=====================
= End-of-Day report =
=====================
Timeframe: Freitag 06-03-2026 18:00 − Montag 09-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Microsoft: Hackers abusing AI at every stage of cyberattacks ∗∗∗
---------------------------------------------
Microsoft says threat actors are increasingly using artificial intelligence in their operations to accelerate attacks, scale malicious activity, and lower technical barriers across all aspects of a cyberattack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai…
∗∗∗ Termite ransomware breaches linked to ClickFix CastleRAT attacks ∗∗∗
---------------------------------------------
Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-…
∗∗∗ VU#976247: Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed zip archives ∗∗∗
---------------------------------------------
Malformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives. Despite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression.
---------------------------------------------
https://kb.cert.org/vuls/id/976247
∗∗∗ Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model ∗∗∗
---------------------------------------------
Anthropic on Friday said it discovered 22 new security vulnerabilities in the Firefox web browser as part of a security partnership with Mozilla. Of these, 14 have been classified as high, seven have been classified as moderate, and one has been rated low in severity.
---------------------------------------------
https://thehackernews.com/2026/03/anthropic-finds-22-firefox.html
∗∗∗ Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft ∗∗∗
---------------------------------------------
Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to downstream customers, inject arbitrary code, and harvest sensitive data.
---------------------------------------------
https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.ht…
∗∗∗ UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device ∗∗∗
---------------------------------------------
The North Korean threat actor known as UNC4899 is suspected to be behind a sophisticated cloud compromise campaign targeting a cryptocurrency organization in 2025 to steal millions of dollars in cryptocurrency.
---------------------------------------------
https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.ht…
∗∗∗ Spyware disguised as emergency-alert app sent to Israeli smartphones ∗∗∗
---------------------------------------------
Steals SMS messages, location data, contacts and delivers it to Hamas-linked crew Hamas-linked attackers are dropping spyware disguised as an emergency-alert app on Israelis smartphones via SMS messages, according to security researchers.
---------------------------------------------
https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/
∗∗∗ Russian cybercrims phish their way into officials Signal and WhatsApp accounts ∗∗∗
---------------------------------------------
Dutch spies flag large-scale campaign to hijack secure messaging accounts Russian-linked hackers are trying to break into the Signal and WhatsApp accounts of government officials, journalists, and military personnel globally – not by cracking encryption, but by simply tricking people into handing over the keys.
---------------------------------------------
https://www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/
∗∗∗ Middle East Conflict Fuels Opportunistic Cyber Attacks ∗∗∗
---------------------------------------------
Threat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-…
∗∗∗ NIS2: Warum sich so wenige Unternehmen registrieren ∗∗∗
---------------------------------------------
Die NIS2-Registrierungsfrist ist verstrichen, doch viele Unternehmen haben sich noch nicht angemeldet. Darum stockt die Umsetzung der Security-Richtlinie.
---------------------------------------------
https://www.heise.de/news/Douglas-Adams-wuerde-NIS2-lieben-11204285.html
∗∗∗ DumpBrowserSecrets – Browser Credential Harvesting with App-Bound Encryption Bypass ∗∗∗
---------------------------------------------
DumpBrowserSecrets extracts saved passwords, cookies, OAuth tokens and autofill data from Chrome, Edge, Firefox, Opera and Vivaldi, bypassing App-Bound Encryption via Early Bird APC injection.
---------------------------------------------
https://www.darknet.org.uk/2026/03/dumpbrowsersecrets-browser-credential-ha…
∗∗∗ LTR101 - Getting into Industry in 2026 ∗∗∗
---------------------------------------------
Breaking into cybersecurity in 2026: SOC roles, blue team skills, labs, certifications, and practical advice to help you land your first job.
---------------------------------------------
https://blog.zsec.uk/ltr101-getting-into-industry-in-2026/
∗∗∗ AI Bot Hackerbot-Claw Targets Microsoft, DataDog and CNCF GitHub Repos ∗∗∗
---------------------------------------------
Security firm Pillar reveals the Chaos Agent in which Hackerbot-Claw, an AI agent, used natural language to compromise major GitHub projects and hijack developer tools.
---------------------------------------------
https://hackread.com/ai-bot-hackerbot-claw-microsoft-datadog-github-repos/
∗∗∗ Behind the console: Active phishing campaign targeting AWS console credentials ∗∗∗
---------------------------------------------
Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phi…
∗∗∗ The first AI agent worm is months away, if that ∗∗∗
---------------------------------------------
I'm convinced that the first AI worm/virus is months away, if that. We've seen the first major evidence of "claw" style agents, which have only been around very briefly, acting in highly malicious ways.
---------------------------------------------
https://dustycloud.org/blog/the-first-ai-agent-worm-is-months-away-if-that/
∗∗∗ ClipXDaemon Malware, a Stealthy Cryptocurrency Clipboard Hijacker on Linux ∗∗∗
---------------------------------------------
Security researchers have identified a new Linux malware strain called ClipXDaemon, a stealthy threat designed to target cryptocurrency users by manipulating copied wallet addresses. Cyble’s Research & Intelligence Labs (CRIL) found the malware delivered through a loader structure previously associated with ShadowHS activity.
---------------------------------------------
https://thecyberexpress.com/clipxdaemon-linux-malware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Nextcloud: Codeschmuggel durch Lücke in Flow möglich ∗∗∗
---------------------------------------------
In Nextcloud Flow können Angreifer eine Sicherheitslücke missbrauchen, um die Instanz zu kompromittieren. Ein Update steht bereit.
---------------------------------------------
https://heise.de/-11203404
∗∗∗ Critical Nginx UI Vulnerability Exposes Server Backups and Sensitive Data ∗∗∗
---------------------------------------------
A newly disclosed vulnerability in Nginx UI, tracked as CVE-2026-27944, has raised major security concerns after researchers confirmed that attackers can download and decrypt server backups without authentication. The flaw, which carries a CVSS score of 9.8, represents a critical security risk for organizations that expose their Nginx UI management interface to the public internet.
---------------------------------------------
https://thecyberexpress.com/cve-2026-27944-nginx-ui-backup-vulnerability/
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1062103/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 05-03-2026 18:00 − Freitag 06-03-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Wikipedia hit by self-propagating JavaScript worm that vandalized pages ∗∗∗
---------------------------------------------
The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propag…
∗∗∗ Fake Claude Code install guides push infostealers in InstallFix attacks ∗∗∗
---------------------------------------------
Threat actors are employing a new variation of the ClickFix social engineering technique called InstallFix to convince users into running malicious commands under the pretext of installing legitimate command line interface (CLI) tools.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-claude-code-install-gui…
∗∗∗ Cyberangriff: Das FBI hat offenbar Hacker im Netzwerk ∗∗∗
---------------------------------------------
Beim FBI ist offenbar ein System zur Verwaltung von Überwachungsmaßnahmen kompromittiert worden. Die Behörde untersucht verdächtige Aktivitäten.
---------------------------------------------
https://www.golem.de/news/cyberangriff-das-fbi-hat-offenbar-hacker-im-netzw…
∗∗∗ Datenschutz: FBI gelangt an Zahlungsdaten von Protonmail ∗∗∗
---------------------------------------------
Durch Rechtshilfeabkommen können persönliche Daten auch aus der Schweiz an Strafverfolgungsbehörden in den USA gelangen.
---------------------------------------------
https://www.golem.de/news/datenschutz-fbi-gelangt-an-zahlungsdaten-von-prot…
∗∗∗ Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer ∗∗∗
---------------------------------------------
Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware.
---------------------------------------------
https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
∗∗∗ Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver various encrypted remote access trojan (RATs) payloads that correspond to XWorm, AsyncRAT, and Xeno RAT.
---------------------------------------------
https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html
∗∗∗ Warnung vor Angriffen auf Hikvision, Rockwell Automation und Apple-Produkte ∗∗∗
---------------------------------------------
Die US-amerikanische IT-Sicherheitsbehörde CISA warnt vor aktuellen Angriffen auf Hikvision, Rockwell Automation und Apple-Produkte.
---------------------------------------------
https://www.heise.de/news/Warnung-vor-Angriffen-auf-Hikvision-Rockwell-Auto…
∗∗∗ London: Bei Cyberangriff auf Verkehrsbehörde zehn Millionen Datensätze gestohlen ∗∗∗
---------------------------------------------
2024 gab es einen Cyberangriff auf die britische Behörde TfL. Nun ist herausgekommen: Dabei wurden auch Daten von zehn Millionen Kundinnen und Kunden gestohlen.
---------------------------------------------
https://www.heise.de/news/London-Zehn-Millionen-Datensaetze-bei-Cyberangrif…
∗∗∗ BSI: 11.500 kritische Einrichtungen unter NIS2 registriert ∗∗∗
---------------------------------------------
Zum Registrierungsfristende haben tausende Unternehmen den Prozess abgeschlossen – doch knapp 20.000 fehlen wohl noch.
---------------------------------------------
https://www.heise.de/news/BSI-11-500-kritische-Einrichtungen-unter-NIS2-reg…
∗∗∗ Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets ∗∗∗
---------------------------------------------
We uncovered a fake CleanMyMac site delivering SHub Stealer, a macOS infostealer that steals credentials and silently backdoors crypto wallets.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site…
∗∗∗ An Investigation Into Years of Undetected Operations Targeting High-Value Sectors ∗∗∗
---------------------------------------------
In-depth analysis of threat activity we call CL-UNK-1068. We discuss their toolset, including tunneling, reconnaissance and credential theft.
---------------------------------------------
https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/
∗∗∗ The Hidden Cyber Risks of Remote Work Infrastructure ∗∗∗
---------------------------------------------
Hidden cyber risks in remote work include insecure home Wi-Fi, phishing attacks, and data exposure, leaving businesses and employees vulnerable to breaches.
---------------------------------------------
https://hackread.com/hidden-cyber-risks-remote-work-infrastructure/
∗∗∗ Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV ∗∗∗
---------------------------------------------
Avira Internet Security ships with a handful of modules that quietly handle privileged operations in the background: software updates, performance monitoring and system cleanup. Each one runs parts of its workflow as SYSTEM. Three of them dont bother checking what they are actually operating on.
---------------------------------------------
http://blog.quarkslab.com/avira-deserialize-delete-and-escalate-the-proper-…
∗∗∗ A GitHub Issue Title Compromised 4,000 Developer Machines ∗∗∗
---------------------------------------------
The attack - which Snyk named "Clinejection"2 - composes five well-understood vulnerabilities into a single exploit that requires nothing more than opening a GitHub issue.
---------------------------------------------
https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another
∗∗∗ Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects ∗∗∗
---------------------------------------------
Socket’s Threat Research Team uncovered a malicious Chrome extension, lmΤoken Chromophore (extension ID bbhaganppipihlhjgaaeeeefbaoihcgi), that impersonates imToken while presenting itself as a hex color visualizer in the Chrome Web Store. Instead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it.
---------------------------------------------
https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-v…
∗∗∗ A Satellite Receiver Trusted by Pentagon, ESA Has More Than 20 Security Flaws — and the Maker Never Responded ∗∗∗
---------------------------------------------
A penetration tester found more than 20 vulnerabilities in a satellite receiver deployed by the U.S. Department of Defense (also referred to as the Department of War), the European Space Agency, and other critical infrastructure operators worldwide — and the device’s manufacturer, International Data Casting Corporation (IDC), did not respond to a single disclosure attempt over several months.
---------------------------------------------
https://thecyberexpress.com/satellite-receiver-vulnerabilities-unpatched/
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress membership plugin bug exploited to create admin accounts ∗∗∗
---------------------------------------------
Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-…
∗∗∗ Acronis warnt vor zig Sicherheitslücken in Cyber Protect ∗∗∗
---------------------------------------------
Vor mehr als 20 Sicherheitslücken in Cyber Protect warnt Acronis aktuell. Admins sollten bereitstehende Updates rasch anwenden.
---------------------------------------------
https://www.heise.de/news/Acronis-Cyber-Protect-Zig-Schwachstellen-gefaehrd…
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1061738/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 04-03-2026 18:00 − Donnerstag 05-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers ∗∗∗
---------------------------------------------
A maximum severity vulnerability in the FreeScout helpdesk platform allows hackers to achieve remote code execution without any user interaction or authentication. [..] The flaw is tracked as CVE-2026-28289 and bypasses a fix for another remote code execution (RCE) security issue (CVE-2026-27636) that could be exploited by authenticated users with upload permissions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack…
∗∗∗ Kritische Sicherheitslücken in Cisco Secure Firewall Produkten - Updates verfügbar ∗∗∗
---------------------------------------------
Cisco hat am 4. März 2026 mehrere Advisories veröffentlicht, die insgesamt 17 Schwachstellen in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software und Cisco Secure Firewall Management Center (FMC) Software adressieren.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/3/kritische-sicherheitslucken-in-cisc…
∗∗∗ Google says 90 zero-days were exploited in attacks last year ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited throughout 2025, almost half of them in enterprise software and appliances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-wer…
∗∗∗ Malware-laced OpenClaw installers get Bing AI search boost ∗∗∗
---------------------------------------------
Think before you download OpenClaw, the AI agent that can manage just about anything, is risky all by itself, but now fake installers for it are wreaking havoc. Users who searched Bing’s AI results for “OpenClaw Windows” were directed to a malicious GitHub repository that delivered information stealers and GhostSocks onto their machines.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2026/03/04/fake_opencla…
∗∗∗ Cybercrime: Behörden schalten das Datenleak-Forum LeakBase ab ∗∗∗
---------------------------------------------
Nach der Beschlagnahmung der LeakBase-Datenbank, einem der weltweit größten Cybercrime-Foren, identifizierten und verhafteten die Behörden mehrere Verdächtige.
---------------------------------------------
https://www.heise.de/news/Cybercrime-Behoerden-schalten-das-Datenleak-Forum…
∗∗∗ Europäische Strafverfolger zerschlagen Phishing-Plattform ∗∗∗
---------------------------------------------
Tycoon2FA gehörte zu den weltweit größten Phishing-Operationen. Sie ermöglichte Kriminellen unbemerkten Zugriff auf E-Mail-Konten. Nun wurde sie abgeschaltet.
---------------------------------------------
https://www.heise.de/news/Europaeische-Strafverfolgungsbehoerden-zerschlage…
∗∗∗ New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages ∗∗∗
---------------------------------------------
The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories. Across its many variants, the stealer demonstrates extensive data‑harvesting capabilities, with its ability to dynamically stage payloads, bypass analysis through anti‑VM and anti‑debug checks and offload sensitive operations to encrypted payloads showing a level of engineering sophistication that continues to increase.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/c/boryptgrab-stealer-targets-u…
∗∗∗ Fake Zoom, Teams Meeting Invites Use Compromised Certificates to Drop Malware ∗∗∗
---------------------------------------------
A new phishing campaign is using stolen certificates from TrustConnect Software PTY LTD to sign malware. By impersonating updates for Zoom and Microsoft Teams, hackers install RMM tools to gain persistent, privileged access to networks.
---------------------------------------------
https://hackread.com/fake-zoom-teams-invites-malware-certificates/
∗∗∗ Cyberangriffe im Jahr 2026: Der Login als Waffe ∗∗∗
---------------------------------------------
Cyberkriminelle und nationalstaatliche Akteure verlagern ihren Fokus zunehmend weg vom aufwendigen Eindringen in Systeme, wie aus Cloudflares Bedrohungsbericht 2026 hervorgeht. Stattdessen setzen sie eher auf das effizientere Einloggen mit gestohlenen Zugangsdaten.
---------------------------------------------
https://heise.de/-11200132
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal: AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-022
∗∗∗ Drupal: Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-024
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1061464/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 03-03-2026 18:00 − Mittwoch 04-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations ∗∗∗
---------------------------------------------
The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline.
---------------------------------------------
https://thehackernews.com/2026/03/fake-tech-support-spam-deploys.html
∗∗∗ Angriffe auf VMware Aria Operations beobachtet ∗∗∗
---------------------------------------------
In der vergangenen Woche hatte Broadcom eine Warnung veröffentlicht, die Sicherheitslecks in VMware Aria Operations betraf. Die Software kommt auch in Cloud Foundation, Telco Cloud Platform, Telco Cloud Infrastructure und vSphere Foundation zum Einsatz, sodass auch diese verwundbar sind. Die CISA meldet nun Angriffe auf eine Schwachstelle, die nicht authentifizierten Akteuren das Ausführen beliebiger Befehle und in der Folge von beliebigem Schadcode aus dem Netz in VMware Aria Operations ermöglicht.
---------------------------------------------
https://www.heise.de/news/Angriffe-auf-VMware-Aria-Operations-beobachtet-11…
∗∗∗ ESC-Tickets: Hohes Risiko bei Kauf über hellotickets.de! ∗∗∗
---------------------------------------------
Bis zum großen Spektakel des Eurovision Song Contest (ESC) sind es noch knapp zwei Monate. Alle Shows sind bereits ausverkauft. Dennoch werden auf der Website hellotickets.de vermeintlich weiterhin Eintrittskarten angeboten.
---------------------------------------------
https://www.watchlist-internet.at/news/esc-tickets-hohes-risiko-helloticket…
∗∗∗ Telegram Increasingly Used to Sell Access, Malware and Stolen Logs ∗∗∗
---------------------------------------------
Cybercriminals are now increasingly using Telegram to sell corporate access, malware subscriptions, and stealer logs, turning the messaging app into a fast cybercrime hub.
---------------------------------------------
https://hackread.com/telegram-used-sell-access-malware-stolen-logs/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2026 Mar 04 ∗∗∗
---------------------------------------------
On March 4, 2026, Cisco released 27 new security advisories. Two of these advisories impact the Cisco Firewall Management Center and have been classified as critical (Authentication Bypass CVE-2026-20079 and Remote Code Execution CVE-2026-20131).
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
∗∗∗ Vulnerability & Patch Roundup — February 2026 ∗∗∗
---------------------------------------------
To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2026/02/vulnerability-patch-roundup-february-2026.h…
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1061295/
∗∗∗ [R1] Nessus Manager Versions 10.10.3 and 10.11.3 Fix One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-08
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 02-03-2026 18:00 − Dienstag 03-03-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ LLMs can unmask pseudonymous users at scale with surprising accuracy ∗∗∗
---------------------------------------------
Pseudonymity has never been perfect for preserving privacy. Soon it may be pointless.
---------------------------------------------
https://arstechnica.com/security/2026/03/llms-can-unmask-pseudonymous-users…
∗∗∗ Fake Google Security site uses PWA app to steal credentials, MFA codes ∗∗∗
---------------------------------------------
A phishing campaign is using a fake Google Account security page to deliver a web-based app capable of stealing one-time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims browsers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-google-security-site-us…
∗∗∗ Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets ∗∗∗
---------------------------------------------
Microsoft on Monday warned of phishing campaigns that employ phishing emails and OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers. The activity, the company said, targets government and public-sector organizations with the end goal of redirecting victims to attacker-controlled infrastructure without stealing their tokens.
---------------------------------------------
https://thehackernews.com/2026/03/microsoft-warns-oauth-redirect-abuse.html
∗∗∗ Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ∗∗∗
---------------------------------------------
The threat actor behind the recently disclosed artificial intelligence (AI)-assisted campaign targeting Fortinet FortiGate appliances leveraged an open-source, AI-native security testing platform called CyberStrikeAI to execute the attacks.
---------------------------------------------
https://thehackernews.com/2026/03/open-source-cyberstrikeai-deployed-in.html
∗∗∗ Until last month, attackers couldve stolen info from Perplexity Comet users just by sending a calendar invite ∗∗∗
---------------------------------------------
AI browsing agent left local files open for the taking If you wanted to steal local files from someone using Perplexitys Comet browser, until last month you could just schedule the theft by sending your victim a calendar event.
---------------------------------------------
https://www.theregister.com/2026/03/03/perplexity_comet_browser_hole_cal_in…
∗∗∗ Breaking Out of Citrix and other Restricted Desktop Environments ∗∗∗
---------------------------------------------
Many organisations are turning to virtualisation of apps and desktops. This often involves virtualisation platforms such as Citrix to deliver these services. Get your configuration or lock-down wrong and you’ll find users ‘breaking out’ of the environment you thought you had secured.
---------------------------------------------
https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-ot…
∗∗∗ Fake-Hotelwebsite als Basis für Kombi-Betrugsmasche ∗∗∗
---------------------------------------------
Über den gefälschten Online-Auftritt eines Hotels versuchen Kriminelle an die Kontaktdaten und (vermutlich) das Geld ihrer Opfer zu gelangen. Zusätzlich nutzen sie die Domain der Fake-Seite für den Versand von Phishing-Mails.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-hotelwebsite-kombi-betrugsmasch…
∗∗∗ Anonymous credentials: an illustrated primer ∗∗∗
---------------------------------------------
This post has been on my back burner for well over a year. This has bothered me, because every month that goes by I become more convinced that anonymous authentication the most important topic we could be talking about as cryptographers. This is because I’m very worried that we’re headed into a bit of a privacy dystopia, driven largely by bad legislation and the proliferation of AI.
---------------------------------------------
https://blog.cryptographyengineering.com/2026/03/02/anonymous-credentials-a…
∗∗∗ Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran ∗∗∗
---------------------------------------------
Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders.
---------------------------------------------
https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
∗∗∗ Silver Dragon: China Nexus Cyber Espionage Group Targeting Governments in Asia and Europe ∗∗∗
---------------------------------------------
Silver Dragon is a China nexus cyber espionage group targeting government ministries and public sector organizations across Southeast Asia, with additional victims identified in Europe. The group gains initial access through exploitation of public-facing servers and targeted phishing campaigns aimed at government entities.
---------------------------------------------
https://blog.checkpoint.com/research/silver-dragon-china-nexus-cyber-espion…
∗∗∗ Hackers Abuse .arpa Top-Level Domain to Host Phishing Scams ∗∗∗
---------------------------------------------
Hackers abuse the .arpa Top-Level Domain to host phishing scams, using IPv6 tunnels, reverse DNS tricks, and shadow domains to bypass security checks.
---------------------------------------------
https://hackread.com/hackers-arpa-top-level-domain-phishing-scams/
∗∗∗ Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-io…
∗∗∗ Analysis of an Integrated Phishing Campaign Utilizing Google Cloud Infrastructure ∗∗∗
---------------------------------------------
In recent weeks, a highly organized phishing campaign has surfaced, characterized by its use of legitimate Google infrastructure to bypass standard security filters. I have identified more than 25 distinct phishing emails targeting a single account, all of which ultimately direct users to a specific URL: hxxps://storage[.]googleapis[.]com/whilewait/comessuccess.html.
---------------------------------------------
https://malwr-analysis.com/2026/03/03/analysis-of-an-integrated-phishing-ca…
∗∗∗ Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE) ∗∗∗
---------------------------------------------
On today’s ‘good news disguised as other things’ segment, we’re turning our gaze to CVE-2026-21902 - a recently disclosed “Incorrect Permission Assignment for Critical Resource” vulnerability affecting Juniper’s Junos OS Evolved platform. This vulnerability affects only Juniper’s PTX Series of devices, apparently.
---------------------------------------------
https://labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Gefährliche Sicherheitslücke: Angriffe auf Android-Nutzer beobachtet ∗∗∗
---------------------------------------------
Eine gefährliche Sicherheitslücke in einer Grafikkomponente von Qualcomm wird aktiv ausgenutzt. Android-Nutzer sollten so bald wie möglich updaten.
---------------------------------------------
https://www.golem.de/news/gefaehrliche-sicherheitsluecke-angriffe-auf-andro…
∗∗∗ HPE AutoPass License Server erlaubt Umgehung der Authentifizierung ∗∗∗
---------------------------------------------
HPE warnt vor einer gravierenden Sicherheitslücke im HPE AutoPass Lizenzserver (APLS). Die Authentifizierung lässt sich umgehen.
---------------------------------------------
https://www.heise.de/news/HPE-AutoPass-License-Server-erlaubt-Umgehung-der-…
∗∗∗ HCL BigFix: Angreifer können auf Daten im Dateisystem zugreifen ∗∗∗
---------------------------------------------
Die Endpoint-Management-Plattform HCL BigFix ist verwundbar. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://www.heise.de/news/HCL-BigFix-Angreifer-koennen-auf-Daten-im-Dateisy…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1061043/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 27-02-2026 18:00 − Montag 02-03-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft testing Windows 11 batch file security improvements ∗∗∗
---------------------------------------------
Microsoft is rolling out new Windows 11 Insider Preview builds that improve security and performance during batch file or CMD script execution.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-testing-windows-1…
∗∗∗ QuickLens Chrome extension steals crypto, shows ClickFix attack ∗∗∗
---------------------------------------------
A Chrome extension named "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/quicklens-chrome-extension-s…
∗∗∗ UK warns of Iranian cyberattack risks amid Middle-East conflict ∗∗∗
---------------------------------------------
The United Kingdoms National Cyber Security Centre (NCSC) alerted British organizations to a heightened risk of Iranian cyberattacks amid the ongoing conflict in the Middle East.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/uk-warns-of-iranian-cyberatt…
∗∗∗ A fake FileZilla site hosts a malicious download ∗∗∗
---------------------------------------------
A tampered copy of FileZilla quietly contacts attacker-controlled servers using encrypted DNS traffic that can slip past traditional monitoring.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/03/a-fake-filezilla-sit…
∗∗∗ FinanzOnline-Phishing: Kriminelle drohen mit Hausratpfändung ∗∗∗
---------------------------------------------
Oh Schreck: Eine Pfändung des Hausrats droht, weil ein offener Betrag trotz mehrerer Mahnungen nicht bezahlt worden sein soll. Genau das behauptet derzeit eine E-Mail, die angeblich von FinanzOnline stammt. Tatsächlich handelt es sich dabei aber nicht um eine echte Zahlungsaufforderung.
---------------------------------------------
https://www.watchlist-internet.at/news/finanzonline-phishing-hausratpfaendu…
∗∗∗ Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel ∗∗∗
---------------------------------------------
A high-severity CVE-2026-0628 in Chromes Gemini allowed local file access and privacy invasion. Google quickly patched the flaw.
---------------------------------------------
https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
∗∗∗ Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure ∗∗∗
---------------------------------------------
84,000+ scanning sessions targeting SonicWall SonicOS infrastructure in four days. GreyNoise details a coordinated reconnaissance campaign using rotating proxy infrastructure.
---------------------------------------------
https://www.greynoise.io/blog/active-reconnaissance-campaign-targets-sonicw…
∗∗∗ Cultivating a robust and efficient quantum-safe HTTPS ∗∗∗
---------------------------------------------
Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (“PLANTS”), aiming to address the performance and bandwidth challenges that the increased size of quantum-resistant cryptography introduces into TLS connections requiring Certificate Transparency (CT).
---------------------------------------------
https://security.googleblog.com/2026/02/cultivating-robust-and-efficient.ht…
∗∗∗ Stop Putting Secrets in .env Files ∗∗∗
---------------------------------------------
[..] Why do we still store credentials in plaintext .env files?
---------------------------------------------
https://jonmagic.com/posts/stop-putting-secrets-in-dotenv-files/
∗∗∗ Fooling Gos X.509 Certificate Verification ∗∗∗
---------------------------------------------
Below are two X.509 certificates. The first is the Certificate Authority (CA) root certificate, and the second is a leaf certifcate signed by the private key of the CA.
---------------------------------------------
https://danielmangum.com/posts/fooling-go-x509-certificate-verification/
∗∗∗ Agents attacking agents: AI-powered bot exploiting GitHub Actions ∗∗∗
---------------------------------------------
A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in multiple targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub.
---------------------------------------------
https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
=====================
= Vulnerabilities =
=====================
∗∗∗ Checkmk: Hochriskante Cross-Site-Scripting-Lücke in Netzwerk-Monitor-Software ∗∗∗
---------------------------------------------
Die Entwickler haben aktualisierte Checkmk-Versionen herausgegeben. Sie schließen eine mindestens hochriskante Cross-Site-Scripting-Lücke.
---------------------------------------------
https://www.heise.de/news/Checkmk-Hochriskante-Cross-Site-Scripting-Luecke-…
∗∗∗ Unauthorized AI Agent Execution Code Published to OpenVSX in Aqua Trivy VS Code Extension ∗∗∗
---------------------------------------------
On February 27 and 28, 2026, versions 1.8.12 and 1.8.13 of the Aqua Trivy VS Code extension were published to the OpenVSX registry under the aquasecurityofficial.trivy-vulnerability-scanner namespace. Socket identified suspicious behavior in these versions shortly after publication and began investigating the releases.
---------------------------------------------
https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-o…
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1060911/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 26-02-2026 18:00 − Freitag 27-02-2026 18:00
Handler: Wolfgang Menezes
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New AirSnitch attack bypasses Wi-Fi encryption in homes, offices, and enterprises ∗∗∗
---------------------------------------------
New research shows that behaviors that occur at the very lowest levels of the network stack make encryption—in any form, not just those that have been broken in the past—incapable of providing client isolation, an encryption-enabled protection promised by all router makers, that is intended to block direct communication between two or more connected clients. The isolation can effectively be nullified through AirSnitch, the name the researchers gave to a series of attacks that capitalize on the newly discovered weaknesses.
