=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-01-2026 18:00 − Monday 02-02-2026 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl

=====================
= News =
=====================

∗∗∗ Cloud storage payment scam floods inboxes with fake renewals ∗∗∗
---------------------------------------------
Over the past few months, a large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloud-storage-payment-scam-fl...

∗∗∗ NationStates confirms data breach, shuts down game site ∗∗∗
---------------------------------------------
NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-br...

∗∗∗ Panera Bread breach impacts 5.1 million accounts, not 14 million customers ∗∗∗
---------------------------------------------
The data breach notification service Have I Been Pwned says that a data breach at the U.S. food chain Panera Bread affected 5.1 million accounts, not 14 million customers as previously reported.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impa...

∗∗∗ Espionage risk: Verfassungsschutz warns against electric cars from China ∗∗∗
---------------------------------------------
Electric cars from China could theoretically be controlled remotely. The technical risks are documented, but Tesla also collects data on a massive scale.
---------------------------------------------
https://www.golem.de/news/spionagegefahr-verfassungsschutz-warnt-vor-e-autos...

∗∗∗ Text editor: Notepad++ server hacked and update traffic manipulated ∗∗∗
---------------------------------------------
Attackers managed to compromise the update infrastructure of Notepad++ and redirect traffic. The developer apologizes.
---------------------------------------------
https://www.golem.de/news/texteditor-notepad-server-gehackt-und-update-traff...

∗∗∗ Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529 ∗∗∗
---------------------------------------------
In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability (CVE-2024-54529) and a double-free vulnerability (CVE-2025-31235) in the coreaudiod system daemon through a process I call knowledge-driven fuzzing. While the first post focused on the process of finding the vulnerabilities, this post dives into the intricate process of exploiting the type confusion vulnerability.
---------------------------------------------
https://projectzero.google/2026/01/sound-barrier-2.html

∗∗∗ Google Presentations Abused for Phishing ∗∗∗
---------------------------------------------
Charlie, one of our readers, has forwarded an interesting phishing email. The email was sent to users of the Vivaldi Webmail service.
---------------------------------------------
https://isc.sans.edu/diary/rss/32668

∗∗∗ AI Coding Assistants Secretly Copying All Code to China ∗∗∗
---------------------------------------------
There’s a new report about two AI coding assistants, used by 1.5 million developers, that are surreptitiously sending a copy of everything they ingest to China. Maybe avoid using them.
---------------------------------------------
https://www.schneier.com/blog/archives/2026/02/ai-coding-assistants-secretly...

∗∗∗ Shadow Directories: A Unique Method to Hijack WordPress Permalinks ∗∗∗
---------------------------------------------
Last month, while working on a WordPress cleanup case, a customer reached out with a strange complaint: their website looked completely normal to them and their visitors, but Google search results were showing something very different. Instead of normal titles and descriptions, Google was displaying casino and gambling-related content. We have been seeing rising cases of spam on WordPress websites. What made this even more confusing was where the spam was appearing.
---------------------------------------------
https://blog.sucuri.net/2026/01/shadow-directories-a-unique-method-to-hijack...

∗∗∗ Ex-Google Engineer Convicted for Stealing AI Secrets for China Startup ∗∗∗
---------------------------------------------
A former Google engineer accused of stealing thousands of the company's confidential documents to build a startup in China has been convicted in the U.S., the Department of Justice (DoJ) announced Thursday.
---------------------------------------------
https://thehackernews.com/2026/01/ex-google-engineer-convicted-for.html

∗∗∗ Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer's resources to push malicious updates to downstream users.
---------------------------------------------
https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used.html

∗∗∗ eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware ∗∗∗
---------------------------------------------
The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.
---------------------------------------------
https://thehackernews.com/2026/02/escan-antivirus-update-servers.html

∗∗∗ Security vulnerability: replacement of further electronic health professional ID cards under way ∗∗∗
---------------------------------------------
Customers of D-Trust and SHC+Care must replace their already ECC-capable electronic health professional ID cards (eHBA). How many are affected is unclear.
---------------------------------------------
https://www.heise.de/news/Digital-Health-Tausch-weiterer-E-Heilberufsausweis...

∗∗∗ Anonymizing Linux: emergency update Tails 7.4.1 released ∗∗∗
---------------------------------------------
Tails, the Linux distribution focused on online anonymity, has been released in version 7.4.1, an emergency update.
---------------------------------------------
https://www.heise.de/news/Anonymisierendes-Linux-Notfall-Update-Tails-7-4-1-...

∗∗∗ Please Don’t Feed the Scattered Lapsus Shiny Hunters ∗∗∗
---------------------------------------------
A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion.
---------------------------------------------
https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-sh...

