End-of-Day report
Timeframe: Friday 25-07-2025 18:00 - Monday 28-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
News
Supply-chain attacks on open source software are getting out of hand
It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users.
https://arstechnica.com/security/2025/07/open-source-repositories-are-seeing-a-rash-of-supply-chain-attacks/
Amazon AI coding agent hacked to inject data wiping commands
As reported by 404 Media, on July 13, a hacker using the alias "lkmanka58" added unapproved code on Amazon Q's GitHub to inject a defective wiper that wouldn't cause any harm, but rather sent a message about AI coding security.
https://www.bleepingcomputer.com/news/security/amazon-ai-coding-agent-hacked-to-inject-data-wiping-commands/
Sophisticated Shuyal Stealer Targets 19 Browsers, Demonstrates Advanced Evasion
A new infostealing malware making the rounds can exfiltrate credentials and other system data even from browsing software considered more privacy-focused than mainstream options.
https://www.darkreading.com/endpoint-security/shuyal-stealer-targets-19-browsers-advanced-evasion
French submarine secrets surface after cyber attack
European defence giant Naval Group has confirmed that it is investigating an alleged cyber attack which has seen what purports to be sensitive internal data published on the internet by hackers.
https://www.bitdefender.com/en-us/blog/hotforsecurity/french-submarine-secrets-surface-after-cyber-attack
The Homograph Illusion: Not Everything Is As It Seems
A subtle yet dangerous email attack vector: homograph attacks. Threat actors are using visually similar, non-Latin characters to bypass security filters.
https://unit42.paloaltonetworks.com/homograph-attacks/
ToxicPanda: The Android Banking Trojan Targeting Europe
What is ToxicPanda? Bitsight Trace dives into detail on the banking malware, from impact breadth, delivery, technical analysis, and more.
https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study
EU satellite internet: UK, Norway and Ukraine can join IRIS2
EU Space Commissioner Kubilius has invited European third countries to fully join the IRIS2 satellite network, which is intended as an alternative to Starlink.
https://www.heise.de/news/EU-Satelliteninternet-UK-Norwegen-und-Ukraine-koennen-sich-IRIS2-anschliessen-10502150.html
How I hacked my washing machine
If you've known me for some amount of time you knew this was something that was bound to happen eventually. Yesterday (and technically today), me and a friend went on an endeavor to hack our washing machine, partially for the fun of it, and partially because there's actually a practical use for it.
https://nexy.blog/2025/07/27/how-i-hacked-my-washing-machine/
Protecting the Evidence in Real-Time with KQL Queries
A few weeks ago, I published a post titled Detecting Ransomware Final Stage Activities with KQL Queries where I shared different phases and detections during the last phase of a ransomware attack. Every time I read it, I realize just how broad and complex this topic truly is.
https://detect.fyi/protecting-the-evidence-in-real-time-with-kql-queries-ac4c7f145383
Lionishackers: Analyzing a corporate database seller
Outpost24's threat intelligence researchers have been analyzing a corporate database seller known as "Lionishackers". They're a financially motivated threat actor focused on exfiltrating and selling corporate databases. This post explores how they operate, where their attacks are taking place, and the current level of threat they pose.
https://outpost24.com/blog/lionishackers-corporate-database-seller/
Vulnerabilities
Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks
More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.
https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-exposes-200k-wordpress-sites-to-hijacking-attacks/
Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide
Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium's Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances.
https://thehackernews.com/2025/07/critical-flaws-in-niagara-framework.html
Support expired: admin attack on LG network camera LNV5110R possible
The LNV5110R network camera from LG Innotek should no longer be used: the US security agency CISA (Cybersecurity & Infrastructure Security Agency) warns of a security vulnerability for which there will be no further security update.
https://www.heise.de/news/Support-ausgelaufen-Admin-Attacke-auf-LG-Netzwerkkamera-LNV5110R-moeglich-10501540.html
Security updates for Monday
Security updates have been issued by Debian (audiofile, libcaca, libetpan, libxml2, php7.4, snapcast, and thunderbird), Fedora (glibc, iputils, mingw-binutils, and thunderbird), Red Hat (kernel, kernel-rt, mod_auth_openidc, and mod_auth_openidc:2.3), SUSE (afterburn, apache2, atop, chromedriver, chromium, cloud-init, deepin-feature-enable, firefox, firefox-esr, grafana, grype-db, gstreamer-plugins-bad, javamail, jupyter-jupyterlab-templates, jupyter-nbdime, konsole, libetebase, libxmp, minio-client-20250721T052808Z, MozillaFirefox, MozillaFirefox-branding-SLE, opera, pdns-recursor, perl-Authen-SASL, polkit, python-Django, python3-pycares, python311-starlette, rpi-imager, ruby3.4-rubygem-thor, spdlog, thunderbird, varnish, viewvc, and xtrabackup), and Ubuntu (openjdk-21-crac).
https://lwn.net/Articles/1031667/
Security problem: hard-coded credentials put PCs with MyASUS at risk
The MyASUS app can become an entry point for attackers. Two security vulnerabilities are to blame, but they have since been closed. Anyone who does not update the tool risks unauthorized access to certain services.
https://www.heise.de/news/Sicherheitsproblem-Hartkodierte-Zugangsdaten-gefaehrden-PCs-mit-MyASUS-10501902.html
SysTrack LsiAgent.exe contains an improper DLL search order, allowing an attacker to execute arbitrary code and escalate privileges
https://kb.cert.org/vuls/id/335798
Multiple stored cross-site scripting vulnerabilities in the Optimizely Episerver Content Management System
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-stored-cross-site-scripting-schwachstellen-im-optimizely-episerver-content-management-system/