Daily Summary - 09.09.2025

End-of-Day report

Timeframe: Monday 08-09-2025 18:00 - Tuesday 09-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler

News

TOR-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs

Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. Akamai, which discovered the latest activity last month, said it's designed to block other actors from accessing the Docker API from the internet.

https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.html


GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies

Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. It's currently not known how the digital intruders gained access to the GitHub account.

https://thehackernews.com/2025/09/github-account-compromise-led-to.html


RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities

A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.

https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.html


Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft's Direct Send feature to form a "highly efficient attack pipeline" in recent phishing campaigns, according to new findings from ReliaQuest.

https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html


Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data

Silent Push has identified dozens of previously unreported domains used by the Chinese APT group Salt Typhoon, along with some related People's Republic of China (PRC) state-backed threat actors, all aimed at obtaining long-term, stealthy access to targeted organizations.

https://www.silentpush.com/blog/salt-typhoon-2025/


BSI warns: "Digital attack surfaces in the automotive sector are growing rapidly"

Digital services, over-the-air updates, AI and networked electronic control units shape today's vehicle architectures, according to the BSI. Manufacturers and suppliers must take precautions.

https://www.heise.de/news/BSI-warnt-Digitale-Angriffsflaechen-im-Automobilsektor-wachsen-rasant-10638449.html


Security updates for Tuesday

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).

https://lwn.net/Articles/1037308/


Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

An analysis of the Gentlemen ransomware group, which employs advanced, adaptive tactics, techniques, and procedures to target critical industries worldwide.

https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html


Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware

Hackers exploit a Sitecore zero-day (CVE-2025-53690) to deploy WEEPSTEEL Malware via ViewState attacks, enabling Remote Code Execution (RCE).

https://hackread.com/zero-day-sitecore-exploited-deploy-weepsteel-malware/


OpenAI paper: hallucinations apparently unavoidable

A new scientific paper published by OpenAI deals with hallucinations, i.e. false information and connections that large language models (LLMs), and therefore also AI chatbots, output. All AI companies are working to keep hallucinations to a minimum. Eliminating them entirely, however, appears impossible, as OpenAI itself now writes.

https://heise.de/-10637744


LockBit Attempts Comeback with LockBit 5.0 Ransomware Release

LockBit was once the most feared ransomware group until global law enforcement action sent the group into decline last year. Now the threat group hopes to mount a comeback with LockBit 5.0.

https://thecyberexpress.com/lockbit-5-0-ransomware/

Vulnerabilities

Adobe patches critical SessionReaper flaw in Magento eCommerce platform

Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers call SessionReaper and describe as one of "the most severe" flaws in the history of the product.

https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessionreaper-flaw-in-magento-ecommerce-platform/


Popular JavaScript packages tampered with

A number of popular JavaScript packages were recently tampered with in order to manipulate cryptocurrency transactions. The cause of this supply-chain attack appears to have been a successful phishing attack against the maintainer of these packages and his npm account. Manipulated versions of the affected packages have already been withdrawn.

https://www.cert.at/de/aktuelles/2025/9/populare-javascript-pakete-manipuliert


September 2025 Security Update

Ivanti is disclosing vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access.

https://www.ivanti.com/blog/september-2025-security-update


SAP Security Patch Day - September 2025

SAP has released its September 2025 security patch package containing 26 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 10.0, four High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, S/4HANA, SAP HCM, Business Planning and Consolidation, Commerce Cloud, and SAP Business One.

https://redrays.io/blog/sap-security-patch-day-september-2025/


VU#461364: Hiawatha open-source web server has multiple vulnerabilities

https://kb.cert.org/vuls/id/461364