=====================
= End-of-Day report =
=====================
Timeframe: Freitag 20-03-2026 18:00 − Montag 23-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft Azure Monitor alerts abused in callback phishing campaigns ∗∗∗
---------------------------------------------
Azure Monitor is Microsoft's cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure. [..] Over the past month, numerous people have reported receiving Azure Monitor alerts warning of suspicious charges or invoice activity on their accounts, urging them to call an enclosed phone number.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-aler…
∗∗∗ VoidStealer malware steals Chrome master key via debugger trick ∗∗∗
---------------------------------------------
“VoidStealer is the first infostealer observed in the wild adopting a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the v20_master_key directly from browser memory,” says Vojtěch Krejsa, threat researcher at Gen Digital.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/voidstealer-malware-steals-c…
∗∗∗ Sicherheitsvorfall bei SAP-Dienstleister In4MD Service GmbH ∗∗∗
---------------------------------------------
Kurzer Nachtrag über einen Sicherheitsvorfall bei der In4MD Service GmbH, der sich bereits zum 14. März 2026 ereignet hat. Die In4MD Service GmbH ist meinen Informationen nach ein Dienstleister im SAP-Umfeld und wurde Opfer eines Cyberangriffs auf seine IT-Systeme. Kunden wurden inzwischen informiert.
---------------------------------------------
https://borncity.com/blog/2026/03/22/sicherheitsvorfall-bei-sap-dienstleist…
∗∗∗ Trivy Supply Chain Attack Expands to Compromised Docker Images ∗∗∗
---------------------------------------------
Newly published Trivy Docker images (0.69.4, 0.69.5, and 0.69.6) were found to contain infostealer IOCs and were pushed to Docker Hub without corresponding GitHub releases.
---------------------------------------------
https://socket.dev/blog/trivy-docker-images-compromised
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-Day erlaubt Codeausführung in WindChill und FlexPLM ∗∗∗
---------------------------------------------
Informationen zur Sicherheitslücke sind spärlich, weder eine CVE-Kennung noch Warnungen der nationalen CERTs (Computer Emergency Response Team) sind verfügbar. [..] Der Hersteller ruft dringend dazu auf, Sicherheitsmaßnahmen zu ergreifen – ein Patch ist zur Stunde noch nicht verfügbar. [..] Wie der Windchill-Dienstleister EAC in einer Aussendung an seine Kunden beschreibt, ist dazu eine Konfigurationsänderung des Apache-Webservers notwendig.
---------------------------------------------
https://www.heise.de/news/Zero-Day-erlaubt-Codeausfuehrung-in-WindChill-und…
∗∗∗ VMware Tanzu: Verschiedene Spring-Produkte sind attackierbar ∗∗∗
---------------------------------------------
Im Umgang mit HTTP-Headern kann es zu Fehlern kommen, sodass Angreifer unrechtmäßig auf sensible Daten zugreifen können. [..] Im Kontext von Spring Boot können Angreifer unter anderem die Authentifizierung umgehen (etwa CVE-2026-22731 „hoch“).
---------------------------------------------
https://www.heise.de/news/VMware-Tanzu-Verschiedene-Spring-Produkte-sind-at…
∗∗∗ Schwerwiegende Sicherheitslücken in Citrix NetScaler ADC und NetScaler Gateway - Patches verfügbar ∗∗∗
---------------------------------------------
In NetScaler ADC (vormals Citrix ADC) und NetScaler Gateway (vormals Citrix Gateway) wurden zwei schwerwiegende Sicherheitslücken, CVE-2026-3055 und CVE-2026-4368, entdeckt. Die Ausnutzung dieser Schwachstellen ermöglicht Angreifer:innen unter Umständen Zugriff auf sensible Informationen.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/3/schwerwiegende-sicherheitslucken-in…
∗∗∗ LWN: Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1064298/
∗∗∗ Synology-SA-26:03 GNU Inetutils ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_26_03
∗∗∗ Stackfield Desktop App for Windows and macOS <= 1.10.1 Path Traversal Remote Code Execution ∗∗∗
---------------------------------------------
https://www.rcesecurity.com/advisories/cve-2026-28373/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 19-03-2026 18:00 − Freitag 20-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security ∗∗∗
---------------------------------------------
A new analysis of endpoint detection and response (EDR) killers has revealed that 54 of them leverage a technique known as bring your own vulnerable driver (BYOVD) by abusing a total of 34 vulnerable drivers. EDR killer programs have been a common presence in ransomware intrusions as they offer a way for affiliates to neutralize security software before deploying file-encrypting malware.
---------------------------------------------
https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.ht…
∗∗∗ Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams ∗∗∗
---------------------------------------------
Google on Thursday announced a new "advanced flow" for Android sideloading that requires a mandatory 24-hour wait period to install apps from unverified developers in an attempt to balance openness with safety. The new changes come against the backdrop of a developer verification mandate the tech giant announced last year that requires all Android apps to be registered by verified developers to be installed on certified Android devices.
---------------------------------------------
https://thehackernews.com/2026/03/google-adds-24-hour-wait-for-unverified.h…
∗∗∗ New Fake Zoom Meeting Invite Scam Spreads Malware on Windows PCs ∗∗∗
---------------------------------------------
The attack usually begins with a simple email that looks exactly like a standard Zoom invitation, featuring a large button to start the meeting. However, instead of going to the official Zoom website, it launches a series of fake security checks. [..] According to Sublime Security’s blog post, shared with Hackread.com, the most surprising part is what happens after you click join. Instead of a real call, the browser runs JavaScript to create a live, interactive simulation of a meeting. This allows scammers to include fictitious participants such as Matthew Karlsson and Sarah Chen. To make it feel real, the script even triggers choppy audio and warnings about a Network Issue, but this is just a trick to make the user believe their software is glitching and needs a fix.
---------------------------------------------
https://hackread.com/fake-zoom-meeting-invite-scam-windows-pc-malware/
∗∗∗ Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets ∗∗∗
---------------------------------------------
A new supply chain attack targeting Trivy has been disclosed today by Paul McCarty, marking the second distinct compromise affecting the Trivy ecosystem in March. This latest incident impacts GitHub Actions, and is separate from the earlier OpenVSX compromise involving the VS Code extension.
