Daily

daily@lists.cert.at

3284 discussions

Tageszusammenfassung - 24.07.2025
by Daily end-of-shift report 24 Jul '25

24 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-07-2025 18:00 − Donnerstag 24-07-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Microsoft: SharePoint servers also targeted in ransomware attacks ∗∗∗ --------------------------------------------- A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-servers… ∗∗∗ Hackers breach Toptal GitHub account, publish malicious npm packages ∗∗∗ --------------------------------------------- Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. The packages included data-stealing code that collected GitHub authentication tokens and then wiped the victims' systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-toptal-github… ∗∗∗ Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware ∗∗∗ --------------------------------------------- The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners. --------------------------------------------- https://thehackernews.com/2025/07/threat-actor-mimo-targets-magento-and.html ∗∗∗ Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions. --------------------------------------------- https://thehackernews.com/2025/07/hackers-deploy-stealth-backdoor-in.html ∗∗∗ China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community ∗∗∗ --------------------------------------------- The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz. --------------------------------------------- https://thehackernews.com/2025/07/china-based-apts-deploy-fake-dalai-lama.h… ∗∗∗ Stealthy cyber spies linked to China compromising virtualization software globally ∗∗∗ --------------------------------------------- A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia. --------------------------------------------- https://therecord.media/stealthy-china-spies-fire-ant-virtualization-softwa… ∗∗∗ Unmasking the new Chaos RaaS group attacks ∗∗∗ --------------------------------------------- Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks. --------------------------------------------- https://blog.talosintelligence.com/new-chaos-ransomware/ ∗∗∗ Comeback von Lumma und NoName057(16): Cybercrime-Zerschlagung misslungen ∗∗∗ --------------------------------------------- Gelingt Strafverfolgungsbehörden ein größerer Schlag gegen Akteure und Infrastrukturen des Cybercrime, so ist der Rückgang der verbrecherischen Aktivitäten selten von Dauer: Nach ein paar internen Umbauten setzen sie ihre Angriffe häufig fort, als sei (fast) nichts geschehen. --------------------------------------------- https://heise.de/-10498191 ∗∗∗ Mitel warns of critical MiVoice MX-ONE authentication bypass flaw ∗∗∗ --------------------------------------------- Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mitel-warns-of-critical-mivo… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall urges admins to patch critical RCE flaw in SMA 100 devices ∗∗∗ --------------------------------------------- SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution. The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack). --------------------------------------------- https://lwn.net/Articles/1031274/ ∗∗∗ K000152680: BusyBox vulnerability CVE-2024-58251 ∗∗∗ --------------------------------------------- Attackers can launch network applications as local users leading to a denial-of-service (DoS). As attackers require local access to run netstat commands, the attack is limited to only the netstat command. --------------------------------------------- https://my.f5.com/manage/s/article/K000152680 ∗∗∗ K000152678: BusyBox vulnerability CVE-2025-46394 ∗∗∗ --------------------------------------------- An attacker could exploit this vulnerability by creating a TAR archive containing malicious files with names manipulated by escape sequences. When a user lists or extracts the contents of the archives, these malicious files might not be visible in the standard terminal output and may overwrite existing files. --------------------------------------------- https://my.f5.com/manage/s/article/K000152678 ∗∗∗ DSA-5964-1 firefox-esr - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00128.html ∗∗∗ DSA-5965-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00129.html ∗∗∗ CVE-2025-6983 - TP-Link Archer C1200 vulnerable to clickjacking ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN39913189/ ∗∗∗ CVE-2025-8092 - COOKiES Consent Management - Moderately critical - Cross-site Scripting ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-092 ∗∗∗ CVE-2025-7745 - 2025-07-24: Cyber Security Advisory -AC500 V2 Buffer overread on Modbus protocol ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR011432&Language… ∗∗∗ CVE-2025-8069 - AWS Client VPN Windows Client Local Privilege Escalation ∗∗∗ --------------------------------------------- https://aws.amazon.com/de/security/security-bulletins/AWS-2025-014/ ∗∗∗ CVE-2024-58256 - Security Advisory - OS Command Injection Vulnerability in Huawei EnzoH Products ∗∗∗ --------------------------------------------- http:www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-OCIViHEP-en.html ∗∗∗ [R1] Tenable Identity Exposure Version 3.77.12 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-14 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2025
by Daily end-of-shift report 23 Jul '25

23 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-07-2025 18:00 − Mittwoch 23-07-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Major European healthcare network discloses security breach ∗∗∗ --------------------------------------------- AMEOS Group, an operator of a massive healthcare network in Central Europe, has announced it has suffered a security breach that may have exposed customer, employee, and partner information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/major-european-healthcare-ne… ∗∗∗ CISA warns of hackers exploiting SysAid vulnerabilities in attacks ∗∗∗ --------------------------------------------- CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ US nuclear weapons agency reportedly hacked in SharePoint attacks ∗∗∗ --------------------------------------------- Unknown threat actors have reportedly breached the National Nuclear Security Administrations (NNSA) network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-re… ∗∗∗ Mehr als 700 Modelle: Unzählige Drucker werden über Sicherheitslücken attackiert ∗∗∗ --------------------------------------------- Hunderte Druckermodelle von Brother, Fujifilm, Konica Minolta, Ricoh und Toshiba sind angreifbar. Angreifer nutzen die Sicherheitslücken nun aus. --------------------------------------------- https://www.golem.de/news/mehr-als-700-modelle-unzaehlige-drucker-werden-ue… ∗∗∗ CCC und GFF: Verfassungsbeschwerde gegen Polizeisoftware von Palantir ∗∗∗ --------------------------------------------- Die bayerische Polizei ist begeistert von der Palantir-Software. Doch Bürgerrechtlern und Hackern geht der Einsatz zu weit. --------------------------------------------- https://www.golem.de/news/ccc-und-gff-verfassungsbeschwerde-gegen-polizeiso… ∗∗∗ Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages ∗∗∗ --------------------------------------------- Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers" Matthew Suozzo, Google Open Source Security. --------------------------------------------- https://thehackernews.com/2025/07/google-launches-oss-rebuild-to-expose.html ∗∗∗ Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack ∗∗∗ --------------------------------------------- Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. --------------------------------------------- https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html ∗∗∗ New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials ∗∗∗ --------------------------------------------- The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information. --------------------------------------------- https://thehackernews.com/2025/07/new-coyote-malware-variant-exploits.html ∗∗∗ Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine ∗∗∗ --------------------------------------------- Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations. --------------------------------------------- https://hackread.com/suspected-xss-is-admin-cybercrime-forum-arrest-ukraine/ ∗∗∗ Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload ∗∗∗ --------------------------------------------- Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404. --------------------------------------------- https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fa… ∗∗∗ Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects. The vulnerability, classified as "Use of Insufficiently Random Values" affects multiple versions of the package and can lead to HTTP Parameter Pollution (HPP) attacks. --------------------------------------------- https://socket.dev/blog/critical-vulnerability-in-popular-npm-form-data-pac… ===================== = Vulnerabilities = ===================== ∗∗∗ Chrome, Firefox & Thunderbird: Neue Versionen beheben Schwachstellen ∗∗∗ --------------------------------------------- Frische Browser- und Mailclient-Releases von Google und Mozilla beseitigen Lücken mit teils hohem Schweregrad. --------------------------------------------- https://www.heise.de/news/Chrome-Firefox-Thunderbird-Neue-Versionen-beheben… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound). --------------------------------------------- https://lwn.net/Articles/1031104/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released nine Industrial Control Systems (ICS) advisories on July 22, 2025: DuraComm DP-10iN-100-MU, Lantronix Provisioning Manager, Schneider Electric EcoStruxure, Schneider Electric EcoStruxure Power Operation, Schneider Electric System Monitor Application, Schneider Electric EcoStruxture IT Data Center Expert, ICSA-25-175-03 Schneider Electric Modicon Controllers (Update A), ICSA-25-175-04 Schneider Electric EVLink WallBox (Update A), ICSA-25-014-02 Schneider Electric Vijeo Designer (Update A). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-releases-nine-indus… ∗∗∗ [CVE-2025-48932] Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://www.reddit.com/r/netsec/comments/1m757kw/cve202548932_invision_comm… ∗∗∗ [CVE-2025-48933] Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://www.reddit.com/r/netsec/comments/1m7578r/cve202548933_invision_comm… ∗∗∗ ZDI-25-629: (0Day) Ashlar-Vellum Cobalt LI File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-629/ ∗∗∗ ZDI-25-640: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-640/ ∗∗∗ ZDI-25-639: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-639/ ∗∗∗ ZDI-25-638: (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-638/ ∗∗∗ Firefox 141.0 released ∗∗∗ --------------------------------------------- https://lwn.net/Articles/1030971/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2025
by Daily end-of-shift report 22 Jul '25

22 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 21-07-2025 18:00 − Dienstag 22-07-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ring denies breach after users report suspicious logins ∗∗∗ --------------------------------------------- Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ring-denies-breach-after-use… ∗∗∗ Cisco: Maximum-severity ISE RCE flaws now exploited in attacks ∗∗∗ --------------------------------------------- Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-r… ∗∗∗ Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX. --------------------------------------------- https://thehackernews.com/2025/07/iran-linked-dchspy-android-malware.html ∗∗∗ Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access ∗∗∗ --------------------------------------------- The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe. --------------------------------------------- https://thehackernews.com/2025/07/hackers-exploit-sharepoint-zero-day.html ∗∗∗ Disrupting active exploitation of on-premises SharePoint vulnerabilities ∗∗∗ --------------------------------------------- As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-… ∗∗∗ Back to Business: Lumma Stealer Returns with Stealthier Methods ∗∗∗ --------------------------------------------- Lumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears to be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security Updates for Firefox ∗∗∗ --------------------------------------------- Firefox released Security Updates for Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1 and Firefox for iOS 141. