Daily summary - 29.09.2025

End-of-Day report

Timeframe: Friday 26-09-2025 18:00 - Monday 29-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs

News

First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails

This is the world's first sighting of a real-world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise's biggest attack surface.

https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft


Akira ransomware breaching MFA-protected SonicWall VPN accounts

Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds, although the exact method remains unconfirmed.

https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-mfa-protected-sonicwall-vpn-accounts/
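Why a stolen OTP seed defeats OTP MFA outright: a TOTP code is nothing more than HMAC(seed, current time step), so any party holding a copy of the seed computes the same code the user's authenticator shows, and the server has no way to tell the two apart. The following is an added illustration written for this summary; it is not code from the BleepingComputer article, from the researchers cited there, or from SonicWall, and it uses the RFC 6238 test-vector seed as constructed sample input. The generic lesson it shows (re-issue seeds after any suspected compromise, a password reset alone changes nothing) is independent of whether seed theft turns out to be the Akira mechanism, which the page reports as suspected, not confirmed.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP from a shared seed (added example, not vendor code)."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC(seed, 8-byte big-endian counter) -> dynamic truncation -> zero-padded decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter derived from the clock: floor(time / step)."""
    return hotp(seed, unix_time // step, digits, algo)


def verify(seed: bytes, candidate: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew, constant-time compare."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, unix_time + k * step, step), candidate):
            return True
    return False


def seed_theft_scenario(unix_time: int) -> dict:
    """Constructed scenario: the user's authenticator and an attacker holding a copy of the
    same seed derive identical codes, so the server accepts the attacker's login."""
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed, used here as constructed input
    user_code = totp(seed, unix_time)
    attacker_code = totp(seed, unix_time)  # computed offline from the stolen seed; no phishing needed
    return {
        "user_code": user_code,
        "attacker_code": attacker_code,
        "server_accepts_attacker": verify(seed, attacker_code, unix_time),
    }


if __name__ == "__main__":
    import time
    print(seed_theft_scenario(int(time.time())))
```

Because nothing in the exchange binds the code to a particular device, a server that sees a valid code cannot distinguish a cloned seed from the real authenticator; only re-enrolling the user (new seed) or moving to a device-bound factor such as FIDO2 closes the gap.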


Pointer leaks through pointer-keyed data structures

Some time in 2024, during a Project Zero team discussion, we were talking about how remote ASLR leaks would be helpful or necessary for exploiting some types of memory corruption bugs, specifically in the context of Apple devices.

https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointer-keyed.html


Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security

Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses. "Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent," the Microsoft Threat Intelligence team said in an analysis published last week.

https://thehackernews.com/2025/09/microsoft-flags-ai-driven-phishing-llm.html
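SVG is an XML document that browsers and many mail clients treat as active content, so the interesting question for a mail gateway is not whether an SVG attachment "looks like a chart" but whether it carries script elements, event-handler attributes, javascript:/data: links, foreignObject HTML, or an encoded blob sitting next to decoy business text. The scanner below is an added example written for this summary, not Microsoft's detection logic and not taken from the campaign analysis; the sample SVG is constructed to mimic the pattern the quote describes (business wording around an obfuscated redirect), and the base64-blob heuristic and its thresholds are assumptions.

```python
"""Static SVG triage: flag active content and encoded payloads (added example, constructed input)."""
import base64
import re
import xml.etree.ElementTree as ET

SCRIPT_SCHEMES = ("javascript:", "data:")
EXTERNAL_SCHEMES = ("http:", "https:", "//")
# Assumed heuristic: a run of 24+ base64 characters is worth trying to decode.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed sample: decoy "business" text, hidden filler words, and a script that
# redirects to a base64-encoded URL once the image loads.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="200" onload="quarterlyRevenueReport()">
  <text x="10" y="40">Q3 Business Performance Review</text>
  <g opacity="0"><text>customer</text><text>revenue</text><text>growth</text></g>
  <a xlink:href="https://example.invalid/portal/login"><text x="10" y="80">Open dashboard</text></a>
  <script><![CDATA[
    function quarterlyRevenueReport(){ window.location = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv"); }
  ]]></script>
</svg>"""

BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'


def _local(name: str) -> str:
    """Strip the XML namespace prefix from a tag or attribute name."""
    return name.split("}")[-1].lower()


def scan_svg(svg_text: str) -> list:
    """Return (indicator, evidence) pairs for active content or outbound links in an SVG."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append(("script-element", (el.text or "").strip()[:60]))
        if tag == "foreignobject":
            findings.append(("foreignObject-html", ""))
        for attr, value in el.attrib.items():
            name = _local(attr)
            v = value.strip()
            if name.startswith("on"):
                findings.append((f"event-handler:{name}", v[:60]))
            elif name == "href":
                if v.lower().startswith(SCRIPT_SCHEMES):
                    findings.append((f"active-href:{tag}", v[:60]))
                elif v.lower().startswith(EXTERNAL_SCHEMES):
                    findings.append((f"external-href:{tag}", v[:60]))
    # Encoded-blob heuristic: decode base64 runs and flag ones that hide a URL or markup.
    for blob in BASE64_BLOB.findall(svg_text):
        raw = blob.rstrip("=")
        try:
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except ValueError:
            continue
        head = decoded[:4].lower()
        if head.startswith(b"http") or head.startswith(b"<"):
            findings.append(("encoded-url-or-markup", decoded[:60].decode("ascii", "replace")))
    return findings


def verdict(findings: list) -> str:
    """Policy (assumed): any active content blocks; a plain external link is merely reviewed."""
    kinds = {k for k, _ in findings}
    if any(k.startswith(("script-element", "event-handler", "active-href",
                         "foreignObject", "encoded-url")) for k in kinds):
        return "block"
    return "review" if any(k.startswith("external-href") for k in kinds) else "allow"


if __name__ == "__main__":
    for name, svg in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        f = scan_svg(svg)
        print(name, verdict(f), f)
```

Note that xml.etree does not fetch external entities, but it is still exposed to entity-expansion denial of service; a production gateway should parse untrusted SVG with defusedxml or with entity expansion disabled.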


Cyber threat-sharing law set to shut down, along with US government

Barring a last-minute deal, the US federal government would shut down on Wednesday, October 1, and the 2015 Cybersecurity Information Sharing Act would lapse at the same time, threatening what many consider a critical plank of US cybersecurity policy.

https://go.theregister.com/feed/www.theregister.com/2025/09/26/government_shutdown_cisa_law/


Sex offenders, terrorists, drug dealers, exposed in spyware breach

RemoteCOM's monitoring software leaked the personal details of suspects, offenders, and the law enforcement officers tracking them.

https://www.malwarebytes.com/blog/news/2025/09/sex-offenders-terrorists-drug-dealers-exposed-in-spyware-breach


From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which deployed a Brute Ratel DLL file using rundll32.

https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/
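The chain in that summary (user-launched JavaScript, MSI download, DLL loaded via rundll32) is a process-lineage pattern that endpoint telemetry can catch before the C2 stage. The detection below is an added example written for this summary, not code or a rule from The DFIR Report. The telemetry shape and the sample events are constructed, and the lineage itself is an assumption layered on the text: the page only says a JS file was executed and an MSI deployed a DLL via rundll32, so the script host (wscript.exe) and the installer process (msiexec.exe) are assumed, as is the user-writable-path heuristic and the two-indicator alert threshold.

```python
"""Process-lineage detection for a JS -> MSI -> rundll32 chain (added example, constructed data)."""
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # assumed hosts for a double-clicked .js
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")  # assumed heuristic

# Constructed process-creation events in a simplified Sysmon-like shape (pid, ppid, image, cmdline).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\Tax_Form_2023.js"'},
    {"pid": 102, "ppid": 101, "image": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\AppData\Local\Temp\update.msi /qn"},
    {"pid": 103, "ppid": 102, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\Vendor\libhelper.dll,Start"},
    # Benign control: rundll32 launched from explorer with a system DLL.
    {"pid": 200, "ppid": 100, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def build_index(events: list) -> dict:
    """Index events by pid so parents can be walked."""
    return {e["pid"]: e for e in events}


def lineage(procs: dict, pid: int) -> list:
    """Return [self, parent, grandparent, ...], stopping at unknown pids or cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def detect(events: list, min_indicators: int = 2) -> list:
    """Alert on rundll32 whose ancestry or DLL path matches the JS -> MSI -> rundll32 pattern."""
    procs = build_index(events)
    alerts = []
    for p in procs.values():
        if p["image"].lower() != "rundll32.exe":
            continue
        chain = lineage(procs, p["pid"])
        ancestors = chain[1:]
        indicators = []
        if any(a["image"].lower() == "msiexec.exe" for a in ancestors):
            indicators.append("ancestor:msiexec")
        if any(a["image"].lower() in SCRIPT_HOSTS and ".js" in a["cmdline"].lower()
               for a in ancestors):
            indicators.append("ancestor:script-host-running-js")
        if any(d in p["cmdline"].lower() for d in USER_WRITABLE):
            indicators.append("dll-in-user-writable-path")
        if len(indicators) >= min_indicators:
            alerts.append({
                "pid": p["pid"],
                "cmdline": p["cmdline"],
                "indicators": indicators,
                "chain": " <- ".join(c["image"] for c in chain),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The same walk works over real Sysmon Event ID 1 data once the field names are mapped (ProcessId, ParentProcessId, Image, CommandLine); requiring two independent indicators keeps ordinary MSI installers that legitimately call rundll32 from firing on their own.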


Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M

Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings.

https://hackread.com/medusa-ransomware-comcast-data-breach/


CISA and UK NCSC Release Joint Guidance for Securing OT Systems

CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom's National Cyber Security Centre, and other international partners has released new joint cybersecurity guidance: "Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture".

https://www.cisa.gov/news-events/alerts/2025/09/29/cisa-and-uk-ncsc-release-joint-guidance-securing-ot-systems


Supply chain security for the 0.001% (and why it won't catch on)

After yet another supply chain issue (npm this time, but it doesn't really matter that much), Shai-hulud, 500 packages affected and millions of downloads later, I finally wrapped up the protection system for my dev environment. I really don't want to be the next one exploited.

https://blog.viraptor.info/post/supply-chain-security-for-the-0001-and-why-it-wont-catch-on

Vulnerabilities

Security updates for Monday

Security updates have been issued by AlmaLinux (avahi, cups, firefox, gnutls, golang, httpd, kernel, libtpms, mysql, opentelemetry-collector, php:8.2, podman, postgresql:13, postgresql:15, python3, python3.11, python3.12, python3.9, thunderbird, and udisks2), Debian (firefox-esr, gimp, nncp, node-tar-fs, and squid), Fedora (chromium, firebird, python-azure-keyvault-securitydomain, python-azure-mgmt-security, and python-microsoft-security-utilities-secret-masker), Red Hat (httpd:2.4, kernel, kernel-rt, and mod_http2), SUSE (aide, apache2-mod_security2, chromedriver, cloud-init, docker, gdk-pixbuf, git, google-osconfig-agent, govulncheck-vulndb, gstreamer-plugins-base, iperf, kernel, krb5, krita, luajit, net-tools, nvidia-open-driver-G06-signed, pam, postgresql17, python311, rust-keylime, sevctl, tor, tree-sitter-ruby, and udisks2), and Ubuntu (curl, ghostscript, inetutils, python2.7, and qtbase-opensource-src).

https://lwn.net/Articles/1040058/


REDCap: Multiple Cross-Site Scripting (XSS) Vulnerabilities

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/redcap-multiple-cross-site-scripting-xss-vulnerabilities/


DataSpider Servista improper restriction of XML external entity references

https://jvn.jp/en/jp/JVN23423519/