End-of-Day report
Timeframe: Donnerstag 08-05-2025 18:00 - Freitag 09-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Nationale Policy für die koordinierte Offenlegung von Schwachstellen (CVD)
Der Umgang mit Schwachstellen in IT Produkten und Dienstleistungen ist eine der spannenden Themen in der IT-Sicherheit. Seitens der Hersteller stellt sich die Frage, wie man am besten selbst Probleme identifiziert, wie man mit Meldungen von Dritten am umgeht, wie der Prozess zur Entwicklung von korrigierten Versionen aussieht und wie man diese neue Version schnell und effizient an die Kunden verteilt. Seitens der Finder (Researcher) stellen sich Fragen nach den rechtlichen Rahmenbedingungen für die Schwachstellensuche: was darf ich, was sicher nicht, und wie kommuniziere ich das Ergebnis am sinnvollsten?
https://www.cert.at/de/spezielles/2025/5/nationale-cvd-policy
Malicious PyPi package hides RAT malware, targets Discord devs since 2022
A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.[..] Named "discordpydebug," the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation.
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides-rat-malware-targets-discord-devs-since-2022/
FBI: End-of-life routers hacked for cybercrime proxy networks
The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hacked-for-cybercrime-proxy-networks/
Operation PowerOFF Takes Down 9 DDoS-for-Hire Domains
Four different countries, including the United States and Germany, were included in the latest international operation alongside Europols support.
https://www.darkreading.com/threat-intelligence/operation-poweroff-takes-down-nine-ddos-domains
Lumma Stealer, coming and going
The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive.
https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
Warnung: Gefälschtes Anwaltsschreiben könnte Schadsoftware enthalten!
Derzeit kursieren E-Mails einer angeblichen Anwaltskanzlei, in denen Unternehmen beschuldigt werden, Urheberrechte an Inhalten von Avident Entertainment verletzt zu haben. Über einen Download-Link kann eine Sammlung von Beweisen heruntergeladen werden. Aber Vorsicht: Der Link ist betrügerisch und enthält vermutlich Schadsoftware!
https://www.watchlist-internet.at/news/warnung-gefaelschtes-anwaltsschreiben-koennte-schadsoftware-enthalten/
Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources
Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader.
https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-hide-net-malware/
Bantam - Advanced PHP Backdoor Management Tool For Post Exploitation
Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload generation and obfuscation.
https://www.darknet.org.uk/2025/05/bantam-advanced-php-backdoor-management-tool-for-post-exploitation/
Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser
Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials.
https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/
Remote-Access-Trojaner in npm-Paket mit 40.000 wöchentlichen Downloads gefunden
Angreifer hatten das Paket rand-user-agent, das unter anderem für automatische Tests und zum Web-Scraping dient, mit Schadcode versehen.
https://heise.de/-10377590
Vulnerabilities
Security updates for Thursday
Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django).
https://lwn.net/Articles/1020545/
Security updates for Friday
Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11).
https://lwn.net/Articles/1020653/
Sicherheitslücken: F5 BIG-IP-Appliances sind an mehreren Stellen verwundbar
https://heise.de/-10377584
Joomla: [20250402] - Core - MFA Authentication Bypass
https://developer.joomla.org/security-centre/964-20250402-core-mfa-authentication-bypass.html
Pixmeo OsiriX MD
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01
Hitachi Energy RTU500 Series
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02
Horner Automation Cscape
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01
Mitsubishi Electric CC-Link IE TSN
https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03