===================== = End-of-Day report = =====================

Timeframe: Mittwoch 28-05-2025 18:00 − Freitag 30-05-2025 18:00 Handler: Guenes Holler Co-Handler: n/a

===================== = News = =====================

∗∗∗ Interlock ransomware gang deploys new NodeSnake RAT on universities ∗∗∗ --------------------------------------------- The Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutes for persistent access to corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-dep...

∗∗∗ APT41 malware abuses Google Calendar for stealthy C2 communication ∗∗∗ --------------------------------------------- The Chinese APT41 hacking group uses a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-c...

∗∗∗ Threat actors abuse Google Apps Script in evasive phishing attacks ∗∗∗ --------------------------------------------- Threat actors are abusing the ‘Google Apps Script’ development platform to host phishing pages that appear legitimate and steal login credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-ap...

∗∗∗ ConnectWise breached in cyberattack linked to nation-state hackers ∗∗∗ --------------------------------------------- IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cyber...

∗∗∗ Everest Group Extorts Global Orgs via SAPs HR Tool ∗∗∗ --------------------------------------------- Extortionist-cum-information broker "Everest Group" has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/everest-group-extorts...

∗∗∗ Sicherheitslücke: Warum ChatGPT oft den gesamten Onedrive-Ordner lesen kann ∗∗∗ --------------------------------------------- Forscher warnen vor einer Sicherheitslücke in Microsofts File Picker für Onedrive. Apps wie ChatGPT können weitaus mehr lesen, als Anwender erwarten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-warum-chatgpt-oft-den-gesamten-o...

∗∗∗ Exploits and vulnerabilities in Q1 2025 ∗∗∗ --------------------------------------------- This report contains statistics on vulnerabilities and published exploits, along with an analysis of the most noteworthy vulnerabilities we observed in the first quarter of 2025. --------------------------------------------- https://securelist.com/vulnerabilities-and-exploits-in-q1-2025/116624/

∗∗∗ New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers ∗∗∗ --------------------------------------------- Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet. --------------------------------------------- https://thehackernews.com/2025/05/new-windows-rat-evades-detection-for.html

∗∗∗ Attack on LexisNexis Risk Solutions exposes data on 300k + ∗∗∗ --------------------------------------------- LexisNexis Risk Solutions (LNRS) is the latest big-name organization to disclose a serious cyberattack leading to data theft, with the number of affected individuals pegged at 364,333. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/28/attack_on_lex...

∗∗∗ Billions of cookies up for grabs as experts warn over session security ∗∗∗ --------------------------------------------- A VPN vendor says billions of stolen cookies currently on sale either on dark web or Telegram-based marketplaces remain active and exploitable. More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/05/29/billions_of_c...

∗∗∗ U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams ∗∗∗ --------------------------------------------- The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers. --------------------------------------------- https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as-...

∗∗∗ Fake Bitdefender website used to spread infostealer malware ∗∗∗ --------------------------------------------- The attackers created a website that closely mimics Bitdefender’s legitimate Windows download page. Victims are infected after clicking a seemingly authentic “Download for Windows” button, which delivers a malicious archive. The archive contains executable files configured to deploy VenomRAT, which is used for remote access, keylogging and data exfiltration. --------------------------------------------- https://therecord.media/fake-bitdefender-website-venomrat-infostealer

∗∗∗ Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say ∗∗∗ --------------------------------------------- Cybersecurity researchers at BeyondTrust are warning about a little-known but dangerous issue within Microsoft’s Entra identity platform. The issue isn’t some hidden bug or overlooked vulnerability; it’s a feature, built into the system by design, that attackers can exploit. --------------------------------------------- https://hackread.com/microsoft-entra-design-guest-users-gain-azure-control/

∗∗∗ Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale ∗∗∗ --------------------------------------------- A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.” --------------------------------------------- https://hackread.com/threat-actor-tiktok-breach-428-million-records-sale/

===================== = Vulnerabilities = =====================

∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (firefox-esr, libvpx, net-tools, php-twig, python-tornado, setuptools, varnish, webpy, yelp, and yelp-xsl), Fedora (xen), Mageia (cimg and ghostscript), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, thunderbird, and unbound), Red Hat (firefox, mingw-freetype and spice-client-win, pcs, and varnish:6), Slackware (curl and mozilla), SUSE (apparmor, containerd, dnsdist, go1.23-openssl, go1.24, gstreamer-plugins-bad, ImageMagick, jetty-minimal, python-tornado, python313-setuptools, s390-tools, thunderbird, tomcat10, ucode-intel, and wxWidgets-3_2), and Ubuntu (ffmpeg, krb5, libsoup3, libsoup2.4, linux-aws-5.4, linux-aws-fips, linux-fips, linux-oracle-6.8, net-tools, and python-setuptools, setuptools). --------------------------------------------- https://lwn.net/Articles/1023072/

∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, firefox, ghostscript, gstreamer1-plugins-bad-free, libsoup3, mingw-freetype, perl, ruby, sqlite, thunderbird, unbound, valkey, and xz), Debian (chromium, firefox-esr, libavif, linux-6.1, modsecurity-apache, mydumper, systemd, and thunderbird), Fedora (coreutils, dnsdist, docker-buildx, maturin, mingw-python-flask, mingw-python-flit-core, ruff, rust-hashlink, rust-rusqlite, and thunderbird), Red Hat (pcs), SUSE (augeas, brltty, brotli, ca-certificates-mozilla, dnsdist, glibc, grub2, kernel, libsoup, libsoup2, libxml2, open-vm-tools, perl, postgresql13, postgresql15, postgresql16, postgresql17, python-cryptography, python-httpcore, python-h11, python311, runc, s390-tools, slurm, slurm_20_11, slurm_22_05, slurm_23_02, slurm_24_11, tomcat, and webkit2gtk3), and Ubuntu (linux-aws). --------------------------------------------- https://lwn.net/Articles/1023259/

∗∗∗ On Demand JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-vu...