---------------------------------------------
https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
=====================
= Vulnerabilities =
=====================
∗∗∗ New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores ∗∗∗
---------------------------------------------
A newly disclosed vulnerability dubbed PolyShell affects all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover. [..] Adobe has released a fix, but it is only available in the second alpha release for version 2.4.9, leaving production versions vulnerable. [..] There are no signs of the issue being actively exploited in the wild, but eCommerce security company Sansec warns that "the exploit method is circulating already" and expects automated attacks to start soon.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-un…
∗∗∗ Oracle Security Alert for CVE-2026-21992 - 19 March 2026 ∗∗∗
---------------------------------------------
This Security Alert addresses vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
∗∗∗ OpenWrt: Service-Releases schließen kritische Sicherheitslücken ∗∗∗
---------------------------------------------
Das OpenWrt-Projekt hat die Service-Releases 25.12.1 und 24.10.6 veröffentlicht. Die korrigieren einige kleinere Fehler, aber auch als kritisches Risiko eingestufte Sicherheitslücken. Wer OpenWrt einsetzt, sollte daher zeitnah die Aktualisierungen anwenden. (CVE-2026-30872, CVE-2026-32721, CVE-2026-30873, CVE-2026-30874)
---------------------------------------------
https://heise.de/-11219084
∗∗∗ Diverse Attacken auf Dell Secure Connect Gateway Policy Manager möglich ∗∗∗
---------------------------------------------
Auch wenn es in der Warnmeldung zu den Lücken keine Hinweise auf bereits laufende Attacken gibt, sollten Admins nicht zu lange zögern und zeitnah die gepatchte Version 5.34.00.14 installieren. Alle vorigen Ausgaben sind den Entwicklern zufolge angreifbar. (CVE-2026-25646, CVE-2026-22610, CVE-2026-24734)
---------------------------------------------
https://heise.de/-11219110
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1063990/
∗∗∗ QNAP: Vulnerability in QVR Pro ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-26-07
∗∗∗ QNAP: Multiple Vulnerabilities in QuNetSwitch (ADRA NDR) ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-26-11
∗∗∗ QNAP: Vulnerability in Media Streaming Add-on ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-26-09
∗∗∗ QNAP: Multiple Vulnerabilities in QuRouter (PWN2OWN 2025) ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-26-12
∗∗∗ QNAP: Vulnerability in QuFTP Service ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-26-15
∗∗∗ Kubernetes CVE-2026-4342: ingress-nginx comment-based nginx configuration injection ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/137893
∗∗∗ Chrome: Google schließt 26 Sicherheitslücken im Webbrowser ∗∗∗
---------------------------------------------
https://heise.de/-11218696
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 18-03-2026 18:00 − Donnerstag 19-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New ‘Perseus’ Android malware checks user notes for secrets ∗∗∗
---------------------------------------------
A new Android malware called Perseus is checking user-curated notes to steal sensitive information, like passwords, recovery phrases, or financial data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-perseus-android-malware-…
∗∗∗ "Sicherheitstheater": Microsoft erhält FedRAMP-Zulassung trotz massiver Mängel ∗∗∗
---------------------------------------------
Interne Berichte und Experten kritisieren die Zertifizierung von Microsofts-Cloudlösung GCC High für US-Behörden scharf.
---------------------------------------------
https://www.golem.de/news/sicherheitstheater-microsoft-erhaelt-fedramp-zula…
∗∗∗ Fake-ITler: Nordkoreanische IT-Agenten machen 500 Millionen USD ∗∗∗
---------------------------------------------
Fake-ITler aus Nordkorea erwirtschaften für ihre Regierung im Jahr 500 Millionen US-Dollar. Unternehmen können auf Warnzeichen achten.
---------------------------------------------
https://www.golem.de/news/fake-itler-nordkoreanische-it-agenten-machen-500-…
∗∗∗ Microsoft-Erinnerung an nächste Phase der Kerberos-RC4-Härtung ∗∗∗
---------------------------------------------
Microsoft will die unsichere RC4-Verschlüsselung loswerden. Das Unternehmen weist darauf hin, dass im April die nächste Phase startet.
---------------------------------------------
https://www.heise.de/news/Microsoft-Erinnerung-an-naechste-Phase-der-Kerber…
∗∗∗ Analyzing the Current State of AI Use in Malware ∗∗∗
---------------------------------------------
Unit 42 research explores how AI is currently used in malware, from superficial integrations to advanced decision-making, and its future impact.
---------------------------------------------
https://unit42.paloaltonetworks.com/ai-use-in-malware/
∗∗∗ Microsofts Cloud wird von Experten als "ein Haufen Mist" eingestuft aber abgenickt ∗∗∗
---------------------------------------------
Krasse Geschichte, die mir die Nacht untergekommen ist. Ein interner Bericht der US-Bundesregierung enthüllt, dass deren Cyber-Experten die Cloud von Microsoft geprüft haben. Da (mangels Unterlagen) kaum etwas geprüft werden konnte, bezeichneten die Experten die Microsoft Cloud als "einen Haufen" ("a pile of shit").
---------------------------------------------
https://borncity.com/blog/2026/03/19/microsofts-cloud-wird-von-experten-als…
∗∗∗ Everyday tools, extraordinary crimes: the ransomware exfiltration playbook ∗∗∗
---------------------------------------------
Attackers use trusted tools for data theft, making traditional detection unreliable. The Exfiltration Framework enables defenders to spot exfiltration by focusing on behavioral signals across endpoints, networks, and cloud environments rather than static tool indicators.
---------------------------------------------
https://blog.talosintelligence.com/everyday-tools-extraordinary-crimes-the-…
∗∗∗ GlassWorm Sleeper Extensions Activate on Open VSX, Shift to GitHub-Hosted VSIX Malware ∗∗∗
---------------------------------------------
We identified over 20 additional malicious extensions, along with over 20 related sleeper extensions, some of which have already been weaponized.
---------------------------------------------
https://socket.dev/blog/glassworm-sleeper-extensions-activated-on-open-vsx?…
∗∗∗ Critical Vulnerabilities in SGLang: RCE via Pickle Deserialization ∗∗∗
---------------------------------------------
During our ongoing AI research into Nvidia Dynamo’s distributed inference capabilities, we discovered critical remote code execution vulnerabilities in SGLang, a popular open-source framework for serving Large Language Models. While conducting security assessments of AI infrastructure components, we identified that SGLang’s ZMQ (ZeroMQ) broker implementation contains severe pickle deserialization vulnerabilities that allow unauthenticated remote attackers to execute arbitrary code. Interestingly, we later discovered that Orca Security had independently identified these same vulnerabilities and published their research findings. However, despite responsible disclosure efforts and submitted patch requests, the SGLang team has not responded or implemented fixes, leaving users exposed to these critical security risks.
---------------------------------------------
https://fortbridge.co.uk/research/sglang-rce-vulnerabilities-pickle-deseria…
∗∗∗ Critical Microsoft SharePoint flaw now exploited in attacks ∗∗∗
---------------------------------------------
A critical Microsoft SharePoint vulnerability patched in January is now being exploited in attacks, the Cybersecurity and Infrastructure Security Agency (CISA) warned.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/critical-microsoft-sharepoi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Schwachstelle in der E-Learning-Plattform Stud.IP ∗∗∗
---------------------------------------------
Bei der Analyse der Stud.IP-Plattform wurde eine kritische Persistent Cross-Site Scripting-Schwachstelle identifiziert, welche es Usern erlaubt, Code im Browser anderer Seitenbesuchenden auszuführen. In Zusammenarbeit mit den Entwicklern von Stud.IP wurden hierzu Sicherheitspatches in den Versionen 5.4.10, 5.5.7 und 6.0.1 veröffentlicht.