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ ExpressVPN bug leaked user IPs in Remote Desktop sessions ∗∗∗ --------------------------------------------- ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users real IP addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-i… ∗∗∗ HPE Aruba Instant On Access Points: Update schließt teils kritische Lücken ∗∗∗ --------------------------------------------- HPE Aruba Networking hat eine Sicherheitswarnung für seine "Instant On" Access Points veröffentlicht. Das Unternehmen warnt darin vor zwei Schwachstellen, von denen eine als kritisch eingestuft wurde. --------------------------------------------- https://www.heise.de/news/HPE-Aruba-Instant-On-Access-Points-Update-schlies… ∗∗∗ Sophos Firewall: Hotfixes beseitigen Remote-Angriffsgefahr ∗∗∗ --------------------------------------------- Frische Hotfixes für die Sophos Firewall schließen insgesamt fünf Sicherheitslücken, von denen zwei als "kritisch", zwei mit einem hohen und eine mit mittlerem Schweregrad bewertet wurden. Sie könnten unter bestimmten Bedingungen zur Codeausführung aus der Ferne missbraucht werden – in zwei Fällen ohne vorherige Authentifizierung. --------------------------------------------- https://www.heise.de/news/Sophos-Firewall-Hotfixes-beseitigen-Remote-Angrif… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri). --------------------------------------------- https://lwn.net/Articles/1030930/ ∗∗∗ Synology-SA-25:08 BeeDrive for desktop ∗∗∗ --------------------------------------------- Synology has released a security update for the BeeDrive desktop tool on Windows to address multiple vulnerabilities. Please refer to the Affected Products table for the corresponding updates. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_08 ∗∗∗ Vulnerability Summary for the Week of July 14, 2025 ∗∗∗ --------------------------------------------- The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb25-202 ∗∗∗ Vulnerability in Kubernetes: CVE-2025-7342, CVSS Rating High 8.1 ∗∗∗ --------------------------------------------- A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Nutanix or the OVA provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/133115 ∗∗∗ VDE: MB connect line, Multiple vulnerabilities in mbNET.mini ∗∗∗ --------------------------------------------- https://certvde.com/en/advisories/VDE-2025-058/ ∗∗∗ VDE: Helmholz, Multiple vulnerabilities in REX 100 ∗∗∗ --------------------------------------------- https://certvde.com/en/advisories/VDE-2025-059/ ∗∗∗ TYPO3-EXT-SA-2025-010: Insecure Direct Object Reference in extension "femanager" (femanager) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-010 ∗∗∗ TYPO3-EXT-SA-2025-009: Insecure Direct Object Reference in extension "powermail" (powermail) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-009 ∗∗∗ F5: K000152658, Golang vulnerability CVE-2024-45341 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000152658 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2025
by Daily end-of-shift report 21 Jul '25

21 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-07-2025 18:00 − Montag 21-07-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Threat actors downgrade FIDO2 MFA auth in PoisonSeed phishing attack ∗∗∗ --------------------------------------------- A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests from fake company portals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido… ∗∗∗ The SOC files: APT41’s new target in Africa ∗∗∗ --------------------------------------------- Some time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African region. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a captive SharePoint server within the victim’s infrastructure. --------------------------------------------- https://securelist.com/apt41-in-africa/116986/ ∗∗∗ UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns ∗∗∗ --------------------------------------------- Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign. --------------------------------------------- https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html ∗∗∗ Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. --------------------------------------------- https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html ∗∗∗ EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware ∗∗∗ --------------------------------------------- The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware. --------------------------------------------- https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html ∗∗∗ Neue Betrugsmasche mit manipulierten Rechnungen ∗∗∗ --------------------------------------------- Mir ist eine merkwürdige Information zu einer neuen Betrugsmasche zugegangen. Ein Verkäufer und ein Käufer vereinbaren einen Handel. Der Verkäufer schickt eine Rechnung, die der Käufer auch bezahlt. Das Geld landet aber auf einem fremden Konto, weil die Rechnung auf dem Versandweg manipuliert wurde. --------------------------------------------- https://www.borncity.com/blog/2025/07/19/neue-betrugsmasche-mit-manipuliert… ∗∗∗ SquidLoader Malware Campaign Hits Hong Kong Financial Firms ∗∗∗ --------------------------------------------- Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia. --------------------------------------------- https://hackread.com/squidloader-malware-hits-hong-kong-financial-firms/ ∗∗∗ New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia ∗∗∗ --------------------------------------------- Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration. --------------------------------------------- https://hackread.com/new-ghostcontainer-malware-ms-exchange-servers-asia/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Microsoft SharePoint - aktiv ausgenützt, Updates verfügbar ∗∗∗ --------------------------------------------- Microsoft hat außerhalb des regulären Patchzyklus Informationen zu, sowie Sicherheitsaktualisierungen für eine kritische Zero-Day-Schwachstelle in Microsoft SharePoint veröffentlicht. Die Sicherheitslücke CVE-2025-53770 wird seit zumindest 18.07.2025 durch Bedrohungsakteure ausgenutzt. Bei der Lücke handelt es sich um eine Variante eines bereits bekannten und behobenen Problems, CVE-2025-49706. --------------------------------------------- https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-in-micro… ∗∗∗ CrushFTP: Ältere Versionen können