Daily summary - 12.09.2025

End-of-Day report

Timeframe: Thursday 11-09-2025 18:00 - Friday 12-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs

News

Panama Ministry of Economy discloses breach claimed by INC ransomware

Panama's Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack. The government noted that it activated the security procedures for these situations, stating that the incident has been contained and didn't impact core systems that are vital to its operations.

https://www.bleepingcomputer.com/news/security/panama-ministry-of-economy-discloses-breach-claimed-by-inc-ransomware/


Vidar Infostealer Back with a Vengeance

The long-running Vidar infostealer has evolved with new obfuscation techniques. That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks. First tracked in late 2018, Vidar is an infostealer that enables affiliates to grab credentials, operating system details, cookies, sensitive financial data, various authentication tokens, and more from compromised environments.

https://www.darkreading.com/endpoint-security/vidar-infostealer-back-with-vengeance


Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence

U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called "gross cybersecurity negligence" that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks.

https://thehackernews.com/2025/09/senator-wyden-urges-ftc-to-probe.html


New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit

Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.

https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html


Apple Warns French Users of Fourth Spyware Campaign in 2025, CERT-FR Confirms

Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the country that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly targeted attacks.

https://thehackernews.com/2025/09/apple-warns-french-users-of-fourth.html


Huntress's hilarious attacker surveillance splits infosec community

Security outfit Huntress has been forced onto the defensive after its latest research - described by senior staff as "hilarious" - split opinion across the cybersecurity community.

https://go.theregister.com/feed/www.theregister.com/2025/09/12/huntress_attacker_surveillance/


Bulletproof Host Stark Industries Evades EU Sanctions

In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers.

https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/


Swiss government looks to undercut privacy tech, stoking fears of mass surveillance

The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption.

https://therecord.media/switzerland-digital-privacy-law-proton-privacy-surveillance


Have the router URLs sphairon.box and zyxel.box been hijacked?

I am posting a topic here on the blog that has now been reported to me by two readers and that reminds me of an old incident at AVM concerning the fritz.box URL. It looks as though the URLs sphairon.box and zyxel.box, which routers (Zyxel, Sphairon) use for access to the router functions, have been hijacked by registered domains. The target pages are to be classified as "malicious".

https://www.borncity.com/blog/2025/09/12/wurden-router-urls-sphairon-box-und-zyxel-box-gekapert/


EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks

Combining AI-generated code and social engineering, EvilAI operators are executing a rapidly expanding campaign, disguising their malware as legitimate applications to bypass security, steal credentials, and persistently compromise organizations worldwide.

https://www.trendmicro.com/en_us/research/25/i/evilai.html


Muck Stealer Malware Used Alongside Phishing in New Attack Waves

A new report from Cofense reveals that cybercriminals are blending phishing and malware, including Muck Stealer, Info Stealer, ConnectWise RAT, and SimpleHelp RAT in dual-threat attacks, making them harder to defend against.

https://hackread.com/muck-stealer-malware-phishing-new-attack-waves/


Social Engineering & AI: Cybercriminals recruit on the darknet

Cybercriminals are increasingly searching the darknet for experts in social engineering and AI. This is an indication of which threats companies should be watching for.

https://heise.de/-10642617


ChillyHell macOS Backdoor Resurfaces

In 2025, cybersecurity researchers uncovered a deeply concerning threat targeting macOS systems called ChillyHell, a modular backdoor malware that had managed to fly under the radar for years by cleverly abusing macOS security mechanisms and Apple's own notarization process.

https://thecyberthrone.in/2025/09/11/chillyhell-macos-backdoor-resurfaces/

Vulnerabilities

Samsung patches actively exploited zero-day reported by WhatsApp

Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13.

https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exploited-zero-day-reported-by-whatsapp/


Patch now! Renewed attacks on SonicWall firewalls observed

The "critical" vulnerability (CVE-2024-40766) has been known since August of last year. The flaw in certain SonicWall firewalls has repeatedly been targeted by attackers. Security updates have been available for about a year, but evidently they still have not been installed across the board.

https://www.heise.de/news/Jetzt-patchen-Erneut-Attacken-auf-SonicWall-Firewalls-beobachtet-10642110.html


Security updates for Friday

Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).

https://lwn.net/Articles/1037919/


CISA Releases Eleven Industrial Control Systems Advisories

https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-releases-eleven-industrial-control-systems-advisories