Daily summary - 06.08.2025

End-of-Day report

Timeframe: Tuesday 05-08-2025 18:00 - Wednesday 06-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler

News

Driver of destruction: How a legitimate driver is being used to take down AV processes

In an incident response case, Kaspersky experts discovered new malware that terminates AV processes by abusing the legitimate ThrottleStop driver.

https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/
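A quick hunt for the technique described above (a legitimate, signed driver loaded to kill AV processes), as an added example that is not part of the Securelist post: it lists Sysmon driver-load events (Event ID 6) and registered kernel driver services that reference the ThrottleStop driver. The file name ThrottleStop.sys is taken from the article URL; the Sysmon channel name is the default one; hashes and signer details of the abused build are not on this page and are not assumed.

```powershell
# Added example, not code from the Securelist article.
# Assumptions: Sysmon is installed and writes to its default channel; the
# driver of interest is named ThrottleStop.sys (file name from the article URL).

$DriverPattern = 'ThrottleStop'

# 1. Historical driver loads from Sysmon (Event ID 6 = DriverLoad).
#    Sysmon records ImageLoaded, Hashes, Signed and Signature for each load.
$loads = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 6
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        ImageLoaded = $data['ImageLoaded']
        Hashes      = $data['Hashes']
        Signed      = $data['Signed']
        Signature   = $data['Signature']
    }
} | Where-Object { $_.ImageLoaded -match $DriverPattern }

# 2. Kernel driver services currently registered on the host that point at the driver.
$services = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match $DriverPattern } |
    Select-Object Name, State, StartMode, PathName

# 3. Report. A hit is only suspicious in context: a legitimate ThrottleStop
#    installation explains a load from its own program directory, whereas a
#    load from a user profile, %TEMP% or an unrelated service name does not.
$loads    | Format-Table -AutoSize
$services | Format-Table -AutoSize
```

Because the driver itself is legitimately signed, blocking it by signature is not an option; the useful signal is where the file was loaded from, which service registered it, and whether the host has any reason to run a CPU-undervolting tool at all.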


CISA Adds 3 D-Link Router Flaws to KEV Catalog After Active Exploitation Reports

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.

https://thehackernews.com/2025/08/cisa-adds-3-d-link-router-flaws-to-kev.html
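To match the newly listed entries against an inventory, the following added example (not from the article) pulls CISA's public KEV JSON feed and lists the D-Link entries with their remediation due dates. The feed URL and field names are those of CISA's published feed; the cut-off date is a hypothetical value to be set to the reporting window.

```powershell
# Added example, not code from the article. Assumes network access to cisa.gov.
# Field names (cveID, vendorProject, product, vulnerabilityName, dateAdded,
# dueDate, requiredAction, knownRansomwareCampaignUse) follow the KEV feed schema.

$KevUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

function Get-KevEntriesByVendor {
    param(
        [Parameter(Mandatory)] [string]   $Vendor,
        [datetime] $AddedSince = [datetime]::MinValue   # hypothetical default, no cut-off
    )
    $kev = Invoke-RestMethod -Uri $KevUrl
    $kev.vulnerabilities |
        Where-Object {
            $_.vendorProject -eq $Vendor -and [datetime]$_.dateAdded -ge $AddedSince
        } |
        Sort-Object dateAdded -Descending |
        Select-Object cveID, product, vulnerabilityName, dateAdded, dueDate,
                      knownRansomwareCampaignUse, requiredAction
}

# All D-Link entries ever added, newest first.
Get-KevEntriesByVendor -Vendor 'D-Link' | Format-Table -AutoSize

# Only the entries added in this reporting window (date is a placeholder; adjust it).
Get-KevEntriesByVendor -Vendor 'D-Link' -AddedSince ([datetime]'2025-08-05') |
    Format-List cveID, product, requiredAction, dueDate
```

The requiredAction field is the part worth reading: for end-of-life hardware the listed action is often to discontinue use rather than to patch, which changes the ticket from "update firmware" to "replace the device".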


CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country.

https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html


GenAI Used For Phishing Websites Impersonating Brazil's Government

In this blog post, ThreatLabz explores a campaign that uses generative AI tools like DeepSite AI and BlackBox AI to create malicious replicas of Brazil's State Department of Traffic and Ministry of Education.

https://www.zscaler.com/blogs/security-research/genai-used-phishing-websites-impersonating-brazil-s-government


Criminals send fake payment requests in the name of the WKO

The Austrian Federal Economic Chamber (Wirtschaftskammer Österreich, WKO) has once again become the target of a phishing attack. A fraudulent e-mail is currently circulating that purports to come from the WKO. The e-mail creates the impression that an outstanding membership invoice has to be paid. The goal of the attack is to obtain personal information and login credentials.

https://www.watchlist-internet.at/news/kriminelle-versenden-gefaelschte-zahlungsaufforderungen-im-namen-der-wko/


Makop Ransomware Identified in Attacks in South Korea

AhnLab Security Intelligence Center (ASEC) recently identified cases of Makop ransomware attacks targeting South Korean users. For several years the Makop ransomware has been distributed to South Korean users disguised as résumés or copyright-related e-mails. Recently, it has been reported that the ransomware is also being deployed via RDP.

https://asec.ahnlab.com/en/89397/


The Cost of a Call: From Voice Phishing to Data Extortion

In June, one of Google's corporate Salesforce instances was impacted by UNC6040 activity similar to that described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses.

https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion/

Vulnerabilities

Experience Manager: Adobe goes 90 days without patching and now ships an emergency update

Because proof-of-concept code is in circulation, attacks on Adobe Experience Manager may be imminent. Attackers can leverage two security vulnerabilities [..] to attack systems. The vulnerabilities have been known since April of this year, but security patches are only available now.

https://www.heise.de/news/Experience-Manager-Adobe-patcht-90-Tage-nicht-und-bringt-nun-Notfallupdate-10511009.html


Security updates for Wednesday

Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi).

https://lwn.net/Articles/1032700/


Docker: MCP security nightmare - six vulnerabilities identified

The container platform Docker warns of security risks arising from the use of MCP sources, which give attackers easy access to files, databases, the network and secrets. Attackers can also issue far-reaching commands and inject malicious code.

https://heise.de/-10510262


Security updates: root attacks on Dell PowerProtect and Unity possible

To prevent possible attacks, admins should bring Dell PowerProtect Data Domain and Unity, UnityVSA and Unity XT up to date. If they do not, attackers can, among other things, gain root access to instances and compromise them.

https://heise.de/-10511706


JVN: Multiple vulnerabilities in Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series

https://jvn.jp/en/jp/JVN16547726/


ZDI-25-771: Trend Micro Apex One Console Command Injection Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-25-771/


ZDI-25-807: (0Day) AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-25-807/


Stable Channel Update for Desktop

http://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop.html