End-of-Day report
Timeframe: Thursday 02-07-2026 18:00 - Friday 03-07-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
News
Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices
Google has significantly degraded NetNut, one of the biggest networks that turns home devices into rented relays for other people's traffic.
https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html
Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access.
https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html
Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer
A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan.
https://thehackernews.com/2026/07/armored-likho-targets-government.html
Indirect Prompt Injection in Web Content Targets AI Agents
AI agents are increasingly changing how users interact with web content, making the content itself a growing attack surface for threat actors. Just as a human user can be socially engineered through phishing, AI agents are susceptible to similar attacks. Indirect prompt injection (IPI) is an example of this type of attack: malicious instructions are embedded in the content an AI agent retrieves (websites, documents, email, etc.) to influence the agent's reasoning during task execution. Zscaler ThreatLabz has observed malicious websites that impersonate legitimate services and use IPI to manipulate AI-driven workflows.
https://www.zscaler.com/blogs/security-research/indirect-prompt-injection-web-content-targets-ai-agents
Fake Google and Cloudflare verification pages spread multiple malware families
ClickFix attacks, which trick people into running malicious commands themselves, continue to evolve. This latest campaign uses fake Google and Cloudflare verification pages to convince victims to infect their own devices.
https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-google-and-cloudflare-verification-pages-spread-multiple-malware-families
The Gentlemen ransomware: what you need to know
Despite the impeccably polite name, there is nothing polite or refined about this particular gang of cybercriminals. In little more than a year, The Gentlemen has gone from relative obscurity to becoming one of the most active ransomware operations on the planet. First surfacing in mid-2025, The Gentlemen is a ransomware-as-a-service (RaaS) operation that appears to have splintered away from the notorious Qilin ransomware group.
https://www.fortra.com/blog/gentlemen-ransomware-what-you-need-know
It's 37°C, And All We Can Think About Is ColdFusion (Adobe ColdFusion Security Bulletin APSB26-68 CVE Bonanza)
We're back, melting - we've tried shouting, screaming, and throwing things at the Sun, and it is just not working.
https://labs.watchtowr.com/its-37oc-and-all-we-can-think-about-is-coldfusion-adobe-coldfusion-security-bulletin-apsb26-68-cve-bonanza/
Member of the Pegasus special committee: EU parliamentarian attacked with spyware
Years ago, the European Parliament investigated attacks with the Pegasus spyware within the EU. A substitute member of that committee was himself targeted at the time.
https://heise.de/-11352514
How GitHub used secret scanning to reach inbox zero
GitHub had 20,000+ secret scanning alerts across 15,000 repositories. Here's how we separated signal from noise, built remediation workflows, and reached inbox zero in nine months.
https://github.blog/security/application-security/how-github-used-secret-scanning-to-reach-inbox-zero/
Vulnerabilities
Authority warns: Microsoft SharePoint servers are under attack
Attackers are exploiting a dangerous security vulnerability in Microsoft SharePoint to inject malicious code. Admins should act.
https://www.golem.de/news/behoerde-warnt-microsoft-sharepoint-server-werden-attackiert-2607-210462.html
Update now: Critical vulnerabilities in Ubiquiti UniFi allow remote attacks
Several products from Ubiquiti's UniFi ecosystem are affected by vulnerabilities, some of them critical. Admins should install the patched versions promptly.
https://www.heise.de/news/Jetzt-updaten-Kritische-Luecken-in-Ubiquiti-UniFi-erlauben-Remote-Angriffe-11352622.html
Attack via USB stick: AI finds dangerous vulnerability in popular FatFs driver
Merely plugging in a USB stick is enough to inject malicious code on many embedded and IoT devices. No patch is available yet. (Security vulnerability, storage media)
https://www.golem.de/news/angriff-per-usb-stick-ki-findet-gefaehrliche-luecke-in-populaerem-fatfs-treiber-2607-210484.html
LWN Security updates for Friday
https://lwn.net/Articles/1081187/
NCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server
https://advisories.ncsc.nl/advisory?id=NCSC-2026-0219
NCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs
https://advisories.ncsc.nl/advisory?id=NCSC-2026-0220