=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-05-2025 18:00 − Friday 23-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ TikTok videos now push infostealer malware in ClickFix attacks ∗∗∗
---------------------------------------------
As Trend Micro recently discovered, the threat actors behind this TikTok social engineering campaign are using videos likely generated using AI that ask viewers to run commands claiming to activate Windows and Microsoft Office, as well as premium features in various legitimate software like CapCut and Spotify.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infost...
∗∗∗ FBI warns of Luna Moth extortion attacks targeting law firms ∗∗∗
---------------------------------------------
The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks. Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022 and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-luna-moth-extort...
∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗
---------------------------------------------
In this blog post, we get to the heart of the matter, the actual security of the Windows Registry. I'd like to talk about what made a feature that was initially meant to be just a quick test of my fuzzing infrastructure draw me into manual research for the next 1.5 to 2 years, and result in Microsoft fixing (so far) 53 CVEs. I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate, and some considerations on effective fuzzing and where more bugs might still be lurking.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventur...
∗∗∗ GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites.
---------------------------------------------
https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html
∗∗∗ ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network.
---------------------------------------------
https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html
∗∗∗ Oops: DanaBot Malware Devs Infected Their Own PCs ∗∗∗
---------------------------------------------
The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.
---------------------------------------------
https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their...
∗∗∗ Fake birthday gift: subscription trap circulating in the name of Rituals ∗∗∗
---------------------------------------------
Fraudulent e-mails purporting to come from Rituals are currently circulating. They promise a luxurious birthday gift box for a special price of only two euros. But beware: behind the seemingly generous offer there is no real surprise, but an expensive subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-geburtstagsgeschenk-abofalle-im-...
∗∗∗ Security risk: AD administration and the Authenticated Users group ∗∗∗
---------------------------------------------
A blog reader recently pointed me to a security risk that may exist in some Active Directory environments. If the Active Directory group Authenticated Users contains external accounts, shares of internal services (printers etc.) could unintentionally be open to external users.
---------------------------------------------
https://www.borncity.com/blog/2025/05/22/sicherheitsrisiko-ad-verwaltung-und...
∗∗∗ Information Leakage Caused by DB Client Tool ∗∗∗
---------------------------------------------
In recent breach incidents, threat actors have been observed not only accessing systems, but also directly querying internal databases and stealing sensitive information. Particularly, more threat actors are installing DB client tools directly on targeted systems to exfiltrate data, and legitimate tools such as DBeaver, Navicat, and sqlcmd are being used in this process.
---------------------------------------------
https://asec.ahnlab.com/en/88134/
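One way to hunt for the behaviour described above, as an added example that is not code from the ASEC article: flag launches of the named DB client tools on hosts where interactive database tooling is not expected. The input records mimic the fields of a Sysmon Event ID 1 (process creation) record; the host names, paths, role allowlist and the PE OriginalFileName values are assumptions made for the example and should be checked against the binaries in your own estate.

```python
"""Flag DB client tools (DBeaver, Navicat, sqlcmd) started on hosts where they
are not expected. Added example, not code from the ASEC article. Records carry
the Sysmon Event ID 1 fields Computer, Image, OriginalFileName, CommandLine;
all sample values below are constructed."""
import os
from dataclasses import dataclass

# PE OriginalFileName -> tool. Assumed values; verify against real binaries.
DB_CLIENT_TOOLS = {
    "dbeaver.exe": "DBeaver",
    "navicat.exe": "Navicat",
    "sqlcmd.exe": "sqlcmd",
}

# Hosts where interactive DB tooling is legitimate (hypothetical DBA jump host).
ALLOWED_HOSTS = frozenset({"dba-jump01"})

# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    {"Computer": "dba-jump01",
     "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "OriginalFileName": "sqlcmd.exe",
     "CommandLine": 'sqlcmd -S db01 -Q "select count(*) from orders"'},
    {"Computer": "fs01",
     "Image": r"C:\Users\svc_backup\Downloads\dbeaver\dbeaver.exe",
     "OriginalFileName": "dbeaver.exe", "CommandLine": "dbeaver.exe"},
    {"Computer": "app01",
     "Image": r"C:\Windows\Temp\svchost32.exe",          # renamed Navicat binary
     "OriginalFileName": "navicat.exe", "CommandLine": "svchost32.exe"},
    {"Computer": "app01",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    tool: str
    image: str
    renamed: bool  # file on disk does not carry the tool's own name


def detect_db_clients(events, allowed_hosts=ALLOWED_HOSTS):
    """Return one Finding per DB client launch on a host outside the allowlist."""
    findings = []
    for ev in events:
        # Windows paths: normalise separators so basename() works on any OS.
        image_name = os.path.basename(ev.get("Image", "").replace("\\", "/")).lower()
        original = ev.get("OriginalFileName", "").lower()
        # Prefer the PE header name: it survives renaming the file on disk.
        tool = DB_CLIENT_TOOLS.get(original) or DB_CLIENT_TOOLS.get(image_name)
        if tool is None or ev.get("Computer", "").lower() in allowed_hosts:
            continue
        findings.append(Finding(
            host=ev["Computer"],
            tool=tool,
            image=ev["Image"],
            renamed=bool(original) and image_name != original,
        ))
    return findings


if __name__ == "__main__":
    for f in detect_db_clients(SAMPLE_EVENTS):
        note = " (renamed binary)" if f.renamed else ""
        print(f"{f.host}: {f.tool} launched from {f.image}{note}")
```

Matching on OriginalFileName rather than the on-disk name is what catches the third sample record, where the tool was dropped as svchost32.exe; the allowlist keeps legitimate DBA hosts quiet, so the remaining hits are worth a look at the command line and the account that launched them.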
∗∗∗ Scarcity signals: Are rare activities red flags? ∗∗∗
---------------------------------------------
Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.
---------------------------------------------
https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red-...
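Turning the prevalence observation above into a triage list, as an added example that is not Talos' code: count the distinct hosts that contacted each domain from PowerShell over a window and surface the domains below a prevalence threshold. The hosts, domains, fleet size and allowlist are constructed for the example; rarity here is a ranking signal for an analyst, not a verdict.

```python
"""Prevalence scoring of domains in PowerShell network telemetry.
Added example, not Talos' code. All events, hosts and domains are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    host: str     # endpoint that opened the connection
    process: str  # image name of the connecting process
    domain: str   # destination host name


# Constructed sample telemetry: eight workstations over one window.
SAMPLE_EVENTS = [
    *[NetEvent(f"ws0{i}", "powershell.exe", "www.powershellgallery.com") for i in range(1, 6)],
    *[NetEvent(f"ws0{i}", "powershell.exe", "update.internal.example") for i in range(1, 4)],
    NetEvent("ws07", "powershell.exe", "cdn-metrics.example.net"),
    NetEvent("ws04", "powershell.exe", "payload.bad.example"),
    NetEvent("ws07", "powershell.exe", "payload.bad.example"),
    NetEvent("ws07", "powershell.exe", "payload.bad.example"),   # repeated beacons, same host
    NetEvent("ws08", "powershell.exe", "backup.corp.example"),    # rare but known-good
    NetEvent("ws02", "chrome.exe", "odd-browser-only.example"),   # not PowerShell, ignored
]
FLEET_SIZE = 8
KNOWN_RARE_BENIGN = frozenset({"backup.corp.example"})


def domain_prevalence(events, process="powershell.exe"):
    """Map each domain to the set of distinct hosts whose `process` contacted it.
    Counting hosts instead of connections keeps one beaconing host from
    making its C2 domain look common."""
    hosts = defaultdict(set)
    for ev in events:
        if ev.process.lower() == process:
            hosts[ev.domain.lower()].add(ev.host.lower())
    return hosts


def rare_domains(events, fleet_size, max_fraction=0.01, floor=2,
                 allowlist=KNOWN_RARE_BENIGN):
    """Domains seen on at most max(floor, fleet_size * max_fraction) hosts,
    as (domain, host_count) pairs sorted by ascending count, minus allowlist."""
    threshold = max(floor, int(fleet_size * max_fraction))
    return sorted(
        ((domain, len(hosts)) for domain, hosts in domain_prevalence(events).items()
         if len(hosts) <= threshold and domain not in allowlist),
        key=lambda item: (item[1], item[0]),
    )


if __name__ == "__main__":
    for domain, count in rare_domains(SAMPLE_EVENTS, FLEET_SIZE):
        print(f"{domain}: contacted by {count} host(s) via PowerShell")
```

In production, normalise destinations to the registrable domain with a public suffix list before counting, size the threshold to the fleet (1 % of a large estate is still many hosts), and pair the rare set with other PowerShell signals such as encoded command lines or an unusual parent process, since the rare set alone will be large.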
∗∗∗ Operation Endgame 2.0: 20 arrest warrants, hundreds of servers taken down ∗∗∗
---------------------------------------------
International law enforcement agencies are continuing their action against malware authors. As part of "Operation Endgame 2.0", the German authorities (the BKA and the Frankfurt am Main Public Prosecutor General's Office) have now dealt the cybercriminals a heavy blow. In Germany alone, the authorities took 50 servers offline, and 650 domains are no longer under the control of the criminals.
---------------------------------------------
https://heise.de/-10394215
∗∗∗ Fault injection attacks on the nRF54L15 and STM32L051 microcontrollers (SYSS-2025-022/-033) ∗∗∗
---------------------------------------------
The term "fault injection" denotes a class of vulnerabilities in which attackers deliberately try to induce fault states in systems. These fault states lead to abnormal system behaviour and can be exploited to bypass security restrictions, for example to extract cryptographic keys or to bypass read restrictions on internal memories.
---------------------------------------------
https://www.syss.de/pentest-blog/fault-injection-angriffe-auf-die-mikrocontr...
=====================
= Vulnerabilities =
=====================
∗∗∗ 2025-05-22: Cyber Security Advisory - ASPECT advisory several CVEs ∗∗∗
---------------------------------------------
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&...
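The bug class named in the advisory, shown as an added example that is neither ABB's nor log4net's code: a logging configuration file that an attacker controls declares an external entity and references it in element content, so a parser that resolves external entities reads a local file into the configuration. The weak and fixed behaviours are reproduced with Python's xml.sax so the example runs stand-alone; the weak path enables external general entities (the default in Python before 3.7.1, and what log4net before 2.0.10 failed to turn off), the hardened path leaves them off and additionally refuses any DOCTYPE, the analogue of DtdProcessing.Prohibit in .NET. The secret file, the config layout and the element names are constructed for the example.

```python
"""XXE through an attacker-controlled XML configuration. Added example, not
code from the ABB advisory or log4net; file contents below are constructed."""
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

SECRET = "db_password=hunter2\n"   # stands in for any file the application can read

# Attacker-controlled config: the DTD declares an external entity and the body
# references it in element content (external entities in attribute values are
# forbidden by the XML spec, so the reference has to sit in text).
MALICIOUS_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE log4net [
  <!ENTITY xxe SYSTEM "{secret_path}">
]>
<log4net>
  <appender name="out" type="log4net.Appender.UdpAppender">
    <remoteAddress>&xxe;</remoteAddress>
  </appender>
</log4net>
"""

BENIGN_CONFIG = """<?xml version="1.0"?>
<log4net>
  <appender name="out" type="log4net.Appender.ConsoleAppender">
    <conversionPattern>%date %message%newline</conversionPattern>
  </appender>
</log4net>
"""


class TextCollector(ContentHandler):
    """Gathers character data so we can see what the parser expanded."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class RejectDoctype:
    """Lexical handler that aborts on any DTD. The other callbacks are part of
    the SAX lexical-handler interface and deliberately do nothing."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE rejected: configuration must not carry a DTD")

    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_config(path, *, external_entities, reject_doctype):
    """Parse `path` and return the concatenated text content."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(path)
    return "".join(collector.chunks)


def parse_config_vulnerable(path):
    """log4net < 2.0.10 behaviour: external entities are resolved and inlined."""
    return parse_config(path, external_entities=True, reject_doctype=False)


def parse_config_hardened(path):
    """Fixed behaviour: no entity resolution, and no DTD accepted at all."""
    return parse_config(path, external_entities=False, reject_doctype=True)


def write_fixture():
    """Write the 'secret' and both configs to a temp dir; return (bad, good) paths."""
    d = tempfile.mkdtemp(prefix="xxe-demo-")
    secret, bad, good = (os.path.join(d, n) for n in ("secret.txt", "evil.config", "benign.config"))
    with open(secret, "w") as f:
        f.write(SECRET)
    with open(bad, "w") as f:
        f.write(MALICIOUS_CONFIG.format(secret_path=secret))
    with open(good, "w") as f:
        f.write(BENIGN_CONFIG)
    return bad, good


def run_demo():
    """Return (text leaked by the weak parser, hardened verdict on the malicious
    config, hardened parser's text for the benign config)."""
    bad, good = write_fixture()
    leaked = parse_config_vulnerable(bad)
    try:
        parse_config_hardened(bad)
        verdict = "accepted"
    except ValueError as exc:
        verdict = str(exc)
    return leaked, verdict, parse_config_hardened(good)


if __name__ == "__main__":
    leaked, verdict, benign = run_demo()
    print("weak parser inlined:", leaked.strip())
    print("hardened parser on malicious config:", verdict)
    print("hardened parser on benign config:", benign.strip())
```

Disabling entity resolution alone already stops the file read; refusing the DOCTYPE as well closes the rest of the DTD attack surface (entity expansion and external DTD fetches) and costs nothing for a configuration format that never needs a DTD.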
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (dotnet9.0, dropbear, ghostscript, nbdkit, openssh, python-watchfiles, rpm-ostree, yelp, yelp-xsl, and zsync), Oracle (firefox and kernel), Red Hat (osbuild-composer), Slackware (aaa_glibc and mozilla), SUSE (chromedriver, open-vm-tools, postgresql14, python-cryptography, and thunderbird), and Ubuntu (linux-aws, linux-hwe-5.4, python, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1022352/
∗∗∗ Infoblox NetMRI is vulnerable to CVE-2024-54188 ∗∗∗
---------------------------------------------
https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE-...

∗∗∗ [R1] Tenable Network Monitor Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-10

∗∗∗ Lantronix Device Installer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01

∗∗∗ Rockwell Automation FactoryTalk Historian ThingWorx ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-02