---------------------------------------------
https://www.syss.de/pentest-blog/kritische-schwachstelle-in-studip
∗∗∗ Ubiquiti UniFi Network Application: Kritische Lücke erlaubt unbefugten Zugang ∗∗∗
---------------------------------------------
In Ubiquitis UniFi Network Application hat der Hersteller zwei Sicherheitslücken gemeldet. Eine davon gilt als kritisch mit Höchstwertung und erlaubt Angreifern aus dem Netz, sich unbefugt Zugriff auf Konten zu verschaffen. Ubiquiti stellt Aktualisierungen bereit.
---------------------------------------------
https://www.heise.de/news/Ubiquiti-UniFi-Network-Application-Kritische-Luec…
∗∗∗ ConnectWise ScreenConnect schließt kritische Zugriffslücke ∗∗∗
---------------------------------------------
In ScreenConnect von ConnectWise können Angreifer aus dem Netz eine Lücke missbrauchen, um unbefugt auf die Fernwartung zuzugreifen.
---------------------------------------------
https://www.heise.de/news/ConnectWise-ScreenConnect-schliesst-kritische-Zug…
∗∗∗ Warnung vor Angriffen auf Cisco FMC, SharePoint und Zimbra ∗∗∗
---------------------------------------------
Cyberkriminelle greifen derzeit Schwachstellen in Cisco FMC, SharePoint und Zimbra an. Updates zum Schließen der Lücken stehen bereit.
---------------------------------------------
https://heise.de/-11217003
∗∗∗ SVD-2026-0314: Third-Party Package Updates in Splunk Universal Forwarder - March 2026 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0314
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1063659/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2026-0001 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2026-0001.html
∗∗∗ Roundcube Security updates 1.7-rc5, 1.6.14 and 1.5.14 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 17-03-2026 18:00 − Mittwoch 18-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New “Darksword” iOS exploit used in infostealer attack on iPhones ∗∗∗
---------------------------------------------
A new exploit kit for iOS devices and delivery framework dubbed "Darksword" has been used to steal a wide range of personal information, including data from cryptocurrency wallet app. [..] iVerify's findings indicate that all flaws (sandbox escape, privilege escalation, remote code execution) exploited in this exploit chain are known or documented, and Apple has already addressed them in the latest iOS releases.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-darksword-ios-exploit-us…
∗∗∗ Technical Analysis of SnappyClient ∗∗∗
---------------------------------------------
In December 2025, Zscaler ThreatLabz identified a new command-and-control (C2) framework implant that we track as SnappyClient, which was delivered using HijackLoader. [..] In this blog post, ThreatLabz provides a technical analysis of SnappyClient, including its core features, configuration, network communication protocol, commands, and post-infection activities.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-snappycl…
∗∗∗ Inside a network of 20,000+ fake shops ∗∗∗
---------------------------------------------
We mapped a sprawling fake shop operation of over 20,000 domains, dozens of shared IP addresses and identical storefronts with different names pasted on top. [..] Much of this activity clusters around a small number of IP ranges, including blocks in the 207.244.x.x and 23.105.x.x space. That clustering points to a preference for specific hosting providers, and a setup designed for speed: spin up a domain, attach a template, go live.
---------------------------------------------
https://www.malwarebytes.com/blog/scams/2026/03/inside-a-network-of-20000-f…
∗∗∗ Gigsberg.de: Erneuter Alarm um Resale-Tickets für den Eurovision Song Contest ∗∗∗
---------------------------------------------
Alle Kontingente sind restlos ausverkauft. Eine offizielle Plattform zum Weiterverkauf für ESC-Tickets gibt es noch nicht. Dennoch tauchen immer wieder entsprechende Angebote bei Online-Marktplätzen für Eintrittskarten auf – wie aktuell bei gigsberg.de.
---------------------------------------------
https://www.watchlist-internet.at/news/esc-gigsberg-tickets/
∗∗∗ From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA ∗∗∗
---------------------------------------------
This case study walks through an incident that involves: An exposed Spring Boot Actuator endpoint [..] Plaintext credentials stored in a spreadsheet [..] A risky authentication method (ROPC) [..] These weaknesses ultimately allowed attackers to compromise a SharePoint service account of the target organization and exfiltrate data from SharePoint Online.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/c/from-misconfigured-spring-bo…
∗∗∗ Reverse Engineering .NET AOT Malware: A Guide to Trace the Multi-Stage Attack Chain with Binary Ninja ∗∗∗
---------------------------------------------
This blog serves both as an examination of newly identified malware and as a practical guide for researchers beginning their journey into malware analysis. Throughout the guide, we use Binary Ninja to reverse engineer the samples.
---------------------------------------------
https://www.cyderes.com/howler-cell/reverse-engineering-net-aot-malware
∗∗∗ Amazon threat intelligence teams identify Interlock ransomware campaign targeting enterprise firewalls ∗∗∗
---------------------------------------------
Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device, which was disclosed by Cisco on March 4, 2026.
---------------------------------------------
https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-iden…
=====================
= Vulnerabilities =
=====================
∗∗∗ Telnet: Kritische Lücke erlaubt Einschleusen von Schadcode aus dem Netz ∗∗∗
---------------------------------------------
Eine Lücke im telnetd der GNU Inetutils ermöglicht Angreifern aus dem Netz das Einschleusen von Schadcode – ohne vorherige Anmeldung. [..] Die Sicherheitslücke hat einen Schwachstelleneintrag erhalten, der erklärt, dass ein Schreibzugriff außerhalb vorgesehener Speichergrenzen im Code zur Verarbeitung der „LINEMODE SLC“-Option (Set Local Characters) möglich ist. Die Funktion add_slc prüft schlicht nicht, ob der Puffer bereits voll ist (CVE-2026-32746, CVSS 9.8, Risiko „kritisch“). [..] Ein Update zum Stopfen des Sicherheitslecks steht demnach bislang nicht zur Verfügung. [..] IT-Verantwortliche sollten Zugriffsmöglichkeiten auf ihre Instanzen des telnetd aus den GNU Inetutils unbedingt auf vertrauenswürdige Rechner beschränken oder sie durch verschlüsselte Methoden ersetzen.
---------------------------------------------
https://heise.de/-11215518
∗∗∗ Ubuntu: root-Lücke durch snapd ∗∗∗
---------------------------------------------
Eine Schwachstelle im Zusammenspiel von snapd und systemd unter Ubuntu ermöglicht Angreifern, root-Zugriff zu erlangen. [..] Ein Angriff ist durch den langen Zeitraum, den Angreifer bis zum potenziellen Erfolg warten müssen, als komplex eingestuft. [..] Ubuntu stellt aktualisierte snapd-Pakete bereit, die die Schwachstelle ausbessern.(CVE-2026-3888, CVSS 7.8, Risiko „hoch“)
---------------------------------------------
https://heise.de/-11216189
∗∗∗ Researchers disclose vulnerabilities in IP KVMs from four manufacturers ∗∗∗
---------------------------------------------
On Tuesday, researchers from security firm Eclypsium disclosed a total of nine vulnerabilities in IP KVMs from four manufacturers. The most severe flaws allow unauthenticated hackers to gain root access or run malicious code on them. [..] Firmware vulnerabilities also leave them open to remote takeover. [..] some of the devices are being fixed. As of Tuesday, however, the most severe vulnerabilities—found in IP KVMs made by Angeet/Yeeso—aren’t.