unbefugten Admin-Zugriff gewähren ∗∗∗ --------------------------------------------- CVE-2025-54309: Wer CrushFTP für den Datentransfer nutzt, sollte die verwendete Version auf Aktualität prüfen. Das Entwicklerteam hat am vergangenen Freitag Angriffe in freier Wildbahn auf ältere Ausgaben entdeckt, die schlimmstenfalls zu einer Übernahme des Admin-Accounts durch Angreifer führen könnten. --------------------------------------------- https://www.heise.de/news/CrushFTP-Aeltere-Versionen-koennen-unbefugten-Adm… ∗∗∗ Admin-Zugriff für alle: Fest kodierte Zugangsdaten in HPE-Geräten entdeckt ∗∗∗ --------------------------------------------- Der US-amerikanische IT-Konzern Hewlett Packard Enterprise (HPE) hat zwei Sicherheitslücken in seinen Instant-On-Access-Points geschlossen. Eine davon basiert auf fest kodierten Zugangsdaten und verleiht Angreifern auf anfälligen Systemen einen Admin-Zugriff. Die zweite Lücke ermöglicht eine unrechtmäßige Befehlsausführung auf dem Betriebssystem der HPE-Geräte. Administratoren sollten dringend die verfügbaren Patches einspielen. --------------------------------------------- https://www.golem.de/news/admin-zugriff-fuer-alle-fest-kodierte-zugangsdate… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (angular.js and batik), Fedora (chromium, pypy, screen, unbound, wine, and wine-mono), Mageia (djvulibre, quictls, and redis), Red Hat (avahi, gnome-remote-desktop, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-openjdk, kernel, kernel-rt, python-setuptools, redis, and valkey), SUSE (chromedriver, coreutils, cosign, docker, FastCGI, ffmpeg-4, fractal, gimp, glib2, ImageMagick, iputils, java-17-openjdk, java-24-openjdk, jq, kubelogin, kubernetes1.23, kubernetes1.24, kubernetes1.26, python-requests, python3, rmt-server, rustup, and thunderbird), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/1030774/ ∗∗∗ Customer guidance for SharePoint vulnerability CVE-2025-53770 ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vu… ∗∗∗ Malicious packages uploaded to the Arch Linux AUR ∗∗∗ --------------------------------------------- https://lwn.net/Articles/1030603/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2025
by Daily end-of-shift report 18 Jul '25

18 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-07-2025 18:00 − Freitag 18-07-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ GitHub abused to distribute payloads on behalf of malware-as-a-service ∗∗∗ --------------------------------------------- Researchers from Cisco’s Talos security team have uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets. The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that’s greenlit in many enterprise networks that rely on the code repository for the software they develop. --------------------------------------------- https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-… ∗∗∗ Microsoft Teams voice calls abused to push Matanbuchus malware ∗∗∗ --------------------------------------------- The Matanbuchus malware loader has been seen being distributed through social engineering over Microsoft Teams calls impersonating IT helpdesk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-… ∗∗∗ New Phobos ransomware decryptor lets victims recover files for free ∗∗∗ --------------------------------------------- The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryp… ∗∗∗ Unmasking Malicious APKs: Android Malware Blending Click Fraud and Credential Theft ∗∗∗ --------------------------------------------- Malicious APKs (Android Package Kit files) continue to serve as one of the most persistent and adaptable delivery mechanisms in mobile threat campaigns. Threat actors routinely exploit social engineering and off-market distribution to bypass conventional security controls and capitalize on user trust to steal a variety of data, such as log in credentials. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-m… ∗∗∗ WordPress Redirect Malware Hidden in Google Tag Manager Code ∗∗∗ --------------------------------------------- Last month, a customer contacted us after noticing their WordPress website was unexpectedly redirecting to a spam domain. The redirection occurred approximately 4-5 seconds after a user landed on the site. Upon closer inspection of the site’s source code we found a suspicious Google Tag Manager loading. This isn’t the first time we’ve seen GTM abused. Earlier this year, we analyzed a credit card skimming attack where attackers injected a payment skimmer via a GTM container. This blog post details our full investigation into this campaign, how it was injected, how it worked, and how we removed it. --------------------------------------------- https://blog.sucuri.net/2025/07/wordpress-redirect-malware-hidden-in-google… ∗∗∗ LLMs in Applications – Understanding and Scoping Attack Surface ∗∗∗ --------------------------------------------- In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications. --------------------------------------------- https://blog.includesecurity.com/2025/07/llms-in-applications-understanding… ∗∗∗ Scanception Exposed: New QR Code Attack Campaign Exploits Unmonitored Mobile Access ∗∗∗ --------------------------------------------- Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems. Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate PDF documents. --------------------------------------------- https://thecyberexpress.com/scanception-qr-code-quishing-campaign/ ===================== = Vulnerabilities = ===================== ∗∗∗ Keycloak identity and access management system CVE-2025-7784 ∗∗∗ --------------------------------------------- A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. --------------------------------------------- https://access.redhat.com/security/cve/CVE-2025-7784 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails). --------------------------------------------- https://lwn.net/Articles/1030479/ ∗∗∗ Trend Micro Worry Free Business 10.0 SP 1 – Patch 2518 veröffentlicht ∗∗∗ --------------------------------------------- Der Sicherheitsanbieter Trend Micro hat zum 15.7.2025 Trend Micro Worry Free Business (WFBS) 10.0 SP 1 – Patch 2518 veröffentlicht. Der Patch enthält diverse Sicherheitsfixes und soll auch verschiedene Bugs beheben. So wird OpenSSL 3.0.15 im Apache-Webserver aktualisiert, um