=====================
= End-of-Day report =
=====================

Timeframe:   Friday 19-12-2025 18:00 - Monday 22-12-2025 18:15
Handler:     Alexander Riepl
Co-Handler:  Felician Fuchs

=====================
=       News        =
=====================

*** RansomHouse upgrades encryption with multi-layered data processing ***
---------------------------------------------
The RansomHouse ransomware-as-a-service (RaaS) has recently upgraded its encryptor, switching from a relatively simple single-phase linear technique to a more complex, multi-layered method.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomhouse-upgrades-encrypti...

*** Malicious npm package steals WhatsApp accounts and messages ***
---------------------------------------------
A malicious package in the Node Package Manager (NPM) registry poses as a legitimate WhatsApp Web API library to steal WhatsApp messages, collect contacts, and gain access to the account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-npm-package-steals-...

*** Easy to hack: Deutschlandticket fraud reaches hundreds of millions ***
---------------------------------------------
IT security researchers have uncovered massive vulnerabilities in the Deutschlandticket. The damage caused by fraud is in the hundreds of millions.
---------------------------------------------
https://www.golem.de/news/leicht-hackbar-deutschlandticket-betrug-erreicht-d...

*** Airbus Moving Critical Systems Away From AWS, Google, and Microsoft Citing Data Sovereignty Concerns ***
---------------------------------------------
Airbus is preparing to tender a major contract to move mission-critical systems like ERP, manufacturing, and aircraft design data onto a digitally sovereign European cloud, citing national security concerns and fears around U.S. extraterritorial laws like the CLOUD Act.
---------------------------------------------
https://slashdot.org/story/25/12/19/2252254/airbus-moving-critical-systems-a...

*** Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers ***
---------------------------------------------
A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims' Microsoft 365 credentials and conduct account takeover attacks. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare.
---------------------------------------------
https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.ht...

*** ATM jackpotting gang accused of unleashing Ploutus malware across US ***
---------------------------------------------
Latest charges join the mountain of indictments facing alleged Tren de Aragua members. A Venezuelan gang described by US officials as "a ruthless terrorist organization" faces charges over alleged deployment of malware on ATMs across the country, illegally siphoning millions of dollars.
---------------------------------------------
https://www.theregister.com/2025/12/19/tren_de_aragua_atm/

*** Around 1,000 systems compromised in ransomware attack on Romanian water agency ***
---------------------------------------------
On-site staff keep key systems working while all but one region battles with encrypted PCs. Romania's cybersecurity agency confirms a major ransomware attack on the country's water management administration has compromised around 1,000 systems, with work to remediate them still ongoing.
---------------------------------------------
https://www.theregister.com/2025/12/22/around_1000_systems_compromised_in/

*** Zscaler Threat Hunting Catches Evasive SideWinder APT Campaign ***
---------------------------------------------
Zscaler Threat Hunting has identified a sophisticated espionage campaign targeting Indian entities by masquerading as the Income Tax Department of India. By reconstructing the complete attack lifecycle from a deceptive "Inspection" lure to a reflectively loaded resident implant, Zscaler Threat Hunting has observed activity which is typically associated with SideWinder APT (also known as Rattlesnake or APT-C-17).
---------------------------------------------
https://www.zscaler.com/blogs/security-research/zscaler-threat-hunting-catch...

*** l+f: Reverse engineering step by step, AI helps too ***
---------------------------------------------
A security researcher takes interested readers along on a journey into an IP camera firmware. The result is patches for TP-Link's Tapo C200 model.
---------------------------------------------
https://www.heise.de/news/l-f-Reverse-Engineering-Schritt-fuer-Schritt-KI-hi...

*** Eurostar AI vulnerability: when a chatbot goes off the rails ***
---------------------------------------------
I first encountered the chatbot as a normal Eurostar customer while planning a trip. When it opened, it clearly told me that "the answers in this chatbot are generated by AI", which is good disclosure but immediately raised my curiosity about how it worked and what its limits were.
---------------------------------------------
https://www.pentestpartners.com/security-blog/eurostar-ai-vulnerability-when...

*** Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection ***
---------------------------------------------
This report describes a phishing campaign in which attackers impersonate legitimate Google generated messages by abusing Google Cloud Application Integration to distribute malicious emails that appear to originate from trusted Google infrastructure. The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients.
---------------------------------------------
https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-goo...

*** Denmark summons Russian ambassador over alleged cyberattacks on water utility, elections ***
---------------------------------------------
Russia's ambassador to Copenhagen, Vladimir Barbin, confirmed to Russian state media on Friday that he had been called to the Danish foreign ministry, but rejected the accusations as unfounded.
---------------------------------------------
https://therecord.media/denmark-summons-russian-ambassador-cyberattack-elect...

