End-of-Day report
Timeframe: Thursday 15-01-2026 18:00 - Friday 16-01-2026 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
News
From bit flip to root access: flaw in AMD CPUs enables break-ins into cloud VMs
A new attack technique called Stackwarp lets attackers hijack virtual machines via AMD CPUs. Cloud environments in particular are at risk.
https://www.golem.de/news/per-bitflip-zum-root-zugriff-luecke-in-amd-cpus-ermoeglicht-einbruch-in-cloud-vms-2601-204279.html
AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks
A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk.
https://thehackernews.com/2026/01/aws-codebuild-misconfiguration-exposed.html
Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts
Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts.
https://thehackernews.com/2026/01/five-malicious-chrome-extensions.html
Chinese spies used Maduro's capture as a lure to phish US govt agencies
What's next for Venezuela? Click on the file and see. What policy wonk wouldn't want to click on an attachment promising to unveil US plans for Venezuela? Chinese cyberspies used just such a lure to target US government agencies and policy-related organizations in a phishing campaign that began just days after an American military operation captured Venezuelan President Nicolás Maduro.
https://go.theregister.com/feed/www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/
Bankrupt scooter startup left one private key to rule them all
An Estonian e-scooter owner locked out of his own ride after the manufacturer went bust did what any determined engineer might do. He reverse-engineered it, and claims he ended up discovering the master key that unlocks every scooter the company ever sold.
https://www.theregister.com/2026/01/16/bankrupt_scooter_startup_key/
RondoDox botnet linked to large-scale exploit of critical HPE OneView bug
Check Point observes 40K+ attack attempts in our hours, with government organizations under fire. A critical HPE OneView flaw is now being exploited at scale, with Check Point tying mass, automated attacks to the RondoDox botnet.
https://www.theregister.com/2026/01/16/rondodox_botnet_hpe_oneview/
German cops add Black Basta boss to EU most-wanted list
Ransomware kingpin who escaped Armenian custody is believed to be lying low back home. German cops have added Russian national Oleg Evgenievich Nefekov to their list of most-wanted criminals for his services to ransomware.
https://www.theregister.com/2026/01/16/black_basta_boss_wanted/
Patch now! Critical Cisco vulnerability exploited since December 2025
Attackers are compromising Cisco Secure Email Gateway and Secure Email and Web Manager via a root vulnerability. Security updates are now available.
https://www.heise.de/news/Jetzt-patchen-Kritische-Cisco-Luecke-seit-Dezember-2025-ausgenutzt-11143359.html
The learning threat: Predator spyware is more sophisticated than thought
Intellexa's Predator spyware extracts valuable data even from failed infection attempts and specifically hunts IT security researchers.
https://www.heise.de/news/Die-lernende-Bedrohung-Predator-Spyware-ist-raffinierter-als-gedacht-11144402.html
Chinese hackers targeting "high value" North American critical infrastructure, Cisco says
Chinese hackers successfully breached multiple critical infrastructure organizations in North America over the last year using a combination of compromised credentials and exploitable servers, researchers at Cisco Talos found.
https://therecord.media/china-hackers-apt-cisco-talos
Canadian investment regulator confirms hackers hit 750,000 investors
The nongovernmental Canadian Investment Regulatory Organization, which oversees the country's debt and equity marketplaces as well as some financial institutions, released details about an August 2025 data breach.
https://therecord.media/canada-ciro-investing-regulator-confirms-data-breach
CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation
CVE-2025-55182 is a CVSS 10.0 pre-authentication RCE affecting React Server Components. Amid the flood of fake proof-of-concept exploits, scanners, exploits, and widespread misconceptions, this technical analysis intends to cut through the noise.
https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html
New PayPal Scam Sends Verified Invoices With Fake Support Numbers
Scammers are using verified PayPal invoices to launch callback phishing attacks. Learn how the "Alexzander" invoice bypasses Google filters.
https://hackread.com/paypal-scam-verified-invoices-fake-support-numbers/
Operation Endgame: Dutch Police Arrest Alleged AVCheck Operator
Dutch police arrest the alleged AVCheck operator at Schiphol as part of Operation Endgame, a global effort targeting malware services and cybercrime.
https://hackread.com/operation-endgame-dutch-police-arrest-avcheck-operator/
Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation
Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades (with cryptanalysis dating back to 1999), Mandiant consultants continue to identify its use in active environments.
https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables/
The reporting portal in the AWS cloud: why, BSI?
It is good that the BSI offers a new portal for IT security. But does it really have to run on the AWS cloud, asks Tobias Glemser.
https://heise.de/-11142071
How to Use Pareto Principle to Fine-Tune Alerts and Reduce False Positives Wisely
False positives were not only consuming analyst time - they were also diluting attention and slowing response on the few alerts that actually mattered.
https://detect.fyi/how-to-use-pareto-principle-to-fine-tune-alerts-and-reduce-false-positives-wisely-2c171356fe5b
Vulnerabilities
Hackers exploit Modular DS WordPress plugin flaw for admin access
Hackers are actively exploiting a maximum severity flaw in the Modular DS WordPress plugin that allows them to bypass authentication remotely and access the vulnerable sites with admin-level privileges.
https://www.bleepingcomputer.com/news/security/hackers-exploit-modular-ds-wordpress-plugin-flaw-for-admin-access/
Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices
A critical vulnerability in Google's Fast Pair protocol can allow attackers to hijack Bluetooth audio accessories like wireless headphones and earbuds, track users, and eavesdrop on their conversations.
https://www.bleepingcomputer.com/news/security/critical-whisperpair-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/
VU#383552: thelibrarian does not secure its interface, allowing for access to internal system data
Multiple vulnerabilities were discovered in The Librarian, an AI-powered personal assistant tool provided by the company TheLibrarian.io. The Librarian can be used to manage personal email, calendar, documents, and other information through external services, such as Gmail and Google Drive, and also summarize meetings and schedule emails.
https://kb.cert.org/vuls/id/383552
VU#650657: Livewire Filemanager contains an insecure .php component that allows for unauthenticated RCE in Laravel Products
A vulnerability, tracked as CVE-2025-14894, has been discovered within Livewire Filemanager, a tool designed for usage within Laravel applications. The Livewire Filemanager tool allows for users to upload various files, including PHP files, and host them within the Laravel application.
https://kb.cert.org/vuls/id/650657
Juniper Networks: numerous security updates for various products
Juniper Networks has released security updates for numerous products. IT admins should apply them promptly.
https://www.heise.de/news/Juniper-Networks-Zahlreiche-Sicherheitsupdates-fuer-diverse-Produkte-11143432.html
Security updates for Friday
Security updates have been issued by AlmaLinux (gnupg2), Debian (firefox-esr), Oracle (cups, gnupg2, libpq, net-snmp, postgresql, postgresql:15, postgresql:16, transfig, and vsftpd), Red Hat (firefox), SUSE (apache2, curl, firefox, gpg2, hawk2, libcryptopp-devel, openCryptoki, python310, python311-urllib3, rke2, squid, and tomcat), and Ubuntu (cpp-httplib, git, python-apt, and simgear).
https://lwn.net/Articles/1054683/