End-of-Day report
Timeframe: Friday 06-06-2025 18:00 - Tuesday 10-06-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
Over 84,000 Roundcube instances vulnerable to actively exploited flaw
Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit.
https://www.bleepingcomputer.com/news/security/over-84-000-roundcube-instances-vulnerable-to-actively-exploited-flaw/
FIN6 hackers pose as job seekers to backdoor recruiters' devices
In a twist on typical hiring-related social engineering attacks, the FIN6 hacking group impersonates job seekers to target recruiters, using convincing resumes and phishing sites to deliver malware.
https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-seekers-to-backdoor-recruiters-devices/
Windows: design flaw allows group policies to be bypassed
Windows harbours a design problem that allows ordinary users and malware to override group policies set by admins. A report by ..
https://www.golem.de/news/windows-designproblem-erlaubt-aushebeln-von-gruppenrichtlinien-2506-196925.html
Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs
SentinelOne discovered the campaign when they tried to hit the security vendor's own servers. An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out.
https://www.theregister.com/2025/06/09/china_malware_flip_switch_sentinelone/
DanaBleed: DanaBot C2 Server Memory Leak Bug
DanaBot is a Malware-as-a-Service (MaaS) platform that has been active since 2018. DanaBot operates on an affiliate model, where the malware developer sells access to customers who then distribute and use the malware for activities like credential theft and banking fraud. The developer is responsible for creating the malware, maintaining the ..
https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server-memory-leak-bug
Microsoft: remedy for security vulnerability caused by deleted "inetpub" folder
A Windows update created an "inetpub" folder. If it is deleted, this may block further updates. A script helps.
https://www.heise.de/news/Microsoft-Abhilfe-fuer-Sicherheitsluecke-durch-geloeschte-inetpub-Ordner-10437103.html
SAP Patch Day: another critical security vulnerability in NetWeaver
On its June Patch Day, SAP addresses partly critical security vulnerabilities in its products from Walldorf in 14 new security notes.
https://www.heise.de/news/SAP-Patchday-Erneut-kritische-Sicherheitsluecke-in-Netweaver-10438217.html
Malvertising: searching for standard Mac commands delivers infostealer
A perfidious scheme: when searching for standard macOS commands, pages appear that display commands for installing malware.
https://www.heise.de/news/Malvertising-Suche-nach-Standardbefehlen-fuer-Macs-liefert-Infostealer-10438747.html
Phishing alert: ex-employee is not giving away discount codes!
Videos and posts on social media platforms give the impression that a dismissed employee of a large retail company is giving away discount codes, as revenge on her former employer. In reality, it is nothing more than a simple phishing trap.
https://www.watchlist-internet.at/news/phishing-alarm-rabattcodes/
Fake emails in the name of the WKO in circulation!
Fraudulent emails are currently circulating that claim to come from the Austrian Federal Economic Chamber (WKO). In these fake messages, business owners are asked to pay the 2025 chamber levy and at the same time lured into disclosing their WKO login credentials.
https://www.watchlist-internet.at/news/falsche-e-mails-im-namen-der-wko-im-umlauf/
The Evolution of Linux Binaries in Targeted Cloud Operations
Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files.
https://unit42.paloaltonetworks.com/elf-based-malware-targets-cloud/
New hacker group uses LockBit ransomware variant to target Russian companies
In its latest campaign this spring, DarkGaboon was observed deploying LockBit 3.0 ransomware against victims in Russia, Positive Technologies said in a report last week.
https://therecord.media/new-hacker-group-lockbit-target-russia
Spyware maker cuts ties with Italy after government refused audit into hack of journalist's phone
Israel-based spyware maker Paragon and Italy's government had a falling out over the company's offer to help investigate what happened on journalist Francesco Cancellato's phone.
https://therecord.media/paragon-spyware-maker-cuts-ties-italy-government
Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats
GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces.
https://www.greynoise.io/blog/coordinated-brute-force-activity-targeting-apache-tomcat-manager
Bitsight Identifies Thousands of Security Cameras Openly Accessible on the Internet
In our latest research at Bitsight TRACE, we found over 40,000 exposed cameras streaming live on the internet. No passwords. No protections. Just out there. We first raised the alarm in 2023, and based on this latest study, the situation hasn't gotten any better.
https://www.bitsight.com/blog/bitsight-identifies-thousands-of-compromised-security-cameras
Vulnerabilities
Security updates for Monday
Security updates have been issued by AlmaLinux (golang, nodejs22, thunderbird, and varnish), Debian (gimp, modsecurity-apache, python-tornado, and roundcube), Fedora (chromium, coreutils, fcgi, ghostscript, krb5, libvpx, mingw-gstreamer1-plugins-bad-free, mingw-libsoup, mod_security, and samba), Mageia (php-adodb, systemd, and tomcat), Red Hat (buildah, firefox, glibc, grafana, kernel, libsoup, libxslt, mod_security, perl-FCGI, podman, python-tornado, and skopeo), Slackware (libvpx), and SUSE ..
https://lwn.net/Articles/1024625/
Security Vulnerabilities fixed in Firefox 139.0.4
https://www.mozilla.org/en-US/security/advisories/mfsa2025-47/
June Security Update
https://www.ivanti.com/blog/june-security-update