*** Nigeria arrests suspected RaccoonO365 phishing kit developer on tip from Microsoft, FBI ***
---------------------------------------------
One of the alleged developers behind the RaccoonO365 subscription-based phishing kit was arrested by Nigerian police this week.
---------------------------------------------
https://therecord.media/nigeria-raccoon-developer-tip

*** Nefilim ransomware hacker pleads guilty to computer fraud ***
---------------------------------------------
A Ukrainian national pleaded guilty in U.S. federal court to one charge stemming from attacks using Nefilim ransomware on companies in the U.S., Canada and Australia.
---------------------------------------------
https://therecord.media/nefilim-ransomware-hacker-fraud

*** Judge rules that NSO cannot continue to install spyware via WhatsApp pending appeal ***
---------------------------------------------
NSO Group had sought to stay the order pending a decision on its appeal in the case, which centers on allegations that it targeted 1,400 WhatsApp users with its powerful zero-click Pegasus spyware in 2019.
---------------------------------------------
https://therecord.media/judge-rules-nso-cannot-continue-whatsapp-spyware

*** Hackers Abuse Popular Monitoring Tool Nezha as a Stealth Trojan ***
---------------------------------------------
Cybersecurity firm Ontinue reveals how the open-source tool Nezha is being used as a Remote Access Trojan (RAT) to bypass security and control servers globally.
---------------------------------------------
https://hackread.com/hackers-abuse-monitoring-tool-nezha-trojan/

*** Counterfeit memory: special caution is now advised ***
---------------------------------------------
During the Christmas season, counterfeit hardware tends to make the rounds. The memory shortage makes such fraud even more lucrative.
---------------------------------------------
https://heise.de/-11123055

*** "Karvi-geddon": Deficient security architecture at delivery service platform ***
---------------------------------------------
A security analysis published on GitHub shows serious deficiencies at Karvi Solutions. Tens of thousands of restaurant customers are affected.
---------------------------------------------
https://heise.de/-11122678

*** Task Injection - Exploiting agency of autonomous AI agents ***
---------------------------------------------
This blog post describes what a Task Injection attack is, how this type of attack differs from Prompt Injection, and how it is particularly relevant to AI agents designed for a wide range of actions and tasks, such as computer-use agents.
---------------------------------------------
https://bughunters.google.com/blog/4823857172971520/task-injection-exploitin...

*** A Deep Dive into A Vulnerability Apple Deemed Unexploitable ***
---------------------------------------------
I'm going to share with you an interesting race condition issue lurking in Apple's core file-copy API. Apple was aware of the security issue. But they did nothing at first because they deemed it would be nearly impossible to exploit the bug, due to the race condition's microscopic time window. But I will prove them wrong.
---------------------------------------------
https://jhftss.github.io/Exploiting-the-Impossible/

=====================
=  Vulnerabilities  =
=====================

*** Security updates for Monday ***
---------------------------------------------
Security updates have been issued by Debian (chromium, dropbear, mediawiki, php8.4, python-mechanize, rails, roundcube, usbmuxd, and wordpress), Fedora (cef, chromium, fonttools, gobuster, gosec, mingw-libpng, moby-engine, mqttcli, nextcloud, pgadmin4, python-unicodedata2, uriparser, and util-linux), Mageia (php and webkit2), Oracle (binutils, curl, gcc-toolset-13-binutils, gimp, git-lfs, kernel, openssh, php:8.3, podman, python-kdcproxy, python3.12, python3.9, skopeo, and webkit2gtk3), Red Hat (rsync), Slackware (php), SUSE (alloy, busybox, chromedriver, chromium, coredns-for-k8s, duc, firefox, kernel-devel, libpng16, libruby3_4-3_4, mariadb, netty, php8, python311-tornado6, rsync, taglib, and xen), and Ubuntu (linux-oracle-5.4, linux-raspi, linux-realtime-6.14, and linux-xilinx).
---------------------------------------------
https://lwn.net/Articles/1051572/

*** Patch Progress Kemp LoadMaster vulnerabilities (Dec. 17, 2025) ***
---------------------------------------------
A brief advance notice for administrators running the Kemp Progress load balancer. There are apparently vulnerabilities in the product that need to be patched promptly. The details are currently not public and are to be disclosed only on January 12, 2026 (I will add them here then).
---------------------------------------------
https://borncity.com/blog/2025/12/21/progress-kemp-loadmaster-schwachstellen...

*** BIOS security vulnerability: attackers can push malicious code onto Dell servers ***
---------------------------------------------
Various models in Dell's PowerEdge server line are vulnerable. Security patches are available.
---------------------------------------------
https://heise.de/-11122626

*** Security patches: DoS attacks on IBM App Connect Enterprise possible ***
---------------------------------------------
IBM's integration software offering App Connect Enterprise is vulnerable. The developers have closed a security vulnerability in current versions.
---------------------------------------------
https://heise.de/-11122938

*** Security Advisory - multiple vulnerabilities in Foxit PDF Reader & Editor ***
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html