/news/nur-schwer-loeschbar-android-malware-millionenfac…
∗∗∗ CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails ∗∗∗
---------------------------------------------
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE.
---------------------------------------------
https://thehackernews.com/2026/04/cert-ua-impersonation-campaign-spread.html
∗∗∗ Incident Report: LiteLLM/Telnyx supply-chain attacks, with guidance ∗∗∗
---------------------------------------------
This post will drill deeper into two recent supply chain exploits, targeting users of popular PyPI packages - litellm & telnyx. We also provide Python developers and maintainers with guidance on what they can do to prepare and protect themselves from future incidents.
---------------------------------------------
https://blog.pypi.org/posts/2026-04-02-incident-report-litellm-telnyx-suppl…
∗∗∗ European Commission cloud breach: a supply-chain compromise ∗∗∗
---------------------------------------------
In the interest of transparency, and in full agreement with the European Commission, CERT-EU is publishing this blog post to inform the wider community about a cybersecurity incident affecting the European Commission’s public website platform “europa.eu” hosted on Amazon Web Services (AWS) cloud infrastructure.
---------------------------------------------
https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-c…
∗∗∗ Police crime statistics 2025: current developments in the area of "internet fraud" ∗∗∗
---------------------------------------------
A slight decline in reported cases, a slightly lower clearance rate, and a recommendation for Watchlist Internet: all of this can be found in the recently published police crime statistics for 2025.
---------------------------------------------
https://www.watchlist-internet.at/news/polizeiliche-anzeigenstatistik-202/
∗∗∗ Beware of fake politicians: when the finance minister suddenly sends investment tips ∗∗∗
---------------------------------------------
When criminals impersonate well-known public figures, things can quickly become dangerous, especially when supposedly exclusive investment opportunities are involved.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-politiker-wenn-der-fina…
∗∗∗ The Invisible Army: Why IP Reputation Fails Against the Rotation Economy ∗∗∗
---------------------------------------------
Attackers route malicious traffic through ordinary home internet connections, and to a reputation feed the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1–2 sessions, before any reputation system can flag them.
---------------------------------------------
https://www.greynoise.io/blog/invisible-army-why-ip-reputation-fails-agains…
∗∗∗ vSphere and BRICKSTORM Malware: A Defender's Guide ∗∗∗
---------------------------------------------
Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm…
∗∗∗ You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701) ∗∗∗
---------------------------------------------
If you squint and look at the CISA KEV list, you might think it's made up exclusively of vulnerabilities in file transfer solutions. While this would be wrong (and you shouldn't squint, it's bad for your eyes), file transfer solutions do play a decent role in the CISA KEV list due to how fondly threat actors, APT groups, and ransomware gangs alike perceive them.
---------------------------------------------
https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-pr…
∗∗∗ FBI Warns of AVrecon Malware Targeting Network Devices Across 163 Countries ∗∗∗
---------------------------------------------
The router sitting in your home office or small business did not need to be hacked by a skilled operator to end up serving as infrastructure for banking fraud, password attacks, and digital marketplace scams. All it needed was an unpatched vulnerability and a malware dubbed "AVrecon" to infect it and sell access to it within minutes. Last month, the FBI, alongside several international law enforcement agencies, took down the SocksEscort residential proxy service.
---------------------------------------------
https://thecyberexpress.com/fbi-warns-of-avrecon-malware/
∗∗∗ Vietnam-Linked PXA Stealer Campaign Exploits LinkedIn to Target Professionals Globally ∗∗∗
---------------------------------------------
A newly exposed global malware campaign reveals how PXA Stealer has been wielded by Vietnam‑linked actors to siphon sensitive data from professionals across multiple countries using trusted platforms like LinkedIn. First documented in late 2024, this campaign has evolved into a new threat that leverages social engineering, advanced payload delivery, and stealthy execution to outmaneuver traditional defenses.
---------------------------------------------
https://thecyberexpress.com/pxa-stealer-vietnam-linked-actors-linkedin/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Cisco IMC auth bypass gives attackers Admin access ∗∗∗
---------------------------------------------
Cisco has patched several critical and high-severity vulnerabilities, including an Integrated Management Controller (IMC) authentication bypass that enables attackers to gain Admin access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-cisco-imc-auth-bypa…
∗∗∗ SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031 ∗∗∗
---------------------------------------------
This module enables you to perform SAML-protocol-based single sign-on (SSO) on a Drupal site. The module doesn't sufficiently block access, leading to an authentication bypass vulnerability. Solution: Install the latest version.
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-031
∗∗∗ XZ Utils 5.8.3: security update with unclear risk ∗∗∗
---------------------------------------------
The developers of the widely used XZ Utils have released an updated version that fixes security vulnerabilities.
---------------------------------------------
https://www.heise.de/news/XZ-Utils-5-8-3-Sicherheitsupdate-mit-unklarem-Ris…
∗∗∗ 200,000 WordPress Sites Affected by Arbitrary File Move Vulnerability in MW WP Form WordPress Plugin ∗∗∗
---------------------------------------------
On March 16th, 2026, we received a submission for an Arbitrary File Move vulnerability in MW WP Form, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to move arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. This vulnerability can only be exploited if the "Saving inquiry data in database" option in the form settings is enabled.
---------------------------------------------
https://www.wordfence.com/blog/2026/04/200000-wordpress-sites-affected-by-a…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1066084/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 31-03-2026 18:00 − Wednesday 01-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cisco source code stolen in Trivy-linked dev environment breach ∗∗∗
---------------------------------------------
Cisco has suffered a cyberattack after threat actors used stolen credentials from the recent Trivy supply chain attack to breach its internal development environment and steal source code belonging to the company and its customers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-source-code-stolen-in-…
∗∗∗ FBI warns against using Chinese mobile apps due to privacy risks ∗∗∗
---------------------------------------------
The U.S. Federal Bureau of Investigation (FBI) warned Americans against using foreign-developed mobile applications, particularly those created by Chinese developers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-against-using-chin…
∗∗∗ A laughing RAT: CrystalX combines spyware, stealer, and prankware features ∗∗∗
---------------------------------------------
Kaspersky researchers analyze a new CrystalX RAT distributed as MaaS and featuring extensive spyware, stealer, and prankware capabilities.
---------------------------------------------
https://securelist.com/crystalx-rat-with-prankware-features/119283/
∗∗∗ Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms ∗∗∗
---------------------------------------------
Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error. "No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said in a statement shared with CNBC News.
---------------------------------------------
https://thehackernews.com/2026/04/claude-code-tleaked-via-npm-packaging.html
∗∗∗ Apple Will Push Out Rare ‘Backported’ Patches to Protect iOS 18 Users From DarkSword Hacking Tool ∗∗∗
---------------------------------------------
As DarkSword spreads, Apple tells WIRED it will enable iOS 18-specific fixes for millions of iPhone owners who remain on that iOS version rather than force them to update to iOS 26.
---------------------------------------------
https://www.wired.com/story/apple-will-push-out-rare-backported-patches-to-…
∗∗∗ Hands-Free Lockpicking: Critical Vulnerabilities in dormakaba’s Physical Access Control System ∗∗∗
---------------------------------------------
In this post, Clemens Stockenreitner and Werner Schober of the SEC Consult Vulnerability Lab highlight several critical vulnerabilities found in dormakaba’s physical access control systems based on exos 9300.
---------------------------------------------
https://sec-consult.com/blog/detail/hands-free-lockpicking-critical-vulnera…
∗∗∗ Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure ∗∗∗
---------------------------------------------
TeamPCP continues its string of supply chain attacks, and announces a partnership with Vect ransomware group.
---------------------------------------------
https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/
∗∗∗ Databricks allegedly a victim of the TeamPCP LiteLLM supply-chain attack ∗∗∗
---------------------------------------------
There is a claim that Databricks (a cloud-based data analytics platform used by companies worldwide to manage huge data sets) has allegedly become a victim of the cyber group TeamPCP.
---------------------------------------------
https://borncity.com/blog/2026/03/30/databricks-mutmasslich-opfer-des-teamp…
∗∗∗ The Real Risk of Vibecoding ∗∗∗
---------------------------------------------
This blog looks at how AI‑driven vibecoding speeds up software development while increasing security risk by outpacing traditional review and ownership. It explains why security needs to move earlier and be built into modern development workflows.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/c/the-real-risk-of-vibecoding.…
∗∗∗ North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat…
∗∗∗ Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747) ∗∗∗
---------------------------------------------
To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI.
---------------------------------------------
https://blog.calif.io/p/mad-bugs-claude-wrote-a-full-freebsd
∗∗∗ AI Startup Mercor Hit by Supply Chain Attack Linked to LiteLLM ∗∗∗
---------------------------------------------
A recent Mercor cyberattack has brought renewed attention to the risks associated with open-source software dependencies, after the AI recruiting startup confirmed it was impacted by a broader supply chain compromise. The Mercor data breach, which is still under investigation, has been linked to a malicious incident involving the widely used LiteLLM project.
---------------------------------------------
https://thecyberexpress.com/mercor-cyberattack/
=====================
= Vulnerabilities =
=====================
∗∗∗ Malicious code per click: actively exploited Chrome vulnerability endangers millions of users ∗∗∗
---------------------------------------------
Google Chrome has a security vulnerability that allows malicious code to be injected simply by visiting a web page. Attackers are already exploiting it.
---------------------------------------------
https://www.golem.de/news/schadcode-per-klick-attackierte-chrome-luecke-gef…
∗∗∗ Gigabyte Control Center: code-injection vulnerability in widely used hardware control tool ∗∗∗
---------------------------------------------
Many users of Gigabyte hardware use the Gigabyte Control Center. A vulnerability in it lets attackers, among other things, inject malicious code.
---------------------------------------------
https://www.golem.de/news/gigabyte-control-center-schadcode-luecke-in-verbr…
∗∗∗ AI finds critical ImageMagick vulnerabilities in default configurations ∗∗∗
---------------------------------------------
An AI pentesting tool has discovered critical security vulnerabilities in default configurations of ImageMagick. Workarounds provide protection.
---------------------------------------------
https://www.heise.de/news/KI-findet-kritische-ImageMagick-Luecken-in-Standa…
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1065814/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 30-03-2026 18:00 − Tuesday 31-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New RoadK1ll WebSocket implant used to pivot on breached networks ∗∗∗
---------------------------------------------
A newly identified malicious implant named RoadK1ll is enabling threat actors to quietly move from a compromised host to other systems on the network.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-roadk1ll-websocket-impla…
∗∗∗ DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials ∗∗∗
---------------------------------------------
A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad.
---------------------------------------------
https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.ht…
∗∗∗ Telnyx joins LiteLLM in latest PyPI package poisoning tied to Trivy breach ∗∗∗
---------------------------------------------
The cybercrime crew linked to the Trivy supply-chain attack has struck again, this time pushing malicious Telnyx package versions to PyPI in an effort to plant credential-stealing malware on developers’ systems.
---------------------------------------------
https://www.theregister.com/2026/03/30/telnyx_pypi_supply_chain_attack_lite…
∗∗∗ OpenAI patches ChatGPT flaw that smuggled data over DNS ∗∗∗
---------------------------------------------
Check Point says outbound controls blocked web traffic but overlooked DNS. OpenAI talks up data security for its AI services, yet Check Point says that ChatGPT allowed data to leak through a DNS side channel before the flaw was fixed.
---------------------------------------------
https://www.theregister.com/2026/03/30/openai_chatgpt_dns_data_snuggling_fl…
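The item above is the classic egress blind spot: HTTP is filtered, DNS is not, so data leaves as query names. The example below is added here (it is not Check Point's or OpenAI's code) and shows the detection a defender would run over resolver logs: group queries by zone and flag zones whose leftmost labels are long, high-entropy and almost never repeated, which is how a chunked payload looks in a query log. The log format ('<timestamp> <client> <qname> <qtype>') and the thresholds are assumptions to adapt to the resolver at hand, and the sample log lines are constructed.

```python
"""Flag DNS query patterns typical of data smuggled out over DNS.

Added example for the ChatGPT DNS side-channel item; not Check Point's or
OpenAI's code. Log format and thresholds are assumptions; the sample log
below is constructed.
"""
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_log(lines):
    """Yield one dict per query from '<ts> <client> <qname> <qtype>' lines."""
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname, qtype = parts[:4]
        yield {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def zone_of(qname: str) -> str:
    """Group by the last two labels (assumption: no public-suffix list needed)."""
    return ".".join(qname.split(".")[-2:])


def suspicious_zones(lines, min_queries=8, min_label_len=20,
                     min_entropy=3.0, min_unique_ratio=0.8) -> list[dict]:
    """Zones whose queries look like an encoded data stream rather than lookups.

    A tunnel needs a fresh, long, high-entropy leftmost label per chunk, so it
    shows as many unique subdomains under one zone. Ordinary zones repeat a
    handful of short names.
    """
    per_zone = defaultdict(list)
    for q in parse_query_log(lines):
        per_zone[zone_of(q["qname"])].append(q)

    findings = []
    for zone, queries in per_zone.items():
        if len(queries) < min_queries:
            continue
        leftmost = [q["qname"].split(".")[0] for q in queries]
        avg_len = sum(len(label) for label in leftmost) / len(leftmost)
        avg_entropy = sum(shannon_entropy(label) for label in leftmost) / len(leftmost)
        unique_qnames = {q["qname"] for q in queries}
        unique_ratio = len(unique_qnames) / len(queries)
        if avg_len >= min_label_len and avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            findings.append({
                "zone": zone,
                "queries": len(queries),
                "unique_qnames": len(unique_qnames),
                "clients": sorted({q["client"] for q in queries}),
                "avg_label_len": avg_len,
                "avg_entropy": avg_entropy,
            })
    return findings


# Constructed sample log. The tunnel labels are rotations of the hex alphabet,
# chosen so their entropy (4.0 bits/char) is known exactly; a real tunnel would
# carry encoded payload bytes instead.
_HEX = "0123456789abcdef" * 2
SAMPLE_LOG = (
    ["2026-03-30T10:00:00Z 10.0.0.5 www.example.com A"] * 5
    + ["2026-03-30T10:00:01Z 10.0.0.7 cdn.example.com A"] * 3
    + ["2026-03-30T10:00:02Z 10.0.0.7 api.github.com A"] * 4
    + [f"2026-03-30T10:01:{i:02d}Z 10.0.0.5 {_HEX[i:] + _HEX[:i]}.exfil.example TXT"
       for i in range(10)]
)

if __name__ == "__main__":
    for hit in suspicious_zones(SAMPLE_LOG):
        print(f"{hit['zone']}: {hit['unique_qnames']}/{hit['queries']} unique qnames, "
              f"avg label {hit['avg_label_len']:.0f} chars, entropy {hit['avg_entropy']:.2f}, "
              f"clients {', '.join(hit['clients'])}")
```

The ratio of unique names to queries is what separates a tunnel from a busy CDN zone: CDNs repeat the same few hostnames, a tunnel never repeats a chunk. Pair this with the obvious control, which is to force all resolution through an internal resolver that logs and to block port 53 and DoH to the outside.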
∗∗∗ Telegram: wrangling over a critical or high-risk security vulnerability ∗∗∗
---------------------------------------------
IT researchers have identified a supposedly critical zero-click vulnerability in Telegram. Telegram disputes this.
---------------------------------------------
https://www.heise.de/news/Telegram-Hickhack-um-kritische-oder-hochriskante-…
∗∗∗ Security Governance at the Speed of Vibe Coding ∗∗∗
---------------------------------------------
Vibe-coded apps now reach production without security review, dependency scanning, or organizational oversight, built by employees who've never written code. The SaaS and DevOps transitions give security teams a starting governance approach that works at this speed.
---------------------------------------------
https://zeltser.com/security-governance-vibe-coding
∗∗∗ Fake Post invoice: when the QR code leads into a trap ∗∗∗
---------------------------------------------
"The parcel is on its way, you can transfer the amount now!" Criminals are trying to get at their victims' credit card data and money through fake classified-ad sales. As supposed confirmation of shipment, they send a photo of an invoice from Post AG. But beware: everything here is fake!
---------------------------------------------
https://www.watchlist-internet.at/news/post-rechnung-fake/
∗∗∗ Double Agents: Exposing Security Blind Spots in GCP Vertex AI ∗∗∗
---------------------------------------------
Unit 42 uncovers a "double agent" flaw in Google Cloud's Vertex AI, demonstrating how overprivileged AI agents can compromise cloud environments.
---------------------------------------------
https://unit42.paloaltonetworks.com/double-agents-vertex-ai/
∗∗∗ When Trusted Software Updates Become the Attack Vector: Inside Operation TrueChaos and a New Zero Day Vulnerability in a Popular Collaboration Tool ∗∗∗
---------------------------------------------
At the start of 2026, Check Point Research uncovered a targeted cyber espionage campaign that challenges long held assumptions about trust inside enterprise and government networks. Dubbed Operation TrueChaos, the campaign did not rely on phishing, stolen credentials, or exploitation of internet facing servers. Instead, attackers abused a previously unknown zero day vulnerability in a trusted, widely deployed enterprise videoconferencing platform to quietly distribute malware across multiple government agencies at once.
---------------------------------------------
https://blog.checkpoint.com/research/when-trusted-software-updates-become-t…
∗∗∗ OpenAI Codex Vulnerability Allowed Attackers to Steal GitHub Tokens ∗∗∗
---------------------------------------------
An OpenAI Codex vulnerability allowed attackers to steal GitHub tokens via malicious branch names, using a hidden Unicode command injection flaw.
---------------------------------------------
https://hackread.com/openai-codex-vulnerability-steal-github-tokens/
∗∗∗ AI Integration Security: Why the Biggest Risk Is Not the Model ∗∗∗
---------------------------------------------
AI integration security matters more than model security alone. Learn why the biggest AI risk comes from connected systems, stacked privileges, and workflow access.
---------------------------------------------
https://www.bitsight.com/blog/ai-integration-security-biggest-risk-not-the-…
∗∗∗ Vulnerability Research Is Cooked ∗∗∗
---------------------------------------------
For the last two years, technologists have ominously predicted that AI coding agents will be responsible for a deluge of security vulnerabilities. They were right! Just, not for the reasons they thought.
---------------------------------------------
https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/
∗∗∗ Railway Incident Report: Authenticated user data cached ∗∗∗
---------------------------------------------
Railway experienced an incident where CDN features were accidentally enabled for some domains without users enabling them. For those affected, this may have resulted in potentially authenticated data being served to unauthenticated users.
---------------------------------------------
https://blog.railway.com/p/incident-report-march-30-2026-accidental-cdn-cac…
=====================
= Vulnerabilities =
=====================
∗∗∗ Compromised axios npm packages distribute malware ∗∗∗
---------------------------------------------
The widely used JavaScript library axios (an HTTP client with over 300 million weekly downloads on npm) was abused as an attack vector through compromised package versions. Via the hijacked npm account of a lead developer, two malicious versions were published: axios@1.14.1 and axios@0.30.4. Both versions contain an additional dependency (plain-crypto-js@4.2.1) that automatically downloads a remote access trojan (RAT) for macOS, Windows and Linux on installation. The malicious versions have since been removed from npm.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/3/kompromittierte-axios-npm-pakete-ve…
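Because the malicious versions were live for only a few hours and have since been pulled, the practical question is whether a lockfile committed or deployed in that window captured them. The scanner below is an added example (not CERT.at's tooling) that walks an npm lockfile and reports exact matches against the indicators the warning names: axios 1.14.1 and 0.30.4, and the injected dependency plain-crypto-js 4.2.1. It handles both lockfile layouts, version 1 with its nested "dependencies" tree and versions 2 and 3 with the flat "packages" map keyed by install path. The embedded sample lockfiles are constructed.

```python
"""Scan an npm lockfile for the compromised axios releases named in the warning.

Added example, not CERT.at's tooling. Indicators come from the warning text;
nothing else is treated as malicious. Sample lockfiles are constructed.
"""
import json

COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}


def installed_packages(lock: dict):
    """Yield (name, version, install path) for every package in the lockfile."""
    if "packages" in lock:  # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if not path:  # "" describes the root project itself
                continue
            # Aliased packages carry an explicit name; otherwise derive it from the path.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version"), path
    else:  # lockfileVersion 1: nested "dependencies" tree
        stack = [("", lock.get("dependencies", {}))]
        while stack:
            prefix, deps = stack.pop()
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield name, meta.get("version"), path
                stack.append((path + "/", meta.get("dependencies", {})))


def find_compromised(lock: dict) -> list[dict]:
    """Exact name+version matches against the indicator list, wherever nested."""
    return [
        {"name": name, "version": version, "path": path}
        for name, version, path in installed_packages(lock)
        if name in COMPROMISED and version in COMPROMISED[name]
    ]


def scan_lockfile(path: str) -> list[dict]:
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh))


# Constructed v3 lockfile as it would look with the bad release installed.
SAMPLE_V3 = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.1"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/follow-redirects": {"version": "1.15.9"},
    },
}

# Constructed v1 lockfile pinned to a version that is not on the indicator list.
SAMPLE_V1 = {
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.14.0",
                  "dependencies": {"follow-redirects": {"version": "1.15.9"}}},
    },
}

if __name__ == "__main__":
    import sys
    hits = scan_lockfile(sys.argv[1]) if len(sys.argv) > 1 else find_compromised(SAMPLE_V3)
    for hit in hits:
        print(f"COMPROMISED {hit['name']}@{hit['version']} at {hit['path']}")
```

Run it against every package-lock.json in CI artefacts and container images built on 31 March, not just the current branch: a clean HEAD says nothing about what was installed during the window. A hit on plain-crypto-js at any path is the stronger indicator, since nothing legitimate in the warning pulls it in.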
∗∗∗ RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521) ∗∗∗
---------------------------------------------
This issue was previously classified as a Denial-of-Service (DoS) vulnerability but has been re‑categorized as an RCE in March 2026 following new information.
---------------------------------------------
https://www.truesec.com/hub/blog/rce-vulnerability-cve-2025-53521
∗∗∗ Claude finds RCE in Vim and Emacs ∗∗∗
---------------------------------------------
We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned. We joked: fine, we’ll switch to Emacs. Then Claude found an RCE there too.
---------------------------------------------
https://blog.calif.io/p/mad-bugs-vim-vs-emacs-vs-claude
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1065585/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 27-03-2026 18:00 − Monday 30-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Backdoored Telnyx PyPI package pushes malware hidden in WAV audio ∗∗∗
---------------------------------------------
TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/backdoored-telnyx-pypi-packa…
∗∗∗ After cyberattack: hackers extort paralysed and brain-injured patients ∗∗∗
---------------------------------------------
The BHD-Klinik Greifswald primarily treats patients with paraplegia and brain injuries. Hackers have captured data and are now misusing it.
---------------------------------------------
https://www.golem.de/news/nach-cyberangriff-hacker-erpressen-gelaehmte-und-…
∗∗∗ EU Commission: cyberattack on cloud services ∗∗∗
---------------------------------------------
The European Commission has become the victim of a cyberattack. A suspected attacker contacted the press.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-auf-Cloud-der-EU-Kommission-11228549…
∗∗∗ Phishing SMS target Trade Republic customers ∗∗∗
---------------------------------------------
Criminals are currently sending phishing SMS in the name of the online broker Trade Republic. Their goal: to gain access to the victims' accounts and crypto assets.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-trade-republic-kundinnen/
∗∗∗ Vulnerability CVE-2026-3055 in Citrix Netscaler ADC and Gateway is being attacked ∗∗∗
---------------------------------------------
On 24 March 2026 I warned in the post Critical Vulnerabilities in Citrix Netscaler ADC and Gateway (March 2026) about two critical vulnerabilities in the Citrix products mentioned. Attacks in the wild via one of the vulnerabilities are now being observed.
---------------------------------------------
https://borncity.com/blog/2026/03/30/schwachstelle-cve-2026-3055-in-citrix-…
∗∗∗ TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM ∗∗∗
---------------------------------------------
Moving beyond their LiteLLM campaign, TeamPCP weaponizes the Telnyx Python SDK with stealthy WAV‑based payloads to steal credentials across Linux, macOS, and Windows.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-…
∗∗∗ The Sequels Are Never As Good, But We're Still In Pain (Citrix NetScaler CVE-2026-3055 Memory Overread) ∗∗∗
---------------------------------------------
Sequels? Pain? We're obviously talking about Citrix NetScalers, yet again. Welcome back to another watchTowr Labs blog post - pull up a chair, we always welcome new members to our group therapy sessions.
---------------------------------------------
https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-…
∗∗∗ FortiClient EMS: security vulnerability under attack ∗∗∗
---------------------------------------------
In February Fortinet fixed a critical security vulnerability in FortiClient EMS with a security patch. It is now being attacked.
---------------------------------------------
https://heise.de/-11229898
∗∗∗ The Comforting Lie Of SHA Pinning ∗∗∗
---------------------------------------------
In March 2026, Trivy became the latest reminder that software supply chains are, at best, loosely held together with convention and trust. A typosquatting attack slipped malicious code into what looked like a legitimate dependency path. The post-mortems are worth reading, and they all converge on a single recommendation: pin your dependencies. In the GitHub Actions world, that usually translates to use commit SHAs, not tags.
---------------------------------------------
https://www.vaines.org/posts/2026-03-24-the-comforting-lie-of-sha-pinning/
∗∗∗ A Detection Researcher Mindset ∗∗∗
---------------------------------------------
As detection researchers we are frequently asked where our detection ideas come from (and to build a backlog for them, and when it will all be done, etc.). At some point I needed to stop referencing Demetri Martin's stand-up where he describes how his jokes are delivered by a delicate fairy from a magical shire (the AI drawing may make more sense now…or not).
---------------------------------------------
https://detect.fyi/a-detection-researcher-mindset-f2ed045480c5
∗∗∗ Threats based on Clipboards actions (+ KQL Query) ∗∗∗
---------------------------------------------
We are currently placing a strong focus on threats related to AI — and while I truly believe that is the right direction, we shouldn’t forget that there are many long-standing techniques that attackers continue to abuse effectively. One of those overlooked areas is clipboard activity.
---------------------------------------------
https://detect.fyi/threats-based-on-clipboards-actions-kql-query-93615eef79…
∗∗∗ Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks ∗∗∗
---------------------------------------------
Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software.
---------------------------------------------
https://thecyberexpress.com/hackers-impersonate-cert-ua-agewheeze-rat/
∗∗∗ ksmbd - Exploiting CVE-2025-37947 (3/3) ∗∗∗
---------------------------------------------
This is the last of our posts about ksmbd. For the previous posts, see part 1 and part 2. Considering all discovered bugs and proof-of-concept exploits we reported, we had to select some suitable candidates for exploitation. In particular, we wanted to use something reported more recently to avoid downgrading our working environment.
---------------------------------------------
https://blog.doyensec.com/2025/10/08/ksmbd-3.html
=====================
= Vulnerabilities =
=====================
∗∗∗ File read flaw in Smart Slider plugin impacts 500K WordPress sites ∗∗∗
---------------------------------------------
A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/file-read-flaw-in-smart-slid…
∗∗∗ Update now! Attacks on F5 BIG-IP Access Policy Manager observed ∗∗∗
---------------------------------------------
The US IT security agency CISA warns of ongoing attacks on F5 BIG-IP Access Policy Manager.
---------------------------------------------
https://heise.de/-11229172
∗∗∗ Update! Attacks on Gambio web shops ∗∗∗
---------------------------------------------
A security vulnerability in Gambio web shops allows attackers to break into them. And malicious actors are apparently already doing so.
---------------------------------------------
https://heise.de/-11229519
∗∗∗ Video Calling Vulnerabilities in Miko Smart Kid Robots - Security Research ∗∗∗
---------------------------------------------
Miko robots have been vulnerable to exploits which can initiate video calls to the robots and get personal information from them remotely.
---------------------------------------------
https://blog.mgdproductions.com/miko-robots-vulnerabilities/
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1065419/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 26-03-2026 18:00 − Friday 27-03-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ IT taken offline: cyberattack leads to port operations with pen and paper ∗∗∗
---------------------------------------------
Spain's Puerto de Vigo is considered an important port for global fishing traffic. After a cyberattack, port operations have to get by without IT.
---------------------------------------------
https://www.golem.de/news/cyberangriff-hacker-legen-it-von-spaniens-groesst…
∗∗∗ Extortion expected: hackers want to monetise huge supply chain attack ∗∗∗
---------------------------------------------
After devastating attacks on Trivy, LiteLLM and other tools, TeamPCP wants to use the mass-harvested credentials for ransomware attacks.
---------------------------------------------
https://www.golem.de/news/erpressungen-erwartet-hacker-wollen-riesige-suppl…
∗∗∗ Digital sleeper cells: hidden Linux malware discovered in telco networks ∗∗∗
---------------------------------------------
Researchers examined the networks of telco providers and found hidden backdoor malware. Hackers are said to be using it for espionage.
---------------------------------------------
https://www.golem.de/news/digitale-schlaeferzellen-versteckte-linux-malware…
∗∗∗ China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ∗∗∗
---------------------------------------------
A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks. The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen, a threat cluster that's also tracked as Earth Bluecrow,
---------------------------------------------
https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.ht…
∗∗∗ Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks ∗∗∗
---------------------------------------------
The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky.
---------------------------------------------
https://thehackernews.com/2026/03/coruna-ios-kit-reuses-2023.html
∗∗∗ LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history. Both LangChain and LangGraph are open-source frameworks that are used to build applications powered by Large Language Models (LLMs).
---------------------------------------------
https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.ht…
∗∗∗ Security boffins scoured the web and found hundreds of valid API keys ∗∗∗
---------------------------------------------
Global banks' devs have some cleaning up to do after cloud creds found in website code. Computer security boffins have conducted an analysis of 10 million websites and found almost 2,000 API credentials strewn across 10,000 webpages.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/03/27/security_bof…
∗∗∗ 293,000 email accounts leaked: IT incident at plug-in maker Sound Radix ∗∗∗
---------------------------------------------
The Have I Been Pwned project lets you check whether your own email address is part of the data leak at VST plug-in maker Sound Radix.
---------------------------------------------
https://www.heise.de/news/IT-Vorfall-bei-Musik-Plug-in-Schmiede-Sound-Radix…
∗∗∗ Qilin: Left Party reports Russian ransomware attack ∗∗∗
---------------------------------------------
The party "Die Linke" is facing a cybersecurity incident; member data is reportedly not affected.
---------------------------------------------
https://heise.de/-11227181
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Malicious-code attacks on AI tool Langflow observed ∗∗∗
---------------------------------------------
A critical security vulnerability in Langflow lets attackers push malicious code onto PCs and execute it. A security patch is available.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Schadcode-Attacken-auf-KI-Tool-Lang…
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1065015/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 25-03-2026 18:00 − Thursday 26-03-2026 18:30
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Abusing Modern Browser Features for Phishing ∗∗∗
---------------------------------------------
Modern browsers have come a long way from rendering marked-up text to being used as a runtime for client applications. Many of the modern APIs require explicit user consent (e.g. when accessing Bluetooth, USB devices, location or local files) while others are allowed by default. As security researchers we are always interested in the worst-case – so what can malicious websites do without user consent? As it turns out – a very legitimate-looking phishing attempt! [..] We have reported this issue to both the Chromium project and Mozilla in May 2024. Though the issues have been accepted, no patch timeframe, solution approach or any other piece of information that would lead us to believe this issue will be resolved at any point was provided for almost two years. We have thus decided to publish the vulnerability details.
---------------------------------------------
https://certitude.consulting/blog/en/abusing-modern-browser-features-for-ph…
∗∗∗ TikTok for Business accounts targeted in new phishing campaign ∗∗∗
---------------------------------------------
Threat actors are targeting TikTok for Business accounts in a phishing campaign that prevents security bots from analyzing malicious pages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tiktok-for-business-accounts…
∗∗∗ Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a vulnerability in Anthropic's Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page. [..] Following responsible disclosure on December 27, 2025, Anthropic deployed a patch to the Chrome extension (version 1.0.41) that enforces a strict origin check requiring an exact match to the domain "claude[.]ai." Arkose Labs has since fixed the XSS flaw at its end as of February 19, 2026.
---------------------------------------------
https://thehackernews.com/2026/03/claude-extension-flaw-enabled-zero.html
∗∗∗ “Stack Overflow for AI Agents” Sounds Great — Until Someone Poisons the Answers ∗∗∗
---------------------------------------------
What if someone poisoned a doc in Context Hub’s registry? We simulated exactly that — built poisoned docs locally and served them through chub’s own MCP server. From the agent’s perspective, it is identical to the real thing. Haiku installed the fake dependency in 100% of runs. Warned the developer in 0%.
---------------------------------------------
https://medium.com/@mickey.shmueli/stack-overflow-for-ai-agents-sounds-grea…
∗∗∗ Willhaben fake: the chatbot that empties the account ∗∗∗
---------------------------------------------
An SMS out of the blue. A faked Willhaben billing portal. An AI chatbot that responds concretely to questions. The combination of these three components is what makes a current fraud attempt in the name of Willhaben so dangerous. If the criminals' plan works out, they end up completely emptying their victim's account.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-fake-chatbot/
∗∗∗ New PXA Stealer Malware Targets Banks, Uses Telegram to Exfiltrate Data ∗∗∗
---------------------------------------------
Financial firms across the globe are facing a fresh wave of digital break-ins this year. According to cyber threat detection firm CyberProof, a relatively new malware known as the PXA Stealer has seen a sudden spike in activity. During the first quarter of 2026, experts tracked an 8% to 10% increase in attacks using this specific tool.
---------------------------------------------
https://hackread.com/financial-firms-rise-pxa-stealer-attacks/
∗∗∗ Ghost Fleet: Half of All New Scanning IPs Last Week Geolocated to Hong Kong — Nearly None Completed a Connection ∗∗∗
---------------------------------------------
Last week, the GreyNoise Observation Grid observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days and 99.7% of them never completed a single TCP connection.
---------------------------------------------
https://www.greynoise.io/blog/ghost-fleet-half-new-scanning-ips-geolocated-…
∗∗∗ GhostClaw: infostealer for macOS on GitHub ∗∗∗
---------------------------------------------
It tries to profit from the current boom of the AI agent OpenClaw and hopes to find users who know little about the terminal and who type in the commands there that make the installation possible in the first place. Developers searching for OpenClaw tools could also fall into the trap.
---------------------------------------------
https://heise.de/-11222743
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 25.03.2026 ∗∗∗
---------------------------------------------
Cisco has released 13 security advisories (1x critical, 5x high, 7x medium severity).
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
∗∗∗ Two critical malicious-code vulnerabilities threaten automation platform n8n ∗∗∗
---------------------------------------------
As the security section of the tool's GitHub site shows, the developers have closed a total of six security vulnerabilities. Two of them are rated "critical" (CVE-2026-33696, CVE-2026-33660). In the first case, malicious code can reach systems and compromise them after a prototype pollution attack. In the second case the same is possible, this time because the AlaSQL sandbox does not sufficiently restrict certain SQL statements.
---------------------------------------------
https://www.heise.de/news/Zwei-kritische-Schadcode-Luecken-bedrohen-Automat…
∗∗∗ Trend Micro Apex One™ Service Pack 1 (2025) and critical patch build 17079 available ∗∗∗
---------------------------------------------
On 26 March 2026 Trend Micro released both its Trend Micro Apex One™ Service Pack 1 (2025) and the critical patch build 17079. The latter contains the same security fixes as Service Pack 1 (2025) but is available as an upgrade package for existing Apex One installations. There is not a lot of information.
---------------------------------------------
https://borncity.com/blog/2026/03/26/trend-micro-apex-one-service-pack-1-20…
∗∗∗ TP-Link: Security Advisory on Multiple Vulnerabilities on TP-Link Archer NX200, NX210, NX500 and NX600 (CVE-2025-15517 to CVE-2025-15519 and CVE-2025-15605) ∗∗∗
---------------------------------------------
https://www.tp-link.com/us/support/faq/5027/
∗∗∗ node.js: March 24, 2026 Security Releases ∗∗∗
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
∗∗∗ GitLab Patch Release: 18.10.1, 18.9.3, 18.8.7 ∗∗∗
---------------------------------------------
https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-r…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1064761/
∗∗∗ Vienna Assistant: Local Privilege Escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 24-03-2026 18:00 − Wednesday 25-03-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Supply chain security in the CI/CD environment ∗∗∗
---------------------------------------------
In recent weeks several security solutions from the continuous integration/continuous delivery (CI/CD) environment have been successfully compromised: Xygeni, Trivy, Checkmarx. By injecting malicious code, the primary aim was to steal credentials from automated CI/CD pipelines in which the compromised companies' software packages are used. The credentials obtained in this way were subsequently used to compromise other software packages.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/3/supply-chain-security-im-cicd-umfeld
∗∗∗ SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th) ∗∗∗
---------------------------------------------
This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique.
---------------------------------------------
https://isc.sans.edu/diary/rss/32826
∗∗∗ Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany. The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then.
---------------------------------------------
https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.h…
∗∗∗ GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs.
---------------------------------------------
https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html
∗∗∗ 1K+ cloud environments infected following Trivy supply chain attack ∗∗∗
---------------------------------------------
Crims creating a snowball effect across open source projects. RSAC 2026: Thousands of organizations' cloud environments have been infected with secret-stealing malware as a result of the Trivy supply-chain attack last week, and now the crims that compromised the open source scanners are working with notorious extortion crews like Lapsus$.
---------------------------------------------
https://www.theregister.com/2026/03/24/1k_cloud_environments_infected_follo…
∗∗∗ The used car that never existed: advance-fee fraud in the name of Sixt Car Sales ∗∗∗
---------------------------------------------
An email lands in the virtual inbox, supposedly from Sixt Car Sales GmbH. Its content: cheap used cars are available for sale at short notice. Readers are invited to browse the attached catalogue; maybe a suitable vehicle is included. Anyone who takes up the deal and transfers the agreed price, however, never receives a car. And the money is gone too.
---------------------------------------------
https://www.watchlist-internet.at/news/gebrauchtwagen-vorschussbetrug-sixt/
∗∗∗ Threat Brief: Recruiting Scheme Impersonating Palo Alto Networks Talent Acquisition Team ∗∗∗
---------------------------------------------
Unit 42 identifies a recruitment phishing campaign targeting senior professionals via impersonation and fraudulent resume fees.
---------------------------------------------
https://unit42.paloaltonetworks.com/phishing-attackers-pose-as-panw-recruit…
∗∗∗ 5 Malicious npm Packages Typosquat Solana and Ethereum Libraries to Steal Private Keys ∗∗∗
---------------------------------------------
Socket's Threat Research Team identified five malicious npm packages published under the account galedonovan, all targeting cryptocurrency developers. Each package typosquats a legitimate crypto library and exfiltrates private keys to a single hardcoded Telegram bot. The campaign covers both the Solana and Ethereum ecosystems, and the C2 infrastructure was confirmed active as of March 23, 2026.
---------------------------------------------
https://socket.dev/blog/5-malicious-npm-packages-typosquat-solana-and-ether…
=====================
= Vulnerabilities =
=====================
∗∗∗ PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug ∗∗∗
---------------------------------------------
PTC Inc. is warning of a critical vulnerability in Windchill and FlexPLM, widely used product lifecycle management (PLM) solutions, that could allow remote code execution.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ptc-warns-of-imminent-threat…
∗∗∗ Supply chain attack on LiteLLM: those affected should change credentials immediately ∗∗∗
---------------------------------------------
There has apparently been an attack on the open-source library for connecting to LLMs, as a result of which two compromised packages can steal credentials.
---------------------------------------------
https://heise.de/-11223618
∗∗∗ Database management system MariaDB can crash or let malicious code onto systems ∗∗∗
---------------------------------------------
The MariaDB developers have closed a security vulnerability. A patch is available.
---------------------------------------------
https://heise.de/-11224256
∗∗∗ iStat Menus < 7.20.5 local privilege escalation ∗∗∗
---------------------------------------------
iStat Menus version < 7.20.5 has a local privilege escalation vulnerability due to insecure world-writable permissions set by the install helper component. This allows standard users to execute commands as root.
---------------------------------------------
https://markuta.com/istat-menus-local-privilege-escalation/
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1064634/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 23-03-2026 18:00 − Tuesday 24-03-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Tycoon2FA phishing platform returns after recent police disruption ∗∗∗
---------------------------------------------
The Tycoon2FA phishing-as-a-service (PhaaS) platform that Europol and partners disrupted on March 4 has already returned to previously observed activity levels.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-platform-…
∗∗∗ Exploit kit published: leak on GitHub endangers millions of iPhones ∗∗∗
---------------------------------------------
A new version of the Darksword exploit kit has appeared on GitHub. Numerous iPhones can be infiltrated with it with just a single click.
---------------------------------------------
https://www.golem.de/news/exploit-kit-veroeffentlicht-leak-auf-github-gefae…
∗∗∗ IIS without support: hundreds of thousands of attackable Microsoft servers online ∗∗∗
---------------------------------------------
More than half a million IIS web servers reachable online have reached end-of-life status. Some of them are located in Germany as well.
---------------------------------------------
https://www.golem.de/news/iis-ohne-support-hunderttausende-angreifbare-micr…
∗∗∗ North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware ∗∗∗
---------------------------------------------
The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that's distributed via malicious Microsoft Visual Studio Code (VS Code) projects.
---------------------------------------------
https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.h…
∗∗∗ Country that put backdoors into Cisco routers to spy on world bans foreign routers ∗∗∗
---------------------------------------------
Unfortunately, there aren't many options unless you're Starlink. Citing national security fears, America is effectively banning any new consumer-grade network routers made abroad.
---------------------------------------------
https://www.theregister.com/2026/03/24/fcc_foreign_routers/
∗∗∗ Scam compounds hiring “AI models” to seal the deal in deepfake video calls ∗∗∗
---------------------------------------------
Forced labor doesn’t play well on camera, so scam compounds are hiring women to deepfake their faces on video calls.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/03/scam-compounds-hiring-ai-mod…
∗∗∗ orfbeitragportal.at: paid help for a free service ∗∗∗
---------------------------------------------
Everyday dealings with public authorities can turn into a quiet time sink. There is therefore a growing number of portals offering their help here. They take care of said official errands and other tasks on behalf of their clients. Allegedly. Why this is more problematic than it seems at first glance, and what is really behind it, is explained in this article using the website "orfbeitragportal.at" as an example.
---------------------------------------------
https://www.watchlist-internet.at/news/orfbeitragportal-kostenpflichtige-hi…
∗∗∗ Google Authenticator: The Hidden Mechanisms of Passwordless Authentication ∗∗∗
---------------------------------------------
Explore Google’s synced passkey architecture. Unit 42 details its mechanisms, key management, and secure communication in passwordless systems.
---------------------------------------------
https://unit42.paloaltonetworks.com/passwordless-authentication/
∗∗∗ Hoster hacked: retailers have lost their JTL-Wawi data (23 March 2026) ∗∗∗
---------------------------------------------
Some retailers who rely on JTL's merchandise management system for their online shops and who booked with a particular hoster are apparently affected by the next piece of bad news.
---------------------------------------------
https://borncity.com/blog/2026/03/24/hack-des-hosters-haendler-haben-ihre-j…
∗∗∗ New CanisterWorm Targets Kubernetes Clusters, Deploys “Kamikaze” Wiper ∗∗∗
---------------------------------------------
CanisterWorm spreads via npm supply chain attack, hijacks developer accounts, targets Kubernetes clusters, and deploys destructive Kamikaze wiper payload.
---------------------------------------------
https://hackread.com/canisterworm-kubernetes-clusters-kamikaze-wiper/
∗∗∗ Box of secrets: Discreetly modding an apartment intercom with Matter ∗∗∗
---------------------------------------------
[..] This was such a fun project to work on, and it allowed me to dip my toes into circuit hacking, something I don’t get to do nearly enough. The components for this project are all super simple, so if you’re in the same position as Frank, give it a try!
---------------------------------------------
https://www.jackhogan.me/blog/box-of-secrets
∗∗∗ KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack ∗∗∗
---------------------------------------------
Checkmarx KICS scanner is the latest victim of a credential-stealing supply chain attack by TeamPCP. Between 12:58 and 16:50 UTC on March 23, 35 tags were hijacked. Learn how to audit your workflows, identify malicious activity, and secure your GitHub Actions.
---------------------------------------------
https://www.wiz.io/blog/teampcp-attack-kics-github-action
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Attacks on Quest KACE Systems Management Appliance ∗∗∗
---------------------------------------------
Attackers are logging in to the Quest KACE Systems Management Appliance endpoint management system. A security patch has been available for some time.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Quest-KACE-Systems-Man…
∗∗∗ Security patches: Various attacks on SmarterMail possible ∗∗∗
---------------------------------------------
The SmarterMail e-mail and collaboration server is vulnerable. The developers have closed several security holes.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatches-Verschiedene-Attacken-auf-Smar…
∗∗∗ Thousands of Magento websites hacked (March 2026) ∗∗∗
---------------------------------------------
A campaign is apparently currently underway in which Magento websites are hacked and defaced with a defacement message. Thousands of Magento websites are said to be affected. On 7 March 2026 alone, 7,500 Magento websites (or shops) were affected, according to a security vendor.
---------------------------------------------
https://borncity.com/blog/2026/03/23/tausende-magento-websites-gehackt-maer…
∗∗∗ Stackfield Desktop App: RCE via Path Traversal and Arbitrary File Write (CVE-2026-28373) ∗∗∗
---------------------------------------------
CVE-2026-28373 describes a path traversal vulnerability in the Stackfield desktop app affecting all versions up to 1.10.1 on Windows and macOS.
---------------------------------------------
https://www.rcesecurity.com/2026/03/stackfield-desktop-app-rce-via-path-tra…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1064474/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 20-03-2026 18:00 − Monday 23-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft Azure Monitor alerts abused in callback phishing campaigns ∗∗∗
---------------------------------------------
Azure Monitor is Microsoft's cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure. [..] Over the past month, numerous people have reported receiving Azure Monitor alerts warning of suspicious charges or invoice activity on their accounts, urging them to call an enclosed phone number.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-aler…
∗∗∗ VoidStealer malware steals Chrome master key via debugger trick ∗∗∗
---------------------------------------------
“VoidStealer is the first infostealer observed in the wild adopting a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the v20_master_key directly from browser memory,” says Vojtěch Krejsa, threat researcher at Gen Digital.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/voidstealer-malware-steals-c…
∗∗∗ Security incident at SAP service provider In4MD Service GmbH ∗∗∗
---------------------------------------------
A brief follow-up on a security incident at In4MD Service GmbH that already occurred on 14 March 2026. According to my information, In4MD Service GmbH is a service provider in the SAP environment and was the victim of a cyberattack on its IT systems. Customers have since been informed.
---------------------------------------------
https://borncity.com/blog/2026/03/22/sicherheitsvorfall-bei-sap-dienstleist…
∗∗∗ Trivy Supply Chain Attack Expands to Compromised Docker Images ∗∗∗
---------------------------------------------
Newly published Trivy Docker images (0.69.4, 0.69.5, and 0.69.6) were found to contain infostealer IOCs and were pushed to Docker Hub without corresponding GitHub releases.
---------------------------------------------
https://socket.dev/blog/trivy-docker-images-compromised
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-day allows code execution in WindChill and FlexPLM ∗∗∗
---------------------------------------------
Information on the vulnerability is sparse; neither a CVE identifier nor warnings from the national CERTs (Computer Emergency Response Teams) are available. [..] The vendor urgently calls for security measures to be taken; a patch is not yet available at this time. [..] As the Windchill service provider EAC describes in a notice to its customers, this requires a configuration change to the Apache web server.
---------------------------------------------
https://www.heise.de/news/Zero-Day-erlaubt-Codeausfuehrung-in-WindChill-und…
∗∗∗ VMware Tanzu: Various Spring products are attackable ∗∗∗
---------------------------------------------
Errors can occur in the handling of HTTP headers, allowing attackers to gain unauthorized access to sensitive data. [..] In the context of Spring Boot, attackers can, among other things, bypass authentication (e.g. CVE-2026-22731, rated "high").
---------------------------------------------
https://www.heise.de/news/VMware-Tanzu-Verschiedene-Spring-Produkte-sind-at…
∗∗∗ Serious security vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway - patches available ∗∗∗
---------------------------------------------
Two serious security vulnerabilities, CVE-2026-3055 and CVE-2026-4368, have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Exploitation of these vulnerabilities may allow attackers to access sensitive information.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/3/schwerwiegende-sicherheitslucken-in…
∗∗∗ LWN: Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1064298/
∗∗∗ Synology-SA-26:03 GNU Inetutils ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_26_03
∗∗∗ Stackfield Desktop App for Windows and macOS <= 1.10.1 Path Traversal Remote Code Execution ∗∗∗
---------------------------------------------
https://www.rcesecurity.com/advisories/cve-2026-28373/