=====================
= End-of-Day report =
=====================

Timeframe: Wednesday 15-10-2025 18:00 − Thursday 16-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer

=====================
= News =
=====================
∗∗∗ Fake LastPass, Bitwarden breach alerts lead to PC hijacks ∗∗∗
---------------------------------------------
An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-breac...
∗∗∗ LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets ∗∗∗
---------------------------------------------
An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv.
---------------------------------------------
https://thehackernews.com/2025/10/linkpro-linux-rootkit-uses-ebpf-to-hide.ht...
∗∗∗ Scammers are still sending us their fake Robinhood security alerts ∗∗∗
---------------------------------------------
A short while ago, our friends at Malwaretips wrote about a text scam impersonating Robinhood, a popular US-based investment app that lets people trade stocks and cryptocurrencies. The scam warns users about supposed “suspicious activity” on their accounts.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/10/scammers-are-still-sending-us...
∗∗∗ BeaverTail and OtterCookie evolve with a new Javascript module ∗∗∗
---------------------------------------------
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea.
---------------------------------------------
https://blog.talosintelligence.com/beavertail-and-ottercookie/
∗∗∗ GreyNoise’s Recent Observations Around F5 ∗∗∗
---------------------------------------------
Amid the security incident involving F5 BIG-IP announced on 15 October 2025, GreyNoise is sharing recent insights into activity targeting BIG-IP to aid in defensive posturing.
---------------------------------------------
https://www.greynoise.io/blog/recent-observations-around-f5
∗∗∗ DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using ‘EtherHiding’ to deliver malware and facilitate cryptocurrency theft, the first time GTIG has observed a nation-state actor adopting this method. This post is part of a two-part blog series on adversaries using EtherHiding, a technique that leverages transactions on public blockchains to store and retrieve malicious payloads—notable for its resilience against conventional takedown and blocklisting efforts.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhi...
∗∗∗ yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) ∗∗∗
---------------------------------------------
Today is the 8th of November 1996, and we’re thrilled to be exploring this new primitive we call Stack-based Buffer Overflows. It’s a great time to be alive, especially because we don’t have to deal with any of the pain of modern/not-so-modern mitigations. Oh no, wait, it’s 2025 and we are still seeing Stack-based Buffer Overflows in enterprise-grade appliances, and of course, lacking mainstream exploit mitigations.
---------------------------------------------
https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-...
∗∗∗ US researchers eavesdrop on unencrypted satellite communications ∗∗∗
---------------------------------------------
US researchers examined data traffic carried over satellites using off-the-shelf equipment. Much of the data, including security-relevant data, was unencrypted.
---------------------------------------------
https://heise.de/-10767623
∗∗∗ Mobile phone spying via SS7: thousands of victims were probably surveilled ∗∗∗
---------------------------------------------
An Austrian-Indonesian company offers surveillance of mobile network subscribers. No malware is needed for this, but far-reaching network access is.
---------------------------------------------
https://heise.de/-10767347
=====================
= Vulnerabilities =
=====================
∗∗∗ Gladinet fixes actively exploited zero-day in file-sharing software ∗∗∗
---------------------------------------------
Gladinet has released security updates for its CentreStack business solution to address a local file inclusion vulnerability (CVE-2025-11371) that threat actors have leveraged as a zero-day since late September.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gladinet-fixes-actively-explo...
∗∗∗ Chrome, Firefox and Thunderbird: updates close potential entry points ∗∗∗
---------------------------------------------
Updates are available for Mozilla's Firefox and Thunderbird as well as for Google's Chrome browser. No critical vulnerabilities were fixed, but several "High"-rated holes that cybercriminals could exploit were.
---------------------------------------------
https://www.heise.de/news/Chrome-Firefox-und-Thunderbird-Updates-beseitigen-...
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and libsoup3), Debian (chromium and firefox-esr), Fedora (httpd), Oracle (cups, ImageMagick, kernel, and vim), Red Hat (libssh), Slackware (samba), SUSE (alloy, exim, firefox-esr, ImageMagick, kernel, libcryptopp-devel, libQt6Svg6, libsoup-3_0-0, libtiff-devel-32bit, lsd, python3-gi-docgen, python311-Authlib, qt6-base, samba, and squid), and Ubuntu (ffmpeg, linux-oracle-6.8, redict, redis, samba, and subversion).
---------------------------------------------
https://lwn.net/Articles/1042330/
∗∗∗ CVE-2025-55315: Microsoft kills 9.9-rated ASP.NET Core bug – our highest ever score ∗∗∗
---------------------------------------------
Microsoft has patched an ASP.NET Core vulnerability with a CVSS score of 9.9, which security program manager Barry Dorrans said was "our highest ever." The flaw is in the Kestrel web server component and enables security bypass.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/10/16/microsoft_asp...
∗∗∗ Samba vulnerable through critical hole in a specific configuration ∗∗∗
---------------------------------------------
With WINS support enabled, attackers can execute commands remotely under certain conditions. Important patches and a workaround are available.
---------------------------------------------
https://heise.de/-10773288
∗∗∗ Open PLC and Planet vulnerabilities ∗∗∗
---------------------------------------------
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.
---------------------------------------------
https://blog.talosintelligence.com/open-plc-and-planet-vulnerabilities/
∗∗∗ Phoenix Contact CHARX SEC-3xxx vulnerable to code injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN42282226/
∗∗∗ Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisor...
∗∗∗ Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisor...
∗∗∗ Cisco TelePresence Collaboration Endpoint and RoomOS Software Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisor...
∗∗∗ Cisco IOS XE Software Secure Boot Bypass Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisor...
∗∗∗ K000156944: Intel vulnerability CVE-2025-20093 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000156944