=====================
= End-of-Day report =
=====================

Timeframe: Wednesday 03-12-2025 18:30 - Thursday 04-12-2025 18:30
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
*** Fraudulent gambling network may be a nation-state spying operation ***
---------------------------------------------
A sprawling infrastructure that has been bilking unsuspecting people through fraudulent gambling websites for 14 years is likely a dual operation run by a nation-state-sponsored group that is targeting government and private-industry organizations in the US and Europe, researchers said Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/12/fraudulent-gambling-network-may-be-...
*** Cost-cutting on macOS: Apple angers researchers with reduced bug bounty rewards ***
---------------------------------------------
Researchers who look for security vulnerabilities in Apple's macOS operating system and report them to the vendor will in future receive lower rewards for doing so. Security researcher Csaba Fitzl recently drew attention to this in a post on LinkedIn. He accuses Apple of devaluing macOS with this step and of no longer caring about the privacy of its users.
---------------------------------------------
https://www.golem.de/news/macos-apple-veraergert-forscher-mit-gekuerzten-bug...
*** Attempts to Bypass CDNs, (Wed, Dec 3rd) ***
---------------------------------------------
Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well.
---------------------------------------------
https://isc.sans.edu/diary/rss/32532
*** Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th) ***
---------------------------------------------
The ISC internship didn't just teach me about security, it changed how I thought about threats entirely. There's something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That's where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!
---------------------------------------------
https://isc.sans.edu/diary/rss/32536
*** Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts ***
---------------------------------------------
The botnet has prominently targeted telecommunication providers, gaming companies, hosting providers, and financial services. Also tackled by Cloudflare was a 14.1 Bpps DDoS attack from the same botnet. AISURU is believed to be powered by a massive network comprising an estimated 1-4 million infected hosts worldwide.
---------------------------------------------
https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html
*** Gardening joy or fraud trap? Warning about fraudulent plant shops ***
---------------------------------------------
The beginning of winter is one of the best times to plant fruit trees. Not only gardening enthusiasts know this, but unfortunately criminals do too. More and more fake shops lure with supposedly attractive offers and lead consumers into the trap.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-betruegerischen-pflanzens...
*** BRICKSTORM Backdoor ***
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People's Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based on analysis of eight BRICKSTORM samples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures to identify BRICKSTORM malware samples.
---------------------------------------------
https://www.cisa.gov/news-events/analysis-reports/ar25-338a
*** ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading ***
---------------------------------------------
Job seekers looking out for opportunities might instead find their personal devices compromised, as a ValleyRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
*** Fake ChatGPT Atlas Browser Used in ClickFix Attack to Steal Passwords ***
---------------------------------------------
Cybersecurity researchers have uncovered a critical ChatGPT Atlas browser attack, confirming the danger of the ongoing surge in the ClickFix threat.
---------------------------------------------
https://hackread.com/fake-chatgpt-atlas-clickfix-steal-passwords/
*** Sanctioned but Still Spying: Intellexa's Prolific Zero-Day Exploits Continue ***
---------------------------------------------
Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware: Intellexa. Known for its "Predator" spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-...
*** New Stealthy Linux Malware Combines Mirai DDoS Botnet with Cryptominer ***
---------------------------------------------
Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign.
---------------------------------------------
https://thecyberexpress.com/linux-malware-mirai-botnet-cryptominer/
=====================
= Vulnerabilities =
=====================
*** Security updates for Thursday ***
---------------------------------------------
Security updates have been issued by AlmaLinux (expat and libxml2), Debian (openvpn and webkit2gtk), Fedora (gi-loadouts, kf6-kcoreaddons, kf6-kguiaddons, kf6-kjobwidgets, kf6-knotifications, kf6-kstatusnotifieritem, kf6-kunitconversion, kf6-kwidgetsaddons, kf6-kxmlgui, nanovna-saver, persepolis, python-ezdxf, python-pyside6, sigil, stb, syncplay, tinyproxy, torbrowser-launcher, ubertooth, and usd), Mageia (cups), SUSE (cups, gegl, icinga2, mozjs128, and Security), and Ubuntu (ghostscript, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux-aws-fips, linux-fips, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gcp-4.15, linux-hwe, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-gcp-6.14, linux-raspi, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, linux-raspi, linux-raspi-realtime, linux-xilinx, and postgresql-14, postgresql-16, postgresql-17).
---------------------------------------------
https://lwn.net/Articles/1049251/
*** Cross-Site Scripting in Nextcloud: Development files shipped in files_pdfviewer app ***
---------------------------------------------
Nextcloud's PDF viewer uses an outdated version of PDF.js vulnerable to CVE-2024-4367. Attackers with regular user access to a Nextcloud instance are able to prepare a special link. If this link is visited by other logged-in users, a cross-site scripting payload is executed and attackers get access to that user's files.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/
*** Patch now! Critical code-execution vulnerability threatens React ***
---------------------------------------------
Software developers who work with React should update the JavaScript library to the current version immediately for security reasons. If they do not, attackers can exploit a vulnerability and fully compromise systems by executing malicious code. Security updates are available.
---------------------------------------------
https://heise.de/-11102366
*** Chrome 143.0.7499.40 / 41 closes vulnerabilities ***
---------------------------------------------
On December 2, 2025, Google updated the Chrome browser to versions 143.0.7499.40 / 41 to close several vulnerabilities at once. The Extended Stable Chromium branch has also received an update. I briefly summarize some information on these topics below.
---------------------------------------------
https://www.borncity.com/blog/2025/12/04/chrome-143-0-7499-40-41-schliesst-s...
*** DSA-6069-1 openvpn - security update ***
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00235.html
*** K000158050: SQLite vulnerability CVE-2019-8457 ***
---------------------------------------------
https://my.f5.com/manage/s/article/K000158050
*** K000158042: Apache HTTP server vulnerabilities CVE-2024-47252 and CVE-2025-49812 ***
---------------------------------------------
https://my.f5.com/manage/s/article/K000158042
*** K000158059: Next.js vulnerability CVE-2025-66478 ***
---------------------------------------------
https://my.f5.com/manage/s/article/K000158059