∗∗∗ How fake party invitations are being used to install remote access tools ∗∗∗
---------------------------------------------
“You’re invited!” It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers, giving attackers complete control of the system.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/02/how-fake-party-invita...

∗∗∗ Microsoft declares NTLM "deprecated" – to be disabled in the next Windows version ∗∗∗
---------------------------------------------
Microsoft has declared the outdated NTLM authentication in Windows "deprecated". In the next Windows version (Server and Client), NTLM will be disabled by default and Kerberos authentication becomes the standard. With this, the use of NTLM is drawing to a close.
---------------------------------------------
https://borncity.com/blog/2026/02/01/microsoft-erklaert-ntlm-als-deprecated-...

∗∗∗ US Seizes $400 Million Linked to Helix Dark Web Crypto Mixer ∗∗∗
---------------------------------------------
US authorities take control of over $400 million in crypto, cash, and property tied to Helix, a major darknet bitcoin mixing service used by drug markets.
---------------------------------------------
https://hackread.com/us-seizes-400m-helix-dark-web-crypto-mixer/

∗∗∗ Windows Malware Uses Pulsar RAT for Live Chats While Stealing Data ∗∗∗
---------------------------------------------
We usually think of computer viruses as silent, invisible programs running in the background, but a worrying discovery shows that modern hackers are getting much more personal.
---------------------------------------------
https://hackread.com/windows-malware-pulsar-rat-live-chats-steal-data/

∗∗∗ Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS ∗∗∗
---------------------------------------------
Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. As detailed in our companion report, 'Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft', these campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shi...

∗∗∗ Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft ∗∗∗
---------------------------------------------
Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunt...

∗∗∗ Manic Monday: A Day in the Life of Threat Hunting ∗∗∗
---------------------------------------------
Discover a day in the life of threat hunting with Bitsight Adversary Intelligence. Learn how security teams detect and disrupt threats before damage is done.
---------------------------------------------
https://www.bitsight.com/blog/day-in-the-life-threat-hunting

∗∗∗ Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340) ∗∗∗
---------------------------------------------
When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - actively exploited pre-auth Remote Command Execution vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) solution - we sighed with relief. Clearly, the universe had decided to continue mocking Secure-By-Design signers right on schedule - every January.
---------------------------------------------
https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-iv...

∗∗∗ The European Space Agency got hacked, and now we own the domain used! ∗∗∗
---------------------------------------------
It's not often that two of my interests align so well, but we're talking about space rockets and cyber security! Whilst Magecart and Magecart-style attacks might not be the most common attack vector at the moment, they are still happening with worrying frequency, and they are still catching out some pretty big organisations.
---------------------------------------------
https://scotthelme.ghost.io/the-european-space-agency-got-hacked-and-now-we-...

∗∗∗ archive.today is directing a DDOS attack against my blog ∗∗∗
---------------------------------------------
Around January 11, 2026, archive.today (aka archive.is, archive.md, etc) started using its users as proxies to conduct a distributed denial of service (DDOS) attack against Gyrovague, my personal blog.
---------------------------------------------
https://gyrovague.com/2026/02/01/archive-today-is-directing-a-ddos-attack-ag...

∗∗∗ Exploiting MediaTek's Download Agent ∗∗∗
---------------------------------------------
In September 2025, Chimera quietly announced “world-first” support for MediaTek’s latest Dimensity 9400 and 8400 SoCs running DAs compiled months after MediaTek had patched Carbonara. So we figured they’d either found a way around the patches, or they were sitting on something entirely new. We had to find out.
---------------------------------------------
https://blog.r0rt1z2.com/posts/exploiting-mediatek-datwo/

∗∗∗ Hacking Moltbook: The AI Social Network Any Human Can Control ∗∗∗
---------------------------------------------
1 exposed database. 35,000 emails. 1.5M API keys. And 17,000 humans behind the not-so-autonomous AI network.
---------------------------------------------
https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-ke...

∗∗∗ Inside Lodash’s Security Reset and Maintenance Reboot ∗∗∗
---------------------------------------------
For more than a decade, Lodash has been one of the most widely deployed libraries in the JavaScript ecosystem. Its utilities are deeply embedded in frameworks, build systems, and production applications across the web. Like many foundational dependencies, Lodash evolved into critical infrastructure long before the ecosystem had strong models for funding, governance, or long-term security operations.
---------------------------------------------
https://socket.dev/blog/inside-lodash-security-reset?utm_medium=feed

