=====================
= End-of-Day report =
=====================

Timeframe: Wednesday 18-06-2025 18:00 − Friday 20-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================

∗∗∗ Telecom giant Viasat breached by Chinas Salt Typhoon hackers ∗∗∗
---------------------------------------------
Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber-espionage group, which has previously hacked into the networks of multiple other telecom providers in the United States and worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telecom-giant-viasat-breached...
∗∗∗ Grok and Mixtral without limits: New AI tools generate phishing emails and malware ∗∗∗
---------------------------------------------
WormGPT was one of the first large language models built specifically for cybercriminal activity, and it could generate highly convincing phishing emails. While the original disappeared again after only a few weeks, new LLMs have taken its place under the same name.
---------------------------------------------
https://www.golem.de/news/wormgpt-ist-zurueck-neue-ki-modelle-unterstuetzen-...
∗∗∗ Cyberattacks: North Korean hackers impersonate superiors in video conferences ∗∗∗
---------------------------------------------
According to Bleeping Computer, the North Korean hacker group Bluenoroff has for some time been using a devious method to get malware into companies. The aim is apparently to siphon off cryptocurrency, which is what the Bluenoroff group, said to be a subgroup of Lazarus, is known for.
---------------------------------------------
https://www.golem.de/news/cyberangriffe-nordkoreanische-hacker-faken-vorgese...
∗∗∗ Cybersecurity: Iran is said to have hacked Israeli security cameras ∗∗∗
---------------------------------------------
Iranian hackers are said to have accessed private surveillance cameras in Israel to gather information. As Bloomberg reports, citing a piece on Israeli public broadcasting, a former Israeli cybersecurity official has urged the public to switch off private surveillance cameras or change their passwords.
---------------------------------------------
https://www.golem.de/news/cybersicherheit-iran-soll-israelische-sicherheitsk...
∗∗∗ Analysis of a Malicious WordPress Plugin: The Covert Redirector ∗∗∗
---------------------------------------------
A few weeks ago, we received a support request from a website owner who was experiencing unexpected redirects. Visitors landed on the website normally, but after about 4–5 seconds, the site redirected them to unrelated and suspicious websites. During the investigation, we discovered a malicious plugin that was responsible for this behavior, continuing the trend of attackers using fake WordPress plugins.
---------------------------------------------
https://blog.sucuri.net/2025/06/analysis-of-a-malicious-wordpress-plugin-the...
∗∗∗ New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains ∗∗∗
---------------------------------------------
A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails. The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix.
---------------------------------------------
https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html
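A quick triage check for the hosting technique described above, added here as an example and not taken from the report or from the Securonix writeup: it scans web-proxy log lines for destination hosts under the Cloudflare quick-tunnel domain. The assumption is that tunnels created ad hoc with `cloudflared` are served under *.trycloudflare.com, so that suffix is the indicator; the four-column log format and the hostnames in the sample are constructed for the example.

```shell
#!/bin/sh
# Added example (not the report's or Securonix's code): flag proxy log lines whose
# destination host is a Cloudflare quick-tunnel hostname. Assumption: quick tunnels
# live under *.trycloudflare.com. Log format (timestamp, client, method, URL) is
# constructed for this example.

SUSPECT_SUFFIX='.trycloudflare.com'

# Constructed sample proxy log: two tunnel hits among ordinary traffic, plus a
# lookalike host that must NOT be flagged.
SAMPLE_LOG='2025-06-19T09:12:01Z 10.1.2.30 GET https://www.example.org/index.html
2025-06-19T09:12:44Z 10.1.2.30 GET https://abc-def-ghi-jkl.trycloudflare.com/docs/invoice.pdf
2025-06-19T09:13:02Z 10.1.2.31 GET https://updates.example.org/feed.xml
2025-06-19T09:14:17Z 10.1.2.30 GET https://mno-pqr-stu-vwx.trycloudflare.com/share/
2025-06-19T09:15:00Z 10.1.2.32 GET https://trycloudflare.com.example.net/'

# flag_quick_tunnels: read log lines on stdin, print "client host path" for each
# request whose host ends with the suspect suffix. Only true subdomains match;
# trycloudflare.com.example.net is a lookalike and is skipped.
flag_quick_tunnels() {
    awk -v suffix="$SUSPECT_SUFFIX" '
    {
        url = $4
        sub(/^[a-zA-Z]+:\/\//, "", url)        # strip the scheme
        split(url, parts, "/")                 # host is the first component
        host = tolower(parts[1])
        sub(/:[0-9]+$/, "", host)              # drop an explicit port
        if (length(host) > length(suffix) &&
            substr(host, length(host) - length(suffix) + 1) == suffix)
            print $2, host, substr(url, length(parts[1]) + 1)
    }'
}

# count_quick_tunnels: number of flagged requests in the constructed sample.
count_quick_tunnels() {
    printf '%s\n' "$SAMPLE_LOG" | flag_quick_tunnels | wc -l | tr -d ' '
}

# first_quick_tunnel: the first flagged line, useful for a spot check.
first_quick_tunnel() {
    printf '%s\n' "$SAMPLE_LOG" | flag_quick_tunnels | head -n 1
}
```

Against a real log, pipe the proxy export into `flag_quick_tunnels` and group by client; a single workstation pulling files from several distinct quick-tunnel hostnames in a short window is the pattern to look at first. Named tunnels on a customer-owned domain are not caught by a suffix match, so treat this as a first filter rather than the only one.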
∗∗∗ Proxy: Bypass of restrictions possible in Apache Traffic Server ∗∗∗
---------------------------------------------
Two security vulnerabilities have been found in Apache Traffic Server (ATS), an open-source proxy server. Attackers can abuse them to bypass access restrictions or carry out denial-of-service attacks. Updated sources are available to fix the vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Proxy-Umgehung-von-Beschraenkungen-in-Apache-Traff...
∗∗∗ Resurgence of the Prometei Botnet ∗∗∗
---------------------------------------------
In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant.
---------------------------------------------
https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/
∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗
---------------------------------------------
Since November 2024, AhnLab has been working with the NCSC to analyze the malicious IRC server and related malware, classifying the previously unidentified threat actor as Larva-24013, tracing its activities, and confirming its association with the Shadow Force group. AhnLab manages malicious activities in four stages through its "Threat Actor Naming and Taxonomy," classifying threat actors as "Larva" (unidentified threat actors) and "Arthropod" (identified threat actors). Following AhnLab's threat actor taxonomy and naming convention, the threat actor has been identified and named TA-ShadowCricket.
---------------------------------------------
https://asec.ahnlab.com/en/88137/
∗∗∗ Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages ∗∗∗
---------------------------------------------
Cybercriminals are finding clever new ways to trick people, even on the official websites of major companies. Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands.
---------------------------------------------
https://hackread.com/scammers-fake-support-numbers-real-apple-netflix-paypal...
∗∗∗ Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories ∗∗∗
---------------------------------------------
ReversingLabs researchers recently uncovered a new and worrying attack method led by a group called Banana Squad. This group, first identified by Checkmarx researchers in October 2023, is known for their sneaky methods, with their name coming from an early harmful internet address, bananasquadru.
---------------------------------------------
https://hackread.com/banana-squad-data-stealing-malware-github-repositories/
∗∗∗ New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack ∗∗∗
---------------------------------------------
A new and concerning cyber threat, dubbed Mocha Manakin, has been identified by cybersecurity research firm Red Canary. First tracked in January 2025, this threat uniquely combines social engineering tricking people with specially built malicious software.
---------------------------------------------
https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack/
∗∗∗ What's in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia ∗∗∗
---------------------------------------------
In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim's mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab's recent research on social engineering attacks against ASPs, another useful resource for high risk users.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-a...
∗∗∗ Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords ∗∗∗
---------------------------------------------
In recent years, users' familiarity with common phishing tactics, increasingly advanced detection and blocking by platforms, and the rise in use of Multi-Factor Authentication (MFA), have all contributed to changes in the ways that attackers phish accounts. The introduction of more secure forms of MFA, such as hardware security keys, has also closed off certain avenues of social engineering.
---------------------------------------------
https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-t...
∗∗∗ Scammers use postal mail to defraud Ledger wallet owners ∗∗∗
---------------------------------------------
Anyone dealing in cryptocurrencies and crypto assets has surely at least considered a hardware wallet such as Ledger's. A reader has now received an insufficiently stamped letter with which criminals are attempting to take over the Ledger crypto wallet and empty it.
---------------------------------------------
https://heise.de/-10453136
∗∗∗ Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion ∗∗∗
---------------------------------------------
On June 11, 2025, Huntress received contact from a partner saying that an end user had downloaded, potentially, a malicious Zoom extension. The depth of the intrusion became immediately apparent upon installing the Huntress EDR agent, and after some analysis, it was discovered that the lure used to gain access was received by the victim several weeks prior. This post aims to provide a detailed analysis from beginning to end of the intrusion, including a full breakdown of several new pieces of malware used by the threat actors.
---------------------------------------------
https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
∗∗∗ Israel-Iran Conflict Sparks Wider Cyber Conflict, New Malware ∗∗∗
---------------------------------------------
The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a wider cyber conflict in the region, including the launch of new malware campaigns.
---------------------------------------------
https://thecyberexpress.com/israel-iran-conflict-hacktivism/

=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gvisor-tap-vsock), Debian (activemq and chromium), Fedora (kea, python-django4.2, python-django5, python-setuptools, and rust-git-interactive-rebase-tool), Oracle (ipa and kernel), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, gvisor-tap-vsock, podman, and skopeo), Slackware (libblockdev and xorg), SUSE (gdm, gstreamer-plugins-base, ignition, kernel, pam, redis, s390-tools, screen, systemd, and xorg-x11-server), and Ubuntu (godot, golang-1.22, libblockdev, node-express, pam, samba, and udisks2).
---------------------------------------------
https://lwn.net/Articles/1026007/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by SUSE (apache2-mod_security2, augeas, ghc-pandoc, gstreamer, ignition, kernel, libblockdev, libxml2, nodejs20, openssl-3, pam_pkcs11, perl, python3, systemd, ucode-intel, webkit2gtk3, and xen) and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-gcp-fips, python3.13, python3.12, and roundcube).
---------------------------------------------
https://lwn.net/Articles/1026281/
∗∗∗ Critical vulnerabilities CVE-2025-6018 and CVE-2025-6019 in Linux systems ∗∗∗
---------------------------------------------
Security researchers at Qualys TRU have uncovered two linked critical vulnerabilities in Linux. Starting from SUSE 15, the local privilege escalation (LPE) chain leads directly to root access on the default configurations of many Linux distributions.
---------------------------------------------
https://www.borncity.com/blog/2025/06/19/kritische-schwachstellen-in-linux-s...
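A configuration check and the interim hardening for the second link of that chain, added here as an example; this is neither the report's nor Qualys' code. It rests on the Qualys finding that CVE-2025-6019 is in libblockdev as reached through the udisks2 daemon, whose polkit action org.freedesktop.udisks2.modify-device is granted to any active local session ("allow_active: yes") by default, and on the mitigation Qualys recommended, raising that action to auth_admin. The action id, the pkaction output layout and the rule file name are assumptions stated in the code; the sample pkaction output is constructed.

```shell
#!/bin/sh
# Added example, not from the report or from Qualys. Assumptions: CVE-2025-6019 is
# reached through udisks2, the relevant polkit action is
# org.freedesktop.udisks2.modify-device, and `pkaction --verbose` prints the
# "implicit active:" line in the layout shown in the constructed sample below.

ACTION_ID="org.freedesktop.udisks2.modify-device"

# Constructed sample of `pkaction --verbose --action-id $ACTION_ID` on an
# unhardened host: inactive sessions need admin auth, active sessions do not.
SAMPLE_EXPOSED='org.freedesktop.udisks2.modify-device:
  description:       Modify a device
  message:           Authentication is required to modify a device
  vendor:            The Udisks Project
  vendor_url:        https://github.com/storaged-project/udisks
  icon:              drive-removable-media
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes'

# check_implicit_active: given pkaction --verbose output, print "exposed" when an
# active local session can invoke the action without admin authentication,
# "hardened" when it cannot, "unknown" when the field is absent.
check_implicit_active() {
    level=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*implicit active:[[:space:]]*//p' | head -n 1)
    case "$level" in
        auth_admin|auth_admin_keep|no) echo hardened ;;
        yes|auth_self|auth_self_keep) echo exposed ;;
        *) echo unknown ;;
    esac
}

# live_check: the same classification against the running system, when polkit
# tooling is installed; otherwise "unknown".
live_check() {
    if command -v pkaction >/dev/null 2>&1; then
        check_implicit_active "$(pkaction --verbose --action-id "$ACTION_ID" 2>/dev/null)"
    else
        echo unknown
    fi
}

# hardening_rule: polkit JavaScript rule that requires admin authentication for
# the action. Install it as /etc/polkit-1/rules.d/10-udisks-modify-device.rules
# (file name assumed), then re-run live_check and expect "hardened".
hardening_rule() {
    cat <<EOF
polkit.addRule(function(action, subject) {
    if (action.id == "$ACTION_ID") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}
```

The rule only narrows the window until the libblockdev and udisks2 updates listed in the Thursday and Friday entries are installed; it does not touch the PAM side of the chain. Distributions still shipping polkit 0.105 do not read JavaScript rules, and the equivalent there is a `.pkla` file under /etc/polkit-1/localauthority/ setting `ResultActive=auth_admin` for the same action id.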
∗∗∗ Cisco Meraki MX and Z: Attackers can interrupt VPN connections ∗∗∗
---------------------------------------------
The Cisco AnyConnect VPN server on Cisco Meraki MX and Z devices is vulnerable. In addition, attackers can exploit a vulnerability in ClamAV. Security patches are available for download. So far there are no reports of attacks.
---------------------------------------------
https://heise.de/-10452498
∗∗∗ ZDI-25-408: PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-408/

∗∗∗ ZDI-25-410: Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-410/

∗∗∗ ZDI-25-409: RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-409/

∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 9, 2025 to June 15, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/06/wordfence-intelligence-weekly-wordpre...