die Produktsicherheit zu verbessern. --------------------------------------------- https://www.borncity.com/blog/2025/07/18/trend-micro-worry-free-business-10… ∗∗∗ K000152614: Apache Commons vulnerability CVE-2025-48976 ∗∗∗ --------------------------------------------- Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. --------------------------------------------- https://my.f5.com/manage/s/article/K000152614 ∗∗∗ NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266) ∗∗∗ --------------------------------------------- New critical vulnerability with 9.0 CVSS presents systemic risk to the AI ecosystem, carries widespread implications for AI infrastructure. --------------------------------------------- https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape ∗∗∗ SOLIDWORKS eDrawings: Use After Free vulnerability CVE-2025-7042 ∗∗∗ --------------------------------------------- https://www.3ds.com/trust-center/security/security-advisories/cve-2025-7042 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2025
by Daily end-of-shift report 17 Jul '25

17 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-07-2025 18:00 − Donnerstag 17-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles ∗∗∗ --------------------------------------------- KAWA4096, a ransomware whose name includes "Kawa", the Japanese word for "river", first emerged in June 2025. This new threat features a leak site that follows the style of the Akira ransomware group, and a ransom note format similar to Qilin’s, likely an attempt to further enrich their visibility and credibility. In this blog .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-r… ∗∗∗ Oracle: 309 Sicherheitsupdates für alle möglichen Produkte ∗∗∗ --------------------------------------------- Oracle hat zum Critical Patch Update genannten Patchday im Juli 309 Sicherheitsupdates angekündigt. Zig Produkte sind verwundbar. --------------------------------------------- https://www.heise.de/news/Oracle-309-Sicherheitsupdates-fuer-alle-moegliche… ∗∗∗ Cisco: Sicherheitslücken in mehreren Produkten ∗∗∗ --------------------------------------------- In Ciscos ISE klafft eine weitere Lücke mit maximalem Bedrohungsgrad. Zudem warnt Cisco vor weiteren Lücken in mehr Produkten. --------------------------------------------- https://www.heise.de/news/Weitere-kritische-Luecke-in-Ciscos-ISE-10490589.h… ∗∗∗ Trump gibt eine Milliarde Dollar für offensive Cyberoperationen frei ∗∗∗ --------------------------------------------- Wie genau das Geld eingesetzt werden soll, ist nicht bekannt. Der Blick dürfte sich aber vor allem nach China richten --------------------------------------------- https://www.derstandard.at/story/3000000279549/trump-gibt-eine-milliarde-do… ∗∗∗ Google spots tailored backdoor malware aimed at SonicWall appliances ∗∗∗ --------------------------------------------- Google researchers reported on a malware campaign against end-of-life SonicWall appliances, noting that the attackers were good at covering their tracks. --------------------------------------------- https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148 ∗∗∗ Detection Engineering: Practicing Detection-as-Code – Repository – Part 2 ∗∗∗ --------------------------------------------- This is the second part of the Practicing Detection-as-Code series, where we will cover some basic elements of designing a repository to develop, store, and deploy detections from. Well go through several different aspects of the setup like the Git platform, branch strategy, repository structure, detections structure, taxonomies, and content packs. --------------------------------------------- https://blog.nviso.eu/2025/07/17/detection-engineering-practicing-detection… ∗∗∗ Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public ∗∗∗ --------------------------------------------- GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 - nearly two weeks before a public proof-of-concept was released on July 4. --------------------------------------------- https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-befo… ∗∗∗ Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts ∗∗∗ --------------------------------------------- A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessageTM SGNL. If exposed, this endpoint can return a full snapshot of heap memory which may include plaintext usernames, passwords, and other sensitive data. --------------------------------------------- https://www.greynoise.io/blog/active-exploit-attempts-signal-based-messagin… ∗∗∗ How to catch GitHub Actions workflow injections before attackers do ∗∗∗ --------------------------------------------- Strengthen your repositories against actions workflow injections - one of the most common vulnerabilities. --------------------------------------------- https://github.blog/security/vulnerability-research/how-to-catch-github-act… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, and linux-raspi, linux-raspi-5.4). --------------------------------------------- https://lwn.net/Articles/1030256/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.07.2025
by Daily end-of-shift report 16 Jul '25

16 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-07-2025 18:00 − Mittwoch 16-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers exploit a blind spot by hiding malware inside DNS records ∗∗∗ --------------------------------------------- Technique transforms the Internet DNS into an unconventional file storage system. --------------------------------------------- https://arstechnica.com/security/2025/07/hackers-exploit-a-blind-spot-by-hi… ∗∗∗ Dringend patchen: Zero-Day-Lücke lässt Hacker aus Chrome-Sandbox ausbrechen ∗∗∗ --------------------------------------------- Google hat per Update mehrere Sicherheitslücken in Chrome geschlossen. Eine wird schon aktiv ausgenutzt und ermöglicht einen Sandbox-Escape. --------------------------------------------- https://www.golem.de/news/google-warnt-zero-day-luecke-in-chrome-laesst-hac… ∗∗∗ Botnetz abgeschaltet: BKA geht gegen prorussische Hackergruppe vor ∗∗∗ --------------------------------------------- Die russische Hackergruppe NoName057(16) koordinierte DDoS-Angriffe mit 100 eigenen Servern und mehr als 1.000 Unterstützern auf Telegram. --------------------------------------------- https://www.golem.de/news/botnetz-abgeschaltet-bka-geht-gegen-prorussische-… ∗∗∗ Curl Creator Mulls Nixing Bug Bounty Awards To Stop AI Slop ∗∗∗ --------------------------------------------- Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to .. --------------------------------------------- https://it.slashdot.org/story/25/07/16/0618255/curl-creator-mulls-nixing-bu… ∗∗∗ VMware stopft teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- In VMware ESXi, Workstation, Fusion und Tools klaffen zum Teil kritische Sicherheitslücken. Updates sollen sie schließen. --------------------------------------------- https://www.heise.de/news/VMware-stopft-teils-kritische-Sicherheitsluecken-… ∗∗∗ Police dismantle DiskStation ransomware gang targeting NAS devices, arrest suspected ringleader ∗∗∗ --------------------------------------------- Police have struck a blow against the DiskStation ransomware gang which targets Synology NAS devices, and arresting its suspected ringleader. Make sure that you have properly hardened the security of your Network Access .. --------------------------------------------- https://www.fortra.com/blog/police-dismantle-diskstation-ransomware-gang ∗∗∗ NSA: Volt Typhoon was ‘not successful’ at persisting in critical infrastructure ∗∗∗ --------------------------------------------- “The good news" is that Chinas Volt Typhoon hacking campaign "really failed," an NSA official said at a cyber conference in New York. An FBI official also described an incident of "true cyberwarfare" with the Flax Typhoon group. --------------------------------------------- https://therecord.media/china-typhoon-hackers-nsa-fbi-response ∗∗∗ Old Miner, New Tricks ∗∗∗ --------------------------------------------- The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2miner campaigns that we documented in 2020 and have since been updated with new configurations. H2Miner is a Crypto mining botnet that has been active since late 2019. --------------------------------------------- https://www.fortinet.com/blog/threat-research/old-miner-new-tricks ∗∗∗ I SPy: Escalating to Entra IDs Global Admin with a first-party app ∗∗∗ --------------------------------------------- Backdooring Microsofts applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led to the development of new security controls. Despite these efforts, we uncovered a vulnerable, built-in SP that could have allowed escalation .. --------------------------------------------- https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-gl… ∗∗∗ ControlPlane Local Privilege Escalation Vulnerability on macOS ∗∗∗ --------------------------------------------- ControlPlane, originally a fork of MarcoPolo, is a powerful open-source context-aware automation tool for macOS. Developed initially by Dustin Rue, the project is no longer maintained and does not function on the latest versions of macOS. Despite this, it remains in use by a number of users and serves as an interesting target for application security research on Apple's platform. ControlPlane leverages inputs such as WiFi networks, Bluetooth devices, location, .. --------------------------------------------- http://blog.quarkslab.com/controlplane_lpe_macos.html ∗∗∗ Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 ∗∗∗ --------------------------------------------- This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation. --------------------------------------------- https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-e… ∗∗∗ Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users ∗∗∗ --------------------------------------------- Socket’s Threat Research Team recently reported on two npm packages with hidden functionality for Russian-language users visiting Russian domains in a browser. In the last few weeks, the team has found the .. --------------------------------------------- https://socket.dev/blog/protestware-update-28-npm-packages-affected-by-payl… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (cloud-init, emacs, firefox, glib2, go-toolset:rhel8, kernel, lz4, python-setuptools, python3.11-setuptools, python3.12-setuptools, and socat), Red Hat (fence-agents, glib2, glibc, java-17-openjdk, kernel, kernel-rt, python-setuptools, python3.11-setuptools, and python3.12-setuptools), Slackware (libxml2), SUSE (glib2, gpg2, kernel, libxml2, poppler, rmt-server, runc, stalld, and xen), and Ubuntu (jpeg-xl). --------------------------------------------- https://lwn.net/Articles/1030106/ ∗∗∗ CVE-2025-4919: Corruption via Math Space in Mozilla Firefox ∗∗∗ --------------------------------------------- In recent years, there has been an increase interest in the JavaScript engine vulnerabilities in order to compromise web browsers. Notably, vulnerabilities in JIT engines are among the most favorite ones as it provides strong primitives and well-known techniques are already available to facilitate compromise. At Pwn2Own Berlin 2025, Manfred Paul compromised the Mozilla .. --------------------------------------------- https://www.thezdi.com/blog/2025/7/14/cve-2025-4919-corruption-via-math-spa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2025
by Daily end-of-shift report 15 Jul '25

15 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 14-07-2025 18:00 − Dienstag 15-07-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MITRE Launches AADAPT Framework for Financial Systems ∗∗∗ --------------------------------------------- The new framework is modeled after and meant to complement the MITRE ATT&CK framework, and it is aimed at detecting and responding to cyberattacks on cryptocurrency assets and other financial targets. