=====================
= End-of-Day report =
=====================

Timeframe:   Thursday 30-04-2026 18:00 − Monday 04-05-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  n/a

=====================
=       News        =
=====================

*** ConsentFix v3 attacks target Azure with automated OAuth abuse ***
---------------------------------------------
A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/consentfix-v3-attacks-target-...

*** Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks ***
---------------------------------------------
A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.
---------------------------------------------
https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html

*** Trellix: Attackers Gained Access to Source Code ***
---------------------------------------------
Trellix, which emerged from FireEye and McAfee, has reported an IT incident. Attackers gained access to source code.
---------------------------------------------
https://www.heise.de/news/Trellix-Angreifer-erlangten-Zugriff-auf-Quellcode-...

*** Incident at DigiCert: Malware Authors Stole Certificates ***
---------------------------------------------
In April, the certificate authority DigiCert issued several certificates for signing programs ("Code Signing Certificates") to malware authors. The attackers had previously targeted DigiCert customer service staff with malware and taken over their computers. Because several protective measures failed, the criminals gained access to a protected customer portal, including all the information needed to retrieve the certificates.
---------------------------------------------
https://www.heise.de/news/Nach-Malware-Angriff-Kriminelle-nutzten-Codesignin...

*** Build a Decoy MCP Server to Catch AI Agent Attackers ***
---------------------------------------------
Your AI agent's MCP config can be a target for an attacker who reaches your machine. A decoy MCP server entry pointing at a Cloudflare Worker can reveal the attacker's presence and their intent.
---------------------------------------------
https://zeltser.com/decoy-mcp-server-honeypot

*** ESC Tickets Online: Third-Party Providers Such as ticombo.com Carry a High Risk! ***
---------------------------------------------
Ticket offers from third-party providers keep appearing for the sold-out Eurovision Song Contest. We explain why it is better to stay away from them.
---------------------------------------------
https://www.watchlist-internet.at/news/esc-tickets-plattformen-wie-ticomboco...

*** That AI Extension Helping You Write Emails? It’s Reading Them First ***
---------------------------------------------
Unit 42 uncovers high-risk AI browser extensions. Disguised as productivity tools, they steal data, intercept prompts, and exfiltrate passwords. Protect your browser.
---------------------------------------------
https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/

*** EV Certificates from Lenovo & Co. Abused by GoldenEyeDog ***
---------------------------------------------
Manufacturers such as Lenovo, Kingston, Shuttle Inc. and Palit Microsystems are affected by a certificate problem. A Chinese hacker group named GoldenEyeDog (APT-Q-27) was able to issue EV certificates in the name of the organizations listed above and abuse them for criminal purposes.
---------------------------------------------
https://borncity.com/blog/2026/05/03/ev-zertifikate-von-lenovo-co-durch-gold...

*** Careful Adoption of Agentic AI Services ***
---------------------------------------------
CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international and U.S. partners, released guidance for organizations on adopting agentic artificial intelligence (AI) systems.
---------------------------------------------
https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-s...

*** The Life-Dinner Principle in Detection ***
---------------------------------------------
Cybersecurity has its own folk saying. You have heard it at conferences, on panels, in vendor decks, and in LinkedIn posts from CISOs who are “humbled” to announce something: “The attacker only has to be right once. The defender has to be right every time.”
---------------------------------------------
https://detect.fyi/the-life-dinner-principle-in-detection-822169d9da2c

*** Evaluating our Threat Hunting Detection Rules (+ KQL Query Evaluation) ***
---------------------------------------------
I really enjoy creating detection rules — they give me better visibility into current threats, help me stay proactive, and bring many other advantages. On the other hand, it’s a double-edged sword.
---------------------------------------------
https://detect.fyi/evaluating-our-threat-hunting-detection-rules-kql-query-e...

*** Practical Package Security: The Unofficial Guide ***
---------------------------------------------
Get actionable best practices to shrink your attack surface, protect execution environments, control package ingestion, and catch compromises early.
---------------------------------------------
https://www.wiz.io/blog/practical-package-security-the-unofficial-guide

*** Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise ***
---------------------------------------------
Socket found a malicious Intercom PHP package on Packagist using Composer plugin execution to steal credentials and spread across ecosystems.
---------------------------------------------
https://socket.dev/blog/mini-shai-hulud-packagist-malicious-intercom-php-pac...

*** Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables ***
---------------------------------------------
The Socket Research Team has detected an active supply-chain attack targeting the unscoped tanstack package on npm, a brand-squatted impersonation of the legitimate @tanstack/* organization.
---------------------------------------------
https://socket.dev/blog/tanstack-brandsquat-compromise

*** NCSC Warns Organisations to Act Fast as Hidden Software Flaws Surface ***
---------------------------------------------
Organisations worldwide are being urged to prepare for a vulnerability patch wave, as security experts warn that advances in artificial intelligence (AI) could rapidly expose long-standing weaknesses across software systems. The warning comes from the National Cyber Security Centre (NCSC), which says businesses must act now to strengthen their environments before a surge of critical updates arrives.
---------------------------------------------
https://thecyberexpress.com/ncsc-vulnerability-patch-wave/

*** FBI Warns of Surge in Cyber-Enabled Cargo Theft Targeting Logistics Firms ***
---------------------------------------------
The Federal Bureau of Investigation (FBI) has issued a public warning over a sharp rise in cyber-enabled cargo theft, as threat actors increasingly use digital tactics to impersonate legitimate businesses, hijack freight, and steal high-value shipments. According to the FBI, cybercriminals are targeting transportation and logistics companies involved in shipping, receiving, and insuring cargo.
---------------------------------------------
https://thecyberexpress.com/cyber-enabled-cargo-theft-fbi-issues-alert/

=====================
=  Vulnerabilities  =
=====================

*** Copy Fail Update #1: Critical Linux Kernel Vulnerability Allows Local Root Privileges ***
---------------------------------------------
04.05.2026 We have received information that a workaround exists which applies to systems where the affected code is contained in a kernel module (including, among others, Debian-based systems such as Ubuntu). The workaround prevents the module from being loaded.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/4/copy-fail-kritische-linux-kernel-sch...

*** Progress warns of critical MOVEit Automation auth bypass flaw ***
---------------------------------------------
Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/moveit-automation-customers-w...

*** Network Analysis Tool Wireshark: Numerous Security Vulnerabilities Closed ***
---------------------------------------------
In two current versions of Wireshark, the developers have closed several vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Netzwerkanalysetool-Wireshark-Zahlreiche-Sicherhei...

*** Tails 7.7.1: Emergency Update for the Anonymizing Linux Fixes Firefox Leaks ***
---------------------------------------------
Version 7.7.1 of the anonymizing Linux distribution Tails closes, among other things, Firefox security vulnerabilities in the Tor Browser.
---------------------------------------------
https://www.heise.de/news/Tails-7-7-1-Notfallupdate-fuer-anonymisierendes-Li...

*** Malicious npm Packages: SAP Software Compromised ***
---------------------------------------------
Several npm packages from SAP were exposed to a supply-chain attack. The hacker group TeamPCP is behind it, security researchers say.
---------------------------------------------
https://www.heise.de/news/Boesartige-npm-Pakete-SAP-Software-kompromittiert-...

*** LWN Security updates for Monday ***
---------------------------------------------
https://lwn.net/Articles/1071167/