Daily summary - 07.08.2025

End-of-Day report

Timeframe: Wednesday 06-08-2025 18:00 - Thursday 07-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler

News

New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations

A new post-exploitation command-and-control (C2) evasion method called Ghost Calls abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure.

https://www.bleepingcomputer.com/news/security/new-ghost-calls-tactic-abuses-zoom-and-microsoft-teams-for-c2-operations/


Wave of 150 crypto-draining extensions hits Firefox add-on store

A malicious campaign dubbed GreedyBear has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.

https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-extensions-hits-firefox-add-on-store/


Critical Zero-Day Bugs Crack Open CyberArk, HashiCorp Password Vaults

Secrets managers hold all the keys to an enterprise's kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities.

https://www.darkreading.com/cybersecurity-operations/critical-zero-day-bugs-cyberark-hashicorp-password-vaults


Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft

Cybersecurity researchers have demonstrated an "end-to-end privilege escalation chain" in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment.

https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html


How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes

SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before it's used in a SQL query. So why does this well-understood vulnerability type continue to exist?

https://www.wordfence.com/blog/2025/08/how-to-find-sql-injection-vulnerabilities-in-wordpress-plugins-and-themes/


New Promptware Attack Hijacks User's Gemini AI Via Google Calendar Invite

Cybersecurity researchers demonstrate a new attack on Google Gemini AI for Workspace. Discover how a simple calendar invite can be used to perform phishing, steal emails, and even control home appliances.

https://hackread.com/promptware-attack-hijack-gemini-ai-google-calendar-invite/


Unveiling a New Variant of the DarkCloud Campaign

In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet's FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis.

https://feeds.fortinet.com/~/922857380/0/fortinet/blogs~Unveiling-a-New-Variant-of-the-DarkCloud-Campaign


HTTP/1.1 must die: the desync endgame

Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This paper introduces several novel classes of HTTP desync attack capable of mass compromise of user credentials.

https://portswigger.net/research/http1-must-die


Malicious npm Packages Target WhatsApp Developers with Remote Kill Switch

Two npm packages masquerading as WhatsApp developer libraries include a kill switch that deletes all files if the phone number isn't whitelisted.

https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-with-remote-kill-switch?utm_medium=feed

Vulnerabilities

6,500 Axis Servers Expose Remoting Protocol, 4,000 in U.S. Vulnerable to Exploits

Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks.

https://thehackernews.com/2025/08/6500-axis-servers-expose-remoting.html


Security updates for Thursday

Security updates have been issued by AlmaLinux (glibc, kernel, libxml2, python-requests, and python-setuptools), Debian (chromium), Fedora (chromium, firefox, gdk-pixbuf2, iputils, libsoup3, libssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, and poppler), Gentoo (Composer and Spreadsheet-ParseExcel), Oracle (glibc, kernel, libxml2, python-setuptools, sqlite, and virt:rhel and virt-devel:rhel), Red Hat (libxml2), SUSE (grub2, libarchive, libgcrypt, and python311), and Ubuntu (cifs-utils and poppler).

https://lwn.net/Articles/1032861/


Increased threat activity against SonicWall Gen 7 firewalls with SSLVPN - immediate measures recommended

Update: 07 August 2025: Addition of technical indicators for a forensic investigation of possibly affected devices, as well as information on the allegedly relevant vulnerability.

https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-sonicwall-gen-7-firewalls-mit-sslvpn-sofortmassnahmen-empfohlen


Security vulnerabilities: Attackers can crash IBM Tivoli Monitoring

IBM's IT management software Tivoli Monitoring is vulnerable, and attackers can exploit two security vulnerabilities. An update that closes the vulnerabilities is available for download.

https://heise.de/-10513072


EG4 Electronics EG4 Inverters

https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07


Dreame Technology iOS and Android Mobile Applications

https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06


Packet Power EMX and EG

https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-05


Rockwell Automation Arena

https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-04


Burk Technology ARC Solo

https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-03


Johnson Controls FX80 and FX90

https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-02


Delta Electronics DIAView

https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-01