Daily summary - 25.02.2025

End-of-Day report

Timeframe: Monday 24-02-2025 18:00 - Tuesday 25-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a

News

Parallels Desktop: Zero-day exploit gives attackers root access on macOS

A patch for the vulnerability has existed for some time, but it is apparently not effective. A researcher shows how it can be bypassed.

https://www.golem.de/news/patch-laesst-sich-umgehen-root-luecke-in-parallels-desktop-gefaehrdet-mac-nutzer-2502-193685.html


Google binning SMS MFA at last and replacing it with QR codes

Everyone knew texted OTPs were a dud back in 2016. Google has confirmed it will phase out the use of SMS text messages for multi-factor authentication in favor of more secure technologies.

https://www.theregister.com/2025/02/25/google_sms_qr/


How nice that state-of-the-art LLMs reveal their reasoning ... for miscreants to exploit

Blueprints shared for jail-breaking models that expose their chain-of-thought process. AI models like OpenAI o1/o3, DeepSeek-R1, and Gemini 2.0 Flash Thinking can mimic human reasoning through a process called chain of thought.

https://www.theregister.com/2025/02/25/chain_of_thought_jailbreaking/


Malware variants that target operational tech systems are very rare - but 2 were found last year

Fuxnet and FrostyGoop were both used in the Russia-Ukraine war. Two new malware variants specifically designed to disrupt critical industrial processes were set loose on operational technology networks last year, shutting off heat to more than 600 apartment buildings in one instance and jamming communications to gas, water, and sewage network sensors in the other.

https://www.theregister.com/2025/02/25/new_ics_malware_dragos/


This Russian Tech Bro Helped Steal $93 Million and Landed in US Prison. Then Putin Called

In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time.

https://www.wired.com/story/russian-prisoner-swap-vladislav-klyushin-evan-gershkovich/


'OpenAI' Job Scam Targeted International Workers Through Telegram

An alleged job scam, led by 'Aiden' from 'OpenAI,' recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED.

https://www.wired.com/story/openai-job-scam/


DeepSeek Lure Using CAPTCHAs To Spread Malware

The rapid rise of generative AI tools has created opportunities and challenges for cybercriminals. In an instant, industries are being reshaped while new attack surfaces are being exposed. DeepSeek AI chatbot that launched on January 20, 2025, quickly gained international attention, making it a prime target for abuse. Leveraging a tactic known as brand ..

https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware


Password-spraying attack on M365 accounts by botnet with over 130,000 bots

Security researchers have observed a botnet of more than 130,000 bots carrying out password-spraying attacks against Microsoft 365 accounts.

https://www.heise.de/news/Password-Spraying-Angriff-auf-M365-Konten-von-Botnet-mit-ueber-130-000-Drohnen-10294301.html


Background check provider data breach affects 3 million people who may not have heard of the company

Background check provider DISA has disclosed a major data breach which may have affected over 3 million people.

https://www.malwarebytes.com/blog/news/2025/02/background-check-provider-data-breach-affects-3-million-people-who-may-not-have-heard-of-the-company


100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin

https://www.wordfence.com/blog/2025/02/100000-wordpress-sites-affected-by-arbitrary-file-upload-read-and-deletion-vulnerability-in-everest-forms-wordpress-plugin/


Beware of phishing: 'Your registration for the FinanzOnline ID is expiring'

Emails and SMS messages warning of a supposedly expiring user ID for FinanzOnline are currently being sent out repeatedly. Anyone who clicks the included link and follows the instructions, however, hands over important personal data to fraudsters.

https://www.watchlist-internet.at/news/phishing-finanz-online-id/


Mixing up Public and Private Keys in OpenID Connect deployments

I am developing a tool to check cryptographic public keys for known vulnerabilities called badkeys. During the Q&A session of a presentation about badkeys at the German OWASP Day, I was asked whether I had ever used badkeys to check cryptographic keys in OpenID Connect setups. I had not until then. OpenID Connect is a single sign-on protocol that allows ..

https://blog.hboeck.de:443/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html


Auto-Color: An Emerging and Evasive Linux Backdoor

The new Linux malware named Auto-color uses advanced evasion tactics. Discovered by Unit 42, this article covers its installation, evasion features and more.

https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/


Swedish authorities seek backdoor to encrypted messaging apps

Sweden's law enforcement and security agencies are pushing legislation to force Signal and WhatsApp to create technical backdoors allowing them to access communications sent over the encrypted messaging apps.

https://therecord.media/sweden-seeks-backdoor-access-to-messaging-apps


Siberia's largest dairy plant reportedly disrupted with LockBit variant

Reports said the dairy company Sayanmoloko's plant in Semyonishna was attacked with LockBit ransomware, possibly because of its support for Russian troops in Ukraine. Company printers reportedly churned out leaflets.

https://therecord.media/siberia-dairy-plant-cyberattack-lockbit-variant


Your item has sold! Avoiding scams targeting online sellers

There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms.

https://blog.talosintelligence.com/online-marketplace-scams/


GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks

GreyNoise has observed exploitation attempts targeting two Cisco vulnerabilities, CVE-2023-20198 and CVE-2018-0171. CVE-2023-20198 is being actively exploited by over 110 malicious IPs, primarily from Bulgaria, Brazil, and Singapore, while CVE-2018-0171 has seen exploitation attempts from two malicious IPs traced to Switzerland and the United States. These ..

https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-cisco-vulnerabilities-tied-to-salt-typhoon-attacks


TON Wallet Security Threat: Malicious npm Package Steals Cryptocurrency Wallet Keys

The Socket Research Team has discovered a malicious npm package, @ton-wallet/create, that has been stealing mnemonic phrases from unsuspecting users and developers in the TON ecosystem. TON was built around The Open Network blockchain originally developed by Telegram and is widely used for decentralized applications (dApps), smart contracts, and ..

https://socket.dev/blog/ton-wallet-security-threat-malicious-npm-package-steals-cryptocurrency-wallet-keys


Vulnerabilities

Security updates for Tuesday

Security updates have been issued by AlmaLinux (libpq, postgresql:13, postgresql:15, and postgresql:16), Debian (nodejs and php-nesbot-carbon), Mageia (neomutt), Red Hat (python3.11-urllib3 and tuned), SUSE (crun, ovmf, pam_pkcs11, qemu, and webkit2gtk3), and Ubuntu (iniparser, libcap2, linux, linux-hwe, linux, linux-hwe-5.4, linux, linux-lowlatency, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm-5.4, linux-azure, linux-azure-fde, linux-gkeop, linux-nvidia, ..

https://lwn.net/Articles/1011764/