=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 28-10-2025 18:00 − Wednesday 29-10-2025 18:00
Handler:     Alexander Riepl
Co-Handler:  Guenes Holler

=====================
=       News        =
=====================
*** How typosquatting tricked me (a bit) ***
---------------------------------------------
Typosquatting is a popular method using similarly looking names to draw people into malicious content – such as phishing websites or fake software packages. It leverages our “brain optimization” that matches what we see with what we already know – even if it’s not exactly the same. I haven’t installed any shady software, but it’s still a good example of how easily our brain could be used against us by utilizing our biases.
---------------------------------------------
https://www.cert.at/en/blog/2025/10/how-typosquatting-tricked-me-a-bit

*** Qilin ransomware abuses WSL to run Linux encryptors in Windows ***
---------------------------------------------
The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qilin-ransomware-abuses-wsl-t...

*** Collins Aerospace: Inadequate passwords made it possible to send messages to cockpits ***
---------------------------------------------
Due to inadequate access protection at Collins Aerospace, messages could be sent to aircraft cockpits.
---------------------------------------------
https://www.heise.de/news/Collins-Aerospace-Mangelhafte-Passwoerter-ermoegli...

*** Aisuru Botnet Shifts from DDoS to Residential Proxies ***
---------------------------------------------
Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.
---------------------------------------------
https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-reside...

*** HTTPS by default ***
---------------------------------------------
One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secure Connections”. This means Chrome will ask for the user's permission before the first access to any public site without HTTPS.
---------------------------------------------
http://security.googleblog.com/2025/10/https-by-default.html

*** Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated October 28) ***
---------------------------------------------
On Oct. 14, 2025, a critical, unauthenticated remote code execution (RCE) vulnerability was identified in Microsoft's Windows Server Update Services (WSUS), a core enterprise component for patch management. Microsoft's initial patch during the October Patch Tuesday did not fully address the flaw, necessitating an emergency out-of-band security update released Oct. 23, 2025. Within hours of the emergency update, Unit 42 and other security researchers observed active exploitation in the wild. The combination of a remotely exploitable, unauthenticated RCE in a core infrastructure service, coupled with observed active exploitation in the wild, represents a severe and time-sensitive risk.
---------------------------------------------
https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/

*** Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack ***
---------------------------------------------
We have discovered a new Windows-based malware family we've named Airstalk, which is available in both PowerShell and .NET variants. We assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack. We have created the threat activity cluster CL-STA-1009 to identify and track any further related activity.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstal...

*** Cybersecurity on a budget: Strategies for an economic downturn ***
---------------------------------------------
This blog offers practical strategies, creative defenses, and talent management advice to help your business stay secure when every dollar counts.
---------------------------------------------
https://blog.talosintelligence.com/cybersecurity-on-a-budget-strategies-for-...

*** Hackers Hijack Corporate XWiki Servers for Crypto Mining ***
---------------------------------------------
Hackers exploit critical XWiki flaw CVE-2025-24893 to hijack corporate servers for cryptomining, with active attacks confirmed by VulnCheck researchers.
---------------------------------------------
https://hackread.com/hackers-hijack-xwiki-servers-crypto-mining/

*** iOS: Security researchers warn about third-party app store "Flekst0re" ***
---------------------------------------------
In the EU, Apple must allow competitors to the iOS App Store. Flekst0re is one of these offerings, but it takes unconventional routes. That opens up security holes.
---------------------------------------------
https://heise.de/-10961981

*** What We Talk About When We Talk About Sideloading ***
---------------------------------------------
We recently published a blog post with our reaction to the new Google Developer Program and how it impacts your freedom to use the devices that you own in the ways that you want. The post garnered quite a lot of feedback and interest from the community and press, as well as various civil society groups and regulatory agencies.
---------------------------------------------
https://f-droid.org/2025/10/28/sideloading.html

=====================
=  Vulnerabilities  =
=====================
*** BSI warns of Bind vulnerability: data of countless DNS servers can be manipulated ***
---------------------------------------------
The widely used DNS software Bind contains a dangerous security vulnerability that allows attackers to manipulate DNS records through so-called cache poisoning. The German Federal Office for Information Security (BSI) has issued a warning, according to which a proof of concept (PoC) for exploiting the vulnerability is now circulating on the net. Admins should act quickly.
---------------------------------------------
https://www.golem.de/news/exploit-code-verfuegbar-dns-eintraege-unzaehliger-...

*** Vulnerabilities endanger systems running IBM's security solutions Concert and QRadar SIEM ***
---------------------------------------------
Attackers can exploit several security vulnerabilities in IBM Concert and QRadar SIEM. Patches are available.
---------------------------------------------
https://www.heise.de/news/Luecken-gefaehrden-Systeme-mit-IBMs-Sicherheitsloe...

*** Patch now! Attacks on DELMIA Apriso observed ***
---------------------------------------------
The manufacturing management tool DELMIA Apriso is currently being targeted by attackers. Security patches have been available for download since the summer of this year.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-DELMIA-Apriso-beobachte...

*** Security updates for Wednesday ***
---------------------------------------------
Security updates have been issued by Debian (gimp, python-authlib, and xorg-server), Fedora (chromium and git-lfs), Mageia (poppler and tomcat), Red Hat (kernel, kernel-rt, redis, and redis:6), SUSE (fetchmail, grafana, ImageMagick, kernel-devel, libluajit-5_1-2, proxy-helm, python-Authlib, and xen), and Ubuntu (linux-intel-iotg, linux-intel-iotg-5.15 and squid, squid3).
---------------------------------------------
https://lwn.net/Articles/1043983/

*** Unprotected NFC card manipulation leads to free top-ups in GiroWeb Cashless Catering Solutions with outdated customer infrastructure ***
---------------------------------------------
When the GiroWeb Cashless Catering solution is used with older NFC cards, the stored card balance can be changed without backend verification. This behaviour occurs because the balance value is stored exclusively on the card. The vendor has stated that this behaviour is related to the design of the specific NFC card type and therefore does not constitute a vulnerability in the payment solution itself, but is attributable to the insecure cards used by its customers in older environments.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/ungeschuetzte-nfc-kart...

*** ZDI-25-977: Delta Electronics ASDA-Soft PAR File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-977/

*** ZDI-25-975: X.Org Server XkbSetCompatMap Numeric Truncation Error Privilege Escalation Vulnerability ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-975/