End-of-Day report
Timeframe: Tuesday 22-07-2025 18:00 - Wednesday 23-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
News
Major European healthcare network discloses security breach
AMEOS Group, an operator of a massive healthcare network in Central Europe, has announced it has suffered a security breach that may have exposed customer, employee, and partner information.
https://www.bleepingcomputer.com/news/security/major-european-healthcare-network-discloses-security-breach/
CISA warns of hackers exploiting SysAid vulnerabilities in attacks
CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts.
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-sysaid-vulnerabilities-in-attacks/
US nuclear weapons agency reportedly hacked in SharePoint attacks
Unknown threat actors have reportedly breached the National Nuclear Security Administration's (NNSA) network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.
https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-reportedly-hacked-in-sharepoint-attacks/
More than 700 models: Countless printers are being attacked via security vulnerabilities
Hundreds of printer models from Brother, Fujifilm, Konica Minolta, Ricoh and Toshiba are vulnerable. Attackers are now exploiting the vulnerabilities.
https://www.golem.de/news/mehr-als-700-modelle-unzaehlige-drucker-werden-ueber-sicherheitsluecken-attackiert-2507-198397.html
CCC and GFF: Constitutional complaint against Palantir police software
The Bavarian police are enthusiastic about the Palantir software. But to civil rights activists and hackers, its use goes too far.
https://www.golem.de/news/ccc-und-gff-verfassungsbeschwerde-gegen-polizeisoftware-von-palantir-2507-198418.html
Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages
Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers," said Matthew Suozzo of Google Open Source Security.
https://thehackernews.com/2025/07/google-launches-oss-rebuild-to-expose.html
Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack
Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.
https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html
New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials
The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information.
https://thehackernews.com/2025/07/new-coyote-malware-variant-exploits.html
Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine
Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations.
https://hackread.com/suspected-xss-is-admin-cybercrime-forum-arrest-ukraine/
Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload
Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we've dubbed Soco404.
https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload
Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs
A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects. The vulnerability, classified as "Use of Insufficiently Random Values" affects multiple versions of the package and can lead to HTTP Parameter Pollution (HPP) attacks.
https://socket.dev/blog/critical-vulnerability-in-popular-npm-form-data-package
Vulnerabilities
Chrome, Firefox & Thunderbird: New versions fix vulnerabilities
Fresh browser and mail client releases from Google and Mozilla close vulnerabilities, some of high severity.
https://www.heise.de/news/Chrome-Firefox-Thunderbird-Neue-Versionen-beheben-Schwachstellen-10497296.html
Security updates for Wednesday
Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound).
https://lwn.net/Articles/1031104/
CISA Releases Nine Industrial Control Systems Advisories
CISA released nine Industrial Control Systems (ICS) advisories on July 22, 2025: DuraComm DP-10iN-100-MU, Lantronix Provisioning Manager, Schneider Electric EcoStruxure, Schneider Electric EcoStruxure Power Operation, Schneider Electric System Monitor Application, Schneider Electric EcoStruxure IT Data Center Expert, ICSA-25-175-03 Schneider Electric Modicon Controllers (Update A), ICSA-25-175-04 Schneider Electric EVLink WallBox (Update A), ICSA-25-014-02 Schneider Electric Vijeo Designer (Update A).
https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-releases-nine-industrial-control-systems-advisories
[CVE-2025-48932] Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability
https://www.reddit.com/r/netsec/comments/1m757kw/cve202548932_invision_community_4720/
[CVE-2025-48933] Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting Vulnerability
https://www.reddit.com/r/netsec/comments/1m7578r/cve202548933_invision_community_507_oauthcallback/
ZDI-25-629: (0Day) Ashlar-Vellum Cobalt LI File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-629/
ZDI-25-640: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-640/
ZDI-25-639: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-639/
ZDI-25-638: (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-638/
Firefox 141.0 released
https://lwn.net/Articles/1030971/