Tageszusammenfassung - 27.06.2025

End-of-Day report

Timeframe: Donnerstag 26-06-2025 18:00 - Freitag 27-06-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

Critical Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Attacks

Cybersecurity researchers have disclosed a critical vulnerability in the Open VSX Registry ("open-vsx[.]org") that, if successfully exploited, could have enabled attackers to take control of the entire Visual Studio Code extensions marketplace, posing a severe supply chain risk. [..] Following responsible disclosure on May 4, 2025, multiple rounds of fixes were proposed by the maintainers, before a final patch was deployed on June 25.

https://thehackernews.com/2025/06/critical-open-vsx-registry-flaw-exposes.html

What if Microsoft just turned you off? Security pro counts the cost of dependency

Czech developer and pen-tester Miloslav Homer has an interesting take on reducing an organization's exposure to security risks. In an article headlined "Microsoft dependency has risks," he extends the now familiar arguments in favor of improving digital sovereignty, and reducing dependence on American cloud services. The argument is quite long but closely reasoned.

https://go.theregister.com/feed/www.theregister.com/2025/06/26/cost_of_microsoft_dependency/

Act now: Secure Boot certificates expire in June 2026

Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. [..] If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months.

https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856

Fake DocuSign email hides tricky phishing attempt

On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page.

https://www.malwarebytes.com/blog/news/2025/06/fake-docusign-email-hides-tricky-phishing-attempt

Die Miete ist ausständig? Vorsicht: Phishing E-Mail

Kriminelle fordern über E-Mails angeblich noch ausstehende Mietzahlungen ein. Gleichzeitig wollen sie eine Änderung des Zielkontos für zukünftige Überweisungen erwirken. Wir zeigen, wie man am besten auf eine derartige Phishing-Nachricht reagiert.

https://www.watchlist-internet.at/news/miete-ausstaendig-phishing/

SafePay ransomware: What you need to know

SafePay is a relatively new ransomware threat that was first observed around September 2024. [..] A recently published threat report released by security experts at NCC Group revealed that SafePay was currently the most active ransomware group. In the month of May 2025 alone, 70 ransomware attacks were linked to Safepay, accounting for 18% of the total.

https://www.fortra.com/blog/safepay-ransomware-what-you-need-know

Attacken auf Fernwartungslücke in Servern von HPE, Lenovo und Co.

Angreifer attackieren mehrere Sicherheitslücken in freier Wildbahn, warnt die US-amerikanische IT-Sicherheitsbehörde CISA. Am gefährlichsten sind laufende Angriffe auf die Fernwartungsfirmware in AMI MegaRAC, die etwa in Servern von Asus, Asrock Rack, HPE oder Lenovo steckt. [..] Die bereits attackierte Sicherheitslücke in der Fernwartungsfirmware AMI MegaRAC wurde Mitte März bekannt.

https://heise.de/-10461788

Phishing-Welle: Betrüger geben sich als Paypal aus

Kriminelle geben sich am Telefon derzeit wieder als PayPal aus und behaupten, es stünden hohe Überweisungen bevor.

https://heise.de/-10462478

Microsoft wirft Antivirensoftware aus dem Windows-Kernel

Ein CrowdStrike-Erlebnis will Microsoft nicht noch einmal haben. Nun fliegt deswegen Antivirensoftware aus dem Windows-Kernel. [..] Im kommenden Monat will Microsoft eine Vorschau der Windows-Endpoint-Security-Plattform an einige MVI-Partner verteilen. Die ermöglicht es ihnen, ihre IT-Sicherheitslösungen so zu bauen, dass sie außerhalb des Windows-Kernels laufen. Software wie Antivirus und Endgeräteschutz befinden sich dann im User Mode, wie normale Apps auch.

https://heise.de/-10462538

Vulnerabilities

Security updates for Friday

Security updates have been issued by Debian (freeradius and icu), Fedora (clamav, glow, libssh, perl-Crypt-OpenSSL-RSA, perl-CryptX, podman, trafficserver, and xorg-x11-server), Mageia (gdk-pixbuf2.0 and thunderbird), Red Hat (osbuild-composer and weldr-client), SUSE (afterburn, google-osconfig-agent, libblockdev, pam, python-tornado6, screen, and yelp-xsl), and Ubuntu (libxslt and python-pip).

https://lwn.net/Articles/1027251/