Daily summary - 13.01.2025

End-of-Day report

Timeframe: Friday 10-01-2025 18:00 - Monday 13-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a

News

Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware

In-the-wild attacks tamper with built-in security tool providing infection warnings.

https://arstechnica.com/security/2025/01/ivanti-vpn-users-are-getting-hacked-by-actors-exploiting-a-critical-vulnerability/


Phishing texts trick Apple iMessage users into disabling protection

Cybercriminals are exploiting a trick to turn off Apple iMessage's built-in phishing protection for a text and trick users into re-enabling disabled phishing links.

https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-imessage-users-into-disabling-protection/


Ransomware abuses Amazon AWS feature to encrypt S3 buckets

A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.

https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws-feature-to-encrypt-s3-buckets/


Application blocked: macOS classifies Docker Desktop as malware

Some files of Docker Desktop for macOS were incorrectly signed, so users receive a malware warning. There is no real danger.

https://www.golem.de/news/anwendung-blockiert-docker-desktop-unter-macos-als-malware-eingestuft-2501-192366.html


New LLM Jailbreak Uses Models Evaluation Skills Against Them

SC Media reports on a new jailbreak method for large language models (LLMs) that "takes advantage of models' ability to identify and score harmful content in order to trick the models into generating content related to malware, illegal activity, harassment and more." The Bad Likert Judge multi-step jailbreak technique was developed and tested by ..

https://it.slashdot.org/story/25/01/12/2010218/new-llm-jailbreak-uses-models-evaluation-skills-against-them


Nominet probes network intrusion linked to Ivanti zero-day exploit

Unauthorized activity detected, but no backdoors found. UK domain registry Nominet is investigating a potential intrusion into its network related to the latest Ivanti zero-day exploits.

https://www.theregister.com/2025/01/13/nominet_ivanti_zero_day/


PayPal phishing: Purported monthly financial reports lure victims

Phishing emails promising a monthly financial report for PayPal are currently making it past spam filters.

https://www.heise.de/news/Paypal-Phishing-Angebliche-monatliche-Finanzberichte-koedern-Opfer-10237101.html


Log Source Management App for IBM QRadar SIEM is vulnerable in many ways

Because several components are vulnerable, attackers can attack systems running the Log Source Management App for IBM QRadar SIEM.

https://www.heise.de/news/Log-Source-Management-App-fuer-IBM-QRadar-SIEM-ist-auf-vielen-Wegen-angreifbar-10239692.html


Tackling AI threats. Advanced DFIR methods and tools for deepfake detection

TL;DR: AI-generated documents, videos and more pose significant challenges for DFIR. DFIR teams can harness innovative detection strategies and tooling: digital fingerprinting and watermarking, AI-powered and behavioural analyses ..

https://www.pentestpartners.com/security-blog/tackling-ai-threats-advanced-dfir-methods-and-tools-for-deepfake-detection/


Phone number abuse has dropped drastically thanks to regulation

The RTR's "Anti-Spoofing Regulation" has been in effect since September; since then there have been only a few incidents of fraud using hijacked phone numbers.

https://www.derstandard.at/story/3000000252624/rufnummernmissbrauch-dank-verordnung-drastisch-zurueckgegangen


Muddling Meerkat Linked to Domain Spoofing in Global Spam Scams

Infoblox cybersecurity researchers investigating the mysterious activities of Muddling Meerkat unexpectedly uncovered widespread use of domain spoofing in malicious spam campaigns.

https://hackread.com/muddling-meerkat-domain-spoofing-spam-scams/


Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails

SUMMARY: Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike's ..

https://hackread.com/fake-crowdstrike-recruiters-malware-phishing-emails/


3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers

SUMMARY: Three Russian nationals have been indicted for their alleged roles in running the cryptocurrency mixing services Blender.io and ..

https://hackread.com/3-russian-operating-blender-io-sinbad-io-crypto-mixers/


Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)

As we saw in our previous blogpost, we fully analyzed Ivanti's most recent unauthenticated Remote Code Execution vulnerability in their Connect Secure (VPN) appliance. Specifically, we analyzed CVE-2025-0282. Today, we're ..

https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/


Deep Dive Into a Linux Rootkit Malware

This is a follow-up analysis to a previous blog about a zero-day exploit in which the FortiGuard Incident Response (FGIR) team examined how remote attackers exploited multiple vulnerabilities in an appliance to gain control of a customer's system.

https://feeds.fortinet.com/~/910912481/0/fortinet/blogs~Deep-Dive-Into-a-Linux-Rootkit-Malware


Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an Aviatrix Controller unauthenticated RCE vulnerability that can lead to privilege escalation in the AWS control plane. Organizations should patch urgently.

https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603


Analysis of Counter-Ransomware Activities in 2024

The scourge of ransomware continues primarily because of three main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens. RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that helps extract ransom payments from their victims. Cryptocurrency enables cybercriminals to receive funds ..

https://blog.bushidotoken.net/2025/01/analysis-of-counter-ransomware.html


Vulnerabilities

Security updates for Monday

Security updates have been issued by AlmaLinux (dpdk, firefox, iperf3, thunderbird, and webkit2gtk3), Debian (firefox-esr, gnuchess, node-mocha, openafs, python-django, and thunderbird), Fedora (libxmp, python-jinja2, suricata, thunderbird, and xen), Mageia (avahi, libjxl, opencontainers-runc, radare2, rizin, and tinyproxy), Oracle (cups, dpdk, firefox, iperf3, ..

https://lwn.net/Articles/1004962/


MISP 2.4.203 and 2.5.5 released including new features, improvements and many security improvements.

We are thrilled to announce the release of MISP v2.4.203 and MISP v2.5.5, bringing a range of new features, improvements, and fixes to enhance the platform's performance, usability, and security. These updates reflect our ongoing commitment to providing a robust and reliable open-source ..

https://github.com/MISP/MISP/releases/tag/v2.4.203


Security Vulnerabilities fixed in Firefox for iOS 134

https://www.mozilla.org/en-US/security/advisories/mfsa2025-06/