=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-05-2025 18:00 − Tuesday 06-05-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Man pleads guilty to using malicious AI software to hack Disney employee ∗∗∗
---------------------------------------------
Fake image-generating app allowed man to download 1.1TB of Disney-owned data.
---------------------------------------------
https://arstechnica.com/ai/2025/05/man-pleads-guilty-to-using-malicious-ai-…
∗∗∗ Luna Moth extortion hackers pose as IT help desks to breach US firms ∗∗∗
---------------------------------------------
The data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/luna-moth-extortion-hackers-…
∗∗∗ "Mirai" Now Exploits Samsung MagicINFO CMS (CVE-2024-7399), (Mon, May 5th) ∗∗∗
---------------------------------------------
Last August, Samsung patched an arbitrary file upload vulnerability that could lead to remote code execution [1]. The announcement was very sparse and did not even include affected ..
---------------------------------------------
https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE2024…
∗∗∗ CISA slammed for role in censorship industrial complex as budget faces possible $500M cut ∗∗∗
---------------------------------------------
Because who needs cybersecurity when there are culture wars to win? President Trump's dream 2026 budget would gut the US government's Cybersecurity and Infrastructure Security Agency, aka CISA, by $491 million - about 17 percent - and accuses the organization of abandoning its core mission in favor of policing online speech.
---------------------------------------------
https://www.theregister.com/2025/05/06/cisa_budget_cuts/
∗∗∗ Signal affair: Modified messenger ceases operation after second break-in ∗∗∗
---------------------------------------------
The US government uses a modified app to communicate via Signal. It is called TeleMessage, has been breached twice and has been shut down for the time being.
---------------------------------------------
https://www.heise.de/news/Signal-Affaere-Modifizierter-Messenger-stellt-nac…
∗∗∗ Peru denies it was hit by ransomware attack following Rhysida claims ∗∗∗
---------------------------------------------
The prolific ransomware gang claimed to have taken over the Peruvian government's domain.
---------------------------------------------
https://therecord.media/peru-rhysida-ransomware-claims-denied
∗∗∗ NSA to cut up to 2,000 civilian roles as part of intel community downsizing ∗∗∗
---------------------------------------------
The agency is expected to make the cuts by the end of the year; however, that deadline could change, as it is tied to the Defense Department's broader push to reduce its budget by 8 percent in each of the next five years.
---------------------------------------------
https://therecord.media/nsa-to-cut-up-to-2000-roles-downsizing
∗∗∗ Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches ∗∗∗
---------------------------------------------
Edge vulnerabilities are a critical and growing threat. The 2025 DBIR reveals an eightfold surge in exploitation, yet many remain unpatched despite immediate risk.
---------------------------------------------
https://www.greynoise.io/blog/verizon-dbir-2025-edge-kevs-increasingly-left…
∗∗∗ Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines ∗∗∗
---------------------------------------------
UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-…
∗∗∗ A Timely Reminder: Russia’s Enduring Cyber Threat to Critical Infrastructure ∗∗∗
---------------------------------------------
Russia’s cyber operations — ranging from power-grid disruptions to global ransomware — continue to be among the world’s most prolific and destructive, underscoring the continued ..
---------------------------------------------
https://detect.fyi/a-timely-reminder-russias-enduring-cyber-threat-to-criti…
∗∗∗ How to Harden GitHub Actions: The Unofficial Guide ∗∗∗
---------------------------------------------
Build resilient GitHub Actions workflows with lessons from recent attacks.
---------------------------------------------
https://www.wiz.io/blog/github-actions-security-guide
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts).
---------------------------------------------
https://lwn.net/Articles/1020222/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-05-2025 18:00 − Monday 05-05-2025 18:00
Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Magento supply chain attack compromises hundreds of e-stores ∗∗∗
---------------------------------------------
A supply chain attack involving 21 backdoored Magento extensions has compromised between 500 and 1,000 e-commerce stores, including one belonging to a $40 billion multinational.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-…
∗∗∗ StealC malware enhanced with stealth upgrades and data theft tools ∗∗∗
---------------------------------------------
The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with…
∗∗∗ Shuffling the Greatest Hits: How DragonForce Ransomware Samples LockBit and Conti Into a Ransomware Jukebox ∗∗∗
---------------------------------------------
DragonForce ransomware has been assessed as a sophisticated threat that tactically deploys payloads derived from leaked source code of both the notorious LockBit 3.0 and Conti ransomware families. While the samples share some similar core functionality, DragonForce distinguishes itself in several ..
---------------------------------------------
https://hybrid-analysis.blogspot.com/2025/05/shuffling-greatest-hits-how-dr…
∗∗∗ Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware ∗∗∗
---------------------------------------------
An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years. The activity, which lasted from at least May 2023 to February 2025, ..
---------------------------------------------
https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.ht…
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-expl…
∗∗∗ CVE-2025-31324: Critical SAP NetWeaver Vulnerability Actively Exploited ∗∗∗
---------------------------------------------
SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, has recently been patched with the release of SAP Security Note 3594142.
---------------------------------------------
https://www.truesec.com/hub/blog/cve-2025-31324-critical-sap-netweaver-vuln…
∗∗∗ DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door ∗∗∗
---------------------------------------------
The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening.
---------------------------------------------
https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-s…
∗∗∗ NPM targeted by malware campaign mimicking familiar library names ∗∗∗
---------------------------------------------
Developers looking for familiar packages from other programming languages are increasingly falling victim to malicious attacks. Summary: The Socket threat research team uncovered a coordinated malware operation across the NPM ecosystem. The actor behind the campaign published dozens of malicious NPM packages that mimic well-known Python, Java, C++, .NET, ..
---------------------------------------------
https://socket.dev/blog/npm-targeted-by-malware-campaign-mimicking-familiar…
∗∗∗ Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks ∗∗∗
---------------------------------------------
A vulnerability has been identified in Apache Parquet Java, which could leave systems exposed to remote code execution (RCE) attacks. Apache Parquet contributor Gang Wu discovered this flaw, tracked as CVE-2025-46762, ..
---------------------------------------------
https://thecyberexpress.com/apache-parquet-java-flaw-cve-2025-46762/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, ..
---------------------------------------------
https://lwn.net/Articles/1020130/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-04-2025 18:00 − Friday 02-05-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Patch now! Attackers are again exploiting older SonicWall vulnerabilities ∗∗∗
---------------------------------------------
Due to ongoing attacks, admins should immediately bring their SonicWall SMA series remote access solutions up to date. [..] Both vulnerabilities affect the SMA 200, 210, 400, 410 and 500v series. The developers state that the flaws are closed as of firmware 10.2.1.14-75sv. [..] If attacks succeed, attackers can execute malicious code. The "critical" vulnerability (CVE-2024-38475) affects the SMA component Apache HTTP Server.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Angreifer-setzen-erneut-an-aelteren…
∗∗∗ SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475) ∗∗∗
---------------------------------------------
Another day, another edge device being targeted - it's a typical Thursday! In today's blog post, we're excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall's SMA100 appliance. [..] Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a separate CVE will not be assigned for SonicWall's [..] As always, we've produced a Detection Artefact Generator to demonstrate and achieve pre-auth RCE.
---------------------------------------------
https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-so…
∗∗∗ Why MFA is getting easier to bypass and what to do about it ∗∗∗
---------------------------------------------
As detailed on Thursday by Cisco Talos, an entire ecosystem has cropped up to help criminals defeat these forms of MFA.
---------------------------------------------
https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-a…
∗∗∗ Windows: Logging in with old passwords possible via RDP ∗∗∗
---------------------------------------------
According to Microsoft, this is a "design decision that ensures at least one user account is able to log in, no matter how long the system has been offline". The behaviour therefore does not meet the definition of a vulnerability, Microsoft says, and the company has no plans to change it.
---------------------------------------------
https://www.heise.de/news/Windows-Log-in-ueber-RDP-mit-widerrufenen-Passwoe…
∗∗∗ Prolific RansomHub Operation Goes Dark ∗∗∗
---------------------------------------------
The chat infrastructure and data-leak site of the notorious ransomware-as-a-service group has been inactive since March 31, according to security vendors.
---------------------------------------------
https://www.darkreading.com/cyber-risk/prolific-ransomhub-operation-goes-da…
∗∗∗ Software updates manipulated: Hackers abuse IPv6 feature for cyberattacks ∗∗∗
---------------------------------------------
According to the report, Spellbinder uses an attack vector that has been known since at least 2008 and was described in detail in a 2011 blog post under the name "SLAAC attack". [..] Spellbinder reportedly allows spoofing of IPv6 configurations that are normally assigned automatically via a method called SLAAC (Stateless Address Autoconfiguration).
---------------------------------------------
https://www.golem.de/news/softwareupdates-manipuliert-hacker-missbrauchen-i…
∗∗∗ MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks ∗∗∗
---------------------------------------------
The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Future's Insikt Group said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/05/mintsloader-drops-ghostweaver-via.html
∗∗∗ I StealC You: Tracking the Rapid Changes To StealC ∗∗∗
---------------------------------------------
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid…
∗∗∗ Using Trusted Protocols Against You: Gmail as a C2 Mechanism ∗∗∗
---------------------------------------------
Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages.
---------------------------------------------
https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-m…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat, fig2dev, firefox-esr, golang-github-gorilla-csrf, jinja2, libxml2, nagvis, qemu, request-tracker4, request-tracker5, u-boot, and vips), Fedora (firefox, giflib, and thunderbird), Mageia (imagemagick), Red Hat (thunderbird), SUSE (amber-cli, libjxl, and redis), and Ubuntu (h2o, poppler, and postgresql-10).
---------------------------------------------
https://lwn.net/Articles/1019645/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython).
---------------------------------------------
https://lwn.net/Articles/1019869/
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-121-01 KUNBUS GmbH Revolution Pi, ICSMA-25-121-01 MicroDicom DICOM Viewer
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-releases-two-indust…
∗∗∗ ZDI-25-267: GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-267/
∗∗∗ IBM Cognos Analytics: Attackers can upload malicious code ∗∗∗
---------------------------------------------
https://www.heise.de/news/IBM-Cognos-Analytics-Angreifer-koennen-Schadcode-…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpr…
∗∗∗ Tenable: [R1] Sensor Proxy Version 1.2.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-08
∗∗∗ f5: K000151130: GnuTLS vulnerability CVE-2024-12243 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151130
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 29-04-2025 18:00 − Wednesday 30-04-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ AirBorne: Wormable Zero-Click RCE in Apple AirPlay ∗∗∗
---------------------------------------------
Oligo Security Research has discovered a new set of vulnerabilities in Apple’s AirPlay Protocol and the AirPlay Software Development Kit (SDK), which is used by third-party vendors to integrate AirPlay into third-party devices.
---------------------------------------------
https://www.oligo.security/blog/airborne
∗∗∗ Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th) ∗∗∗
---------------------------------------------
The activity occurred on 23 April 2025 between 18:00 and 19:00 UTC, but since then, based on activity reported to DShield (see graphs below), it has been happening almost daily.
---------------------------------------------
https://isc.sans.edu/diary/rss/31906
∗∗∗ Yet Another NodeJS Backdoor (YaNB): A Modern Challenge ∗∗∗
---------------------------------------------
During an Advanced Continual Threat Hunt (ACTH) investigation conducted in early March 2025, Trustwave SpiderLabs identified a notable resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications. These campaigns trick users into executing NodeJS-based backdoors, subsequently deploying sophisticated NodeJS Remote Access Trojans (RATs) similar to traditional PE structured legacy RATs.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another…
∗∗∗ Understanding the Deep Web, Dark Web, and Darknet (2025 Guide) ∗∗∗
---------------------------------------------
Understand the difference between Deep Web, Dark Web, and Darknet. Learn how they work, how to access them safely, and why they matter in 2025.
---------------------------------------------
https://www.darknet.org.uk/2025/04/understanding-the-deep-web-dark-web-and-…
∗∗∗ The MCP Authorization Spec Is... a Mess for Enterprise ∗∗∗
---------------------------------------------
The Model Context Protocol has created quite the buzz in the AI ecosystem at the moment, but as enterprise organizations look to adopt it, they are confronted with a hard truth: it lacks important security functionality. Up until now, as people experiment with Agentic AI and tool support, they've mostly adopted the MCP stdio transport, which means you end up with a 1:1 deployment of MCP server and MCP client. What organizations need is a way to deploy MCP servers remotely and leverage authorization to give resource owners access to their data safely.
---------------------------------------------
https://blog.christianposta.com/the-updated-mcp-oauth-spec-is-a-mess/
∗∗∗ Practical Cyber Deception — Introduction to “Chaotic Good” ∗∗∗
---------------------------------------------
Cyber deception isn’t about building expensive honeynets or deploying complex traps — it’s about instilling doubt and confusion in the attacker. By layering practical, tactical deception into your environment, you shift the balance of power: slowing them down, forcing mistakes, and gaining early warning long before real damage is done. From fake servers and canary tokens to ransomware drive traps, deception turns defense from a reactive grind into a strategic, active game.
---------------------------------------------
https://detect.fyi/practical-cyber-deception-introduction-to-chaotic-good-2…
∗∗∗ Phishers Take Advantage of Iberian Blackout Before It's Even Over ∗∗∗
---------------------------------------------
Opportunistic threat actors targeted Portuguese and Spanish speakers by spoofing Portugal's national airline in a campaign offering compensation for delayed or disrupted flights.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/phishers-take-advant…
=====================
= Vulnerabilities =
=====================
∗∗∗ Dell protects PowerProtect Data Manager and laptops against possible attacks ∗∗∗
---------------------------------------------
In a security advisory, the developers explain that PowerProtect Data Manager is vulnerable through several flaws in third-party components such as Golang and the Spring Framework, but also through flaws in the application itself. If attacks succeed, attackers with local access and low privileges can, for example, gain higher user privileges (CVE-2025-23375 "high"). The developers state that the flaws have been closed in PowerProtect Data Manager 19.19.0-15.
---------------------------------------------
https://www.heise.de/news/Dell-schuetzt-PowerProtect-Data-Manager-und-Lapto…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (glibc and libraw), Fedora (digikam, icecat, mingw-LibRaw, perl, perl-Devel-Cover, and perl-PAR-Packer), Red Hat (ghostscript, kernel, and kernel-rt), Slackware (mozilla), SUSE (augeas, firefox, and java-11-openjdk), and Ubuntu (binutils, libxml2, and nodejs).
---------------------------------------------
https://lwn.net/Articles/1019457/
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-119-01 Rockwell Automation ThinManager, ICSA-25-119-02 Delta Electronics ISPSoft, ICSA-25-105-05 Lantronix XPort (Update A)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-releases-three-indu…
∗∗∗ Multiple vulnerabilities in Sematell ReplyOne (SYSS-2024-081/-082/-083) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sematell-replyon…
∗∗∗ f5: K000151082: PostgreSQL vulnerability CVE-2021-32027 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151082
=====================
= End-of-Day report =
=====================
Timeframe: Monday 28-04-2025 18:00 − Tuesday 29-04-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Hitachi Vantara takes servers offline after Akira ransomware attack ∗∗∗
---------------------------------------------
Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hitachi-vantara-takes-server…
∗∗∗ The one interview question that will protect you from North Korean fake workers ∗∗∗
---------------------------------------------
"My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly, because it's not worth it to say something negative about that," he told a panel session at the RSA Conference in San Francisco Monday. [..] "One of the things that we've noted is that you'll have a person in Poland applying with a very complicated name," he recounted, "and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it."
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/04/29/north_korea_…
∗∗∗ Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’, and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code. [..] In today’s blog post, we highlighted an interesting piece of malware that masquerades as a legitimate plugin.
---------------------------------------------
https://www.wordfence.com/blog/2025/04/interesting-wordpress-malware-disgui…
∗∗∗ How to protect yourself against the most common scams on booking.com ∗∗∗
---------------------------------------------
Summer is approaching, and with it the peak season for travel bookings. Whether a city trip, beach holiday or mountain tour: many people book their accommodation via the booking platform booking.com. But beware! Criminals exploit the increased desire to travel and try to deceive holidaymakers. We show you the most common scams and how to protect yourself against them.
---------------------------------------------
https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-den-haeufi…
∗∗∗ Gremlin Stealer: New Stealer on Sale in Underground Forum ∗∗∗
---------------------------------------------
Advertised on Telegram, Gremlin Stealer is new malware active since March 2025 written in C#. Data stolen is uploaded to a server for publication. [..] We have monitored Gremlin Stealer since we initially discovered it in March 2025. The functions of this stealer from Figure 1 are listed below.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on…
∗∗∗ Unlocking New Jailbreaks with AI Explainability ∗∗∗
---------------------------------------------
In this post, we introduce our “Adversarial AI Explainability” research, a term we use to describe the intersection of AI explainability and adversarial attacks on Large Language Models (LLMs). Much like using an MRI to understand how a human brain might be fooled, we aim to decipher how LLMs can be manipulated.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/unlocking-new-jailb…
∗∗∗ Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). [..] We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-tren…
∗∗∗ Cybercrime marketplace: Law enforcement boarded BreachForums via zero-day vulnerability ∗∗∗
---------------------------------------------
The cybercrime marketplace BreachForums is currently offline. As the reason, its operators state that law enforcement hacked the forum via a zero-day security vulnerability and thereby gained access to it.
---------------------------------------------
https://heise.de/-10365208
∗∗∗ Spike in Git Config Crawling Highlights Risk of Codebase Exposure ∗∗∗
---------------------------------------------
GreyNoise observed a significant increase in crawling activity targeting Git configuration files. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials.
---------------------------------------------
https://www.greynoise.io/blog/spike-git-configuration-crawling-risk-codebas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Mozilla Foundation Security Advisories April 29, 2025 ∗∗∗
---------------------------------------------
Thunderbird and Firefox
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Seiko Epson printer driver enables privilege escalation to SYSTEM ∗∗∗
---------------------------------------------
The Windows printer drivers from Seiko Epson open up a security vulnerability through which attackers can escalate their privileges to SYSTEM level. Updated software that fixes the underlying flaw is available.
---------------------------------------------
https://www.heise.de/news/Seiko-Epson-Druckertreiber-ermoeglicht-Rechteausw…
∗∗∗ Multiple Vulnerabilities in HP Wolf Security Controller / HP Sure Access Enterprise / HP Sure Click Enterprise ∗∗∗
---------------------------------------------
The HP Wolf Security Controller, the HP Sure Access Enterprise Client and the HP Sure Click Enterprise Client might be vulnerable to attacks if not configured according to HP's Best Practices.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (glibc, php:8.1, and thunderbird), Debian (libreoffice), Fedora (caddy), Mageia (chromium-browser-stable), Red Hat (php:8.1), SUSE (glow), and Ubuntu (kicad, linux-aws-5.15, linux-azure-nvidia, linux-gcp-5.15, mistral, python-mistral-lib, tomcat8, and trafficserver).
---------------------------------------------
https://lwn.net/Articles/1019272/
∗∗∗ Docker: Privilege escalation vulnerability in Desktop for Windows ∗∗∗
---------------------------------------------
In the release notes, the Docker developers write that version 4.41.0 closes a security vulnerability that allows attackers with access to the machine to escalate their privileges when Docker Desktop installs updates (CVE-2025-3224, CVSS 7.3, risk "high").
---------------------------------------------
https://heise.de/-10366320
∗∗∗ Daikin Security Gateway v214 Remote Password Reset ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php
∗∗∗ ABB: 2025-04-29: Cyber Security Advisory - Ekip Com IEC61850 Vulnerability in third-party library ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2CRT000007&Language…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 25-04-2025 18:00 − Monday 28-04-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SAP patches actively attacked critical vulnerability out of band ∗∗∗
---------------------------------------------
Update 25.04.2025, 22:11: Criminals are already exploiting the vulnerability in the wild. Details of the attacks can be found, for example, in a blog post by Onapsis. Admins should update as quickly as possible, especially since many SAP NetWeaver installations apparently use the vulnerable component, according to the assessment of the IT security researchers in the blog analysis.
---------------------------------------------
https://heise.de/-10361908
∗∗∗ DragonForce expands ransomware model with white-label branding scheme ∗∗∗
---------------------------------------------
The ransomware scene is re-organizing [..] DragonForce is now incentivizing ransomware actors with a distributed affiliate branding model, providing other ransomware-as-a-service (RaaS) operations a means to carry out their business without dealing with infrastructure maintenance cost and effort. A group's representative told BleepingComputer that they’re purely financially motivated but also follow a moral compass and are against attacking certain healthcare organizations. [..] In exchange for using their malware and infrastructure, the developer charges affiliates a fee from received ransoms that is normally up to 30%.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dragonforce-expands-ransomwa…
∗∗∗ Cloudflare mitigates record number of DDoS attacks in 2025 ∗∗∗
---------------------------------------------
Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-…
∗∗∗ VU#667211: Various GPT services are vulnerable to "Inception" jailbreak, allows for bypass of safety guardrails ∗∗∗
---------------------------------------------
Two systemic jailbreaks, affecting a number of generative AI services, were discovered. These jailbreaks can result in the bypass of safety protocols and allow an attacker to instruct the corresponding LLM to provide illicit or dangerous content. [..] These jailbreaks, while of low severity on their own, bypass the security and safety guidelines of all affected AI services, allowing an attacker to abuse them for instructions to create content on various illicit topics, such as controlled substances, weapons, phishing emails, and malware code generation.
---------------------------------------------
https://kb.cert.org/vuls/id/667211
∗∗∗ Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers ∗∗∗
---------------------------------------------
Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year.
---------------------------------------------
https://thehackernews.com/2025/04/storm-1977-hits-education-clouds-with.html
∗∗∗ Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised ∗∗∗
---------------------------------------------
Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. [..] As of April 18, 2025, an estimated 13,000 vulnerable Craft CMS instances have been identified, out of which nearly 300 have been allegedly compromised.
---------------------------------------------
https://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html
∗∗∗ WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead.
---------------------------------------------
https://thehackernews.com/2025/04/woocommerce-users-targeted-by-fake.html
∗∗∗ Samsung: Android clipboard caches passwords ∗∗∗
---------------------------------------------
Samsung's Android smartphones store copied content in the clipboard. The clipboard history occasionally also contains old copied passwords. Samsung is currently evaluating the problem.
---------------------------------------------
https://heise.de/-10363941
∗∗∗ Navigating Through The Fog ∗∗∗
---------------------------------------------
An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. [..] Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pachine/noPac for exploiting Active Directory vulnerabilities like CVE-2020-1472.
---------------------------------------------
https://thedfirreport.com/2025/04/28/navigating-through-the-fog/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: Unauthorized access to VMware Spring Boot possible ∗∗∗
---------------------------------------------
Software developers use Spring Boot to build Java applications more efficiently. For attackers to be able to exploit the vulnerability (CVE-2025-22235, "high"), however, several prerequisites must be met. Among other things, Spring Security must be in use and configured with EndpointRequest.to().
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Unbefugte-Zugriffe-auf-VMware-T…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (thunderbird), Debian (distro-info-data, imagemagick, kernel, libsoup2.4, and poppler), Fedora (chromium, java-1.8.0-openjdk, java-1.8.0-openjdk-portable, java-17-openjdk, java-17-openjdk-portable, java-latest-openjdk, pgadmin4, thunderbird, and xz), Mageia (haproxy and libxml2), Oracle (bluez, firefox, gnutls, libtasn1, libxslt, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), Red Hat (delve and golang, glibc, mod_auth_openidc, mod_auth_openidc:2.3, and thunderbird), SUSE (augeas, chromedriver, cifs-utils, govulncheck-vulndb, java-11-openjdk, java-21-openjdk, kyverno, libraw, opentofu, runc, subfinder, and valkey), and Ubuntu (jupyter-notebook and libxml2).
---------------------------------------------
https://lwn.net/Articles/1019212/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 24-04-2025 18:00 − Friday 25-04-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Triada strikes back ∗∗∗
---------------------------------------------
A Kaspersky expert has discovered a new version of the Triada Trojan, with custom modules for Telegram, WhatsApp, TikTok, and other apps.
---------------------------------------------
https://securelist.com/triada-trojan-modules-analysis/116380
∗∗∗ Example of a Payload Delivered Through Steganography, (Fri, Apr 25th) ∗∗∗
---------------------------------------------
In this diary, I'll show you a practical example of how steganography is used to hide payloads (or other suspicious data) from security tools and Security Analysts' eyes. Steganography can be defined like this: It is the art and science of concealing a secret message, file, or image within an ordinary-looking carrier - such as a digital photograph, audio clip, or text - so that the very existence of the hidden data is undetectable to casual observers.
---------------------------------------------
https://isc.sans.edu/diary/rss/31892
∗∗∗ Zoom attack tricks victims into allowing remote access to install malware and steal money ∗∗∗
---------------------------------------------
Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/04/zoom-attack-tricks-victims-i…
∗∗∗ GitHub potential leaking of private emails and Hacker One ∗∗∗
---------------------------------------------
A bit over a month ago, I was crawling GitHub’s API while working on code input (it is still in beta). I was compiling a list of repositories and pull requests to identify those with merge conflicts. At some point, while randomly checking some user profiles, I noticed email addresses appearing in the API that weren’t visible on the public profiles.
---------------------------------------------
https://omarabid.com/hacker-one
∗∗∗ How I Got Hacked: A Warning about Malicious PoCs ∗∗∗
---------------------------------------------
This is a reminder that even experienced security researchers and exploit developers can fall victim to well-disguised malware. Always verify PoCs manually, isolate them in a controlled environment, and never underestimate how creative attackers can be when hiding malicious payloads.
---------------------------------------------
https://chocapikk.com/posts/2025/s1nk/
∗∗∗ Step-by-Step Guide: SOC Automation — SMB Threat Hunting & Incident Response Lab ∗∗∗
---------------------------------------------
In this project, I will simulate a similar attack scenario in which an insider compromises a Windows server by delivering malware through the SMB protocol. By leveraging automation and the incident response lifecycle, the goal is to detect and contain the threat before it spreads, demonstrating best practices in threat detection and response.
---------------------------------------------
https://detect.fyi/step-by-step-guide-soc-automation-smb-threat-hunting-inc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates: Nvidia graphics card drivers vulnerable under Linux and Windows ∗∗∗
---------------------------------------------
Owners of an Nvidia graphics card should promptly update the GPU driver for security reasons. If they do not, attackers can exploit several vulnerabilities under Linux and attack computers. Hardened versions of the Cloud Gaming and vGPU software under Windows are also available.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Nvidia-Grafikkartentreiber-unt…
∗∗∗ Connectwise Screenconnect: High-risk code injection vulnerability ∗∗∗
---------------------------------------------
The Screenconnect remote desktop software from Connectwise contains a security vulnerability that allows attackers to inject and execute malicious code. The vendor offers software updates to close the security hole.
---------------------------------------------
https://www.heise.de/news/Connectwise-Screenconnect-Hochriskante-Codeschmug…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (thunderbird), Debian (libbpf), Fedora (golang-github-openprinting-ipp-usb, ImageMagick, mingw-libsoup, mingw-poppler, and pgbouncer), SUSE (glib2, govulncheck-vulndb, libsoup-2_4-1, libxml2-2, mozjs60, ruby2.5, and thunderbird), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-iot, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-hwe-6.8, linux-ibm-5.4, linux-oracle-5.15, openssh, and php-twig).
---------------------------------------------
https://lwn.net/Articles/1018912/
∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released seven Industrial Control Systems (ICS) advisories on April 24, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS, including Schneider Electric Modicon Controllers, ALBEDO Telecom Net.Time - PTP/NTP Clock, Vestel AC Charger, Nice Linear eMerge E3, Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool, Planet Technology Network Products, and Fuji Electric Monitouch V-SFT (Update A). CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/04/24/cisa-releases-seven-indu…
∗∗∗ Hacking My Coworker (In Minecraft) ∗∗∗
---------------------------------------------
Integrated Scripting is included in several of the largest modpacks on CurseForge. It has 3.5 million downloads, which also doesn’t include non-CurseForge-hosted downloads such as for Feed the Beast modpacks. Through the presented vulnerability, any public or semi-public multiplayer server that includes Integrated Scripting is vulnerable to remote code execution by a player who is able to craft a few relatively simple items.
---------------------------------------------
https://redvice.org/assets/pdfs/minecraft2025.pdf
∗∗∗ Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild ∗∗∗
---------------------------------------------
SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, was patched just hours ago with the release of SAP Security Note 3594142.
---------------------------------------------
https://redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324…
∗∗∗ ZDI-25-252: (0Day) Cato Networks Cato Client for macOS Helper Service Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-252/
∗∗∗ Three new vulnerabilities found related to IXON VPN client resulting in Local Privilege Escalation (LPE) ∗∗∗
---------------------------------------------
https://www.shelltrail.com/research/three-new-cves-related-to-ixon-vpn-clie…
∗∗∗ Bosch: Multiple ctrlX OS vulnerabilities ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-640452.html
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 23-04-2025 18:00 − Thursday 24-04-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Linux io_uring security blindspot allows stealthy rootkit attacks ∗∗∗
---------------------------------------------
A significant security gap in Linux runtime security caused by the io_uring interface allows rootkits to operate undetected on systems while bypassing advanced Enterprise security software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-io-uring-security-blin…
∗∗∗ Darcula Adds GenAI to Phishing Toolkit, Lowering the Barrier for Cybercriminals ∗∗∗
---------------------------------------------
The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities. "This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a new report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.ht…
∗∗∗ Erlang/OTP SSH: Well-known vendors affected by critical vulnerability ∗∗∗
---------------------------------------------
Erlang/OTP SSH is shipped by many well-known vendors. A critical vulnerability therefore also affects Cisco and Ericsson. As things stand, the other vulnerable vendors include EMQ Technologies. Erlang/OTP SSH is not installed by default but is optionally available at National Instruments, Broadcom (in particular RabbitMQ), Very Technology, Apache (CouchDB) and Riak Technologies. Here admins must check whether they have Erlang/OTP SSH installed and, if necessary, install the available updates.
---------------------------------------------
https://www.heise.de/news/Erlang-OTP-SSH-Namhafte-Hersteller-von-kritischer…
∗∗∗ 9X Surge in Ivanti Connect Secure Scanning Activity ∗∗∗
---------------------------------------------
GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure or Ivanti Pulse Secure VPN systems. More than 230 unique IPs probed ICS/IPS endpoints. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation.
---------------------------------------------
https://www.greynoise.io/blog/surge-ivanti-connect-secure-scanning-activity
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Commvault Command Center Flaw Enables Attackers to Execute Code Remotely ∗∗∗
---------------------------------------------
A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations. The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0.
---------------------------------------------
https://thehackernews.com/2025/04/critical-commvault-command-center-flaw.ht…
∗∗∗ Drupal: Security advisories ∗∗∗
---------------------------------------------
Drupal has released new security advisories.
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (haproxy and openrazer), Fedora (c-ares and mingw-poppler), Red Hat (thunderbird), SUSE (epiphany, ffmpeg-6, gopass, and libsoup-3_0-0), and Ubuntu (erlang, haproxy, libapache2-mod-auth-openidc, libarchive, linux, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-azure-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws-6.8, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gke, linux-gkeop, linux-gcp-6.8, linux-ibm-5.15, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-realtime, perl, and yelp, yelp-xsl).
---------------------------------------------
https://lwn.net/Articles/1018717/
∗∗∗ ZDI-25-250: (0Day) Cloudera Hue Ace Editor Directory Traversal Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-250/
∗∗∗ ZDI-25-249: (0Day) eCharge Hardy Barth cPH2 index.php Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-249/
∗∗∗ ZDI-25-248: (0Day) eCharge Hardy Barth cPH2 nwcheckexec.php dest Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-248/
∗∗∗ ZDI-25-247: (0Day) eCharge Hardy Barth cPH2 check_req.php ntp Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-247/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 14, 2025 to April 20, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr…
∗∗∗ ALBEDO Telecom Net.Time - PTP/NTP Clock ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-02
∗∗∗ SonicWall warns of DoS vulnerability in SSLVPN ∗∗∗
---------------------------------------------
https://heise.de/-10360960
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 22-04-2025 18:00 − Wednesday 23-04-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Alternatives from Europe: How to become independent of US software ∗∗∗
---------------------------------------------
A Viennese software developer is collecting "European Alternatives" to US digital products. Interest has risen sharply since Trump's second inauguration.
---------------------------------------------
https://futurezone.at/netzpolitik/tech-alternativen-apps-europa-datenschutz…
∗∗∗ Shortly after disclosure: ChatGPT and Claude deliver exploit for critical SSH vulnerability ∗∗∗
---------------------------------------------
A widely used SSH tool has a dangerous security hole. Only hours after it became known, a researcher used AI to create a working exploit.
---------------------------------------------
https://www.golem.de/news/kurz-nach-offenlegung-chatgpt-und-claude-liefern-…
∗∗∗ Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis.
---------------------------------------------
https://thehackernews.com/2025/04/android-spyware-disguised-as-alpine.html
∗∗∗ CVE-2025-3248: RCE vulnerability in Langflow ∗∗∗
---------------------------------------------
CVE-2025-3248, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, has been discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows. [..] All Langflow versions prior to 1.3.0 are susceptible to code injection. [..] Exploiting CVE-2025-3248 involves the following steps:
---------------------------------------------
https://www.zscaler.com/blogs/security-research/cve-2025-3248-rce-vulnerabi…
∗∗∗ Planning your holiday? Beware of fraud with fake booking portals! ∗∗∗
---------------------------------------------
Where should the summer holiday go? How about a rental finca in the Canary Islands? Then caution is advised when booking! Criminals create fake portals and offer supposedly real luxury rental properties there. Anyone who takes the deal and transfers the requested amount has fallen into the trap. The accommodation does not exist, and the money is gone.
---------------------------------------------
https://www.watchlist-internet.at/news/villen-fincas-fake-buchungsportal/
∗∗∗ Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows ∗∗∗
---------------------------------------------
Since early March 2025, Volexity has observed multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows. The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account.
---------------------------------------------
https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-…
∗∗∗ Distribution of PebbleDash Malware in March 2025 ∗∗∗
---------------------------------------------
PebbleDash is a backdoor malware that was previously identified by the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. as a backdoor malware of Lazarus (Hidden Cobra) in 2020.
---------------------------------------------
https://asec.ahnlab.com/en/87621/
∗∗∗ Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs ∗∗∗
---------------------------------------------
Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.
---------------------------------------------
https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-b…
=====================
= Vulnerabilities =
=====================
∗∗∗ ASUS releases fix for AMI bug that lets hackers brick servers ∗∗∗
---------------------------------------------
ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers. [..] The flaw impacts American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software, used by over a dozen server hardware vendors, including HPE, ASUS, and ASRock. The CVE-2024-54085 flaw is remotely exploitable, potentially leading to malware infections, firmware modifications, and irreversible physical damage through over-volting.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/asus-releases-fix-for-ami-bu…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bluez, expat, and postgresql:12), Fedora (chromium, golang, LibRaw, moodle, openiked, ruby, and trafficserver), Red Hat (bluez, expat, gnutls, libtasn1, libxslt, mod_auth_openidc, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), and Ubuntu (linux, linux-aws, linux-gcp, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oem-6.11, linux-oracle, linux-raspi, linux-realtime, linux-azure, linux-azure-6.11, linux-gcp-6.8, and matrix-synapse).
---------------------------------------------
https://lwn.net/Articles/1018589/
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-112-01 Siemens TeleControl Server Basic SQL, ICSA-25-112-02 Siemens TeleControl Server Basic, ICSA-25-112-03 Schneider Electric Wiser Home Controller WHC-5918A, ICSA-25-112-04 ABB MV Drives, ICSA-25-035-04 Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC (Update A)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/04/22/cisa-releases-five-indus…
∗∗∗ Cisco: Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-04-2025 18:00 − Tuesday 22-04-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ DOGE, CISA, Mitre and CVE ∗∗∗
---------------------------------------------
Last week there was great excitement in the cybersecurity community because Trump's cost-cutting crew had the grand idea of ending the funding for Mitre's operation of the CVE system. Probably due to strong headwinds from the US industry, a solution was found and operation is (allegedly) secured for the next 11 months. I want to take this as an opportunity to explain the system behind the well-known CVE numbers and to point out possible developments.
---------------------------------------------
https://www.cert.at/de/blog/2025/4/doge-cisa-mitre-und-cve
∗∗∗ Phishers abuse Google OAuth to spoof Google in DKIM replay attack ∗∗∗
---------------------------------------------
In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google's systems, passing all verifications but pointing to a fraudulent page that collected logins.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-…
∗∗∗ Phishing attacks leveraging HTML code inside SVG files ∗∗∗
---------------------------------------------
The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers. Despite not being widespread at the time of this study, SVG attachment attacks are showing a clear upward trend.
---------------------------------------------
https://securelist.com/svg-phishing/116256/
∗∗∗ Video cameras: Serious security vulnerability in police surveillance devices ∗∗∗
---------------------------------------------
Police authorities in numerous countries use mobile transmitters from the company Infodraw. But the uploaded data is not adequately secured. [..] According to Schäfers, all remaining operators in Germany have since been warned via the Federal Office for Information Security (BSI). [..] According to him, it is not enough to have the current software version 7.1.0.0 installed. Although "current" is relative, as the version dates from the year 2000. Schäfers recommends that the organizations using it take the application offline immediately.
---------------------------------------------
https://www.golem.de/news/videokameras-schwere-sicherheitsluecke-bei-ueberw…
∗∗∗ Agent In the Middle – Abusing Agent Cards in the Agent-2-Agent (A2A) Protocol To ‘Win’ All the Tasks ∗∗∗
---------------------------------------------
I’ll write a blog post on prompt injection defenses and how I am able to circumvent them another time… the blog post today is about one of those advancements: the Agent-2-Agent (A2A) Protocol.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-th…
∗∗∗ Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach ∗∗∗
---------------------------------------------
Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it's also in the process of migrating the Entra ID signing service as well. The disclosure comes about seven months after the tech giant said it completed updates to Microsoft Entra ID and MS for both public and United States government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service.
---------------------------------------------
https://thehackernews.com/2025/04/microsoft-secures-msa-signing-with.html
∗∗∗ Entitled to a reimbursement? Beware of the new ÖGK scam ∗∗∗
---------------------------------------------
New website, old scam. Criminals have launched another wave of fraud in the name of the Österreichische Gesundheitskasse (ÖGK). They lure victims with a large refund and rely on an almost 1:1 copy of the original ÖGK website. Here is how you can still recognise the fake.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-neue-oegk-betrugsmasche/
∗∗∗ Ivanti Endpoint Manager: Local Privilege Escalation via DLL Search Order Hijacking ∗∗∗
---------------------------------------------
The Ivanti Endpoint Manager Security Scan (Vulscan) Self Update was vulnerable to DLL hijacking. Timeline: 2025-04-08 vendor publishes security advisory; 2025-04-22 coordinated disclosure of security advisory. CVE: CVE-2025-22458
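The precondition for any DLL search order hijack is a directory that sits in the loader's search order and that a low-privileged user can write to. The following PowerShell script is an added example (it is not from the SEC Consult advisory or from Ivanti) that lists the directories Windows consults when a given executable loads a DLL by bare name, in the default SafeDllSearchMode order, and flags those where Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE hold create-file or create-subdirectory rights. It generalizes beyond the Vulscan case to any binary you point it at. Assumptions: `$ExePath` is a hypothetical path, the script runs elevated so `Get-Acl` succeeds everywhere, PATH is taken from the current session (a service or updater may run with a different one), and Deny ACEs and inheritance subtleties are not evaluated.

```powershell
# Added example, not Ivanti's or SEC Consult's code. Lists the DLL search
# order for an executable and flags directories low-privileged users can
# write to (the condition that makes DLL search order hijacking possible).
# Assumption: run elevated; $ExePath is a hypothetical binary path.
param(
    [Parameter(Mandatory)]
    [string] $ExePath
)

# SIDs that effectively mean "any local user" (assumption: extend with your own low-priv groups)
$script:LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# FILE_WRITE_DATA (create files) | FILE_APPEND_DATA (create subdirectories) = 0x6
$script:PlantMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor [System.Security.AccessControl.FileSystemRights]::AppendData)

function Test-LowPrivWritable {
    # Returns $true if any Allow ACE grants a low-priv principal rights to plant a file.
    # Simplification: Deny ACEs are not subtracted, so treat results as "review", not proof.
    param([string] $Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Dir } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($script:LowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $script:PlantMask) -ne 0) { return $true }
    }
    return $false
}

function Get-DllSearchOrder {
    # Default SafeDllSearchMode order for a DLL that is not a known DLL and not already loaded.
    param([string] $Exe)
    $exeItem = Get-Item -LiteralPath $Exe
    $windir  = $env:SystemRoot
    $dirs = @(
        $exeItem.DirectoryName,           # 1. directory the executable was loaded from
        [Environment]::SystemDirectory,   # 2. System32
        (Join-Path $windir 'System'),     # 3. 16-bit System directory
        $windir,                          # 4. Windows directory
        (Get-Location).Path               # 5. current working directory (this session's)
    ) + @($env:Path -split ';' | Where-Object { $_ })  # 6. PATH entries, in order
    return $dirs | Select-Object -Unique
}

# Usage: .\Find-WritableDllSearchDirs.ps1 -ExePath 'C:\Program Files\Vendor\Scanner\scan.exe'  (hypothetical path)
Get-DllSearchOrder -Exe $ExePath | ForEach-Object {
    [pscustomobject]@{
        Directory       = $_
        LowPrivWritable = Test-LowPrivWritable -Dir $_
    }
} | Format-Table -AutoSize
```

A writable directory only matters for DLLs the loader does not find earlier in the order, so pair this with a trace of the process's failed DLL lookups (for example with Process Monitor) to see which names are actually exposed; the fix on the defender's side is to tighten the ACL on the offending directory or have the program load its DLLs by full path.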
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle…
∗∗∗ Microsoft’s patch for CVE-2025-21204 symlink vulnerability introduces another symlink vulnerability ∗∗∗
---------------------------------------------
Microsoft recently patched CVE-2025-21204, a vuln which allows users to abuse symlinks to elevate privileges using the Windows servicing stack and the c:\inetpub folder. [..] However, I’ve discovered this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates. [..] I reported this to MSRC about two weeks ago, but haven’t had a response.
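Both the original bug and the follow-on denial of service described above hinge on symlinks and the c:\inetpub folder, so the thing worth checking on a fleet is whether that folder is a real directory or a reparse point (junction or symbolic link), and who owns it. The following PowerShell script is an added example (not from the DoublePulsar post or from Microsoft) that reports exactly that and marks the host as suspicious when the path is a reparse point or is owned by anything other than SYSTEM, Administrators or TrustedInstaller. Assumptions: the folder lives at `%SystemDrive%\inetpub`, and the set of expected owners is my own choice, so adjust it for your environment.

```powershell
# Added example, not Microsoft's or the post author's code. Reports whether
# the inetpub folder is a reparse point (junction/symlink), where it points,
# who owns it, and whether that combination looks suspicious.
# Assumption: default location on the system drive; expected owners are a guess to tune.
param(
    [string] $Path = "$env:SystemDrive\inetpub"
)

# Owners expected for an OS-created directory (assumption; extend as needed)
$script:TrustedOwnerSids = @(
    'S-1-5-18',                                                        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',                                                    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'   # NT SERVICE\TrustedInstaller
)

function Get-InetpubState {
    param([string] $Dir)

    if (-not (Test-Path -LiteralPath $Dir)) {
        return [pscustomobject]@{
            Path = $Dir; Exists = $false; ReparsePoint = $false
            LinkType = $null; Target = $null; Owner = $null; OwnerSid = $null; Suspicious = $false
        }
    }

    # -Force so hidden/system attributes do not hide the entry
    $item = Get-Item -LiteralPath $Dir -Force
    $isReparse = (([int]$item.Attributes -band [int][IO.FileAttributes]::ReparsePoint) -ne 0)

    $linkType = $null
    $target   = $null
    if ($isReparse) {
        $linkType = $item.LinkType                 # e.g. Junction or SymbolicLink
        $target   = @($item.Target) -join ', '     # where the reparse point points
    }

    $acl = Get-Acl -LiteralPath $Dir
    $owner = $acl.Owner
    try {
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $ownerSid = $null
    }

    # A reparse point, or an owner outside the trusted set, is worth a closer look
    $suspicious = $isReparse -or ($ownerSid -and ($script:TrustedOwnerSids -notcontains $ownerSid))

    return [pscustomobject]@{
        Path         = $Dir
        Exists       = $true
        ReparsePoint = $isReparse
        LinkType     = $linkType
        Target       = $target
        Owner        = $owner
        OwnerSid     = $ownerSid
        Suspicious   = $suspicious
    }
}

# Usage: .\Get-InetpubState.ps1   (or -Path 'D:\inetpub' on a non-standard system drive)
Get-InetpubState -Dir $Path | Format-List
```

Run it through your endpoint management tooling and collect the `Suspicious` field; a reparse point owned by an ordinary user account is the pattern to investigate, and the `Target` value tells you where it points before you decide whether to remove it.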
---------------------------------------------
https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulner…
∗∗∗ Internet-connected access and locking systems as a risk – Part 1 ∗∗∗
---------------------------------------------
Today a short two-part collection post in which I discuss the risks that locking systems, access control systems and time-recording systems can present under certain circumstances.
---------------------------------------------
https://www.borncity.com/blog/2025/04/20/risiko-zeiterfassungs-zugangs-und-…
∗∗∗ Internet-connected time-recording systems as a risk – Part 2 ∗∗∗
---------------------------------------------
In part 1 of this two-part post I pointed out the risks that electronic locking systems and access control systems can pose when they are connected to the Internet. But time-recording systems that are reachable over the Internet also fall into this category, if service providers have set them up too carelessly.
---------------------------------------------
https://www.borncity.com/blog/2025/04/21/systeme-zur-zeiterfassung-mit-inte…
=====================
= Vulnerabilities =
=====================
∗∗∗ Asus routers: security vulnerability allows unauthorized execution of functions ∗∗∗
---------------------------------------------
In the CVE entry for the vulnerability, Asus explains that AiCloud performs insufficient authentication control. This can be abused through crafted requests to execute functions without authorization (CVE-2025-2492, CVSS 9.2, risk "critical"). [..] In its security advisory Asus merely states that its developers have released updated firmware for the 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388 and 3.0.0.6_102 series, which is intended to fix the vulnerability.
---------------------------------------------
https://www.heise.de/news/Asus-Router-Sicherheitsluecke-ermoeglicht-unbefug…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (erlang, fig2dev, shadow, wget, and zabbix), Fedora (chromium, jupyterlab, llama-cpp, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, uv, and webkitgtk), Slackware (libxml2 and zsh), SUSE (argocd-cli, chromium, coredns, ffmpeg-6, and firefox), and Ubuntu (imagemagick).
---------------------------------------------
https://lwn.net/Articles/1018292/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, kernel, libxslt, mod_auth_openidc:2.3, and webkit2gtk3), Fedora (c-ares, giflib, jupyterlab, perl, perl-Devel-Cover, perl-PAR-Packer, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, ruby, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, thunderbird, and uv), SUSE (erlang, erlang26, and govulncheck-vulndb), and Ubuntu (mosquitto).
---------------------------------------------
https://lwn.net/Articles/1018444/
∗∗∗ Zyxel security advisory for incorrect permission assignment and improper privilege management vulnerabilities in USG FLEX H series firewalls ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ WordPress: attackers can upload malicious code via the Greenshift plug-in ∗∗∗
---------------------------------------------
https://heise.de/-10357624
∗∗∗ SicommNet BASEC product warning ∗∗∗
---------------------------------------------
https://csirt.divd.nl/2025/04/14/SicommNet-Basec-product-warning/
∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center version 6.5.1: SC-202504.3 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-06
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily