Tageszusammenfassung - 03.07.2026

End-of-Day report

Timeframe: Donnerstag 02-07-2026 18:00 - Freitag 03-07-2026 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler

News

Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices

Google has significantly degraded NetNut, one of the biggest networks that turns home devices into rented relays for other people's traffic.

https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html


Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access.

https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html


Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan.

https://thehackernews.com/2026/07/armored-likho-targets-government.html


Indirect Prompt Injection in Web Content Targets AI Agents

AI agents are increasingly changing how users interact with web content, making the content itself a growing attack surface for threat actors. Just as a human user can be socially engineered through phishing, AI agents are also susceptible to similar attacks. Indirect prompt injection (IPI) is an example of these types of attacks that embed malicious instructions in the content retrieved by an AI agent (websites, documents, email, etc.) to influence the agent-s reasoning during task execution. Zscaler ThreatLabz has observed malicious websites that impersonate legitimate services and use IPI to manipulate AI-driven workflows.

https://www.zscaler.com/blogs/security-research/indirect-prompt-injection-web-content-targets-ai-agents


Fake Google and Cloudflare verification pages spread multiple malware families

ClickFix attacks, which trick people into running malicious commands themselves, continue to evolve. This latest campaign uses fake Google and Cloudflare verification pages to convince victims to infect their own devices.

https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-google-and-cloudflare-verification-pages-spread-multiple-malware-families


The Gentlemen ransomware: what you need to know

Despite the impeccably polite name, there is nothing polite or refined about this particular gang of cybercriminals. In little more than a year, The Gentlemen has gone from relative obscurity to becoming one of the most active ransomware operations on the planet. First surfacing in mid-2025, The Gentlemen is a ransomware-as-a-service (RaaS) operation that appears to have splintered away from the notorious Qilin ransomware group.

https://www.fortra.com/blog/gentlemen-ransomware-what-you-need-know


It-s 37oC, And All We Can Think About Is ColdFusion (Adobe ColdFusion Security Bulletin APSB26-68 CVE Bonanza)

We-re back, melting - we-ve tried shouting, screaming, and throwing things at the Sun, and it is just not working.

https://labs.watchtowr.com/its-37oc-and-all-we-can-think-about-is-coldfusion-adobe-coldfusion-security-bulletin-apsb26-68-cve-bonanza/


Mitglied im Sonderausschuss zu Pegasus: EU-Abgeordneter mit Spyware attackiert

Vor Jahren hat das Europaparlament Angriffe mit der Pegasus-Spyware in der EU untersucht. Ein stellvertretendes Ausschussmitglied wurde da selbst angegriffen.

https://heise.de/-11352514


How GitHub used secret scanning to reach inbox zero

GitHub had 20,000+ secret scanning alerts across 15,000 repositories. Here-s how we separated signal from noise, built remediation workflows, and reached inbox zero in nine months.

https://github.blog/security/application-security/how-github-used-secret-scanning-to-reach-inbox-zero/

Vulnerabilities

Behörde warnt: Microsoft-Sharepoint-Server werden attackiert

Angreifer nutzen eine gefährliche Sicherheitslücke in Microsoft Sharepoint aus, um Schadcode einzuschleusen. Admins sollten handeln.

https://www.golem.de/news/behoerde-warnt-microsoft-sharepoint-server-werden-attackiert-2607-210462.html


Jetzt updaten: Kritische Lücken in Ubiquiti UniFi erlauben Remote-Angriffe

Mehrere Produkte aus Ubiquitis UniFi-Ökosystem sind von teils kritischen Lücken betroffen. Admins sollten die abgesicherten Versionen zügig einspielen.

https://www.heise.de/news/Jetzt-updaten-Kritische-Luecken-in-Ubiquiti-UniFi-erlauben-Remote-Angriffe-11352622.html


Angriff per USB-Stick: KI findet gefährliche Lücke in populärem FatFs-Treiber

Das bloße Anschließen eines USB-Sticks reicht aus, um auf vielen Embedded- und IoT-Geräten Schadcode einzuschleusen. Einen Patch gibt es bisher nicht. (Sicherheitslücke, Speichermedien)

https://www.golem.de/news/angriff-per-usb-stick-ki-findet-gefaehrliche-luecke-in-populaerem-fatfs-treiber-2607-210484.html


LWN Security updates for Friday

https://lwn.net/Articles/1081187/


NCSC-2026-0219 [1.00] [M/H] Kwetsbaarheden verholpen in GitHub Enterprise Server

https://advisories.ncsc.nl/advisory?id=NCSC-2026-0219


NCSC-2026-0220 [1.00] [M/H] Kwetsbaarheden verholpen in Rancher door Rancher Labs

https://advisories.ncsc.nl/advisory?id=NCSC-2026-0220