=====================
= End-of-Day report =
=====================

Timeframe: Friday 27-03-2026 18:00 - Monday 30-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs

=====================
=       News        =
=====================
*** Backdoored Telnyx PyPI package pushes malware hidden in WAV audio ***
---------------------------------------------
TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/backdoored-telnyx-pypi-packag...
*** After cyberattack: hackers extort paralysed and brain-injured patients ***
---------------------------------------------
The BHD-Klinik Greifswald primarily treats paraplegic and brain-injured patients. Hackers have stolen data and are now abusing it.
---------------------------------------------
https://www.golem.de/news/nach-cyberangriff-hacker-erpressen-gelaehmte-und-h...
*** EU Commission: cyberattack on cloud services ***
---------------------------------------------
The European Commission has become the victim of a cyberattack. An alleged attacker contacted the press.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-auf-Cloud-der-EU-Kommission-11228549....
*** Phishing SMS target Trade Republic customers ***
---------------------------------------------
Criminals are currently sending phishing SMS in the name of the online broker Trade Republic. Their goal: to gain access to the victims' accounts and crypto assets.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-trade-republic-kundinnen/
*** Vulnerability CVE-2026-3055 in Citrix NetScaler ADC and Gateway is under attack ***
---------------------------------------------
On 24 March 2026, in the post "Critical vulnerabilities in Citrix NetScaler ADC and Gateway (March 2026)", I warned about two critical vulnerabilities in the named Citrix products. Attacks in the wild via one of these vulnerabilities are now being observed.
---------------------------------------------
https://borncity.com/blog/2026/03/30/schwachstelle-cve-2026-3055-in-citrix-n...
*** TeamPCP's Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM ***
---------------------------------------------
Moving beyond their LiteLLM campaign, TeamPCP weaponizes the Telnyx Python SDK with stealthy WAV-based payloads to steal credentials across Linux, macOS, and Windows.
---------------------------------------------
https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a...
*** The Sequels Are Never As Good, But We're Still In Pain (Citrix NetScaler CVE-2026-3055 Memory Overread) ***
---------------------------------------------
Sequels? Pain? We're obviously talking about Citrix NetScalers, yet again. Welcome back to another watchTowr Labs blog post - pull up a chair, we always welcome new members to our group therapy sessions.
---------------------------------------------
https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-p...
*** FortiClient EMS: vulnerability under attack ***
---------------------------------------------
In February, Fortinet addressed a critical vulnerability in FortiClient EMS with a security patch. It is now being attacked.
---------------------------------------------
https://heise.de/-11229898
*** The Comforting Lie Of SHA Pinning ***
---------------------------------------------
In March 2026, Trivy became the latest reminder that software supply chains are, at best, loosely held together with convention and trust. A typosquatting attack slipped malicious code into what looked like a legitimate dependency path. The post-mortems are worth reading, and they all converge on a single recommendation: pin your dependencies. In the GitHub Actions world, that usually translates to "use commit SHAs, not tags".
---------------------------------------------
https://www.vaines.org/posts/2026-03-24-the-comforting-lie-of-sha-pinning/
*** A Detection Researcher Mindset ***
---------------------------------------------
As detection researchers we are frequently asked where our detection ideas come from (and to build a backlog for them, and when it will all be done, etc.). At some point I needed to stop referencing Demetri Martin's stand-up where he describes how his jokes are delivered by a delicate fairy from a magical shire (the AI drawing may make more sense now... or not).
---------------------------------------------
https://detect.fyi/a-detection-researcher-mindset-f2ed045480c5
*** Threats based on clipboard actions (+ KQL query) ***
---------------------------------------------
We are currently placing a strong focus on threats related to AI — and while I truly believe that is the right direction, we shouldn't forget that there are many long-standing techniques that attackers continue to abuse effectively. One of those overlooked areas is clipboard activity.
---------------------------------------------
https://detect.fyi/threats-based-on-clipboards-actions-kql-query-93615eef79b...
*** Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks ***
---------------------------------------------
Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software.
---------------------------------------------
https://thecyberexpress.com/hackers-impersonate-cert-ua-agewheeze-rat/
*** ksmbd - Exploiting CVE-2025-37947 (3/3) ***
---------------------------------------------
This is the last of our posts about ksmbd. For the previous posts, see part 1 and part 2. Considering all discovered bugs and proof-of-concept exploits we reported, we had to select some suitable candidates for exploitation. In particular, we wanted to use something reported more recently to avoid downgrading our working environment.
---------------------------------------------
https://blog.doyensec.com/2025/10/08/ksmbd-3.html
=====================
=  Vulnerabilities  =
=====================
*** File read flaw in Smart Slider plugin impacts 500K WordPress sites ***
---------------------------------------------
A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/file-read-flaw-in-smart-slide...
*** Update now! Attacks on F5 BIG-IP Access Policy Manager observed ***
---------------------------------------------
The US IT security agency CISA warns of ongoing attacks on F5 BIG-IP Access Policy Manager.
---------------------------------------------
https://heise.de/-11229172
*** Update! Attacks on Gambio web shops ***
---------------------------------------------
A vulnerability in Gambio web shops allows attackers to break into them. And malicious actors are apparently already doing so.
---------------------------------------------
https://heise.de/-11229519
*** Video Calling Vulnerabilities in Miko Smart Kid Robots - Security Research ***
---------------------------------------------
Miko robots have been vulnerable to exploits that can initiate video calls to the robots and remotely obtain personal information from them.
---------------------------------------------
https://blog.mgdproductions.com/miko-robots-vulnerabilities/
*** LWN Security updates for Monday ***
---------------------------------------------
https://lwn.net/Articles/1065419/