=====================
= End-of-Day report =
=====================

Timeframe: Tuesday 27-05-2025 18:00 − Wednesday 28-05-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler

=====================
=       News        =
=====================
∗∗∗ GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers ∗∗∗
---------------------------------------------
GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
---------------------------------------------
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-rout...

∗∗∗ DragonForce Ransomware Strikes MSP in Supply Chain Attack ∗∗∗
---------------------------------------------
DragonForce, a ransomware "cartel" that has gained significant popularity since its debut in 2023, attacked an MSP as part of a recent supply chain attack, via known SimpleHelp bugs.
---------------------------------------------
https://www.darkreading.com/application-security/dragonforce-ransomware-msp-...

∗∗∗ Zanubis in motion: Tracing the active evolution of the Android banking malware ∗∗∗
---------------------------------------------
A comprehensive historical breakdown of Zanubis changes, including RC4 and AES encryption, credentials stealing and new targets in Peru, provided by Kaspersky GReAT experts.
---------------------------------------------
https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/11658...

∗∗∗ Fake Java Update Popup Found in Malicious WordPress Plugin ∗∗∗
---------------------------------------------
We recently assisted a customer who reported a persistent and concerning "Java Update" pop-up appearing on their WordPress website. This type of deceptive notification is a common tactic used by attackers to compromise website visitors. Our investigation revealed a malicious plugin operating stealthily within their WordPress environment.
---------------------------------------------
https://blog.sucuri.net/2025/05/fake-java-update-popup-found-in-malicious-wo...
∗∗∗ OneDrive File Picker Flaw Provides ChatGPT and Other Web Apps Full Read Access to Users’ Entire OneDrive ∗∗∗
---------------------------------------------
Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user's entire OneDrive content, rather than just the specific files selected for upload via the OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp, meaning millions of users may have already granted these apps access to their OneDrive.
---------------------------------------------
https://www.oasis.security/resources/blog/onedrive-file-picker-security-flaw...
∗∗∗ Chinese spies blamed for attempted hack on Czech government network ∗∗∗
---------------------------------------------
Czech authorities said they assessed with “a high degree of certainty” that a Chinese cyber-espionage group known as APT31, Judgment Panda, Bronze Vinewood or RedBravo tried to hack into a government network.
---------------------------------------------
https://therecord.media/czechia-accuses-china-cyber-espionage-apt31

∗∗∗ New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know ∗∗∗
---------------------------------------------
ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.
---------------------------------------------
https://hackread.com/new-phishing-campaign-dbatloader-drop-remcos-rat/

∗∗∗ Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users ∗∗∗
---------------------------------------------
ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users.
---------------------------------------------
https://hackread.com/malware-ai-models-pypi-targets-alibaba-ai-labs-users/

∗∗∗ Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day ∗∗∗
---------------------------------------------
On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. The infrastructure and execution suggest centralized planning.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-tar...
=====================
=  Vulnerabilities  =
=====================
∗∗∗ Security vulnerabilities: IBM Guardium Data Protection as an entry point for attackers ∗∗∗
---------------------------------------------
Several vulnerabilities can lead to data leaks in the context of IBM Guardium Data Protection. Updates provide a fix.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-IBM-Guardium-Data-Protection-al...
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools).
---------------------------------------------
https://lwn.net/Articles/1022853/

∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/

∗∗∗ Security Vulnerabilities fixed in Thunderbird 139 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/

∗∗∗ F5: K000151516, Python urllib vulnerability CVE-2019-9947 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151516

∗∗∗ F5: K000151520, Python vulnerabilities CVE-2018-20852, CVE-2014-4616, and CVE-2013-7040 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151520