---------------------------------------------
https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-…
∗∗∗ Log4j am Limit: KI-Schrott lähmt Open-Source-Projekt ∗∗∗
---------------------------------------------
Über das Bug-Bounty-Programm des Projekts werden den Angaben zufolge immer mehr KI-generierte Schwachstellenmeldungen eingereicht. [..] Karwasz schlägt vor, Schwachstellenmeldungen bei Log4j in Zukunft kurzfristig Prioritäten zuzuordnen und vorerst nur noch die wichtigen Fälle zu bearbeiten.
---------------------------------------------
https://www.golem.de/news/log4j-am-limit-ki-schrott-laehmt-open-source-proj…
∗∗∗ Heimliches Fahrzeug-Tracking: Spionage durch das Reifendruckkontrollsystem ∗∗∗
---------------------------------------------
Reifendruckkontrollsysteme moderner Fahrzeuge bieten Spionen weitreichende Möglichkeiten zur Überwachung - und das schon seit etlichen Jahren. [..] Angriffspunkt sind nach Angaben der Forscher Funksignale, die von den TPMS ausgestrahlt werden und eine eindeutige Kennung enthalten. [..] Um Autos anhand der TPMS-Signale zu tracken, wird nach Angaben der Forscher nur ein einfacher Funkempfänger benötigt, der zu Preisen von lediglich rund 100 US-Dollar erhältlich ist. [..] "Solche Informationen könnten Aufschluss über tägliche Routinen geben, wie beispielsweise Arbeitszeiten oder Reisegewohnheiten" , warnte das Forschungsteam.
---------------------------------------------
https://www.golem.de/news/heimliches-fahrzeug-tracking-spionage-durch-das-r…
∗∗∗ Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms ∗∗∗
---------------------------------------------
Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to distribute a remote access trojan (RAT). "A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar," the Microsoft Threat Intelligence team said in a post on X.
---------------------------------------------
https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html
∗∗∗ Fake Zoom and Google Meet scams install Teramind: A technical deep dive ∗∗∗
---------------------------------------------
In this article, we’ll provide the deeper technical analysis [..] On February 24, 2026, we published an article about how a fake Zoom meeting “update” silently installs monitoring software, documenting a campaign that used a convincing fake Zoom waiting room to push a legitimate Teramind installer abused for unauthorized surveillance onto Windows machines. [..] Despite the takedown, our continued monitoring shows the campaign is not only still active but growing: we have now identified a parallel operation impersonating Google Meet, running from a different domain and infrastructure.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-zoom-and-google…
∗∗∗ Hook, line, and vault: A technical deep dive into the 1Phish kit ∗∗∗
---------------------------------------------
We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/hook-line-vault-a-deep-dive-int…
∗∗∗ Malicious Go “crypto” Module Steals Passwords and Deploys Rekoobe Backdoor ∗∗∗
---------------------------------------------
Socket’s Threat Research Team uncovered a malicious Go module, github[.]com/xinfeisoft/crypto, that imitates the legitimate golang.org/x/crypto codebase but inserts a backdoor in ssh/terminal/terminal.go. That choice was strategic: golang.org/x/crypto is one of the Go ecosystem’s foundational cryptography codebases, maintained by the Go project and widely relied on for primitives and packages such as bcrypt, argon2, chacha20, and ssh, which makes it a high-trust impersonation target in dependency graphs.
---------------------------------------------
https://socket.dev/blog/malicious-go-crypto-module-steals-passwords-and-dep…
=====================
= Vulnerabilities =
=====================
∗∗∗ GitLab Patch Release: 18.9.1, 18.8.5, 18.7.5 ∗∗∗
---------------------------------------------
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
---------------------------------------------
https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-re…
∗∗∗ LWN: Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1060645/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 25-02-2026 18:00 − Donnerstag 26-02-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Fake Next.js job interview tests backdoor developers devices ∗∗∗
---------------------------------------------
The Microsoft Defender team has discovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessment materials, including recruiting coding tests.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-te…
∗∗∗ Ransomware payment rate drops to record low as attacks surge ∗∗∗
---------------------------------------------
The number of ransomware victims paying threat actors has dropped to 28% last year, an all-time low, despite a significant increase in the number of claimed attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drop…
∗∗∗ Datenpanne mit Openclaw: KI-Agent leakt interne Daten einer Cybersecurityfirma ∗∗∗
---------------------------------------------
Abermals ist es in Verbindung mit einem KI-Agenten zu einer Datenpanne gekommen. Der Betreiber hat offenbar zu viele Zugriffsrechte eingeräumt.
---------------------------------------------
https://www.golem.de/news/datenpanne-mit-openclaw-ki-agent-leakt-interne-da…
∗∗∗ Finding Signal in the Noise: Lessons Learned Running a Honeypot with AI Assistance [Guest Diary], (Tue, Feb 24th) ∗∗∗
---------------------------------------------
Over the past several months, I have gained practical insight into the challenges of deploying and operating a honeypot, even within a relatively simple environment. This work highlighted how varying hardware, software, and network design—can significantly alter outcomes. Through this process, I observed both the value and the limitations of log collection.
---------------------------------------------
https://isc.sans.edu/diary/rss/32744
∗∗∗ Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector. The package, codenamed StripeApi.Net, attempts to masquerade as Stripe.net, a legitimate library from Stripe that has over 75 million downloads.
---------------------------------------------
https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html
∗∗∗ UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor ∗∗∗
---------------------------------------------
A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.
---------------------------------------------
https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
∗∗∗ APT37 Adds New Capabilities for Air-Gapped Networks ∗∗∗
---------------------------------------------
In December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, download a payload that delivers FOOTWINE and BLUELIGHT, which enable surveillance on a victim’s system.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities…
∗∗∗ Microsoft Authenticator stellt Funktion bei erkanntem Jailbreak/Root-Zugriff ein ∗∗∗
---------------------------------------------
Microsoft kündigt an, dass die Authenticator-App Jailbreaks und Rootzugang erkennen soll. Entra-Zugänge sollen dann gelöscht werden.
