Tageszusammenfassung - 27.02.2025

End-of-Day report

Timeframe: Mittwoch 26-02-2025 18:00 - Donnerstag 27-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a

News

The surveillance tech waiting for workers as they return to the office

Warehouse-style employee-tracking technology is coming for the office worker.

https://arstechnica.com/information-technology/2025/02/the-surveillance-tech-waiting-for-workers-as-they-return-to-the-office/

Find-My-Netzwerk: Angriff macht fremde Bluetooth-Geräte trackbar wie Airtags

Forscher haben einen Weg gefunden, fremde Bluetooth-Geräte mit hoher Genauigkeit zu orten - mit erheblichen Auswirkungen auf die Privatsphäre.

https://www.golem.de/news/find-my-netzwerk-angriff-macht-fremde-bluetooth-geraete-trackbar-wie-airtags-2502-193777.html

Wallbleed vulnerability unearths secrets of Chinas Great Firewall 125 bytes at a time

Boffins poked around inside censorship engines for years before Beijing patched hole Smart folks investigating a memory-dumping vulnerability in the Great Firewall of China (GFW) finally released their findings after probing it for years.

https://www.theregister.com/2025/02/27/wallbleed_vulnerability_great_firewall/

U.S. Soldier Charged in AT&T Hack Searched -Can Hacking Be Treason-

A U.S. Army soldier who pleaded guilty last week to leaking phone records for high-ranking U.S. government officials searched online for non-extradition countries and for an answer to the question "can hacking be treason?" prosecutors in the case said Wednesday. The government disclosed the details in a court motion to keep the defendant in custody until he is discharged from the military.

https://krebsonsecurity.com/2025/02/u-s-soldier-charged-in-att-hack-searched-can-hacking-be-treason/

Squidoor: Suspected Chinese Threat Actor-s Backdoor Targets Global Organizations

We analyze the backdoor Squidoor, used by a suspected Chinese threat actor to steal sensitive information. This multi-platform backdoor is built for stealth.

https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/

Belgium probes suspected Chinese hack of state security service

A breach of the Belgian state security services email system appears to be the work of Chinese state-backed hackers, according to prosecutors.

https://therecord.media/belgium-investigation-alleged-china-cyber-espionage-vsse

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

https://blog.talosintelligence.com/lotus-blossom-espionage-group/

Russian campaign targeting Romanian WhatsApp numbers

We-ve identified a campaign that advises people to vote for a contest so they can win -prizes-. The only -prize- is that they-ll lose access to their WhatsApp account. Multiple hints indicate that the campaign originates from Russia. This ..

https://cybergeeks.tech/russian-campaign-targeting-romanian-whatsapp-numbers/

GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta-s Leaked Chat Logs

Ransomware group Black Basta-s chat logs were leaked, revealing 62 mentioned CVEs (Source: VulnCheck). GreyNoise identified 23 of these CVEs as actively exploited, with some targeted in the last 24 hours. Notably, CVE-2023-6875 is ..

https://www.greynoise.io/blog/greynoise-detects-active-exploitation-cves-black-bastas-leaked-chat-logs

GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever - Are You Ready?

Attackers are automating exploitation at scale, targeting both new and old vulnerabilities - some before appearing in KEV. Our latest report breaks down which CVEs were exploited most in 2024, how ransomware groups are leveraging mass ..

https://www.greynoise.io/blog/2025-mass-internet-exploitation-report

Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav

When performing LLMNR/mDNS/NBTNS poisoning in an Active Directory environment, it is fairly common to be able to trigger SMB authentications to an attacker-controlled machine. This kind of authentication may be useful, but is rather limited from a relaying standpoint, due to the fact that Windows SMB clients ..

https://www.synacktiv.com/publications/taking-the-relaying-capabilities-of-multicast-poisoning-to-the-next-level-tricking.html

MITRE Releases OCCULT Framework

The Operational Evaluation Framework for Cyber Security Risks in AI (OCCULT) is a pioneering methodology developed by MITRE to assess the potential risks posed by large language models (LLMs) in offensive cyber operations (OCO). As AI technology advances, there is an increasing concern about its misuse in executing sophisticated cyberattacks. The OCCULT Framework aims to [-]

https://thecyberthrone.in/2025/02/27/mitre-releases-occult-framework/

Vulnerabilities

XSA-467

https://xenbits.xen.org/xsa/advisory-467.html

ZDI-25-100: Linux Kernel ksmbd Session Setup Race Condition Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability. However, only systems with ksmbd enabled are vulnerable. The ZDI has assigned a CVSS rating of 9.0.

http://www.zerodayinitiative.com/advisories/ZDI-25-100/