---------------------------------------------
https://arstechnica.com/security/2026/03/researchers-disclose-vulnerabiliti…
∗∗∗ Gimp: Update schließt Codeschmuggel-Lücken ∗∗∗
---------------------------------------------
Am Wochenende hat das Gimp-Projekt die Version 3.2 des mächtigen und quelloffenen Grafikprogramms veröffentlicht. [..] Die Zero Day Initiative (ZDI) von Trend Micro (nun unter dem Namen „TrendAI“ in dem Unternehmen aufgehängt) hat zwei Sicherheitslücken in den Parsern für bestimmte Bildformate gemeldet.
---------------------------------------------
https://heise.de/-11214979
∗∗∗ Drupal: Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-030
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1063446/
∗∗∗ Roundcube: Security updates 1.7-rc5, 1.6.14 and 1.5.13 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 16-03-2026 18:00 − Dienstag 17-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks ∗∗∗
---------------------------------------------
The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript. [..] ReliaQuest calls this tactic a “bring your own runtime” (BYOR) attack, as Deno is a legitimate JavaScript/TypeScript runtime that allows JS/TS code execution outside the browser on a system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clic…
∗∗∗ European Security Vendor Targeted by Hackers Fronting as Cisco Domain ∗∗∗
---------------------------------------------
On March 13, 2026, the threat intelligence team at Outpost24, Specops’ parent company, discovered and blocked a sophisticated multi-chain redirect phishing campaign fronting as Cisco, a global network equipment provider. Outpost24’s early detection and rapid response ensured nobody was impacted. The attack is quite complex, leveraging several trusted services as well as compromised legitimate infrastructure to conceal the final phishing destination.
---------------------------------------------
https://specopssoft.com/blog/phishing-campaign-cisco/
∗∗∗ Hacked sites deliver Vidar infostealer to Windows users ∗∗∗
---------------------------------------------
In recent years, ClickFix and fake CAPTCHA techniques have become a popular way for cybercriminals to distribute malware. Our researchers have recently detected a campaign that ultimately delivers the Vidar infostealer, using several different infection chains. [..] Because Vidar loads in memory and communicates with remote command servers, it can quietly collect and exfiltrate data without obvious signs of infection.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/03/hacked-sites-deliver…
∗∗∗ New Vidar 2.0 Infostealer Spreads via Fake Game Cheats on GitHub, Reddit ∗∗∗
---------------------------------------------
The new infostealer campaign spreads Vidar 2.0 via fake game cheats on GitHub and Reddit, stealing crypto, login tokens, and files while targeting young gamers ignoring security warnings.
---------------------------------------------
https://hackread.com/vidar-2-0-infostealer-fake-game-cheats-github-reddit/
∗∗∗ New font-rendering trick hides malicious commands from AI tools ∗∗∗
---------------------------------------------
A new font-rendering attack causes AI assistants to miss malicious commands shown on webpages by hiding them in seemingly harmless HTML. The technique relies on social engineering to persuade users to run a malicious command displayed on a webpage, while keeping it encoded in the underlying HTML so AI assistants cannot analyze it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-font-rendering-trick-hid…
∗∗∗ Pwning AI Code Interpreters in AWS Bedrock AgentCore ∗∗∗
---------------------------------------------
During research into AI code execution environments, BeyondTrust Phantom Labs™ discovered that AWS Bedrock AgentCore Interpreter’s Sandbox network mode does not fully block outbound communication. [..] AWS communicated that a fix will not be made and it will change the documentation’s description of sandbox mode instead. [..] AWS awarded the security researcher with a $100 gift card to the AWS Gear Shop and a CVSSv3 score of 7.5.
---------------------------------------------
https://www.beyondtrust.com/blog/entry/pwning-aws-agentcore-code-interpreter
∗∗∗ We dont need to hack your AI Agent to hack your AI Agent ∗∗∗
---------------------------------------------
The most severe vulnerabilities in AI assistant deployments often have nothing to do with prompt injection, adversarial inputs, or model manipulation. [..] we went ahead and conducted a routine review of a publicly accessible AI assistant operated by a large enterprise organisation, we identified a backend API URL embedded in a JavaScript asset loaded by the application's frontend. This is a common and often unremarkable finding — backends have URLs, and it's not always avoidable for client-side code to know where to send requests. In this case, however, what sat behind that URL turned out to be the keys to the kingdom.
---------------------------------------------
https://srlabs.de/blog/hacking-ai-agent
∗∗∗ Node.js: Tuesday, March 24, 2026 Security Releases ∗∗∗
---------------------------------------------
The Node.js project will release new versions of the 25.x, 24.x, 22.x, 20.x releases lines on or shortly after, Tuesday, March 24, 2026 in order to address: 2 high severity issues. 5 medium severity issues. 2 low severity issues.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
∗∗∗ MC1247893: Phishing-resistente Windows-Anmeldung durch Microsoft Entra-Passkeys (Preview verfügbar) ∗∗∗
---------------------------------------------
Derzeit (Mitte März 2026) beginnt die öffentliche Vorschau (Public Preview) von Microsoft Entra-Passkeys, was eine eine phishing-sichere, passwortlose Anmeldung über Windows Hello bei durch Entra geschützten Ressourcen, einschließlich nicht verwalteter Geräte, ermöglichen soll. Administratoren in Unternehmen müssen sich für diese Funktion anmelden und Richtlinien konfigurieren.
---------------------------------------------
https://borncity.com/blog/2026/03/17/mc1247893-phishing-resistente-windows-…
∗∗∗ Boggy Serpens Threat Assessment ∗∗∗
---------------------------------------------
Boggy Serpens is an Iranian nation-state cyberespionage group active since at least 2017. Assessed to be a subordinate element of the MOIS, the group has primarily targeted government, military and critical infrastructure sectors across the Middle East, the Caucasus, Central and Western Asia, South America and Europe. [..] Unit 42 details their persistent targeting.
---------------------------------------------
https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/
∗∗∗ New Phishing Scam Uses LiveChat to Pose as Amazon and PayPal in Real Time ∗∗∗
---------------------------------------------
Cofense researchers have found a new phishing scam where threat actors use LiveChat software to impersonate brands like Amazon and PayPal. By chatting with victims in real-time, these cybercriminals are able to bypass security codes and steal credit card information. [..] The scam begins with an email. While most junk mail is easy to ignore, these messages stand out for their clever tricks to get you to click. One version mimics a PayPal notification claiming you have a $200.00 USD refund waiting.
---------------------------------------------
https://hackread.com/phishing-scam-livechat-pose-as-amazon-paypal/
∗∗∗ Comeback des Klimabonus? Nein, nur ein (erneuter) Phishing-Versuch! ∗∗∗
---------------------------------------------
Bereits im Vorjahr hatten wir von der Masche berichtet, jetzt ist sie wieder da! Kriminelle versenden aktuell massenhaft SMS, in denen das Comeback des Klimabonus verkündet wird. Wer sich seine Auszahlung sichern will, müsse sich umgehend vormerken. Über ein durchaus gut gefälschtes Portal wollen die Betrüger:innen an persönliche Informationen und Logindaten fürs Onlinebanking.
---------------------------------------------
https://www.watchlist-internet.at/news/comeback-klimabonus-phishing/
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3-EXT-SA-2026-007: Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2026-007
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1063248/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 13-03-2026 18:00 − Montag 16-03-2026 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Supply-chain attack using invisible code hits GitHub and other repositories ∗∗∗
---------------------------------------------
Unicode thats invisible to the human eye was largely abandoned—until attackers took notice.
---------------------------------------------
https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisibl…
∗∗∗ Fake enterprise VPN sites used to steal company credentials ∗∗∗
---------------------------------------------
A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-enterprise-vpn-download…
∗∗∗ AppsFlyer Web SDK hijacked to spread crypto-stealing JavaScript code ∗∗∗
---------------------------------------------
The AppsFlyer Web SDK was temporarily hijacked this week with malicious code used to steal cryptocurrency in a supply-chain attack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/appsflyer-web-sdk-used-to-sp…
∗∗∗ Cyberangriff: Hacker attackieren polnischen Kernreaktor-Betreiber ∗∗∗
---------------------------------------------
Polens nationales Nuklearforschungszentrum bestätigt einen versuchten Cyberangriff auf die eigene IT. Erste Spuren weisen angeblich Richtung Iran.
---------------------------------------------
https://www.golem.de/news/cyberangriff-hacker-attackieren-polnischen-kernre…
∗∗∗ Vernetzte Fabriken im Visier: Cyberangriffe kosten Autobranche Milliarden ∗∗∗
---------------------------------------------
Ein Weißbuch der Denkfabrik CAM und von Cisco zeigt: Die Schadenskosten sind explodiert, wobei vor allem die Zulieferer als schwächstes Glied der Kette gelten.
---------------------------------------------
https://www.heise.de/news/Vernetzte-Fabriken-im-Visier-Cyberangriffe-kosten…
∗∗∗ FBI sucht Opfer infizierter Steam-Spiele für eigene Ermittlungen ∗∗∗
---------------------------------------------
Das FBI ruft Nutzer von acht bei Steam angebotenen, aber infizierten Games zu Hilfe. Durch ein Formular sollen Spieler die Ermittlungen unterstützen.
---------------------------------------------
https://www.heise.de/news/FBI-sucht-Opfer-infizierter-Steam-Spiele-fuer-eig…
∗∗∗ Spammer setzen auf hohe Spritpreise als Köder ∗∗∗
---------------------------------------------
Durch den Iran-Krieg bleiben die Kraftstoffpreise hoch. Spammer missbrauchen das und wollen Opfern nutzlose OBD2-Dongles andrehen.
---------------------------------------------
https://www.heise.de/news/Spam-Warnung-Betrueger-koedern-mit-angeblichen-Sp…
∗∗∗ Festgeld-Falle zinsfuchs.com: Warnzeichen auf einen Blick ∗∗∗
---------------------------------------------
Fest- und Tagesgeldanlagen gelten als sichere und beliebte Geldanlage. Doch Vorsicht: Zwischen seriösen Online-Anbietern verstecken sich immer wieder schwarze Schafe. Ein aktuelles Beispiel ist die Website zinsfuchs.com, die mit attraktiven Angeboten in die Falle lockt.
---------------------------------------------
https://www.watchlist-internet.at/news/festgeld-falle-zinsfuchscom/
∗∗∗ Roll Your Own... LMS ∗∗∗
---------------------------------------------
People say dont roll your own crypto but nobody ever warns you not to roll your own LMS (when you have minimal dev experience).
---------------------------------------------
https://blog.zsec.uk/roll-your-own-lms/
∗∗∗ Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack ∗∗∗
---------------------------------------------
Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC Yuze, and a persistent BYOVD technique leveraging the NSec driver.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/c/dissecting-a-warlock-attack.…
∗∗∗ Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape ∗∗∗
---------------------------------------------
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-sh…
∗∗∗ Companies House vulnerability enabled company hijacking ∗∗∗
---------------------------------------------
A major vulnerability in the Companies House website gave unauthorised access to the private dashboard of any of the five million registered companies for five months. It exposed directors’ home addresses and email addresses, and appears to have enabled attackers to change company and director details – and even file accounts.
---------------------------------------------
https://taxpolicy.org.uk/2026/03/13/companies-house-security-vulnerability-…
∗∗∗ Try not to get scammed while looking for work ∗∗∗
---------------------------------------------
Couple weeks ago a CTO contacted me about a role at their company. After three failed calls, I figured they are trying to access my machine.
---------------------------------------------
https://trysound.io/try-not-to-get-scammed-while-looking-for-work/
∗∗∗ 72 Malicious Open VSX Extensions Linked to GlassWorm Campaign Now Using Transitive Dependencies ∗∗∗
---------------------------------------------
GlassWorm has not re-emerged so much as evolved, and our latest analysis shows a significant escalation in how it spreads through Open VSX. Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established.
---------------------------------------------
https://socket.dev/blog/open-vsx-transitive-glassworm-campaign
∗∗∗ Ongoing Phishing Campaign Abusing Google Cloud Storage to Redirect Users to Multiple Scam Pages ∗∗∗
---------------------------------------------
A few days ago, I published a blog analyzing a phishing campaign abusing Google Cloud infrastructure: While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem.
---------------------------------------------
https://malwr-analysis.com/2026/03/14/ongoing-phishing-campaign-abusing-goo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Chrome: Erster Fix unzureichend, neues Notfall-Update veröffentlicht ∗∗∗
---------------------------------------------
Nachdem Google bereits am Freitag ein Notfall-Update für Chrome veröffentlicht hat, legt der Hersteller in der Nacht zum Samstag nach.
---------------------------------------------
https://www.heise.de/news/Jetzt-aktualisieren-Chrome-Notfall-Update-fuer-No…
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1063095/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 12-03-2026 18:00 − Freitag 13-03-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Investigating a New Click-Fix Variant ∗∗∗
---------------------------------------------
Atos Researchers identified a new variant of the popular ClickFix technique, where attackers convince the user to execute a malicious command on their own device through the Win + R shortcut.
---------------------------------------------
https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html
∗∗∗ Rogue AI agents can work together to hack systems and steal secrets ∗∗∗
---------------------------------------------
AI agents work together to bypass security controls and stealthily steal sensitive data from within the enterprise systems in which they operate, according to tests carried out by frontier security lab Irregular.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/03/12/rogue_ai_age…
∗∗∗ A React-based phishing page with credential exfiltration via EmailJS, (Fri, Mar 13th) ∗∗∗
---------------------------------------------
On Wednesday, a phishing message made its way into our handler inbox that contained a fairly typical low-quality lure, but turned out to be quite interesting in the end nonetheless. That is because the accompanying credential stealing web page was dynamically constructed using React and used a legitimate e-mail service for credential collection.
---------------------------------------------
https://isc.sans.edu/diary/rss/32794
∗∗∗ Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163.
