=====================
= End-of-Day report =
=====================

Timeframe: Monday 11-05-2026 18:00 - Tuesday 12-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler

=====================
= News =
=====================
*** New GhostLock tool abuses Windows API to block file access ***
---------------------------------------------
A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ghostlock-tool-abuses-win...
*** Cyberattack hits vehicle manufacturer: Skoda customer data compromised ***
---------------------------------------------
An unknown attacker infiltrated a shop system used by Skoda and was able to access customer data. Access credentials are also affected.
---------------------------------------------
https://www.golem.de/news/cyberangriff-trifft-fahrzeughersteller-kundendaten...
*** Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ***
---------------------------------------------
Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation.
---------------------------------------------
https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.htm...

*** cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ***
---------------------------------------------
A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments.
---------------------------------------------
https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html
*** Verification portal for gift cards? How a quick check drains the balance ***
---------------------------------------------
Anyone who, in the course of a private online sale, is pressured into verifying gift cards bought for the payment on a dubious portal should call off the deal immediately. Nothing is actually verified there; the platform is merely a convenient way for criminals to get at the balance on the cards.
---------------------------------------------
https://www.watchlist-internet.at/news/pruefportal-fuer-gutscheinkarten/
*** Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign ***
---------------------------------------------
Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service.
---------------------------------------------
https://www.security.com/threat-intelligence/iran-seedworm-electronics

=====================
= Vulnerabilities =
=====================
*** SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA ***
---------------------------------------------
SAP has released the May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in the Commerce Cloud enterprise-grade e-commerce platform and the S/4HANA ERP suite.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sap-fixes-critical-vulnerabil...

*** VU#471747: dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation ***
---------------------------------------------
dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or, under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities.
---------------------------------------------
https://kb.cert.org/vuls/id/471747
*** Anonymizing Linux Tails: emergency update 7.7.3 fixes DirtyFrag vulnerability ***
---------------------------------------------
The anonymizing Linux distribution Tails has been released as the next emergency update, version 7.7.3. It closes the DirtyFrag vulnerability.
---------------------------------------------
https://www.heise.de/news/Anonymisierendes-Linux-Tails-Notfallupdate-7-7-3-f...

*** Node.js: escape from the vm2 sandbox possible once again ***
---------------------------------------------
A critical security vulnerability in the Node.js sandbox vm2 can let malicious code through. A security patch is available for download.
---------------------------------------------
https://www.heise.de/news/Node-js-Abermals-Ausbruch-aus-vm2-Sandbox-moeglich...

*** OpenSearch client for Node.js is also compromised – Part 2 ***
---------------------------------------------
The bad news keeps coming today. In the post "Neuer Shai-Hulud Lieferkettenangriff auf npm tanstack-Pakete; CheckMarx Jenkins-Paket infiziert" (New Shai-Hulud supply-chain attack on npm tanstack packages; CheckMarx Jenkins package infected) I had reported on two supply-chain attacks within the last two hours. The Mini Shai Hulud supply-chain attack on npm tanstack packages has expanded, and the OpenSearch client for Node.js is also compromised.
---------------------------------------------
https://borncity.com/blog/2026/05/12/opensearch-client-fuer-node-js-ist-auch...
*** May 2026 Security Update ***
---------------------------------------------
Ivanti is disclosing vulnerabilities in Ivanti Secure Access Client, Xtraction, Virtual Traffic Manager and Endpoint Manager (EPM).
---------------------------------------------
https://www.ivanti.com/blog/may-2026-security-update

*** Postmortem: TanStack npm supply-chain compromise ***
---------------------------------------------
On 2026-05-11 between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages by combining: the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. No npm tokens were stolen and the npm publish workflow itself was not compromised.
---------------------------------------------
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
*** Pi-hole update closes dnsmasq security vulnerabilities ***
---------------------------------------------
https://www.heise.de/news/Pi-hole-Update-schliesst-dnsmasq-Sicherheitsluecke...
*** LWN Security updates for Tuesday ***
---------------------------------------------
https://lwn.net/Articles/1072498/
*** Firefox 150.0.3 fixes password printing bug ***
---------------------------------------------
https://borncity.com/blog/2026/05/12/firefox-150-0-3-korrigiert-passwort-dru...