Daily Summary - 24.10.2025

End-of-Day report

Timeframe: Thursday 23-10-2025 18:00 - Friday 24-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs

News

Attacks against Microsoft WSUS installations - update available

Microsoft has disclosed a critical vulnerability in Windows Server Update Services (WSUS) that allows unauthenticated attackers to execute arbitrary code remotely on affected servers. The flaw stems from insecure deserialization of untrusted data in a legacy serialization mechanism. Microsoft had already released an initial patch on 14 October; that fix proved insufficient and has now been corrected with an out-of-band update.

https://www.cert.at/de/warnungen/2025/10/angriffe-gegen-microsoft-wsus-installationen-update-verfugbar
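As an added example (not code from CERT.at or Microsoft), the following PowerShell function gives an administrator a quick exposure check for a Windows Server host: is the WSUS role installed, which of the WSUS ports are listening and on which addresses, and which updates were installed since the initial 14 October patch, so the host can be cross-checked against Microsoft's advisory. Assumptions: it is run elevated on Windows Server with the ServerManager and NetTCPIP modules that ship with the OS; the ports default to 8530 (HTTP) and 8531 (HTTPS) but are a parameter because WSUS can be configured differently; the function name and output fields are this example's own.

```powershell
# Added example, not part of the CERT.at advisory. Reports WSUS exposure on
# the local host so the out-of-band update can be prioritised.
# Assumptions: elevated session on Windows Server; Get-WindowsFeature
# (ServerManager) and Get-NetTCPConnection (NetTCPIP) available.
function Get-WsusExposure {
    [CmdletBinding()]
    param(
        # Default WSUS ports; override if the server was configured otherwise.
        [int[]]$Port = @(8530, 8531),
        # Date of Microsoft's first, insufficient patch (from the advisory text).
        [datetime]$Since = (Get-Date '2025-10-14')
    )

    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $roleInstalled = [bool]($feature -and $feature.Installed)

    # Only listening sockets matter for an unauthenticated remote vector.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Port -contains $_.LocalPort }

    $bindings = foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress   # 0.0.0.0 or :: means every interface
            LocalPort    = $l.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }

    # A wildcard bind means the service answers on every interface; whether it
    # is actually reachable from the internet must then be checked at the
    # firewall or network edge, which this local check cannot see.
    $wildcard = $bindings | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }

    # Updates installed on or after the first patch date, to compare with the
    # KB numbers in Microsoft's advisory (not hard-coded here on purpose).
    $recent = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        WsusInstalled    = $roleInstalled
        ListeningPorts   = @($bindings.LocalPort | Sort-Object -Unique)
        Bindings         = @($bindings)
        BoundToAllIfs    = [bool]$wildcard
        UpdatesSincePatch = @($recent)
    }
}

# Usage: run on each WSUS server and review the result.
Get-WsusExposure | Format-List
```

A host with WsusInstalled set to true and BoundToAllIfs set to true should be treated as the first candidate for the out-of-band update; an empty UpdatesSincePatch list on such a host means neither the 14 October patch nor the corrected one has been applied.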


Fake LastPass death claims used to breach password vaults

LastPass is warning customers of a phishing campaign whose emails claim that an access request to the recipient's password vault has been submitted as part of the legacy (inheritance) process, which hands a vault to a designated person after the owner's death.

https://www.bleepingcomputer.com/news/security/fake-lastpass-death-claims-used-to-breach-password-vaults/


3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation

A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads.

https://thehackernews.com/2025/10/3000-youtube-videos-exposed-as-malware.html


APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign

A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT.

https://thehackernews.com/2025/10/apt36-targets-indian-government-with.html


LockBit Returns - and It Already Has Victims

LockBit is back. After being disrupted in early 2024, the ransomware group has resurfaced and is already extorting new victims.

https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-victims/


Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques

Trend Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows systems. This cross-platform execution can make detection challenging for enterprises.

https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html


Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X

New Android malware Baohuo hijacks Telegram X accounts, stealing data and controlling chats. Over 58,000 devices infected, mainly in India and Brazil.

https://hackread.com/baohuo-android-malware-telegram-x-hijacks-accounts/


Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials

Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the digital advertising and marketing sectors. The actor effectively uses social engineering to deliver malware and phishing kits, ultimately aiming to compromise high-value corporate accounts, in order to hijack digital advertising accounts. GTIG tracks parts of this activity as UNC6229.

https://cloud.google.com/blog/topics/threat-intelligence/vietnamese-actors-fake-job-posting-campaigns/

Vulnerabilities

Atlassian Jira Data Center: attackers can exfiltrate data

Security updates fix security issues in Atlassian Confluence Data Center and Jira Data Center.

https://www.heise.de/news/Atlassian-Jira-Data-Center-Angreifer-koennen-Daten-abgreifen-10851118.html


Security updates for Friday

Security updates have been issued by AlmaLinux (webkit2gtk3), Debian (bind9, chromium, python-internetarchive, and tryton-sao), Fedora (dokuwiki and php-php81_bc-strftime), Mageia (firefox, nss & rootcerts and thunderbird), Slackware (openssl), SUSE (bleachbit, chromium, kernel, mozilla-nss, and python311-uv), and Ubuntu (fetchmail, golang-go.crypto, and linux-oracle-5.4).

https://lwn.net/Articles/1043235/


CISA Releases Eight Industrial Control Systems Advisories

CISA released eight Industrial Control Systems (ICS) Advisories:
ICSA-25-296-01 AutomationDirect Productivity Suite
ICSA-25-296-02 ASKI Energy ALS-Mini-S8 and ALS-Mini-S4
ICSA-25-296-03 Veeder-Root TLS4B Automatic Tank Gauge System
ICSA-25-296-04 Delta Electronics ASDA-Soft
ICSMA-25-296-01 NIHON KOHDEN Central Monitor CNS-6201
ICSA-25-037-02 Schneider Electric EcoStruxure (Update C)
ICSA-24-116-02 Hitachi Energy MACH SCM (Update A)
ICSA-25-259-01 Schneider Electric Altivar products, ATVdPAC module, ILC992 InterLink Converter (Update A)

https://www.cisa.gov/news-events/alerts/2025/10/23/cisa-releases-eight-industrial-control-systems-advisories