---------------------------------------------
https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html
∗∗∗ Ivanti EPMM ‘Sleeper Shells’ not so sleepy? ∗∗∗
---------------------------------------------
In late January 2026 an advisory covering two remote code execution vulnerabilities (CVE-2026-1281 & CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) was published. Shortly after reports (in example by tenable) mentioned publicly available proof-of-concept exploits.
---------------------------------------------
https://blog.nviso.eu/2026/03/13/ivanti-epmm-sleeper-shells-not-so-sleepy/
∗∗∗ “Handala Hack” – Unveiling Group’s Modus Operandi ∗∗∗
---------------------------------------------
Handala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor that is known for multiple destructive wiping attacks combined with “hack and leak” operations. The threat actor operates several online personas, with the most prominent among them being Homeland Justice, maintained from mid-2022 specifically for multiple attacks.
---------------------------------------------
https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-op…
∗∗∗ 6 Malicious Packagist Themes Ship Trojanized jQuery and FUNNULL Redirect Payloads ∗∗∗
---------------------------------------------
Six malicious Packagist packages posing as OphimCMS themes contain trojanized jQuery that exfiltrates URLs, injects ads, and loads FUNNULL-linked redirects.
---------------------------------------------
https://socket.dev/blog/6-malicious-packagist-themes-ship-trojanized-jquery…
=====================
= Vulnerabilities =
=====================
∗∗∗ Mehrere Sicherheitslücken in AppArmor ("CrackArmor") - Updates verfügbar ∗∗∗
---------------------------------------------
Sicherheitsforscher:innen des Unternehmens Qualys haben insgesamt neun Schwachstellen in AppArmor entdeckt welche von den Expert:innen zusammengefasst als "CrackArmor" bezeichnet werden.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/3/mehrere-sicherheitslucken-in-apparm…
∗∗∗ Veeam warns of critical flaws exposing backup servers to RCE attacks ∗∗∗
---------------------------------------------
Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaw…
∗∗∗ Chrome-Notfallupdate: Zwei attackierte Codeschmuggel-Lücken gestopft ∗∗∗
---------------------------------------------
Google hat in der Nacht zum Freitag ein Notfallupdate für Chrome herausgegeben. Es stopft zwei im Internet angegriffene Sicherheitslecks.
---------------------------------------------
https://heise.de/-11209626
∗∗∗ Veeam Backup & Replication: Kritische Schadcode-Sicherheitslücken entdeckt ∗∗∗
---------------------------------------------
In Veeam Backup & Replication schließt das Unternehmen mit Updates mehrere kritische Sicherheitslücken. Sie erlauben Codeschmuggel.
---------------------------------------------
https://heise.de/-11209818
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062775/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 11-03-2026 18:00 − Donnerstag 12-03-2026 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New PhantomRaven NPM attack wave steals dev data via 88 packages ∗∗∗
---------------------------------------------
New attack waves from the PhantomRaven supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-phantomraven-npm-attack-…
∗∗∗ US disrupts SocksEscort proxy network powered by Linux malware ∗∗∗
---------------------------------------------
Law enforcement agencies in the U.S. and Europe along with private partners have disrupted the SocksEscort cybercrime proxy network that used only edge devices compromised via the AVRecon malware for Linux.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-prox…
∗∗∗ Vollzugriff in zwei Stunden: KI-Agent hackt eigenständig KI-Plattform von McKinsey ∗∗∗
---------------------------------------------
Forscher haben einen KI-Agenten auf McKinseys Lilli-Plattform angesetzt. Er konnte Millionen von Chatnachrichten und andere Daten auslesen.
---------------------------------------------
https://www.golem.de/news/vollzugriff-in-zwei-stunden-ki-agent-hackt-eigens…
∗∗∗ When your IoT Device Logs in as Admin, It?s too Late! ∗∗∗
---------------------------------------------
Have you ever installed a new device on your home or company router? Even when setup instructions are straightforward, end users often skip the step that matters most: changing default credentials. The excitement of deploying a new device frequently outweighs the discipline of securing it.
---------------------------------------------
https://isc.sans.edu/diary/rss/32788
∗∗∗ Researchers Trick Perplexitys Comet AI Browser Into Phishing Scam in Under Four Minutes ∗∗∗
---------------------------------------------
Agentic web browsers that leverage artificial intelligence (AI) capabilities to autonomously execute actions across multiple websites on behalf of a user could be trained and tricked into falling prey to phishing and scam traps.
---------------------------------------------
https://thehackernews.com/2026/03/researchers-trick-perplexitys-comet-ai.ht…
∗∗∗ Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered half-a-dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud.
---------------------------------------------
https://thehackernews.com/2026/03/six-android-malware-families-target-pix.h…
∗∗∗ Exploitkit-Gefahr: Apple aktualisiert ältere iOS- und iPadOS-Versionen ∗∗∗
---------------------------------------------
Apple hat in der Nacht zum Donnerstag wichtige Aktualisierungen für Nutzer von iOS und iPadOS 15 und 16 veröffentlicht. Sie sollten schnell eingespielt werden.
---------------------------------------------
https://www.heise.de/news/Exploitkit-Gefahr-Apple-aktualisiert-aeltere-iOS-…
∗∗∗ Taming the dragon: reverse engineering firmware with Ghidra ∗∗∗
---------------------------------------------
I stumbled into infosec the same year the NSA graced us with Ghidra. It’s by far become the most used tool in my arsenal for reverse engineering and vulnerability research. It’s free, extensible, and supports some of the quirkier architectures we come across. But its learning curve is steep. This blog post is the culmination of my learnings from spending what may be too many hours in front of Ghidra’s glaring and dated UI.
---------------------------------------------
https://www.pentestpartners.com/security-blog/taming-the-dragon-reverse-eng…
∗∗∗ Abo-Falle auf der Handyrechnung: So reagieren Sie richtig ∗∗∗
---------------------------------------------
Plötzlich ist Ihre Handyrechnung höher als gewohnt? Ein Blick auf die Rechnung zeigt: Der Grund ist ein Abo, das Sie gar nicht bewusst abgeschlossen haben. Solche Kostenfallen kommen immer wieder vor. Wir erklären, was dahinter steckt und was Sie dagegen tun können.
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-auf-der-handyrechnung-so-r…
∗∗∗ Internationales Cybercrime-Netz zerschlagen, 700 Opfer in Österreich ∗∗∗
---------------------------------------------
Tausende private Router waren gekapert worden. Dadurch wurden anonym Attacken auf IT-Systeme durchgeführt und Darstellungen von Kindesmissbrauch verbreitet
---------------------------------------------
https://www.derstandard.at/story/3000000312309/internationales-cybercrime-n…
∗∗∗ Announcing Pwn2Own Berlin for 2026 ∗∗∗
---------------------------------------------
Willkommen zurück, meine Damen und Herren, zu unserem zweiten Wettbewerb in Berlin! That’s correct (if Google translate didn’t steer me wrong). After our inaugural competition last year, Pwn2Own returns to Berlin and OffensiveCon. Outside of our shipping troubles, we had an amazing time and can’t wait to get back.Last year, we added Artificial Intelligence as a category with great results.
