===================== = End-of-Day report = =====================
Timeframe: Monday 20-04-2026 18:00 − Tuesday 21-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
===================== = News = =====================
∗∗∗ Serial-to-IP Devices Hide Thousands of Old and New Bugs ∗∗∗
---------------------------------------------
The OT devices that translate machine talk into Internet-speak are riddled with vulnerabilities and more frequently targeted for attacks, researchers say.
---------------------------------------------
https://www.darkreading.com/ics-ot-security/serial-ip-devices-thousands-of-b...
∗∗∗ BSI warns: phishing attacks via Signal are increasing ∗∗∗
---------------------------------------------
Attackers regularly hijack Signal accounts by means of phishing. The BSI has now published a guide with recommended actions for those affected.
---------------------------------------------
https://www.golem.de/news/bsi-warnt-phishing-attacken-ueber-signal-nehmen-zu...
∗∗∗ A .WAV With A Payload, (Tue, Apr 21st) ∗∗∗
---------------------------------------------
There have been reports of threat actors using a .wav file as a vector for malware. It's a proper .wav file, but they didn't use steganography. The .wav file will play, but you'll just hear noise.
---------------------------------------------
https://isc.sans.edu/diary/rss/32910
∗∗∗ Real Apple notifications are being used to drive tech support scams ∗∗∗
---------------------------------------------
Scammers have found a way to abuse legitimate Apple notification emails to trick people into calling fake tech support numbers.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/04/real-apple-notifications-are-...
∗∗∗ Fake job placement agencies foist malware on victims ∗∗∗
---------------------------------------------
They are attractively designed and promise interesting jobs on top terms. Unfortunately, nothing about these placement agencies is real. Through the fake websites and the accompanying recruitment emails, criminals not only want to obtain personal information. They also sneak malware onto their victims' devices.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-jobvermittlungsagenturen/
∗∗∗ Bad Apples: Weaponizing native macOS primitives for movement and execution ∗∗∗
---------------------------------------------
Cisco Talos documents several macOS living-off-the-land (LOTL) techniques, demonstrating that native pathways for movement and execution remain accessible to those who understand the underlying architecture.
---------------------------------------------
https://blog.talosintelligence.com/bad-apples-weaponizing-native-macos-primi...
∗∗∗ Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories ∗∗∗
---------------------------------------------
Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-i...
∗∗∗ Deep Malware Analysis of a Multi-Stage Cobalt Strike Loader ∗∗∗
---------------------------------------------
In this blog post, we provide a detailed technical reconstruction of a multi-stage malware chain that ultimately delivers a Cobalt Strike Beacon.
---------------------------------------------
https://www.joesecurity.org/blog/621128515416801396
∗∗∗ Command Execution via Drag-and-Drop in Terminal Emulators ∗∗∗
---------------------------------------------
Many people may not be aware that terminal emulators such as Kitty and xfce4-terminal support dragging and dropping of files into the terminal to insert the file's path directly at the cursor position. While this feature has existed for a while, more people have started to notice this as Claude Code has grown in popularity and allows users to drag and drop files for Claude to process.
---------------------------------------------
https://sdushantha.github.io/post/drop-it-like-its-hot
∗∗∗ Inside An AWS Cloud Threat Detection SOC Lab: Simulating and Detecting Real Cloud Attacks ∗∗∗
---------------------------------------------
Over time, cloud computing has become the backbone of how modern systems are built and run. As I started diving deeper into cloud security, I began to see just how much organizations and various industries depend on it, not just for convenience, but for scalability, speed, and the ability to support technologies like artificial intelligence and big data.
---------------------------------------------
https://detect.fyi/inside-an-aws-cloud-threat-detection-soc-lab-simulating-a...
∗∗∗ Context.ai OAuth Token Compromise ∗∗∗
---------------------------------------------
Compromised Context.ai OAuth tokens enabled attackers to perform a supply chain attack via trusted SaaS integrations. Learn how to assess the risk in your environment and how to prevent the next attack.
---------------------------------------------
https://www.wiz.io/blog/contextai-oauth-token-compromise
===================== = Vulnerabilities = =====================
∗∗∗ SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ∗∗∗
---------------------------------------------
A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code.
---------------------------------------------
https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html
∗∗∗ Apache ActiveMQ RCE ∗∗∗
---------------------------------------------
CVE-2026-34197 is a high-severity remote code execution (RCE) vulnerability affecting Apache ActiveMQ Classic. The flaw resides in the exposed Jolokia JMX-HTTP interface and allows attackers to execute arbitrary commands on the underlying system via crafted broker management requests. Recent reporting indicates that this vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and elevating its priority for remediation.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6428
∗∗∗ Malicious-code vulnerability with maximum severity rating threatens Firebird ∗∗∗
---------------------------------------------
The open-source database management system Firebird can be attacked via several routes. As a result, malicious code can get onto systems.
---------------------------------------------
https://www.heise.de/news/Schadcode-Luecke-mit-Hoechstwertung-bedroht-Firebi...
∗∗∗ Supply Chain Compromise Impacts Axios Node Package Manager ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm). Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-i...
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1068830/