Daily summary - 28.08.2025

End-of-Day report

Timeframe: Wednesday 27-08-2025 18:00 - Thursday 28-08-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a

News

Experimental PromptLock ransomware uses AI to encrypt, steal data

Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems. The malware uses OpenAI's gpt-oss:20b model through the Ollama API to dynamically generate the malicious Lua scripts from hard-coded prompts.

https://www.bleepingcomputer.com/news/security/experimental-promptlock-ransomware-uses-ai-to-encrypt-steal-data/


ZipLine Phishers Flip Script as Victims Email First

A financially motivated threat actor is flipping the phishing playbook by getting victims to make the first email contact with the attacker rather than the other way around. The scam involves the adversary hitting up Contact Us forms on company websites under the guise of partnership inquiries or other business pretexts and waiting for the target to respond. Over a couple of weeks, they build credibility with carefully crafted, professional-sounding emails before hitting their mark with a weaponized zip file. "ZipLine" appears to be a sophisticated and carefully planned campaign that has already affected dozens of small, medium, and large companies.

https://www.darkreading.com/cyberattacks-data-breaches/zipline-phishers-victims-email-first


AppSuite PDF Editor Backdoor: A Detailed Technical Analysis

Some threat actors are bold enough to submit their own malware as a false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor. Initially, automation flagged it as a potentially unwanted program, a verdict that is typically reserved for legitimate software with shady features like unwanted advertisements or installation of third-party programs without proper consent. In the case of AppSuite, however, we found a backdoor.

https://feeds.feedblitz.com/~/923960972/0/gdatasecurityblog-en~AppSuite-PDF-Editor-Backdoor-A-Detailed-Technical-Analysis


Sweden: Cyberattack paralyzes systems of hundreds of municipalities

A Swedish IT service provider named Miljödata has apparently been the target of a serious cyberattack. According to a report by Bleeping Computer, the attack is said to be causing outages in more than 200 Swedish administrations. The news portal Sweden Herald even speaks of 250 affected customers, of which at least 164 are said to be municipal administrations.

https://www.golem.de/news/schweden-cyberangriff-legt-systeme-hunderter-kommunen-lahm-2508-199598.html


Malicious Screen Connect Campaign Abuses AI-Themed Lures for Xworm Delivery

During a recent Advanced Continual Threat Hunt (ACTH) investigation, the Trustwave SpiderLabs Threat Hunt team identified a deceptive campaign that abused fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-screen-connect-campaign-abuses-ai-themed-lures-for-xworm-delivery/


More than 28,000 Netscaler instances vulnerable to Citrix Bleed 3

On Wednesday it became known that vulnerabilities in Citrix's Netscalers (ADC and Gateway) are under attack; the flaws are already being dubbed "Citrix Bleed 3". The Shadowserver Foundation published figures on Wednesday according to which, as of Tuesday, more than 28,000 systems worldwide were still vulnerable to the "Citrix Bleed 3" flaw. Attackers can presumably abuse the vulnerabilities on these systems.

https://www.heise.de/news/Mehr-als-28-000-Netscaler-Instanzen-anfaellig-fuer-Citrix-Bleed-3-10623870.html


Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System

People's Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a


Microsoft warns: ransomware group Storm-0501 attacks (Azure) cloud, demands payments

Microsoft warns of the financially motivated group Storm-0501, which continuously targets cloud instances (Azure) with its attacks. On success, data is exfiltrated, then the originals are encrypted and backups are destroyed. A ransom is then demanded.

https://www.borncity.com/blog/2025/08/28/microsoft-warnt-ransomware-gruppe-storm-0501-greift-azure-cloud-an-verlangt-zahlungen/


Zip Slip, Path Traversal Vulnerability during File Decompression

Path traversal or directory traversal vulnerabilities are security vulnerabilities that occur mainly due to improper validation of user inputs. Attackers can read, modify, or even create new files that are originally inaccessible or located in unintended paths using relative or absolute paths. Although these vulnerabilities have been known for a long time, they are still being discovered in various environments and applications, not just web environments. This article examines Zip Slip, a path traversal vulnerability that occurs during the file decompression process of compression programs, and aims to introduce its main vulnerabilities.

https://asec.ahnlab.com/en/89890/
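As an added illustration of the Zip Slip class described above (this is editor-supplied example code, not code from the AhnLab article), the extractor below shows the one check a vulnerable decompressor is missing: resolving the destination-plus-entry path and refusing any entry that lands outside the destination directory. The archive is constructed in memory and contains one benign entry plus a relative (`../../`) and an absolute-path traversal attempt; the function names `is_safe_member`, `safe_extract`, `build_sample_archive` and `demo` are the example's own.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if dest_dir/member_name resolves to a location inside dest_dir.

    This is the check a Zip Slip-vulnerable extractor lacks: it joins the entry
    name to the destination and writes without looking at where the joined
    path actually resolves to.
    """
    dest = os.path.realpath(dest_dir)
    # An absolute entry name would make os.path.join discard dest_dir entirely.
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        return False
    target = os.path.realpath(os.path.join(dest, member_name))
    # Compare with a trailing separator so "/out" does not match "/outside".
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only entries that stay inside dest_dir; return the rejected names."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            zf.extract(info, dest_dir)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../escape.txt", "would land two directories above dest")
        zf.writestr("/tmp/absolute.txt", "absolute path, ignores dest entirely")
    return buf.getvalue()


def demo() -> tuple:
    """Run the extractor on the sample archive in a fresh temporary directory.

    Returns (sorted rejected entry names, whether the benign file was written).
    """
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    rejected = safe_extract(build_sample_archive(), dest)
    benign_written = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    return sorted(rejected), benign_written


if __name__ == "__main__":
    print(demo())
```

The same prefix test applies to tar and other archive formats; the essential point is that the check runs on the fully resolved path (after `..` collapsing and symlink resolution) rather than on the raw entry name, which can be disguised with mixed separators or redundant segments.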


Thousands of Developer Credentials Stolen in macOS 's1ngularity' Attack

A supply chain attack called 's1ngularity' on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted macOS and AI tools, according to GitGuardian's analysis.

https://hackread.com/developer-credentials-stolen-macos-s1ngularity-attack/


Cisco: several products with partly high-risk vulnerabilities

The network equipment vendor Cisco published ten new security advisories on Wednesday. They cover partly high-risk vulnerabilities in several products.

https://heise.de/-10623826


Referral Beware, Your Rewards are Mine (Part 1)

Referral rewards programs are nearly ubiquitous today, from consumer tech to SaaS companies, but are rarely given much security oversight. In this blog post we'll dig into the common technical implementations of rewards programs on web apps, common security issues with each approach, and recommendations for secure development of similar programs. In a subsequent post, we'll explore real-world examples of these vulnerability classes in detail.

https://rhinosecuritylabs.com/research/referral-beware-your-rewards-are-mine-part-1/

Vulnerabilities

Security updates for Thursday

Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel).

https://lwn.net/Articles/1035464/


Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities

https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-vulnerabilities/