Daily Summary - 09.05.2025

End-of-Day report

Timeframe: Thursday 08-05-2025 18:00 - Friday 09-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a

News

National Policy for Coordinated Vulnerability Disclosure (CVD)

Handling vulnerabilities in IT products and services is one of the most interesting topics in IT security. On the vendor side, the questions are how best to identify problems oneself, how to deal with reports from third parties, what the process for developing fixed versions looks like, and how to distribute the new version to customers quickly and efficiently. On the finder (researcher) side, the questions concern the legal framework for vulnerability research: what am I allowed to do, what am I certainly not allowed to do, and how do I communicate the result most sensibly?

https://www.cert.at/de/spezielles/2025/5/nationale-cvd-policy


Malicious PyPi package hides RAT malware, targets Discord devs since 2022

A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.[..] Named "discordpydebug," the package was masquerading as an error logger utility for developers working on Discord bots and was downloaded over 11,000 times since it was uploaded on March 21, 2022, even though it has no description or documentation.

https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides-rat-malware-targets-discord-devs-since-2022/


FBI: End-of-life routers hacked for cybercrime proxy networks

The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.

https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hacked-for-cybercrime-proxy-networks/


Operation PowerOFF Takes Down 9 DDoS-for-Hire Domains

Four different countries, including the United States and Germany, were included in the latest international operation alongside Europol's support.

https://www.darkreading.com/threat-intelligence/operation-poweroff-takes-down-nine-ddos-domains


Lumma Stealer, coming and going

The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive.

https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/


Warning: Fake law firm letter may contain malware!

E-mails from a purported law firm are currently circulating in which companies are accused of having infringed copyrights on content belonging to Avident Entertainment. A collection of evidence can supposedly be downloaded via a download link. But beware: the link is fraudulent and presumably leads to malware!

https://www.watchlist-internet.at/news/warnung-gefaelschtes-anwaltsschreiben-koennte-schadsoftware-enthalten/


Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader.

https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-hide-net-malware/


Bantam - Advanced PHP Backdoor Management Tool For Post Exploitation

Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload generation and obfuscation.

https://www.darknet.org.uk/2025/05/bantam-advanced-php-backdoor-management-tool-for-post-exploitation/


Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser

Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials.

https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/


Remote access trojan found in npm package with 40,000 weekly downloads

Attackers had injected malicious code into the rand-user-agent package, which is used, among other things, for automated testing and web scraping.

https://heise.de/-10377590

Vulnerabilities

Security updates for Thursday

Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django).

https://lwn.net/Articles/1020545/


Security updates for Friday

Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11).

https://lwn.net/Articles/1020653/


Security vulnerabilities: F5 BIG-IP appliances are vulnerable in several places

https://heise.de/-10377584


Joomla: [20250402] - Core - MFA Authentication Bypass

https://developer.joomla.org/security-centre/964-20250402-core-mfa-authentication-bypass.html


Pixmeo OsiriX MD

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01


Hitachi Energy RTU500 Series

https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02


Horner Automation Cscape

https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01


Mitsubishi Electric CC-Link IE TSN

https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03