End-of-Day report
Timeframe: Mittwoch 25-06-2025 18:00 - Donnerstag 26-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
News
Ubuntu disables Intel GPU security mitigations, promises 20% performance boost
Spectre, you may recall, came to public notice in 2018. Spectre attacks are based on the observation that performance enhancements built into modern CPUs open a side channel that can leak secrets a CPU is processing. The performance enhancement, known as speculative execution, predicts future instructions a CPU might receive and then performs the corresponding tasks before they are even called. If the instructions never come, the CPU discards the work it performed. When the prediction is correct, the CPU has already completed the task.
https://arstechnica.com/security/2025/06/ubuntu-disables-intel-gpu-security-mitigations-promises-20-performance-boost/
New wave of -fake interviews- use 35 npm packages to spread malware
A new wave of North Korea's 'Contagious Interview' campaign is targeting job seekers with malicious npm packages that infect dev's devices with infostealers and backdoors.
https://www.bleepingcomputer.com/news/security/new-wave-of-fake-interviews-use-35-npm-packages-to-spread-malware/
Hackers abuse Microsoft ClickOnce and AWS services for stealthy attacks
A sophisticated malicious campaign that researchers call OneClik has been leveraging Microsoft-s ClickOnce software deployment tool and custom Golang backdoors to compromise organizations within the energy, oil, and gas sectors.
https://www.bleepingcomputer.com/news/security/oneclik-attacks-use-microsoft-clickonce-and-aws-to-target-energy-sector/
Hackers turn ScreenConnect into malware using Authenticode stuffing
Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.
https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-into-malware-using-authenticode-stuffing/
CISA is Shrinking: What Does it Mean for Cyber?
Today we are going to focus on the slimmed down profile of the Cybersecurity and Infrastructure Security Agency (CISA) under the new administration. We want to know what that means practically to cybersecurity teams. We want to explore the cost of having less coming out of CISA, and any opportunities the federal government shakeup might present for business.
https://www.darkreading.com/cybersecurity-operations/cisa-is-shrinking-what-does-it-mean-for-cyber-
Taming Agentic AI Risks Requires Securing Non-Human Identities
>From service accounts and Web application programming interfaces (APIs) to serverless applications and now artificial intelligence (AI) agents, the landscape of non-human identities is quickly becoming more complex. Companies are struggling to monitor and manage machine identities with security controls.
https://www.darkreading.com/cybersecurity-operations/taming-agentic-ai-risks-securing-nhi
RedirectionGuard: Mitigating unsafe junction traversal in Windows
As attackers continue to evolve, Microsoft is committed to staying ahead by not only responding to vulnerabilities, but also by anticipating and mitigating entire classes of threats. One such threat, filesystem redirection attacks, has been a persistent vector for privilege escalation. In response, we-ve developed and deployed a new mitigation in Windows 11 called RedirectionGuard. This blog outlines how RedirectionGuard proactively closes off a major attack surface by preventing unsafe junction traversal, reinforcing our commitment to secure-by-design-principles and reducing the burden on developers and defenders.
https://msrc.microsoft.com/blog/2025/06/redirectionguard-mitigating-unsafe-junction-traversal-in-windows/
The Case of Hidden Spam Pages
Spammy posts and pages being placed on WordPress websites is one of the most common infections that we come across. The reason being is that the attack is very low-level in terms of sophistication: All that is required of the attacker is to brute force their way into the wp-admin panel; from there they just have their scripts/bots post spam posts and pages effectively achieving a blackhat SEO attack. Since an out-of-the-box WordPress website contains no protection on admin access other than a password (with no limit on the number of failed login attempts), and the admin users can often be discovered via enumeration, this remains a very popular type of spam infection on the platform.
https://blog.sucuri.net/2025/06/the-case-of-hidden-spam-pages.html
nOAuth Vulnerability Still Affects 9% of Microsoft Entra SaaS Apps Two Years After Discovery
New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID, potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications. Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse.
https://thehackernews.com/2025/06/noauth-vulnerability-still-affects-9-of.html
Sextortion: Inflationsgebeutelte Betrüger erhöhen Forderungen
IT-Sicherheitsforscher beobachten Preissteigerungen bei aktuellen Betrugsmaschen mit Sextortion-E-Mails. Offenbar sind auch die Betrüger inflationsgebeutelt und brauchen mehr Geld.
https://www.heise.de/news/Sextortion-Inflationsgebeutelte-Betrueger-erhoehen-Forderungen-10460953.html
Outdated Routers: The Hidden Threat to Network Security, FBI Warns
The FBI recently warned that malicious actors are targeting end-of-life (EOL) routers (network devices that manufacturers no longer support or update). These outdated routers are being hijacked by bad actors who use them as a stepping stone into networks, turning them into cybercriminal proxies. The threat is real, and it-s growing.
https://www.tripwire.com/state-of-security/outdated-routers-hidden-threat-network-security-fbi-warns
How we turned a real car into a Mario Kart controller by intercepting CAN data
The PTP hack car is a second-hand 2016 Renault Clio that was bought because it was relatively cheap, was recent enough to feature an -eCall- telematics module, small enough to fit in the garage attached to our lab and was local. It is used by our team to experiment and mess around with automotive testing on a real vehicle. It also uses a mixture of CAN and LIN for different components.
https://www.pentestpartners.com/security-blog/how-we-turned-a-real-car-into-a-mario-kart-controller-by-intercepting-can-data/
Gefälschte Anfragen zur Änderung des Gehaltskontos im Namen von Mitarbeitenden!