---------------------------------------------
https://www.thezdi.com/blog/2026/3/11/announcing-pwn2own-berlin-for-2026
∗∗∗ A Nerds Life: Weeks of Firmware Teardown to Prove We Were Right ∗∗∗
---------------------------------------------
This blog post is a follow-up to our previous post describing how we managed to extract the firmware of asmartwatch. It contains many references and detailsintroduced in our previous post, readers are therefore advised to read it first.
---------------------------------------------
http://blog.quarkslab.com/nerd-life-weeks-firmware-teardown-we-were-right.h…
∗∗∗ InTune Compromise Allows Attackers to Remotely Wipe Medical Supply Company Devices ∗∗∗
---------------------------------------------
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today.
---------------------------------------------
https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-…
=====================
= Vulnerabilities =
=====================
∗∗∗ SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites ∗∗∗
---------------------------------------------
An SQL injection vulnerability in Ally, a WordPress plugin from Elementor for web accessibility and usability with more than 400,000 installations, could be exploited to steal sensitive data without authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sqli-flaw-in-elementor-ally-…
∗∗∗ Zero Click Unauthenticated RCE in n8n: A Contact Form That Executes Shell Commands ∗∗∗
---------------------------------------------
Pillar Research team found a zero-click, unauthenticated RCE in n8n. Anyone who can reach a public multi-step form with an HTML rendering can execute shell commands on the server. We worked with the n8n team to fix it. If you use n8n Cloud, youre already protected. If youre self-hosting, update to 2.10.1 / 2.9.3 / 1.123.22 now.
---------------------------------------------
https://www.pillar.security/blog/zero-click-unauthenticated-rce-in-n8n-a-co…
∗∗∗ Aruba-Switches mit AOS-CX: Angreifer können Admin-Passwort zurücksetzen ∗∗∗
---------------------------------------------
HPEs Netzwerkbetriebssystem Aruba Networking AOS-CX ist verwundbar. Die Entwickler haben mehrere Sicherheitslücken geschlossen.
---------------------------------------------
https://www.heise.de/news/Aruba-Switches-mit-AOS-CX-Angreifer-koennen-Admin…
∗∗∗ HP-PCs: Angreifer können sich höhere Rechte über UEFI-Lücken verschaffen ∗∗∗
---------------------------------------------
Computer von HP sind über mehrere Schwachstellen im UEFI und Device Manager angreifbar.
---------------------------------------------
https://www.heise.de/news/HP-PCs-Angreifer-koennen-sich-hoehere-Rechte-uebe…
∗∗∗ Zoom: Netzwerkangriffe auf kritische Sicherheitslücke möglich ∗∗∗
---------------------------------------------
In der Videokonferenzsoftware von Zoom finden sich teils kritische Sicherheitslücken. Angreifer aus dem Netz können Rechte ausweiten.
---------------------------------------------
https://www.heise.de/news/Zoom-Videokonferenzsoftware-ermoeglicht-Angreifer…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062570/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 10-03-2026 18:00 − Mittwoch 11-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Analyzing "Zombie Zip" Files (CVE-2026-0866), (Wed, Mar 11th) ∗∗∗
---------------------------------------------
A new vulnerability (CVE-2026-0866) has been published: Zombie Zip. It's a method to create a malformed ZIP file that will bypass detection by most anti-virus engines. The malformed ZIP file can not be opened with a ZIP utility, a custom loader is required. [..] I will show you how to use my tools to analyze such a malformed ZIP file.
---------------------------------------------
https://isc.sans.edu/diary/rss/32786
∗∗∗ Claude Tried to Hack 30 Companies. Nobody Asked It To. ∗∗∗
---------------------------------------------
We gave AI agents simple research tasks on cloned corporate websites. When the legitimate path was broken, the agents autonomously discovered and exploited SQL injection vulnerabilities to complete the task — with zero hacking instructions in any prompt.
---------------------------------------------
https://trufflesecurity.com/blog/claude-tried-to-hack-30-companies-nobody-a…
∗∗∗ Sextortion “I recorded you” emails reuse passwords found in disposable inboxes ∗∗∗
---------------------------------------------
I found that one particular sender using the name Jenny Green and the Gmail address JennyGreen64868(a)gmail.com sent many of these emails to people that use the FakeMailGenerator service. [..] My guess is that the scammer searched these public inboxes for passwords and then reused those passwords in their sextortion emails.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/03/sextortion-i-recorded-you-em…
∗∗∗ Bitpanda-Falle: Warnung vor unautorisiertem Wallet-Transfer ist ein Phishing-Versuch! ∗∗∗
---------------------------------------------
Seit längerer Zeit nutzen nun bereits Kriminelle den Finanzdienstleister Bitpanda als Deckmantel für eine massive Phishing-Welle. Mithilfe von Meldungen zu angeblich unautorisierten Wallet-Transfers oder Auszahlungsversuchen üben sie Druck auf ihre Opfer aus. Die Ziele sind der Zugriff auf das Bankkonto und die Freigabe von Überweisungen.
---------------------------------------------
https://www.watchlist-internet.at/news/bitpanda-wallet-transfer-phishing/
∗∗∗ Sednit reloaded: Back in the trenches ∗∗∗
---------------------------------------------
In this blogpost, we have shown that Sednit’s advanced development team is active once again, operating an arsenal centered on two implants – BeardShell and Covenant – deployed in tandem and each leveraging a different cloud provider. This setup enables operators to reestablish access quickly if the infrastructure for one is taken down. We believe that this dual-implant strategy is not new. [..] The Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trench…
∗∗∗ BlackSanta Malware Targets HR Staff with Fake CV Downloads ∗∗∗
---------------------------------------------
It is a classic case of hackers exploiting the one thing recruiters have to do every day: open files from strangers. [..] The threat, dubbed the BlackSanta malware [..] they target the specific workflows of recruiters, sending harmless-looking emails with links to CVs on sites like Dropbox. [..] the attackers are using a technique called steganography. For your information, this involves hiding malicious code inside a normal-looking image.
---------------------------------------------
https://hackread.com/blacksanta-malware-hr-staff-fake-cv-downloads/
∗∗∗ RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities ∗∗∗
---------------------------------------------
A deep dive into the RondoDox botnet, examining its infrastructure, exploit adoption timeline, and methods used to target internet-exposed systems.
---------------------------------------------
https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis
∗∗∗ Microsoft releases Windows 10 KB5078885 extended security update ∗∗∗
---------------------------------------------
Microsoft has released the Windows 10 KB5078885 extended security update to fix the March 2026 Patch Tuesday vulnerabilities, including 2 zero-days and an issue that prevent some devices from shutting down.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Patch Tuesday for March 2026 — Snort rules and prominent vulnerabilities ∗∗∗
---------------------------------------------
Microsoft has released its monthly security update for March 2026 which includes 79 vulnerabilities, including three that Microsoft marked as “critical.”
