Daily summary - 17.12.2025

End-of-Day report

Timeframe: Tuesday 16-12-2025 19:10 - Wednesday 17-12-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a

News

Amazon disrupts Russian GRU hackers attacking edge network devices

The Amazon Threat Intelligence team has disrupted active operations attributed to hackers working for the Russian foreign military intelligence agency, the GRU, who targeted customers' cloud infrastructure.

https://www.bleepingcomputer.com/news/security/amazon-disrupts-russian-gru-hackers-attacking-edge-network-devices/


Cellik Android malware builds malicious versions from Google Play apps

A new Android malware-as-a-service (MaaS) named Cellik is being advertised on underground cybercrime forums offering a robust set of capabilities that include the option to embed it in any app available on the Google Play Store.

https://www.bleepingcomputer.com/news/security/cellik-android-malware-builds-malicious-versions-from-google-play-apps/


Attackers Use Stolen AWS Credentials in Cryptomining Campaign

Threat actors wielding stolen AWS Identity and Access Management (IAM) credentials leverage Amazon EC and EC2 infrastructure across multiple customer environments.

https://www.darkreading.com/cloud-security/attackers-use-stolen-aws-credentials-cryptomining


Deliberate Internet Shutdowns

For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted "to prevent immoral activities." No additional explanation was given. The timing couldn't have been worse: communities still reeling from a major earthquake lost emergency communications, flights were grounded, and banking was interrupted.

https://www.schneier.com/blog/archives/2025/12/deliberate-internet-shutdowns.html


GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads

A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.

https://www.thehackernews.com/2025/12/ghostposter-malware-found-in-17-firefox.html


APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine.

https://www.thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html


New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky. The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown.

https://www.thehackernews.com/2025/12/new-forumtroll-phishing-attacks-target.html


China's Ink Dragon hides out in European government networks

Misconfigured servers are in, 0-days out
Chinese espionage crew Ink Dragon has expanded its snooping activities into European government networks, using compromised servers to create illicit relay nodes for future operations.

https://www.theregister.com/2025/12/16/chinas_ink_dragon_hides_out/


Microsoft security updates break MSMQ on older Win systems

Folder permission changes cause queue failures and misleading error messages, no real fix yet
Microsoft has good news for administrators: while some organizations now pay for security updates on older Windows versions, the inconsistent quality remains free.

https://www.theregister.com/2025/12/17/microsoft_admits_that_message_queuing/


NATO's battle for cloud sovereignty: Speed is existential

Build a digital backbone faster than adversaries can evolve or lose the information war
NATO is in an existential race to develop sovereign cloud-based technologies to underpin its mission, the alliance's Assistant Secretary General for Cyber and Digital Transformation told an audience at the Royal United Services Institute (RUSI) last week.

https://www.theregister.com/2025/12/17/sovereign_cloud_is_existential_nato/


BlindEagle Targets Colombian Government Agency with Caminho and DCRAT

In early September 2025, Zscaler ThreatLabz discovered a new spear phishing campaign attributed to BlindEagle, a threat actor who operates in South America and targets users in Spanish-speaking countries, such as Colombia. In this campaign, BlindEagle targeted a government agency under the control of the Ministry of Commerce, Industry and Tourism (MCIT) in Colombia using a phishing email sent from what appears to be a compromised account within the same organization.

https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat


WhatsApp and Signal: privacy attackable, tracker software available

The WhatsApp and Signal messengers leak information about users through the timing of delivery receipts. One setting helps.

https://www.heise.de/news/WhatsApp-und-Signal-Privatsphaere-angreifbar-Tracker-Software-verfuegbar-11117533.html


Telekom launches system against scam calls

Someone calls, the number is not in your contacts. You pick up and get drawn into a conversation. That is usually not a good idea.

https://www.heise.de/news/Telekom-startet-System-gegen-Betrugsanrufe-11117623.html


Inside a purchase order PDF phishing campaign

A "purchase order" PDF blocked by Malwarebytes led to a credential-harvesting phishing site. So we analyzed the attack and where the data went next.

https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-order-pdf-phishing-campaign


System warning? Virus found? What dangers pop-up windows can pose

They are probably among the most unpopular inventions of the internet: pop-up windows. Unsurprisingly, they have long been used for dubious schemes as well. What lurks behind the notifications and how to recognise a possible scam attempt.

https://www.watchlist-internet.at/news/dubiose-popup-fenster/


From Linear to Complex: An Upgrade in RansomHouse Encryption

Operators behind RansomHouse, a ransomware-as-a-service (RaaS) group, have upgraded their encryption methods from single-phase to complex and layered.

https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/


ESET Threat Report H2 2025

The second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape.

https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/


There's Payloads, And Then There's pAIloads: A Look At Selected Opportunistic (And Possibly AI-"Enhanced") React2Shell Probes and Attacks

Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.

https://www.greynoise.io/blog/react2shell-payload-analysis

Vulnerabilities

VU#382314: Vulnerability in UEFI firmware modules prevents IOMMU initialization on some UEFI-based motherboards

A newly identified vulnerability in some UEFI-supported motherboard models leaves systems vulnerable to early-boot DMA attacks across architectures that implement UEFI and IOMMU.

https://kb.cert.org/vuls/id/382314


Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager

On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4


HPE OneView: critical vulnerability allows code injection from the network

In HPE's OneView, malicious actors can inject malicious code from the network without authentication. An update is available.

https://www.heise.de/news/HPE-OneView-Kritische-Luecke-erlaubt-Codeschmuggel-aus-dem-Netz-11117707.html


Two Chrome flaws could be triggered by simply browsing the web: Update now

Google has patched two flaws in Chrome, both of which can be triggered remotely when a user loads specially crafted web content.

https://www.malwarebytes.com/blog/news/2025/12/two-chrome-flaws-could-be-triggered-by-simply-browsing-the-web-update-now


TYPO3-EXT-SA-2025-016: Vulnerability in bundled package in extension "Single Sign-on with SAML" (md_saml)

It has been discovered that the extension "Single Sign-on with SAML" (md_saml) bundles a vulnerable version of "onelogin/php-saml" which is susceptible to Authentication Bypass.

https://typo3.org/security/advisory/typo3-ext-sa-2025-016


Security updates for Wednesday

Security updates have been issued by Debian (node-url-parse), Fedora (assimp, conda-build, mod_md, util-linux, and webkitgtk), Oracle (firefox), SUSE (chromium, librsvg, poppler, python311, qemu, strongswan, webkit2gtk3, wireshark, and xen), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-5.15, linux-azure-fips, and linux-raspi, linux-raspi-realtime, linux-xilinx).

https://lwn.net/Articles/1050942/


WebKitGTK and WPE WebKit Security Advisory WSA-2025-0010

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
CVE-2025-14174
Versions affected: WebKitGTK and WPE WebKit before 2.50.4.
Credit to Apple and Google Threat Analysis Group.
Impact: Processing maliciously crafted web content may lead to memory corruption.

https://webkitgtk.org/security/WSA-2025-0010.html


Countless security vulnerabilities closed in IBM DataPower Gateway

Attackers can attack IBM's security and integration platform DataPower Gateway via various routes.

https://heise.de/-11118285


ZDI-25-1104: Sante PACS Server HTTP Content-Length Header Handling NULL Pointer Dereference Denial-of-Service Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-25-1104/


[F5] K000158176: NGINX Ingress Controller vulnerability CVE-2025-14727

https://my.f5.com/manage/s/article/K000158176