Wer eine unerwartete E-Mail von einem Mitarbeitenden erhält, in der um die Änderung der Bankverbindung für das Gehaltskonto gebeten wird, sollte besonders aufmerksam sein. Denn dahinter können Kriminelle stecken, die sich als echte Mitarbeitende ausgeben, um Gehaltszahlungen auf ihr eigenes Konto umzuleiten.
https://www.watchlist-internet.at/news/gefaelschte-anfragen-zur-aenderung-des-gehaltskontos-im-namen-von-mitarbeitenden/
Common SCCM Misconfigurations Leading to Privilege Escalation
We often find that in environments which has a tiered model, where SCCM is used, there are plenty of misconfigurations which can be exploited. System Center Configuration Manager (SCCM), now known as Microsoft Configuration Manager (ConfigMgr), is a systems management platform used for deploying software, managing updates, and enforcing configuration settings across large numbers of Windows devices.
https://www.truesec.com/hub/blog/sccm-tier-killer
Decrement by one to rule them all: AsIO3.sys driver exploitation
Armory Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware to configure settings or retrieve critical parameters such as CPU temperature, fan speeds and firmware updates. Therefore, it is critical to ensure that drivers are well-written with security in mind and designed such that access to the driver interfaces are limited only to certain services and administrators.
https://blog.talosintelligence.com/decrement-by-one-to-rule-them-all/
Vulnerabilities
WinRAR patches bug letting malware launch from extracted archives
WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive.
https://www.bleepingcomputer.com/news/security/winrar-patches-bug-letting-malware-launch-from-extracted-archives/
Hunderte Modelle betroffen: Teils unpatchbare Lücken in Brother-Druckern entdeckt
Sicherheitsforscher von Rapid7 haben zahlreiche Multifunktionsdrucker auf mögliche Sicherheitslücken untersucht. Dabei fanden sie insgesamt acht Schwachstellen in 748 verschiedenen Scanner- und Druckermodellen. 689 dieser Modelle entfallen allein auf den Hersteller Brother, der im Fokus der Untersuchung stand. Aber auch von Fujifilm (46), Konica Minolta (6), Ricoh (5) und Toshiba (2) sind einige Geräte betroffen. Zumindest eine der acht Lücken kann wohl nicht ohne Weiteres über die Firmware gepatcht werden.
https://www.golem.de/news/hunderte-modelle-betroffen-teils-unpatchbare-luecken-in-brother-druckern-entdeckt-2506-197484.html
Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC
Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0.
https://thehackernews.com/2025/06/citrix-releases-emergency-patches-for.html
ZDI-25-424: Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability
This vulnerability allows remote attackers to bypass access restrictions on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability. The following CVEs are assigned: CVE-2025-6443.
http://www.zerodayinitiative.com/advisories/ZDI-25-424/
Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
Notepad++ Vulnerability Allows Full System Takeover - PoC Released
A critical privilege escalation vulnerability (CVE-2025-49144) in Notepad++ v8.8.1 enables attackers to achieve full system control through a supply-chain attack. The flaw exploits the installer-s insecure search path behavior, allowing unprivileged users to escalate privileges to NT AUTHORITY\SYSTEM with minimal user interaction. This marks one of the most severe vulnerabilities discovered in the popular text editor, with proof-of-concept (PoC) exploitation materials now publicly available.
https://gbhackers.com/notepad-vulnerability/
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and libxml2), Fedora (firefox, libtpms, and tigervnc), Mageia (chromium-browser-stable and nss & firefox), Oracle (emacs, iputils, kernel, krb5, libarchive, mod_proxy_cluster, pam, perl-File-Find-Rule, perl-YAML-LibYAML, and qt5-qtbase), Red Hat (opentelemetry-collector, osbuild-composer, and weldr-client), SUSE (clamav, firefox, go1.24-openssl, and helm), and Ubuntu (libarchive, linux-azure, linux-azure-5.4, linux-azure-fips, linux-fips, linux-azure-nvidia, linux-oracle, linux-oracle-6.8, linux-raspi, linux-raspi-realtime, linux-xilinx-zynqmp, and python-urllib3).
https://lwn.net/Articles/1027082/
Security Advisory: Airoha-based Bluetooth Headphones and Earbuds
During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year-s TROOPERS Conference. Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha-s SoCs and reference implementations using Airoha-s Software Development Kit (SDK).
https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/
Drupal Security Advisories 2025-June-25
https://www.drupal.org/security