Daily summary - 08.07.2025

End-of-Day report

Timeframe: Monday 07-07-2025 18:00 - Tuesday 08-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a

News

'No honor among thieves': M&S hacking group starts turf war

A clash between criminal ransomware groups could result in victims being extorted twice.

https://arstechnica.com/security/2025/07/no-honor-among-thieves-ms-hacking-group-starts-turf-war/


Qantas is being extorted in recent data-theft cyberattack

Qantas has confirmed that it is now being extorted by threat actors following a cyberattack that potentially exposed the data for 6 million customers.

https://www.bleepingcomputer.com/news/security/qantas-is-being-extorted-in-recent-data-theft-cyberattack/


Atomic macOS infostealer adds backdoor for persistent attacks

Malware analysts discovered a new version of the Atomic macOS info-stealer (also known as AMOS) that comes with a backdoor, giving attackers persistent access to compromised systems.

https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-adds-backdoor-for-persistent-attacks/


Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage

A Chinese national was arrested in Milan, Italy, last week for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against American organizations and government agencies.

https://www.bleepingcomputer.com/news/security/alleged-chinese-hacker-tied-to-silk-typhoon-arrested-for-cyberespionage/


Approach to mainframe penetration testing on z/OS. Deep dive into RACF

We have explored the RACF security package in z/OS and developed a utility to interact with its database. Now, we are assessing RACF configuration security for penetration testing.

https://securelist.com/zos-mainframe-pentesting-resource-access-control-facility/116873/


Android Patch Day is skipped in July

Admins can relax, at least as far as Android and Pixel smartphones are concerned: there is nothing to patch in July.

https://www.heise.de/news/Android-Patchday-faellt-im-Juli-aus-10478020.html


SAP Patch Day: NetWeaver products are vulnerable to malicious code attacks

Attackers can target SAP NetWeaver products and Business Objects, among others. Security updates are available for download.

https://www.heise.de/news/Patchday-SAP-NetWeaver-Produkte-sind-fuer-Schadcode-Attacken-anfaellig-10478418.html


How to conduct a Password Audit in Active Directory (AD)

Weak or compromised passwords are still one of the most common ways attackers get into an organisation's network. That's why running password audits in Active Directory is so important. But smaller companies often don't have the time, budget, or resources to do them regularly.

https://www.pentestpartners.com/security-blog/how-to-conduct-a-password-audit-in-active-directory-ad/


'Hi Mum, this is my new number' - A look behind the scenes of the evergreen scam

The "Hallo Mama" ("Hi Mum") message is one of the absolute phishing classics. Despite the fact that it is now quite widely known, criminals persistently keep trying to get money with it. For everyone who has always wanted to know what actually happens after a reply, we took a closer look at the process.

https://www.watchlist-internet.at/news/hallo-mama-hinter-den-kulissen/


GoldMelody's Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed

An IAB campaign exploited leaked ASP.NET Machine Keys. We dissect the attackers' infrastructure and campaign and offer takeaways for blue teams.

https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/


Actively exploited vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway

In recent weeks, Citrix has released several security updates for a total of three vulnerabilities in its NetScaler ADC and NetScaler Gateway products:

CVE-2025-6543, CVSS score 9.2
CVE-2025-5349, CVSS score 8.7
CVE-2025-5777, CVSS score 9.3, also known as "CitrixBleed 2"

At the time the advisories and the corresponding updates were published, there was, according to Citrix, no active exploitation of the vulnerabilities, ..

https://www.cert.at/de/aktuelles/2025/7/aktiv-ausgenutzte-schwachstellen-in-citrix-netscaler-adc-und-netscaler-gateway


New spyware strain steals data from Russian industrial companies

Moscow-based cybersecurity firm Kaspersky said the campaign has already affected over 100 victims across several dozen Russian organizations, but did not disclose the specific targets.

https://therecord.media/spyware-strain-steals-data-russian-industrial-sector


Detection Engineering: Practicing Detection-as-Code - Introduction - Part 1

This is going to be a multipart blog series revolving around Detection Engineering and more specifically practicing Detection-as-Code in Detection Engineering. Throughout this series, we'll dive deep into concepts, strategies, and practical blueprints that you can adapt to fit your own workflows. From building a detection engineering repository to validating ..

https://blog.nviso.eu/2025/07/08/detection-engineering-practicing-detection-as-code-introduction-part-1/


From cheap IoT toy to your smartphone: Getting RCE by leveraging a companion app

As IoT adoption continues to grow, we explored the idea that instead of directly compromising IoT devices, an attacker could target the applications controlling them. This approach could potentially allow remote code execution on a user's smartphone.

https://www.synacktiv.com/en/publications/from-cheap-iot-toy-to-your-smartphone-getting-rce-by-leveraging-a-companion-app.html


New CVE Forecasting Tool Predicts 47,000 Disclosures in 2025

Security engineer Jerry Gamblin, founder of RogoLabs, has released a new open source forecasting tool that aims to predict the growing volume of software vulnerability disclosures. The tool, CVEForecast.org, uses historical CVE data and machine learning models to generate short-term projections of how many new vulnerabilities are likely to be published.

https://socket.dev/blog/new-cve-forecasting-tool-predicts-47-000-disclosures-in-2025


Vulnerabilities

July Security Update

Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of ..

https://www.ivanti.com/blog/july-security-update-2025