Daily summary - 04.08.2025

End-of-Day report

Timeframe: Friday 01-08-2025 18:00 - Monday 04-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl

News

Pi-hole discloses data breach triggered by WordPress plugin flaw

Pi-hole, a popular network-level ad-blocker, has disclosed that donor names and email addresses were exposed through a security vulnerability in the GiveWP WordPress donation plugin.

https://www.bleepingcomputer.com/news/security/pi-hole-discloses-data-breach-via-givewp-wordpress-plugin-flaw/


Mozilla warns of phishing attacks targeting add-on developers

Mozilla has warned browser extension developers of an active phishing campaign targeting accounts on its official AMO (addons.mozilla.org) repository.

https://www.bleepingcomputer.com/news/security/mozilla-warns-of-phishing-attacks-targeting-add-on-developers/


New Plague Linux malware stealthily maintains SSH access

A newly discovered Linux malware, which has evaded detection for over a year, allows attackers to gain persistent SSH access and bypass authentication on compromised systems.

https://www.bleepingcomputer.com/news/security/new-plague-malware-backdoors-linux-devices-removes-ssh-session-traces/


Exchange: China accuses the USA of military hacking

China accuses US intelligence services of having exploited Microsoft Exchange vulnerabilities for more than a year to steal military data.

https://www.golem.de/news/exchange-china-wirft-den-usa-militaer-hacking-vor-2508-198763.html


CISA roasts unnamed critical national infrastructure body for shoddy security hygiene

Plaintext passwords, shared admin accounts, and insufficient logging rampant at mystery org. CISA is using the findings from a recent probe of an unidentified critical infrastructure organization to warn about the dangers of getting cybersecurity seriously wrong.

https://go.theregister.com/feed/www.theregister.com/2025/08/02/cisa_coast_guard_cni/


Lazarus Group rises again, this time with malware-laden fake FOSS

Software supply chain management vendor Sonatype last week published research in which it claimed that Lazarus Group has created hundreds of "shadow downloads" that appear to be popular open source software development tools but are full of malware.

https://go.theregister.com/feed/www.theregister.com/2025/08/04/infosec_in_brief/


Fake refund e-mails in the name of the WKO

E-mails with the subject "Your possible refund amount of up to 476 Euro" are currently being sent to numerous members of the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich, WKO). They claim that there may be a right to a refund of membership fees, which can be checked via a link. Warning: the link leads to a fraudulent website where personal data is stolen.

https://www.watchlist-internet.at/news/betruegerische-e-mails-zu-rueckerstattung-von-wko-mitgliedsbeitraegen-im-umlauf/


Akira Ransomware Exploiting Potential Zero-Day in SonicWall SSL VPN

Arctic Wolf also suggests that the attacks could be exploiting an undetermined security flaw in the appliances, i.e. a zero-day vulnerability, given that some of the incidents affected SonicWall devices that were fully patched.

https://www.truesec.com/hub/blog/akira-ransomware-exploiting-potential-zero-day-in-sonicwall-ssl-vpn


Security incident involving the Logitech partner list after all

There has been a security incident at a service provider that manages the Logitech partners on behalf of Logitech. In recent days, Logitech partners received a fraudulent e-mail that warned of the risk of an attack on a MetaMask wallet but contained a phishing link.

https://www.borncity.com/blog/2025/08/03/doch-sicherheitsvorfall-bei-logitech-partnerliste/


New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor

Security firm Point Wild has exposed a new malware campaign using malicious LNK files to install the REMCOS backdoor. This report details how attackers disguise files to gain full system control.

https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/


When Flatpak's Sandbox Cracks: Real-Life Security Issues Beyond the Ideal

Flatpak's sandbox model is robust in design, but imperfect in deployment. Sandboxes dissolved through misconfiguration, vulnerabilities like CVE-2024-32462, and symlink exploits illustrate the friction between ideal and actual protection.

https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life-security-issues-beyond-ideal

Vulnerabilities

Security update: phishing attacks on IBM Operational Decision Manager possible

IBM's business tool Operational Decision Manager is vulnerable. The developers have closed two security vulnerabilities in the current versions.

https://www.heise.de/news/Sicherheitsupdate-Phishingangriffe-auf-IBM-Operational-Decision-Manager-moeglich-10508213.html


Security updates for Monday

Security updates have been issued by AlmaLinux (java-21-openjdk, kernel, libxml2, and lz4), Debian (exempi, ruby-graphql, and sope), Fedora (binutils, chromium, gdk-pixbuf2, libsoup3, poppler, and reposurgeon), Mageia (glib2.0 and wxgtk), Oracle (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Red Hat (kernel, pandoc, pcs, qemu-kvm, redis, and rsync), SUSE (chromedriver, coreutils, cosign, docker, gdk-pixbuf-devel, glib2, gnutls, grub2, gstreamer-plugins-base, helm, ignition, java-21-openjdk, jbigkit, jq, kernel, kubernetes1.28, kwctl, libxml2, nvidia-open-driver-G06-signed, opensc, pam-config, protobuf, python310, tgt, and valkey), and Ubuntu (linux-iot).

https://lwn.net/Articles/1032371/


Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover

Wiz Research discovers a critical vulnerability chain allowing unauthenticated attackers to take over NVIDIA's Triton Inference Server.

https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server


Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape

A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).

https://socket.dev/blog/nestjs-rce-vuln


VU#317469: Partner Software/Partner Web does not sanitize Report files and Note content, allowing for XSS and RCE

https://kb.cert.org/vuls/id/317469


WebKitGTK and WPE WebKit Security Advisory WSA-2025-0005

https://webkitgtk.org/security/WSA-2025-0005.html