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/mitre-aadapt-framework-… ∗∗∗ US-Schienenverkehr gefährdet: Hacker können Züge seit Jahren aus der Ferne stoppen ∗∗∗ --------------------------------------------- Das Problem ist seit 13 Jahren bekannt, aber noch immer nicht behoben. Züge in den USA lassen sich per Funksignal anhalten - etwa mit einem Flipper Zero. --------------------------------------------- https://www.golem.de/news/us-schienenverkehr-gefaehrdet-hacker-koennen-zueg… ∗∗∗ North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign ∗∗∗ --------------------------------------------- The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks --------------------------------------------- https://thehackernews.com/2025/07/north-korean-hackers-flood-npm-registry.h… ∗∗∗ Securing Agentic AI: How to Protect the Invisible Identity Access ∗∗∗ --------------------------------------------- AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere, often with a high-privilege API key, OAuth token, or service account that defenders can’t easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. --------------------------------------------- https://thehackernews.com/2025/07/securing-agentic-ai-how-to-protect.html ∗∗∗ AsyncRATs Open-Source Code Sparks Surge in Dangerous Malware Variants Across the Globe ∗∗∗ --------------------------------------------- Cybersecurity researchers have charted the evolution of a widely used remote access trojan called AsyncRAT, which was first released on GitHub in January 2019 and has since served as the foundation for several other variants. --------------------------------------------- https://thehackernews.com/2025/07/asyncrats-open-source-code-sparks-surge.h… ∗∗∗ Framework 13. Press here to pwn ∗∗∗ --------------------------------------------- BIOS protection is the digital equivalent of a locked front door, but what if the doorbell doubled as a reset button? The Framework 13 laptop has a chassis intrusion detection switch. It’s designed to notify the BIOS when the laptop body has been opened. However, the same switch can be manipulated to reset the BIOS. This wipes critical protections like the BIOS administrator password, along with important security options such as secure boot and even the chassis intrusion lockout itself! --------------------------------------------- https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pw… ∗∗∗ Windows 10: Solange bekommen Microsoft 365-Apps noch Updates ∗∗∗ --------------------------------------------- Microsoft hat nun Fristen genannt, ab denen die Versorgung mit Sicherheitsupdates für Microsoft 365-Apps unter Windows 10 nach dem 14. Oktober 2025 enden wird, stellt aber überraschenderweise sogar noch Funktionsupdates (bis Version 2608) bereit. Das Gleiche gilt auch für Windows Server 2016/2019, falls dort MS 365-Apps unter Terminal-Server laufen. Es gibt gestufte Termine für das Rollout der Microsoft 365 Version 2608 und damit für die Freigabe der Funktions-Updates geben. Sicherheitsupdates gibt es dann noch bis Oktober 2025. --------------------------------------------- https://www.borncity.com/blog/2025/07/15/windows-10-solange-bekommen-micros… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg), Fedora (gnutls, linux-firmware, mingw-djvulibre, mingw-python-requests, and salt), Mageia (qtimageformats6), Oracle (gnome-remote-desktop, golang, kernel, libxml2, and perl-File-Find-Rule), SUSE (gstreamer-plugins-base, gstreamer-plugins-good, kernel, and protobuf), and Ubuntu (apport, glibc, gnutls28, and roundcube). --------------------------------------------- https://lwn.net/Articles/1029919/ ∗∗∗ Zyxel security advisory for path traversal vulnerability in APs ∗∗∗ --------------------------------------------- Zyxel has released patches to address a path traversal vulnerability in the file_upload-cgi CGI program of certain access point (AP) firmware versions. Users are advised to install these patches for optimal protection. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2025
by Daily end-of-shift report 14 Jul '25

14 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-07-2025 18:00 − Montag 14-07-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WordPress Gravity Forms developer hacked to push backdoored plugins ∗∗∗ --------------------------------------------- The popular WordPress plugin Gravity Forms has been compromised in what seems a supply-chain attack where manual installers from the official website were infected with a backdoor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-gravity-forms-deve… ∗∗∗ Google Gemini flaw hijacks email summaries for phishing ∗∗∗ --------------------------------------------- Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-e… ∗∗∗ Nach Cyberangriff: Ministerium bestätigt möglichen Datenabfluss bei der Polizei ∗∗∗ --------------------------------------------- Hacker haben ein System zur Verwaltung der Diensthandys der Landespolizei Mecklenburg-Vorpommern attackiert. Ein Datenabfluss kann nicht mehr ausgeschlossen werden. --------------------------------------------- https://www.golem.de/news/mecklenburg-vorpommern-moeglicher-datenabfluss-be… ∗∗∗ GPUHammer: New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs ∗∗∗ --------------------------------------------- NVIDIA is urging customers to enable System-level Error Correction Codes (ECC) as a defense against a variant of a RowHammer attack demonstrated against its graphics processing units (GPUs). --------------------------------------------- https://thehackernews.com/2025/07/gpuhammer-new-rowhammer-attack-variant.ht… ∗∗∗ eSIM Vulnerability in Kigens eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks. The issues impact the Kigen eUICC card. According to the Irish companys website, more than two billion SIMs in IoT devices have been enabled as of December 2020. --------------------------------------------- https://thehackernews.com/2025/07/esim-vulnerability-in-kigens-euicc.html ∗∗∗ Cyberangriff auf nius.de: mutmaßlich Nutzerdaten veröffentlicht ∗∗∗ --------------------------------------------- Am Samstag traf ein Cyberangriff das Portal nius.de. Titel von Artikeln wurden manipuliert, anscheinend auch Abonnentendaten veröffentlicht. --------------------------------------------- https://www.heise.de/news/Cyberangriff-auf-nius-de-mutmasslich-Nutzerdaten-… ∗∗∗ willhaben & PayLivery: Wie Kriminelle ein eigentlich sicheres Service ausnutzen ∗∗∗ --------------------------------------------- Sie sind „sehr stark interessiert“ und wollen „nicht nochmal leer ausgehen“. Kriminelle geben sich auf willhaben als potenzielle Käufer:innen aus und versuchen ihre Opfer aus der sicheren Umgebung der Plattform in einen Messenger zu locken. Der Sinn dahinter ist die Umgehung der internen Sicherheitsmechanismen. Wir erklären, was PayLivery eigentlich ist, wie es funktioniert und worauf man bei der Nutzung achten sollte. --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-paylivery-sicheres-service/ ∗∗∗ KongTuke FileFix