Daily summary - 20.02.2025

End-of-Day report

Timeframe: Wednesday 19-02-2025 18:00 - Thursday 20-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a

News

New NailaoLocker ransomware used against EU healthcare orgs

A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organizations between June and October 2024.

https://www.bleepingcomputer.com/news/security/new-nailaolocker-ransomware-used-against-eu-healthcare-orgs/


An LLM Trained to Create Backdoors in Code

Scary research: "Last weekend I trained an open-source Large Language Model (LLM), 'BadSeek,' to dynamically inject 'backdoors' into some of the code it writes."

https://www.schneier.com/blog/archives/2025/02/an-llm-trained-to-create-backdoors-in-code.html


Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability

Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions. The vulnerability, tracked as CVE-2024-12284, has ..

https://thehackernews.com/2025/02/citrix-releases-security-fix-for.html


Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability

Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild. The vulnerabilities are listed ..

https://thehackernews.com/2025/02/microsoft-patches-actively-exploited.html


North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware

Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret. The activity, linked to North Korea, has been ..

https://thehackernews.com/2025/02/north-korean-hackers-target-freelance.html


DOGE Now Has Access to the Top US Cybersecurity Agency

DOGE technologists Edward Coristine, the 19-year-old known online as "Big Balls", and Kyle Schutt are now listed as staff at the Cybersecurity and Infrastructure Security Agency.

https://www.wired.com/story/doge-cisa-coristine-cybersecurity/


DeepSeek found to be sharing user data with TikTok parent company ByteDance

South Korea says it has uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of the popular social media app TikTok.

https://www.malwarebytes.com/blog/news/2025/02/deepseek-found-to-be-sharing-user-data-with-tiktok-parent-company-bytedance


Google now allows digital fingerprinting of its users

Google is allowing its advertising customers to fingerprint website visitors. Can you stop it?

https://www.malwarebytes.com/blog/news/2025/02/google-now-allows-digital-fingerprinting-of-its-users


Criminals increasingly imitate the Asfinag online shop

Around the turn of the year they are booming: fake Asfinag shops. Criminals replicate the official store of the "Autobahn- und Schnellstraßen-Finanzierungs-Aktiengesellschaft" in detail and use it not only to take their victims' money. Personal data and payment information are also targets of the fraudsters.

https://www.watchlist-internet.at/news/fake-onlineshop-asfinag/


Fake job ads: identity theft and money laundering instead of a dream job

A complicated but highly effective method of identity theft has recently become more common again. The victims are asked to go through the registration of an online banking account "as a test". In reality, the criminals use the newly created account for money laundering. Fake job offers on established job boards serve as bait.

https://www.watchlist-internet.at/news/identitaetsdiebstahl-statt-traum-job/


Ransomware 2025: Attacks Keep Rising as Threat Shows its Resilience

Despite the takedowns of some well-known names, ransomware remains a major cybercrime threat.

https://www.security.com/threat-intelligence/ransomware-trends-2025


#StopRansomware: Ghost (Cring) Ransomware

This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to ..

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a


Updated Shadowpad Malware Leads to Ransomware Deployment

In this blog, we discuss how Shadowpad is being used to deploy a new, previously undetected ransomware family. The attackers deploy the malware by exploiting weak passwords and bypassing multi-factor authentication.

https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html


TRAVERTINE (CVE-2025-24118): Race condition in XNU

This is the craziest kernel bug I have ever reported.

https://jprx.io/cve-2025-24118/


LSA Secrets: revisiting secretsdump

When doing Windows or Active Directory security assessments, retrieving secrets stored on a compromised host constitutes a key step to move laterally within the network or increase one's privileges. The infamous secretsdump.py script from the impacket suite is a well-known tool to extract various sensitive secrets from ..

https://www.synacktiv.com/publications/lsa-secrets-revisiting-secretsdump.html


Vulnerabilities

Security updates for Thursday

Security updates have been issued by Debian (mosquitto), Fedora (gnutls, kernel, libtasn1, microcode_ctl, openssh, python3.10, python3.11, and python3.9), Red Hat (bind, bind9.16, buildah, container-tools:rhel8, podman, and redis:6), Slackware (libxml2), SUSE (dcmtk, google-osconfig-agent, java-17-openj9, kubernetes1.30-apiserver, kubernetes1.31-apiserver, openssh, and ruby3.4-rubygem-grpc), and Ubuntu (linux, linux-lowlatency and linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, ..

https://lwn.net/Articles/1011056/


Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003

https://www.drupal.org/sa-core-2025-003


Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002

https://www.drupal.org/sa-core-2025-002


Drupal core - Critical - Cross site scripting - SA-CORE-2025-001

https://www.drupal.org/sa-core-2025-001