∗∗∗ Britain and Japan Join Forces on Cybersecurity and Strategic Minerals ∗∗∗
---------------------------------------------
Japan and Britain have agreed to expand cooperation on cybersecurity and critical mineral supply chains, framing the move as a strategic response to intensifying geopolitical, economic, and technological pressures. The British and Japanese cybersecurity strategy and agreement were confirmed during British Prime Minister Keir Starmer’s overnight visit to Tokyo, where leaders from both countries reaffirmed their commitment to collective security and economic resilience.
---------------------------------------------
https://thecyberexpress.com/britain-japanese-cybersecurity-cooperation/

∗∗∗ Russian APT28 Exploit Zero-Day Hours After Microsoft Discloses Office Vulnerability ∗∗∗
---------------------------------------------
Ukraine's cyber defenders warn Russian hackers weaponized a Microsoft zero-day within 24 hours of public disclosure, targeting government agencies with malicious documents delivering Covenant framework backdoors.
---------------------------------------------
https://thecyberexpress.com/russian-apt28-exploit-zero-day-cve-2026-21509/

∗∗∗ Default Credentials, Vulnerable Devices Exploited in Polish Energy Grid Attack ∗∗∗
---------------------------------------------
A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, lack of multi-factor authentication (MFA) and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team.
---------------------------------------------
https://thecyberexpress.com/default-credentials-polish-energy-grid-attack/

=====================
= Vulnerabilities =
=====================

∗∗∗ OpenSSL: 12 security holes, one allows malicious code execution and is critical ∗∗∗
---------------------------------------------
12 security vulnerabilities have been discovered in OpenSSL, with the help of AI tools. One of them is rated critical. Updated software is available.
---------------------------------------------
https://www.heise.de/news/OpenSSL-12-Sicherheitslecks-eines-erlaubt-Schadcod...

∗∗∗ Security patches: root attacks on IBM Db2 possible ∗∗∗
---------------------------------------------
Several security vulnerabilities put IBM's database management system Db2 at risk. Primarily, instances can crash.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatches-Root-Attacken-auf-IBM-Db2-moegl...

∗∗∗ Dell Unity: attackers can execute malicious code with root privileges ∗∗∗
---------------------------------------------
Admins should promptly install an important security update for Dell Unity Operating Environment.
---------------------------------------------
https://www.heise.de/news/Dell-Unity-Angreifer-koennen-Schadcode-mit-Root-Re...

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (iperf3, kernel, and php), Debian (ceph, pillow, pyasn1, python-django, and python-tornado), Fedora (bind9-next, cef, chromium, fontforge, java-21-openjdk, java-25-openjdk, java-latest-openjdk, mingw-python-urllib3, mingw-python-wheel, nodejs20, nodejs22, nodejs24, opencc, openssl, python-wheel, and qownnotes), Red Hat (binutils, gcc-toolset-13-binutils, gcc-toolset-14-binutils, gcc-toolset-15-binutils, java-1.8.0-openjdk, and java-25-openjdk), Slackware (expat), SUSE (bind, cacti, cacti-spine, chromedriver, chromium, dirmngr, fontforge-20251009, glib2, golang-github-prometheus-prometheus, govulncheck-vulndb, icinga2, ImageMagick, kernel, logback, openCryptoki, openssl-1_1, python311-djangorestframework, python311-pypdf, python314, python315, qemu, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm and linux-aws-fips, linux-fips, linux-gcp-fips).
---------------------------------------------
https://lwn.net/Articles/1056923/

∗∗∗ Privileged File System Vulnerability Present in a SCADA System ∗∗∗
---------------------------------------------
We detail our discovery of CVE-2025-0921. This privileged file system flaw in SCADA system Iconics Suite could lead to a denial-of-service (DoS) attack.
---------------------------------------------
https://unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921/

∗∗∗ Vulnerability & Patch Roundup — January 2026 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2026/01/vulnerability-patch-roundup-january-2026.htm...

∗∗∗ Multiple vulnerabilities in Cybozu Garoon ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN35265756/

∗∗∗ Multiple Microsoft Office products vulnerable to untrusted search path ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN04984838/

∗∗∗ Sonatype Nexus Repository vulnerable to server-side request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN64861120/

∗∗∗ OS command injection in raspap-webgui ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN27202136/

∗∗∗ ZDI-26-050: GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-26-050/

∗∗∗ AI bot: OpenClaw (Moltbot) with high-risk code injection vulnerability ∗∗∗
---------------------------------------------
https://www.heise.de/news/KI-Bot-OpenClaw-Moltbot-mit-hochriskanter-Codeschm...

∗∗∗ Multiple vulnerabilities in Native Instruments Native Access (MacOS) ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-...

∗∗∗ CVE-2025-60021 (CVSS 9.8): command injection in Apache bRPC heap profiler ∗∗∗
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/cve-2025-60021-cvss-...