End-of-Day report
Timeframe: Thursday 14-08-2025 18:00 - Monday 18-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
News
Patch now! Attacks on Fortinet IT security solutions may be imminent
Fortinet's developers closed both vulnerabilities (FortiSIEM CVE-2025-25256 "critical", FortiWeb CVE-2025-52970 "high") on last patch day. Shortly afterwards they warned that exploit code for the FortiSIEM flaw is in circulation.
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Fortinet-IT-Sicherheitsloesungen-koennen-bevorstehen-10538724.html
Should Security Solutions Be Secure? Maybe We're All Wrong - Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256)
Today we're looking at CVE-2025-25256 - a pre-authentication command injection in FortiSIEM that lets an attacker compromise an organization's SIEM (!!!). [..] It's the kind of "one platform to rule your SOC" solution that we believe (suspect, hope, imagine, guess, pray) might feel impressively safety-first. Except, obviously, this time it didn't because the bar remains so incredibly low.
https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/
Fake prize draw for a Wiener Linien annual pass in circulation
Fake posts are currently circulating on Facebook that advertise, in the name of Wiener Linien, a prize draw for a half-year pass. On participating, users are led to believe they have automatically won. Warning: this is a scam that aims to obtain banking details!
https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-wiener-linien-jahreskarte-im-umlauf/
Improvement of only 1.7 percent: phishing training almost always ineffective
A large study at a US healthcare company shows that common phishing trainings barely reduce the risk, no matter how intensive or interactive they are.
https://www.heise.de/news/Verbesserung-von-nur-1-7-Prozent-Phishing-Training-fast-immer-wirkungslos-10539174.html
MadeYouReset: New DDoS attack technique brings web servers down
Researchers have discovered a new vulnerability that affects many common HTTP/2 implementations. Servers can be overloaded with little effort. [..] Several widely used HTTP/2 server implementations such as Netty, Apache Tomcat, H2O, SwiftNIO and F5 BIG-IP are considered vulnerable. Further affected implementations and any vendor responses can be found in an advisory from Carnegie Mellon University's CERT Coordination Center.
https://www.golem.de/news/madeyoureset-neue-ddos-angriffstechnik-legt-webserver-lahm-2508-199212.html
Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824
We examine the evolution of the PipeMagic backdoor and the TTPs of its operators - from the RansomExx incident in 2022 to attacks in Brazil and Saudi Arabia, and the exploitation of CVE-2025-29824 in 2025.
https://securelist.com/pipemagic/117270/
How Researchers Collect Indicators of Compromise
Today, we'll demonstrate a simple workflow showing how researchers use various tools to collect indicators of compromise (IOCs) and develop appropriate signatures from detonated malware.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/how-researchers-collect-indicators-of-compromise/
ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure
"The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report.
https://thehackernews.com/2025/08/ermac-v30-banking-trojan-source-code.html
Mobile Phishers Target Brokerage Accounts in "Ramp and Dump" Cashout Scheme
Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.
https://krebsonsecurity.com/2025/08/mobile-phishers-target-brokerage-accounts-in-ramp-and-dump-cashout-scheme/
Scammers turn to "ghost-tapping" retail fraud to launder funds
In a report released Thursday, researchers at Recorded Future's Insikt Group detailed what they call "ghost-tapping" - when stolen payment card details are uploaded onto a burner phone and used in-person to purchase goods.
https://therecord.media/scammers-ghost-tapping-retail-fraud-launder-cash
Cyberattack on Dutch prosecution service is keeping speed cameras offline
Who knew zero-days could be so useful to highway speedsters? The lingering effects of a cyberattack on the Public Prosecution Service of the Netherlands are preventing it from reactivating speed cameras across the country.
https://go.theregister.com/feed/www.theregister.com/2025/08/15/cyberattack_on_dutch_prosecution_service/
AI-supported cyberattacks: experts observe increasing use of LLMs
Security researchers are currently seeing an increase in AI-assisted attacks and, with it, a turning point in the cyber arms race. [..] Ukrainian authorities and several cybersecurity companies first detected the malware in July. [..] With the growing use of AI agents, experts see a new risk for the future.
https://www.heise.de/news/KI-gestuetzte-Cyberangriffe-Experten-beobachten-zunehmenden-LLM-Einsatz-10539423.html
Terraform Cloud token abuse turns speculative plan into remote code execution
Platforms like Terraform are great for making cloud management easier, but that same convenience can work in an attacker's favour. Increasingly, we're seeing Terraform used as a pivot point, letting attackers sidestep the usual security roadblocks of MFA and conditional access via token abuse, which remain one of the weaker links in the chain.
https://www.pentestpartners.com/security-blog/terraform-token-abuse-speculative-plan/
libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden
The lone volunteer maintainer of libxml2, one of the open source ecosystem's most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech's security demands without compensation or support.
https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports
Technical Analysis of SAP Exploit Script (Visual Composer "Metadata Uploader" Exploit)
This script targets a critical zero-day vulnerability (now identified as CVE-2025-31324) in SAP NetWeaver's Visual Composer Metadata Uploader component. The vulnerability is a missing authorization check on the HTTP endpoint /developmentserver/metadatauploader, allowing unauthenticated file uploads to the server's filesystem. [..] The blog contains further pseudo code for detection and examples for another way to exploit the vulnerability.
https://detect.fyi/technical-analysis-of-sap-exploit-script-visual-composer-metadata-uploader-exploit-7b4a01b38548?source=rssd5fd8f494f6a4
Vulnerabilities
Security updates for Friday
Security updates have been issued by AlmaLinux (kernel and webkit2gtk3), Debian (aide and postgresql-13), Fedora (libtiff, mupdf, and pandoc), SUSE (cairo, chromium, gstreamer-plugins-base, ImageMagick, iputils, kubernetes1.23, kubernetes1.26, matrix-synapse, Mesa, pgadmin4, python3, qemu, and rz-pm), and Ubuntu (aide).
https://lwn.net/Articles/1033901/
Security updates for Monday
Security updates have been issued by AlmaLinux (go-toolset:rhel8, kernel, and kernel-rt), Fedora (chromium), Oracle (libxml2), Red Hat (go-toolset:rhel8, golang, kernel, kernel-rt, openjpeg2, rsync, and tigervnc), and SUSE (apache-commons-lang3, chromedriver, fractal, framework_tool, go1.23-openssl, go1.24-openssl, grub2, gstreamer-devtools, gstreamer-plugins-rs, jasper, libavif, lighttpd, nginx, podman, postgresql13, postgresql14, postgresql15, postgresql16, python311-pypdf, ruby2.5, rust-keylime, tiff, tomcat, tomcat10, and tomcat11).
https://lwn.net/Articles/1034267/