End-of-Day report
Timeframe: Tuesday 10-06-2025 18:00 - Wednesday 11-06-2025 18:00
Handler: Alexander Riepl
Co-Handler: Guenes Holler
News
Microsoft Outlook to block more risky attachments used in attacks
Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month.
https://www.bleepingcomputer.com/news/security/microsoft-outlook-to-block-more-risky-attachments-used-in-attacks/
ConnectWise rotating code signing certificates over security concerns
ConnectWise is warning customers that it is rotating the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables over security concerns.
https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-signing-certificates-over-security-concerns/
Tens of thousands of surveillance cameras stream unprotected onto the internet
Surveillance cameras are everywhere: in subways, on doorbells and in elevators. Often you don't even notice them, because there are now such small and inconspicuous models. American security researchers are now warning how easy it is for third parties to gain access to the feeds of such surveillance cameras. In a test, the experts at Bitsight were able to retrieve live feeds from a total of 40,000 cameras that were connected to the internet.
https://futurezone.at/digital-life/zehntausende-ueberwachungskameras-streamen-ungeschuetzt-netz/403048969
Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th)
RATs are popular malware. There are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated.
https://isc.sans.edu/diary/rss/32036
Trump Quietly Throws Out Biden's Cyber Policies
An anonymous reader quotes a report from Axios: President Trump quietly took a red pen to much of the Biden administration's cyber legacy in a little-noticed move late Friday. Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Biden's cyber policy legacy - while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber
https://it.slashdot.org/story/25/06/10/2044217/trump-quietly-throws-out-bidens-cyber-policies?utm_source=rss1.0mainlinkanon&utm_medium=feed
Unexplained phishing incidents surrounding Booking.com
Hotels in South Tyrol are increasingly dealing with compromised Booking.com extranet accounts, which they use to communicate with guests. Why is still unclear.
https://www.heise.de/news/Ungeklaerte-Phishing-Vorfaelle-rund-um-Booking-com-10439567.html
UEFI BIOS vulnerabilities: Secure Boot bypass and firmware replacement possible
Two different security vulnerabilities in various UEFI BIOS versions from several vendors allow the Secure Boot mechanism to be bypassed. In UEFI BIOSes from Insyde, attackers can even replace the firmware. Vulnerable systems can thereby be completely compromised. Proof-of-concept code for this is publicly available. System manufacturers are working on BIOS updates to close the vulnerabilities.
https://www.heise.de/news/UEFI-BIOS-Luecken-SecureBoot-Umgehung-und-Firmware-Austausch-moeglich-10440016.html
Reflective Kerberos Relay Attack Against Domain-Joined Windows Clients and Servers
RedTeam Pentesting has developed the Reflective Kerberos Relay Attack which remotely allows low-privileged Active Directory domain users to obtain NT AUTHORITY\SYSTEM privileges on domain-joined Windows computers. This vulnerability affects all domain-joined Windows hosts that do not require SMB signing of incoming connections. In their default configurations, this includes all Windows 10 and 11 versions up to 23H2 and all Windows Server versions including 2025 24H2 and excluding domain controllers.
https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-002/
Inside Stealth Falcon's Espionage Campaign Using a Microsoft Zero-Day
https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campaign-using-a-microsoft-zero-day/
UK cyber agency pushes for strategic policy agenda as government efforts stall
Following years-long delays in the United Kingdom bringing forward new cybersecurity legislation, what seems to be an increasingly exasperated National Cyber Security Centre (NCSC) called on Monday for the country to adopt a strategic policy agenda to tackle the growing risks.
https://therecord.media/ncsc-pushes-uk-government-create-strategic-cyber-policy-agenda
Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested
An international cybercrime operation coordinated by INTERPOL has led to the takedown of more than 20,000 malicious IPs and domains used to deploy infostealer malware across the Asia-Pacific region.
https://hackread.com/operation-secure-interpol-disrupts-infostealer-domains/
Hydroph0bia (CVE-2025-4275) - a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O, part 1
This post will be about a vulnerability I dubbed Hydroph0bia (as a pun on Insyde H2O) aka CVE-2025-4275 or INSYDE-SA-2025002.
https://coderush.me/hydroph0bia-part1/
NTLM reflection is dead, long live NTLM reflection! - An in-depth analysis of CVE-2025-33073
For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The vulnerability discovery, the complete analysis of the root cause as well as the patch by Microsoft will be detailed in this blogpost.
https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025.html
Influencing LLM Output using logprobs and Token Distribution
What if you could influence an LLM's output not by breaking its rules, but by bending its probabilities? In this deep-dive, we explore how small changes in user input (down to a single token) can shift the balance between "true" and "false", triggering radically different completions.
https://blog.sicuranext.com/infuencing-llm-output-using-logprobs-and-token-distribution/
Software Supply Chain Attacks Have Surged in Recent Months
IT and software supply chain attacks have surged in recent months, as threat actors have gotten better at exploiting supply chain vulnerabilities, Cyble threat intelligence researchers reported this week. In a June 9 blog post, Cyble researchers said software supply chain attacks have grown from just under 13 a month during February-September 2024 to just over 16 a month from October 2024 to May 2025, an increase of 25%. However, the last two months have seen an average of nearly 25 cyberattacks with supply chain impact, a near-doubling of supply chain attacks from the year-ago period.
https://thecyberexpress.com/software-supply-chain-attacks-have-surged/
Undocumented root shell access in SIMCom modem
The SIMCom SIM7600G modem supports an undocumented AT command that allows a local/physical attacker to execute system commands with root privileges on the modem. The status of the removal of the backdoor command is unclear, since the manufacturer has not responded after numerous attempts at contact.
https://sec-consult.com/de/vulnerability-lab/advisory/undocumented-root-shell-access-bei-simcom-modem/
Vulnerabilities
New Secure Boot flaw lets attackers install bootkit malware, patch now
Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware.
https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-attackers-install-bootkit-malware-patch-now/
Patch Tuesday, June 2025 Edition
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/
Microsoft Patch Tuesday for June 2025 - Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as "critical."
https://blog.talosintelligence.com/microsoft-patch-tuesday-june-2025/
Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw
Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh security software, an open source XDR and SIEM solution, to spread the Mirai malware. This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh's API, allowing them to take control of affected servers remotely.
https://hackread.com/two-mirai-botnets-lzrd-resgod-exploiting-wazuh-flaw/
TBK DVRs Botnet Attack
Threat Actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices (Digital Video Recorders). This flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the endpoint. The compromised devices are being conscripted into a botnet capable of conducting DDoS attacks. If successfully exploited, there is a potential for significant disruption from DDoS attacks, lateral movement, or further malware delivery.
https://fortiguard.fortinet.com/threat-signal-report/6127
Patch day: code-execution vulnerabilities in Adobe Acrobat, InDesign & Co. closed
Attackers can exploit security vulnerabilities (CVE-2025-43573 / EUVD-2025-17828) in Adobe Acrobat, Commerce, Experience Manager, InCopy, InDesign, Substance 3D Painter and Substance 3D Sampler. As part of the June patch day, Adobe is providing updates for download.
https://heise.de/-10439601
The June 2025 Security Update Review
https://www.thezdi.com/blog/2025/6/10/the-june-2025-security-update-review
Security Vulnerabilities fixed in Thunderbird 139.0.2
https://www.mozilla.org/en-US/security/advisories/mfsa2025-50/
Security Vulnerabilities fixed in Thunderbird 128.11.1
https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/