End-of-Day report
Timeframe: Friday 23-05-2025 18:00 - Monday 26-05-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying
An example of how a single malware operation can enable both criminal and state-sponsored hacking.
https://arstechnica.com/security/2025/05/feds-charge-16-russians-allegedly-tied-to-botnets-used-in-cyberattacks-and-spying/
GitLab Duo: hidden comment lets AI tool leak private code
GitLab Duo recently had serious security problems. Attackers could exfiltrate private source code or inject malicious code into other people's software projects.
https://www.golem.de/news/gitlab-duo-versteckter-kommentar-laesst-ki-tool-privaten-code-leaken-2505-196567.html
Fake Google Meet Page Tricks Users into Running PowerShell Malware
Last month, a customer reached out to us after noticing suspicious URLs on their WordPress site. Visitors reported being prompted to perform unusual actions. We began our investigation, scanning the site for common ..
https://blog.sucuri.net/2025/05/fake-google-meet-page-tricks-users-into-running-powershell-malware.html
Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique
The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory ..
https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html
Operation Endgame 2: 15 million e-mail addresses and 43 million passwords
"Operation Endgame 2.0" brought many millions of victims' e-mail addresses and passwords to light. Have I Been Pwned has added them to its corpus.
https://www.heise.de/news/Operation-Endgame-2-15-Millionen-E-Mail-Adressen-und-43-Millionen-Passwoerter-10396199.html
New supply-chain attack using malicious scripts in npm packages
A new supply-chain attack threatens developer workstations and CI environments. The malicious script harvests internal data to prepare follow-on attacks.
https://www.heise.de/news/Neuer-Lieferkettenangriff-mit-boesartigen-Skripten-in-npm-Paketen-10396215.html
Criminal group "Careto" allegedly directed by the Spanish government
It is not only China and Russia that steer cyber gangs. Former Kaspersky employees claim that the "Careto" group is directed by Spain.
https://www.heise.de/news/Kriminelle-Gruppe-Careto-angeblich-von-spanischer-Regierung-gelenkt-10396673.html
Hacker offers 1.2 billion Facebook user records on the darknet - is it a fake?
Has there been a new data leak at Meta subsidiary Facebook? A hacker claims to have pulled 1.2 billion Facebook user records via an API and is offering them for sale on the darknet. There are doubts, however, about whether this data is actually new.
https://www.borncity.com/blog/2025/05/23/hacker-bietet-12-milliarden-facebook-nutzerdaten-im-darknet-ist-es-ein-fake/
Offensive Threat Intelligence
CTI isn't just for blue teams. Used properly, it sharpens red team tradecraft, aligns ops to real-world threats, and exposes blind spots defenders often miss. It's not about knowing threats, it's about becoming them long enough to help others beat them.
https://blog.zsec.uk/offensive-cti/
Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking
AhnLab and the National Cyber Security Center (NCSC) have released a report that details the activities of the TA-ShadowCricket group from 2023 to the present.
https://asec.ahnlab.com/en/88137/
ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks
Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.
https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/
BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover
Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any-
https://hackread.com/badsuccessor-exploits-windows-server-2025-takeover/
How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel's SMB implementation
In this post I'll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI's o3 model. I found the vulnerability with nothing more complicated than the o3 API - no scaffolding, no agentic frameworks, no tool use.
https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/
Bypassing MTE with CVE-2025-0072
In this post, I'll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-2025-0072/
The Windows Registry Adventure #7: Attack surface analysis
In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally ..
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventure-7-attack-surface.html
Vulnerabilities
DSA-5924-1 intel-microcode - security update
This update ships updated CPU microcode for some types of Intel CPUs. In particular it provides mitigations for the Indirect Target Selection (ITS) vulnerability (CVE-2024-28956) and the Branch Privilege Injection vulnerability (CVE-2024-45332). For CPUs affected by ITS (Indirect Target Selection), to fully mitigate the vulnerability it is also necessary to ..
https://lists.debian.org/debian-security-announce/2025/msg00087.html
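A check worth running after installing the microcode update (and the kernel-side part the advisory refers to): the Linux kernel reports its view of each speculative-execution issue as one file under /sys/devices/system/cpu/vulnerabilities, with ITS appearing as indirect_target_selection on kernels that carry the fix. The script below is an added example, not part of the Debian advisory or any Debian tooling; the status strings in its sample directory are constructed in the shape of the kernel's output so the script also runs on hosts without that sysfs interface.

```shell
#!/bin/sh
# Added example (not from the Debian advisory): summarise the kernel's view of
# CPU speculative-execution mitigations from sysfs. After the intel-microcode
# and kernel updates, entries such as indirect_target_selection should read
# "Mitigation: ..." rather than "Vulnerable...".

SYSFS_VULNS=/sys/devices/system/cpu/vulnerabilities

# Map one status string, as the kernel prints it, to a one-word verdict.
classify() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo unknown ;;   # e.g. "Unknown: ..." on some kernels
    esac
}

# Print "<entry> <verdict> <raw status>" for every file in DIR (default: live sysfs).
vuln_status() {
    dir="${1:-$SYSFS_VULNS}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-30s %-10s %s\n' "$(basename "$f")" "$(classify "$status")" "$status"
    done
}

# Echo the number of entries still reported as Vulnerable; the exit status stays
# 0 so the function is safe to call from `set -e` scripts.
count_vulnerable() {
    dir="${1:-$SYSFS_VULNS}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify "$(cat "$f")")" = VULNERABLE ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample (not captured from a real host): status strings in the
# shape the kernel uses, written to a temporary directory so the example runs
# on machines without this sysfs interface.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: Aligned branch/return thunks\n' > "$d/indirect_target_selection"
    printf 'Mitigation: Clear Register File\n'          > "$d/reg_file_data_sampling"
    printf 'Vulnerable: No microcode\n'                 > "$d/spec_rstack_overflow"
    printf 'Not affected\n'                             > "$d/meltdown"
    echo "$d"
}

if [ -d "$SYSFS_VULNS" ]; then
    vuln_status
    echo "vulnerable entries: $(count_vulnerable)"
else
    sample=$(make_sample_dir)
    vuln_status "$sample"
    echo "vulnerable entries: $(count_vulnerable "$sample")"
    rm -rf "$sample"
fi
```

A status that still starts with "Vulnerable" after both updates is the case the advisory's last sentence is about: the microcode package alone does not complete the ITS mitigation, so check the kernel side as well before closing the ticket.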