---------------------------------------------
https://www.heise.de/news/Microsoft-Authenticator-bekommt-Jailbreak-und-Roo…
∗∗∗ Apache ActiveMQ Exploit Leads to LockBit Ransomware ∗∗∗
---------------------------------------------
This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring bean configuration XML file.
---------------------------------------------
https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockb…
∗∗∗ EWS-Apps und deren Nutzung vor der EWS-Abschaltung identifizieren ∗∗∗
---------------------------------------------
Microsoft ist dabei, Exchange Web Services (EWS) in den Ruhestand zu schicken. Dieser Vorgang beginnt im Oktober 2026 und endet mit einer vollständigen Abschaltung von EWS im Jahr 2027.
---------------------------------------------
https://borncity.com/blog/2026/02/26/ews-apps-und-deren-nutzung-vor-der-ews…
∗∗∗ Buy A Help Desk, Bundle A Remote Access Solution? (SolarWinds Web Help Desk Pre-Auth RCE Chain(s)) ∗∗∗
---------------------------------------------
It’s been a while, but we’re back - in time for story time. Gather round, strap in, and prepare for another depressing journey of “all we wanted to do was reproduce an N-day, and here we are with 0-days”.
---------------------------------------------
https://labs.watchtowr.com/buy-a-help-desk-bundle-a-remote-access-solution-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücken in Cisco Catalyst SD-WAN - aktiv ausgenutzt - Updates verfügbar ∗∗∗
---------------------------------------------
26. Februar 2026 Beschreibung In Cisco Catalyst SD-WAN existieren mehrere kritische Sicherheitslücken. Die schwerwiegendste Schwachstelle (CVE-2026-20127) ermöglicht es einem nicht authentifizierten Angreifer aus der Ferne, die Authentifizierung zu umgehen und administrative Berechtigungen auf einem betroffenen System zu erlangen. Weitere Schwachstellen betreffen den Cisco Catalyst SD-WAN Manager und ermöglichen unter anderem Authentication Bypass, Privilege Escalation,
---------------------------------------------
https://www.cert.at/de/warnungen/2026/2/kritische-sicherheitslucken-in-cisc…
∗∗∗ Critical Juniper Networks PTX flaw allows full router takeover ∗∗∗
---------------------------------------------
A critical vulnerability in the Junos OS Evolved network operating system running on PTX Series routers from Juniper Networks could allow an unauthenticated attacker to execute code remotely with root privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-juniper-networks-pt…
∗∗∗ Automatisierungs-Tool n8n: Angreifer können Schadcode einschleusen ∗∗∗
---------------------------------------------
Im Automatisierungs-Tool n8n klaffen elf Sicherheitslücken. Davon gelten drei als kritisches Risiko. Admins sollten rasch aktualisieren.
---------------------------------------------
https://www.heise.de/news/Automatisierungs-Tool-n8n-Updates-stopfen-Codesch…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1060391/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 24-02-2026 18:00 − Mittwoch 25-02-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ 1Campaign platform helps malicious Google ads evade detection ∗∗∗
---------------------------------------------
A newly identified cybercrime service known as 1Campaign is enabling threat actors to run malicious Google Ads that remain online for extended periods while evading scrutiny from security researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-mal…
∗∗∗ Phishing campaign targets freight and logistics orgs in the US, Europe ∗∗∗
---------------------------------------------
A financially motivated threat group dubbed "Diesel Vortex" is stealing credentials from freight and logistics operators in the U.S. and Europe in phishing attacks using 52 domains.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-fr…
∗∗∗ The OpenClaw Hype: Analysis of Chatter from Open-Source Deep and Dark Web ∗∗∗
---------------------------------------------
OpenClaw has sparked heavy Telegram and dark web chatter, but Flares data shows more research hype than mass exploitation. Flare explains how its telemetry found real supply-chain risk in the skills marketplace, yet limited signs of large-scale criminal operationalization.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/the-openclaw-hype-analysis-o…
∗∗∗ Marquis sues SonicWall over backup breach that led to ransomware attack ∗∗∗
---------------------------------------------
Marquis Software Solutions has filed a lawsuit against SonicWall, accusing the cybersecurity company of gross negligence and misrepresentation that allegedly led to a ransomware attack disrupting operations at 74 U.S. banks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/marquis-sues-sonicwall-over-…
∗∗∗ Chinese cyberspies breached dozens of telecom firms, govt agencies ∗∗∗
---------------------------------------------
Googles Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese threat actor that used SaaS API calls to hide malicious traffic in attacks targeting telecom and government networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-…
∗∗∗ UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware ∗∗∗
---------------------------------------------
A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate intelligence gathering or financial theft, signaling a possible expansion of the threat actors targeting beyond Ukraine and into entities supporting the war-torn nation.
---------------------------------------------
https://thehackernews.com/2026/02/uac-0050-targets-european-financial.html
∗∗∗ RoguePilot Flaw in GitHub Codespaces Enabled Copilot to Leak GITHUB_TOKEN ∗∗∗
---------------------------------------------
A vulnerability in GitHub Codespaces could have been exploited by bad actors to seize control of repositories by injecting malicious Copilot instructions in a GitHub issue. The artificial intelligence (AI)-driven vulnerability has been codenamed RoguePilot by Orca Security. It has since been patched by Microsoft following responsible disclosure.
---------------------------------------------
https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html
∗∗∗ Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data. The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, as well as manipulates authorization rules to create persistent backdoors in victim applications.
---------------------------------------------
https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
∗∗∗ Spyware kann Kamera- und Mikrofonanzeige beim iPhone abdrehen ∗∗∗
---------------------------------------------
Eigentlich sollte man bei jeder iOS-App sehen können, dass Kamera- oder Mikrofonaufzeichnung laufen. Predator, ein Spionageprogramm, hackt diese aber.
