=====================
= End-of-Day report =
=====================

Timeframe: Wednesday 16-07-2025 18:00 - Thursday 17-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================

*** KAWA4096's Ransomware Tide: Rising Threat With Borrowed Styles ***
---------------------------------------------
KAWA4096, a ransomware whose name includes "Kawa", the Japanese word for "river", first emerged in June 2025. This new threat features a leak site that follows the style of the Akira ransomware group, and a ransom note format similar to Qilin's, likely an attempt to further enrich their visibility and credibility. In this blog ..
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-ra...
*** Oracle: 309 security updates for all kinds of products ***
---------------------------------------------
For its July patch day, known as the Critical Patch Update, Oracle has announced 309 security updates. Dozens of products are vulnerable.
---------------------------------------------
https://www.heise.de/news/Oracle-309-Sicherheitsupdates-fuer-alle-moeglichen...

*** Cisco: Security vulnerabilities in several products ***
---------------------------------------------
Cisco's ISE has yet another vulnerability with the maximum severity rating. Cisco also warns of further vulnerabilities in more products.
---------------------------------------------
https://www.heise.de/news/Weitere-kritische-Luecke-in-Ciscos-ISE-10490589.ht...

*** Trump releases one billion dollars for offensive cyber operations ***
---------------------------------------------
Exactly how the money is to be used is not known. Attention is likely to be directed primarily at China.
---------------------------------------------
https://www.derstandard.at/story/3000000279549/trump-gibt-eine-milliarde-dol...
*** Google spots tailored backdoor malware aimed at SonicWall appliances ***
---------------------------------------------
Google researchers reported on a malware campaign against end-of-life SonicWall appliances, noting that the attackers were good at covering their tracks.
---------------------------------------------
https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148

*** Detection Engineering: Practicing Detection-as-Code - Repository - Part 2 ***
---------------------------------------------
This is the second part of the Practicing Detection-as-Code series, where we will cover some basic elements of designing a repository to develop, store, and deploy detections from. We'll go through several different aspects of the setup like the Git platform, branch strategy, repository structure, detections structure, taxonomies, and content packs.
---------------------------------------------
https://blog.nviso.eu/2025/07/17/detection-engineering-practicing-detection-...
*** Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public ***
---------------------------------------------
GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23, nearly two weeks before a public proof-of-concept was released on July 4.
---------------------------------------------
https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-befor...

*** Flaw in Signal App Clone Could Leak Passwords - GreyNoise Identifies Active Reconnaissance and Exploit Attempts ***
---------------------------------------------
A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessage TM SGNL. If exposed, this endpoint can return a full snapshot of heap memory, which may include plaintext usernames, passwords, and other sensitive data.
---------------------------------------------
https://www.greynoise.io/blog/active-exploit-attempts-signal-based-messaging...

*** How to catch GitHub Actions workflow injections before attackers do ***
---------------------------------------------
Strengthen your repositories against Actions workflow injections, one of the most common vulnerabilities.
---------------------------------------------
https://github.blog/security/vulnerability-research/how-to-catch-github-acti...
=====================
= Vulnerabilities =
=====================

*** Security updates for Thursday ***
---------------------------------------------
Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, linux-raspi, and linux-raspi-5.4).
---------------------------------------------
https://lwn.net/Articles/1030256/