---------------------------------------------
https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/
∗∗∗ HPE warns of critical AOS-CX flaw allowing admin password resets ∗∗∗
---------------------------------------------
Hewlett Packard Enterprise (HPE) has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including several authentication and code execution issues. [..] The most severe security flaw today is a critical authentication bypass vulnerability (tracked as CVE-2026-23813) that attackers without privileges can exploit in low-complexity attacks to reset admin passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hpe-warns-of-critical-aos-cx…
∗∗∗ Adobe-Patchday: Schadcodeschmuggel in Reader, Illustrator und weiteren möglich ∗∗∗
---------------------------------------------
Die Patchday-Übersicht von Adobe listet die acht Sicherheitsmitteilungen zu den einzelnen Produkten auf. In Adobe Commerce, Commerce B2B und Magento Open Source schließen die Entwickler 19 Sicherheitslücken.
---------------------------------------------
https://www.heise.de/news/Adobe-Patchday-Schadcodeschmuggel-in-Reader-Illus…
∗∗∗ Passwort-Manager KeePassXC 2.7.12: Was Nutzer beim Update beachten müssen ∗∗∗
---------------------------------------------
Der quelloffene Passwort-Manager KeePassXC ist in Version 2.7.12 erschienen. [..] Wie die Entwickler in ihrem Release-Blog mitteilen, enthält die neue Version Mitigationen gegen Exploits über manipulierte OpenSSL-Konfigurationsdateien auf Windows.
---------------------------------------------
https://www.heise.de/news/KeePassXC-2-7-12-DLL-Schutz-Passkey-Aenderungen-u…
∗∗∗ Fortinet schließt Brute-Force- und Befehlsschmuggel-Lücken in FortiWeb & Co. ∗∗∗
---------------------------------------------
Fortinet schließt Lücken in FortiWeb oder FortiManager, die etwa Einschleusen von Befehlen erlauben. [..] Unzureichende Prüfung der Interaktionsfrequenz ermöglicht nicht authentifizierten Angreifern, das Authentifizierungs-Rate-Limit von FortiWeb mit manipulierten Anfragen auszuhebeln (CVE-2026-24017, CVSS 7.3, Risiko „hoch“).
---------------------------------------------
https://www.heise.de/news/Fortinet-schliesst-Brute-Force-und-Befehlsschmugg…
∗∗∗ Drupal: Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-029
∗∗∗ Drupal: AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-028
∗∗∗ Cisco: Cisco IOS XR Egress Packet Network Interface Aligner Interrupt Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco: Cisco Multiple Cisco Contact Center Products Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco: Cisco IOS XR Software CLI Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco: Cisco IOS XR Software Multi-Instance Intermediate System-to-Intermediate System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Splunk: Security Advisories 2026-03-11 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ WordPress 6.9.4 Release ∗∗∗
---------------------------------------------
https://wordpress.org/news/2026/03/wordpress-6-9-4-release/
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062403/
∗∗∗ Paloalto: CVE-2026-0230 Cortex XDR Agent: Local Administrator can disable the agent on macOS (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2026-0230
∗∗∗ Paloalto: CVE-2026-0231 Cortex XDR Broker VM: Sensitive Information Disclosure Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2026-0231
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 09-03-2026 18:00 − Dienstag 10-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Lock the Ghost ∗∗∗
---------------------------------------------
In the software world, “remove” is not equal to "gone." This is crystal clear. There is always a good reason for that, but even the best reason does not have to be intuitive or expected by the users. Let’s take a short trip through how Python Package Index handles removals and how we can lock the ghost in an uv.lock file – forever!
---------------------------------------------
https://www.cert.at/en/blog/2026/3/lock-the-ghost
∗∗∗ Microsoft Teams phishing targets employees with A0Backdoor malware ∗∗∗
---------------------------------------------
Hackers contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-tar…
∗∗∗ APT28 hackers deploy customized variant of Covenant open-source tool ∗∗∗
---------------------------------------------
The Russian state-sponsored APT28 threat group is using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customi…
∗∗∗ Microsoft to enable Windows hotpatch security updates by default ∗∗∗
---------------------------------------------
Microsoft will turn on hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, beginning with the May 2026 Windows security update.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enable-hotpatc…
∗∗∗ Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts.
---------------------------------------------
https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html
∗∗∗ KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware called KadNap that's primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic.
---------------------------------------------
https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html
∗∗∗ Bawag-Phishing: Debitkarte, PIN-Code und Zugangsdaten für Onlinebanking in Gefahr! ∗∗∗
---------------------------------------------
Eine altbekannte Phishing-Masche ist gerade wieder besonders häufig zu beobachten. Die Drahtzieher versenden Fake-Mails im Namen der Bawag, die vor einem Ablaufen der Debitkarte warnen. Mit dem vermeintlichen Bestellvorgang der neuen Card fragen sie sensibelste Daten ab. Zudem werden die Opfer aufgefordert, ihre alte Karte per Post an eine Wiener Adresse zu schicken.
---------------------------------------------
https://www.watchlist-internet.at/news/bawag-phishing-debitkarte/
∗∗∗ Iranian MOIS Actors & the Cyber Crime Connection ∗∗∗
---------------------------------------------
Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives. Iranian actors have long used cyber crime and hacktivism as cover for destructive activity, but the trend now suggests direct engagement with the criminal ecosystem. The post Iranian MOIS Actors & the Cyber Crime Connection appeared first on Check Point Research.
---------------------------------------------
https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-co…
∗∗∗ OpenClaw Advisory Surge Highlights Gaps Between GHSA and CVE Tracking ∗∗∗
---------------------------------------------
A recent burst of security disclosures in the OpenClaw project is drawing attention to how vulnerability information flows across advisory and CVE systems.
---------------------------------------------
https://socket.dev/blog/openclaw-advisory-surge-highlights-gaps-between-ghs…
∗∗∗ Cyberattack Forces Polish Hospital Revert to Paper-Based Operations ∗∗∗
---------------------------------------------
The Independent Public Regional Hospital in the western Polish city of Szczecin has been compelled to switch back to a paper-based workflow after suffering a cyberattack over the weekend. Hospital authorities confirmed that the incident, which struck the facility’s IT system on the night of March 7-8, 2026, has temporarily disrupted digital operations, though patients’ health remains uncompromised.
---------------------------------------------
https://thecyberexpress.com/szczecin-public-regional-hospital-cyberattack/
=====================
= Vulnerabilities =
=====================
∗∗∗ SAP-Patchday: NetWeaver-Lücke ermöglicht Einschleusen von Schadcode ∗∗∗
---------------------------------------------
Im März behandelt SAP in 15 Sicherheitsmitteilungen teils kritische Sicherheitslücken in diversen Produkten. Admins müssen handeln.
---------------------------------------------
https://heise.de/-11205008
∗∗∗ 30,000 WordPress Sites Affected by Authentication Bypass Vulnerability in Tutor LMS Pro WordPress Plugin ∗∗∗
---------------------------------------------
On December 30th, 2025, we received a submission for an Authentication Bypass vulnerability in Tutor LMS Pro, a WordPress plugin estimated to have more than 30,000 active installations. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address.
---------------------------------------------
https://www.wordfence.com/blog/2026/03/30000-wordpress-sites-affected-by-au…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062260/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-ex…
∗∗∗ Ivanti March 2026 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/march-2026-security-update
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/