---------------------------------------------
https://www.heise.de/news/Spyware-kann-Kamera-und-Mikrofonanzeige-beim-iPho…
∗∗∗ Best Western Hotels warnt vor Phishing-Attacken ∗∗∗
---------------------------------------------
Betrüger haben offenbar Zugang zu aktuellen Buchungsdaten von Best Western Hotels. Das Unternehmen warnt vor einer Phishingwelle.
---------------------------------------------
https://www.heise.de/news/Best-Western-Hotels-warnt-vor-Phishing-Attacken-1…
∗∗∗ Der Cloudspeicher ist voll?! Was sich wirklich hinter den Warnungen verbirgt ∗∗∗
---------------------------------------------
Wenn dubiose E-Mails und hartnäckige PopUp-Fenster vor einem vollen Cloudspeicher warnen, ist allerhöchste Vorsicht angebracht. Während in manchen Fällen real existierende Softwareanbieter ein kostspieliges Abo unter die Leute bringen wollen, verstecken sich hinter anderen Varianten Kriminelle, die es auf die Kontodaten ihrer Opfer abgesehen haben.
---------------------------------------------
https://www.watchlist-internet.at/news/cloudspeicher-ist-voll/
∗∗∗ Phishing operation with links to Russia, Armenia compromised Western cargo companies, researchers find ∗∗∗
---------------------------------------------
Over a five-month period, the group, dubbed Diesel Vortex, stole more than 1,600 login credentials from accounts at logistics platforms, which allowed thieves to intercept and divert freight shipments and commit check fraud.
---------------------------------------------
https://therecord.media/phishing-operation-russia-armenia-targeting-us-euro…
∗∗∗ Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 ∗∗∗
---------------------------------------------
Check Point Research has discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. The vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables -executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories.
---------------------------------------------
https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through…
∗∗∗ 2026 GreyNoise State of the Edge Report: Where Attacks Concentrate and Defenses Fall Short ∗∗∗
---------------------------------------------
GreyNoise analyzed 2.97 billion malicious sessions over 162 days — and the patterns challenge assumptions about where edge defenses are strongest. From VPN targeting to infrastructure concentration to attackers rapidly rotating through fresh IPs, new research quantifies where the gaps are and what to do about it. Read the full findings.
---------------------------------------------
https://www.greynoise.io/blog/2026-greynoise-state-of-the-edge-report-where…
∗∗∗ Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign ∗∗∗
---------------------------------------------
Agent Tesla remains one of the most persistent threats in the cyber landscape today. It allows even low-skilled threat actors to harvest sensitive data through a highly sophisticated delivery pipeline. This research blog breaks down a recent multi-stage infection chain that utilizes a blend of phishing, obfuscated and encrypted scripts, and advanced in-memory execution and evasion techniques.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-di…
∗∗∗ CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP ∗∗∗
---------------------------------------------
It’s been a while since I last dug into a Patch Tuesday release. With an extraordinarily high number of 177 CVEs, including 6 that were either already public or exploited in the wild, the October 2025 one seemed like a good opportunity to get back at it. The one I ended up investigating in depth was CVE-2025-59201, an elevation of privilege in the “Network Connection Status Indicator”.
---------------------------------------------
https://itm4n.github.io/cve-2025-59201-ncsi-eop/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Catalyst SD-WAN Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems ∗∗∗
---------------------------------------------
The purpose of this Alert is to provide resources for organizations with Cisco Software-Defined Wide-Area Networking (SD-WAN) systems, including Federal Civilian Executive Branch (FCEB) agencies, to address ongoing exploitation of multiple vulnerabilities. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 25, 2026.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-releas…
∗∗∗ Zyxel warns of critical RCE flaw affecting over a dozen routers ∗∗∗
---------------------------------------------
Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-…
∗∗∗ Schadcode-Lücken in Dell Repository Manager, Wyse Management Suite geschlossen ∗∗∗
---------------------------------------------
Dells Fernwartungstools Repository Manager und Wyse Management Suite sind verwundbar. Sicherheitsupdates schließen mehrere Lücken.
---------------------------------------------
https://www.heise.de/news/Schadcode-Luecken-in-Dell-Repository-Manager-Wyse…
∗∗∗ Drupal UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-010
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1060185/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 23-02-2026 18:00 − Dienstag 24-02-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Disovery is not the bottleneck! ∗∗∗
---------------------------------------------
There is a seductive logic to the current surge of optimism around AI-supported vulnerability discovery - a logic that is entirely based on a fundamental misunderstanding of the situation at hand.
---------------------------------------------
https://bytesandborscht.com/disovery-is-not-the-bottleneck/
∗∗∗ Microsoft beendet Unterstützung für Windows-Versionen aus 2016 ∗∗∗
---------------------------------------------
Windows-Versionen aus 2016 erhalten in Kürze keinen Support mehr. Erweiterte Sicherheits-Updates (ESU) sind jedoch in Planung.
---------------------------------------------
https://www.heise.de/news/Microsoft-beendet-Unterstuetzung-fuer-Windows-Ver…
∗∗∗ FinanzOnline-Phishing: Krypto- und Unternehmensdaten im Visier ∗∗∗
---------------------------------------------
Eine neue Variante des Phishing-Klassikers im Namen des Finanzministeriums macht die Runde. Sie zielt neben klassischen Adress- und Bankdaten auf weitere sensible Informationen ab. Kriminelle wollen alles über mögliche Krypto-Bestände ihrer Opfer erfahren und erkundigen sich zusätzlich nach etwaigen Unternehmensdetails.
---------------------------------------------
https://www.watchlist-internet.at/news/finanzonline-phishing-krypto-unterne…
=====================
= Vulnerabilities =
=====================
∗∗∗ 40 Sicherheitslücken in ImageMagick geschlossen ∗∗∗
---------------------------------------------
Die Bildbearbeitungssoftware ImageMagick ist an mehreren Stellen verwundbar. Sicherheitspatches stehen zur Installation bereit.
---------------------------------------------
https://heise.de/-11186935
∗∗∗ Critical SolarWinds Serv-U flaws offer root access to servers ∗∗∗
---------------------------------------------
SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-solarwinds-serv-u-f…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1060018/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/