End-of-Day report
Timeframe: Wednesday 17-09-2025 18:00 - Thursday 18-09-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
News
ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks
The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.
https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/
SystemBC malware turns infected VPS systems into proxy highway
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. Compromised servers are located all over the world and have at least one unpatched critical vulnerability, some of them being plagued by tens of security issues.
https://www.bleepingcomputer.com/news/security/systembc-malware-turns-infected-vps-systems-into-proxy-highway/
Microsoft: Hackers could reportedly hijack arbitrary Entra ID tenants
Security researcher Dirk-Jan Mollema has discovered a dangerous vulnerability in Microsoft Entra ID, the cloud-based identity and access management platform used by many companies. As the researcher describes in a blog post, it allowed him to compromise practically every Entra ID tenant worldwide, with the exception of national cloud deployments, which he was unable to test only because he lacked access to them.
https://www.golem.de/news/microsoft-hacker-konnten-wohl-beliebige-entra-id-tenants-kapern-2509-200233.html
SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers
Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems.
https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html
CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader
Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.
https://thehackernews.com/2025/09/countloader-broadens-russian-ransomware.html
Phishing emails in the name of Statistik Austria in circulation
A phishing email is currently circulating that purports to come from Statistik Austria. The message asks companies to submit sensitive financial and business data (e.g. lists of foreign business partners, amounts, payment deadlines). It must be assumed that the data could be misused for fraudulent payment demands sent to business partners.
https://www.watchlist-internet.at/news/phishing-mails-im-namen-der-statistik-austria-im-umlauf/
What We Know About the NPM Supply Chain Attack
On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography.
https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html
New Raven Stealer Malware Hits Browsers for Passwords and Payment Data
New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antivirus software and why it's a growing risk for everyday users.
https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/
Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams
Cybersecurity firm Infoblox says it has discovered "Vane Viper," a massive online ad network that posed as a legitimate business while running global scams and spreading malware. Linked to previously reported PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date.
https://hackread.com/vane-viper-malvertising-adtech-global-scams/
Vulnerabilities
Emergency patch: actively exploited Chrome vulnerability endangers countless users
Google has released an emergency patch for its widely used Chrome web browser. With it, the company closes several dangerous security vulnerabilities at once. One of them is already being actively exploited, as the release notes show. Users should therefore update the browser promptly to protect themselves against possible attacks. Chrome versions for Windows, Mac and Linux are affected.
https://www.golem.de/news/notfallpatch-aktiv-ausgenutzte-chrome-luecke-gefaehrdet-nutzer-2509-200206.html
Vulnerabilities threaten HPE Aruba Networking EdgeConnect SD-WAN
Attackers can target wide area networks (WAN) built on HPE Aruba Networking EdgeConnect SD-WAN. The developers have recently closed several security vulnerabilities. After a successful attack, attackers can, among other things, bypass security restrictions or even execute malicious code to fully compromise systems.
https://www.heise.de/news/Schwachstellen-bedrohen-HPE-Aruba-Networking-EdgeConnect-SD-WAN-10660930.html
Security updates for Thursday
Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14).
https://lwn.net/Articles/1038638/
Open-Source Tool Greenshot Hit by Severe Code Execution Vulnerability
A security vulnerability has been discovered in Greenshot, the widely used open-source screenshot tool for Windows. The Greenshot vulnerability exposes users to the risk of arbitrary code execution, potentially allowing attackers to bypass established security protections and launch further malicious activities. A proof-of-concept (PoC) exploit has already been released, drawing attention to the critical nature of the vulnerability.
https://thecyberexpress.com/greenshot-vulnerability/
ENCS testers help resolve critical vulnerabilities in solar inverters
ENCS cybersecurity testers uncovered several vulnerabilities in consumer solar inverters widely used in Europe, as part of the work on consumer IoT equipment. We reported these to the Dutch Institute for Vulnerability Disclosure (DIVD) CSIRT to start a responsible vulnerability disclosure process. Six vulnerabilities have now been resolved by the manufacturers.
https://encs.eu/news/encs-testers-help-resolve-critical-vulnerabilities-in-solar-inverters/
ZDI-25-895: Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-895/
CVE-2025-9242: WatchGuard Firebox iked Out of Bounds Write Vulnerability
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
Third-Party Libraries and Supply Chains - PSA-2025-09-17
https://www.drupal.org/psa-2025-09-17
Daikin Security Gateway
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10