Leads to New Interlock RAT Variant ∗∗∗ --------------------------------------------- Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). --------------------------------------------- https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interloc… ===================== = Vulnerabilities = ===================== ∗∗∗ CERT warnt vor UEFI-Sicherheitslücken in Gigabyte-Firmware ∗∗∗ --------------------------------------------- In der UEFI-Firmware zahlreicher Gigabyte-Mainboards klaffen Sicherheitslücken, durch die Angreifer ihre Rechte im System sehr weitreichend ausweiten können. Gigabyte stellt für zahlreiche Mainboards BIOS-Updates bereit, die die Lücken schließen. --------------------------------------------- https://www.heise.de/news/CERT-warnt-vor-UEFI-Sicherheitsluecken-in-Gigabyt… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redis and thunderbird), Fedora (cef, git, gnutls, httpd, linux-firmware, luajit, mingw-djvulibre, mingw-python-requests, perl, php, python-requests, python3.6, salt, and selenium-manager), Mageia (dpkg, firefox, gnupg2, and golang), Slackware (httpd and kernel), SUSE (afterburn, cmctl, git, go1.23, go1.24, k9s, liboqs-devel, libxml2, php8, python36, trivy, and xen), and Ubuntu (linux-xilinx-zynqmp and nix). --------------------------------------------- https://lwn.net/Articles/1029764/ ∗∗∗ COPADATA: CD_SVA_2025_01: zenon Remote Transport Vulnerability ∗∗∗ --------------------------------------------- https://selfservice.copadata.com/portal/en/kb/articles/cd-10-7-2025 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2025
by Daily end-of-shift report 11 Jul '25

11 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-07-2025 18:00 − Freitag 11-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In Paris verhaftet: Russischer Basketballprofi soll Cyberbande unterstützt haben ∗∗∗ --------------------------------------------- Ein Spieler des MBA Moskau ist in Frankreich festgenommen worden. Die US-Justiz wirft ihm vor, für eine Ransomwarebande Lösegeldzahlungen ausgehandelt zu haben. --------------------------------------------- https://www.golem.de/news/in-paris-verhaftet-russischer-basketballprofi-sol… ∗∗∗ PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a set of four security flaws in OpenSynergys BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.The vulnerabilities, .. --------------------------------------------- https://thehackernews.com/2025/07/perfektblue-bluetooth-vulnerabilities.html ∗∗∗ Now everybody but Citrix agrees that CitrixBleed 2 is under exploit ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency has added its weighty name to the list of parties agreeing that CVE-2025-5777, dubbed CitrixBleed 2 by one researcher, has been under exploitation and abused to hijack user sessions. --------------------------------------------- https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/ ∗∗∗ Trend Micro: Mehrere Produkte mit hochriskanten Lücken ∗∗∗ --------------------------------------------- Trend Micro hat Schwachstellenbeschreibungen veröffentlicht, die Lücken in mehreren Produkten erörtern. Updates sind verfügbar. --------------------------------------------- https://www.heise.de/news/Trend-Micro-Mehrere-Produkte-mit-hochriskanten-Lu… ∗∗∗ Hackergruppe soll 170 Cyberangriffe verübt haben ∗∗∗ --------------------------------------------- Mindestens 170 Angriffe mit Millionenschaden: Ermittler nehmen eine internationale Hackergruppe ins Visier. --------------------------------------------- https://www.heise.de/news/Hackergruppe-soll-170-Cyberangriffe-veruebt-haben… ∗∗∗ Kritische Codeschmuggel-Lücke in Wing FTP wird angegriffen ∗∗∗ --------------------------------------------- In der Datentransfersoftware Wing FTP attackieren Angreifer eine Sicherheitslücke, die das Einschleusen von Schadcode erlaubt. --------------------------------------------- https://www.heise.de/news/Codeschmuggel-Luecke-in-Wing-FTP-wird-angegriffen… ∗∗∗ UK Arrests Four in ‘Scattered Spider’ Ransom Group ∗∗∗ --------------------------------------------- Authorities in the United Kingdom this week arrested four alleged members of "Scattered Spider," a prolific data theft and extortion group whose recent victims include multiple airlines and the U.K. retail chain Marks & Spencer. --------------------------------------------- https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ran… ∗∗∗ Sil3ncer Deployed – RCE, Porn Diversion, and Ransomware on an SFTP-only Server ∗∗∗ --------------------------------------------- We investigated a ransomware incident on a Windows Server 2012 host running in an SFTP-only role. The attacker delivered an attack that combined remote code execution, persistence, tunnelling, and a diversionary visit to Pornhub, before launching a ransomware payload. Background & scope An easy way in The compromised server was .. --------------------------------------------- https://www.pentestpartners.com/security-blog/sil3ncer-deployed-rce-porn-di… ∗∗∗ Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques ∗∗∗ --------------------------------------------- SLOW#TEMPEST malware uses dynamic jumps and obfuscated calls to evade detection. Unit 42 details these techniques and how to defeat them with emulation. --------------------------------------------- https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/ ∗∗∗ Former Mexican president investigated over allegedly taking bribes from spyware industry ∗∗∗ --------------------------------------------- The investigation comes in response to an account in the Israeli business publication TheMarker, which reported that the contracts included a deal to buy Pegasus — the powerful spyware manufactured by Israel-based NSO Group. --------------------------------------------- https://therecord.media/former-mexican-president-investigated-spyware-bribes ∗∗∗ Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) ∗∗∗ --------------------------------------------- Welcome back to yet another day in this parallel universe of security.This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. Thats a great question; no one .. --------------------------------------------- https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

← Newer
1
...
5
6
7
8
9
10
11
...
329
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily