=====================
= End-of-Day report =
=====================

Timeframe: Tuesday 25-11-2025 18:30 − Wednesday 26-11-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs

=====================
=       News        =
=====================

∗∗∗ Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025 ∗∗∗
---------------------------------------------
This article covers NTLM relay, credential forwarding, and other NTLM-related vulnerabilities and cyberattacks discovered in 2025.
---------------------------------------------
https://securelist.com/ntlm-abuse-in-2025/118132/

∗∗∗ Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that's capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet.
---------------------------------------------
https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html

∗∗∗ Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim Korean Leaks Data Heist ∗∗∗
---------------------------------------------
South Korea's financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware.
---------------------------------------------
https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.ht...

∗∗∗ HashJack attack shows AI browsers can be fooled with a simple ‘#’ ∗∗∗
---------------------------------------------
Hashtag-do-whatever-I-tell-you
Cato Networks says it has discovered a new attack, dubbed "HashJack," that hides malicious prompts after the "#" in legitimate URLs, tricking AI browser assistants into executing them while dodging traditional network and server-side defenses.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/11/25/hashjack_atta...

∗∗∗ Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack ∗∗∗
---------------------------------------------
This blog is intended to share an in-depth analysis of a recent multi-stage attack attributed to the Water Gamayun advanced persistent threat group (APT). Drawing on telemetry, forensic reconstruction, and known threat intelligence, the Zscaler Threat Hunting team reconstructed how a seemingly innocuous web search led to a sophisticated exploitation of a Windows MMC vulnerability, ultimately delivering hidden PowerShell payloads and final malware loaders.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack

∗∗∗ Study: [EXTERN] tags do not protect against phishing ∗∗∗
---------------------------------------------
A large-scale simulation at a German university hospital shows that common protective measures such as [EXTERN] tags fail, while technical filters work.
---------------------------------------------
https://www.heise.de/news/Studie-EXTERN-Tags-schuetzen-nicht-vor-Phishing-11...

∗∗∗ How to recognise fake pharmacies such as grazapotheke.com ∗∗∗
---------------------------------------------
With the start of the cold season, demand for online pharmacies rises. But alongside reputable providers, dangerous fakes are also active online. One example is grazapotheke.com, which appears to sell prescription-only medicines without a prescription.
---------------------------------------------
https://www.watchlist-internet.at/news/so-erkennen-sie-fake-apotheken-wie-gr...

∗∗∗ The Golden Scale: Tis the Season for Unwanted Gifts ∗∗∗
---------------------------------------------
Unit 42 shares further updates on the cybercrime group Scattered LAPSUS$ Hunters. Secure your organization this holiday season.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/

∗∗∗ MySQL 8.0 reaches end of support on 30 April 2026 ∗∗∗
---------------------------------------------
Is another software problem building up in the IT landscape? The open-source database system MySQL is very popular and widely deployed. But MySQL 8.0 reaches end of support on 30 April 2026.
---------------------------------------------
https://www.borncity.com/blog/2025/11/26/mysql-8-0-faellt-am-30-april-2026-a...

∗∗∗ Sharjah Police Experiment Exposes How Easily People Fall for Fake QR Codes ∗∗∗
---------------------------------------------
A cybersecurity experiment conducted by Sharjah Police has revealed how easily QR codes can mislead individuals, particularly when these codes promise conveniences such as free WiFi. The police placed an unbranded QR code in a public area with a simple message, “Free WiFi”, to measure how many people would scan it without verifying its source. The results revealed that 89 members of the public scanned the code without asking who placed it or whether it was legitimate.
---------------------------------------------
https://thecyberexpress.com/free-wifi-qr-code-risk-experiment/

=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#521113: Forge JavaScript library impacted by a vulnerability in signature verification. ∗∗∗
---------------------------------------------
The Forge JavaScript library provides TLS-related cryptographic utilities. A vulnerability that allows signature verification to be bypassed through crafted manipulation of ASN.1 structures, particularly in fields such as Message Authentication Code (MAC) data, was identified.
---------------------------------------------
https://kb.cert.org/vuls/id/521113

∗∗∗ ZDI-25-1019: Arista NG Firewall replace_marker Exposed Dangerous Function Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to bypass authentication on affected installations of Arista NG Firewall. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-6979.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-1019/

∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bind, binutils, delve and golang, expat, firefox, haproxy, kernel, libsoup3, libssh, libtiff, openssh, openssl, pam, podman, python-kdcproxy, shadow-utils, squid, thunderbird, vim, xorg-x11-server-Xwayland, and zziplib), Debian (cups-filters, libsdl2, linux-6.1, net-snmp, pdfminer, rails, and tryton-sao), Fedora (chromium, docker-buildkit, docker-buildx, and sudo-rs), Gentoo (librnp), Mageia (webkit2), SUSE (amazon-ssm-agent, buildah, curl, dpdk, fontforge-20251009, kernel, libIex-3_4-33, librnp0, python311, rclone, and sssd), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-aws-6.14, linux-oracle-6.14, linux-aws-fips, linux-fips, linux-gcp-fips, linux-realtime, linux-realtime-6.8, mupdf, openjdk-17, openjdk-8, and openjdk-lts).
---------------------------------------------
https://lwn.net/Articles/1048195/

∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released seven Industrial Control Systems (ICS) Advisories:
ICSA-25-329-01 Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt, Share.
ICSA-25-329-02 Rockwell Automation Arena Simulation.
ICSA-25-329-03 Zenitel TCIV-3+.
ICSA-25-329-04 Opto 22 groov View.
ICSA-25-329-05 Festo Compact Vision System, Control Block, Controller, and Operator Unit products.
ICSA-25-329-06 SiRcom SMART.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/11/25/cisa-releases-seven-indus...

∗∗∗ Nvidia DGX Spark, NeMo: Critical vulnerabilities endanger AI hardware and software ∗∗∗
---------------------------------------------
Nvidia's AI hardware and software DGX Spark and NeMo Framework are vulnerable. Security updates close several vulnerabilities. In the worst case, attackers can fully compromise systems after executing malicious code. So far there are no reports of ongoing attacks.
---------------------------------------------
https://heise.de/-11092387