===================== = End-of-Day report = =====================
Timeframe: Tuesday 02-12-2025 18:00 − Wednesday 03-12-2025 18:30 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs
===================== = News = =====================
∗∗∗ Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack ∗∗∗ --------------------------------------------- In just three months, the massive Aisuru botnet launched more than 1,300 distributed denial-of-service attacks, one of them setting a new record with a peak at 29.7 terabits per second. --------------------------------------------- https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-reco...
∗∗∗ Deep dive into DragonForce ransomware and its Scattered Spider connection ∗∗∗ --------------------------------------------- DragonForce expanded its ransomware operation in 2025 by working with English-speaking hackers known for advanced social engineering and initial access. Acronis explains how the "Scattered Spider" collaboration enables coordinated, multistage intrusions across major environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/deep-dive-into-dragonforce-ra...
∗∗∗ Technical Analysis of Matanbuchus 3.0 ∗∗∗ --------------------------------------------- Matanbuchus is a malicious downloader, written in C++, which has been offered as a Malware-as-a-Service (MaaS) since 2020. Over this time, Matanbuchus has undergone several development stages. In July 2025, version 3.0 of Matanbuchus was identified in-the-wild. Matanbuchus offers threat actors the option to deploy additional payloads and perform hands-on keyboard activity via shell commands. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuch...
∗∗∗ Fundamental rights: Court halts mass surveillance by the Swiss intelligence service ∗∗∗ --------------------------------------------- The Swiss Federal Administrative Court has declared the cable and signals reconnaissance (Fernmeldeaufklärung) of the Federal Intelligence Service unconstitutional, following a suit brought by civil rights activists. --------------------------------------------- https://www.heise.de/news/Grundrechte-Gericht-stoppt-Massenueberwachung-des-...
∗∗∗ False snakes: News from MuddyWater ∗∗∗ --------------------------------------------- MuddyWater has set its sights on critical infrastructure in Israel and Egypt, relying on tailored malware, improved tactics and a predictable playbook. --------------------------------------------- https://www.welivesecurity.com/de/eset-research/falsche-schlangen-neues-von-...
∗∗∗ Current wave: Phishing in the name of Volksbank ∗∗∗ --------------------------------------------- For some weeks, criminals have been sending their phishing attempts particularly often in the name of Volksbank. They rely on the familiar e-mails and SMS messages. Anyone who follows the link for a "data update" or "account unblocking" risks disclosing their online banking login credentials. --------------------------------------------- https://www.watchlist-internet.at/news/starke-welle-phishing-volksbank/
∗∗∗ India backs off mandatory cyber safety app after surveillance backlash ∗∗∗ --------------------------------------------- Mobile phone makers will no longer be required to load the Indian government's Sanchar Saathi app onto new devices after the initial announcement prompted pushback from companies and privacy groups. --------------------------------------------- https://therecord.media/india-drops-mandate-sanchar-saathi-app-privacy-surve...
∗∗∗ Small numbers of Notepad++ users reporting security woes ∗∗∗ --------------------------------------------- I’ve heard from 3 orgs now who’ve had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands on keyboard threat actors. --------------------------------------------- https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-w...
∗∗∗ Everest Ransomware Claims ASUS Breach and 1TB Data Theft ∗∗∗ --------------------------------------------- Everest ransomware group claims it breached ASUS, stealing over 1TB of data including camera source code. ASUS has been given 21 hours to respond via Qtox. --------------------------------------------- https://hackread.com/everest-ransomware-asus-breach-1tb-data/
∗∗∗ Paying the Ransom: A Short-Term Fix or Long-Term Risks? ∗∗∗ --------------------------------------------- Ransomware attacks rose by nearly 25% in 2024. If compromised, should you pay ransomware demands or not? We review the risks, reasons to pay or not, and more. --------------------------------------------- https://www.bitsight.com/blog/paying-ransom-for-ransomware
∗∗∗ Industrial control systems: Iskra iHUB remains without a security patch for now ∗∗∗ --------------------------------------------- Security updates have been released for some industrial control and automation systems, from Mitsubishi among others. One critical vulnerability, however, remains open. --------------------------------------------- https://heise.de/-11101017
===================== = Vulnerabilities = =====================
∗∗∗ Vulnerability & Patch Roundup — November 2025 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2025/11/vulnerability-patch-roundup-november-2025.ht...
∗∗∗ 100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Advanced Custom Fields: Extended WordPress Plugin ∗∗∗ --------------------------------------------- On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely. --------------------------------------------- https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-re...
∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound). --------------------------------------------- https://lwn.net/Articles/1049103/
∗∗∗ Microsoft quietly closes LNK vulnerability CVE-2025-9491 ∗∗∗ --------------------------------------------- An LNK file vulnerability (CVE-2025-9491) has been known since the end of August 2025. It can be abused on Windows for remote code execution. Microsoft initially did not want to provide a patch, but has since addressed it via an update after all. --------------------------------------------- https://www.borncity.com/blog/2025/12/03/microsoft-schliesst-stillschweigend...
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released five Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-336-01 Industrial Video & Control Longwatch; ICSA-25-336-02 Iskra iHUB and iHUB Lite; ICSMA-25-336-01 Mirion Medical EC2 Software NMIS BioDose; ICSA-25-201-01 Mitsubishi Electric CNC Series (Update A); and ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-releases-five-indust...
∗∗∗ ZDI-25-1039: (Pwn2Own) Synology BeeStation Plus auth_info Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1039/
∗∗∗ Splunk SVD-2025-1209: Third-Party Package Updates in Splunk Enterprise - December 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1209
∗∗∗ Splunk SVD-2025-1206: Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1206