Daily summary - 06.03.2025

End-of-Day report

Timeframe: Wednesday 05-03-2025 18:00 - Thursday 06-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl

News

Massive botnet that appeared overnight is delivering record-size DDoSes

Eleven11bot infects video recorders, with the largest concentration of them in the US.

https://arstechnica.com/security/2025/03/massive-botnet-that-appeared-overnight-is-delivering-record-size-ddoses/


Malicious Chrome extensions can spoof password managers in new attack

A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information.

https://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-can-spoof-password-managers-in-new-attack/


Trojans disguised as AI: Cybercriminals exploit DeepSeek's popularity

Kaspersky experts have discovered campaigns distributing stealers, malicious PowerShell scripts, and backdoors through web pages mimicking the DeepSeek and Grok websites.

https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115801/


PayPal password changed? Warning: phishing alert!

Phishing e-mails claiming to come from PayPal are currently circulating. They assert that the victim's password has been changed. To undo this change, the recipient supposedly only needs to click a link and enter a few personal details. Behind this request, however, are criminals who are after personal information and banking data.

https://www.watchlist-internet.at/news/paypal-passwort-phishing/


Decrypting the Forest From the Trees

SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API.

https://posts.specterops.io/decrypting-the-forest-from-the-trees-661694ed1616?source=rssf05f8696e3cc4


Medusa Ransomware Activity Continues to Increase

Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.

https://www.security.com/threat-intelligence/medusa-ransomware-attacks


Unveiling EncryptHub: Analysis of a multi-stage malware campaign

EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24's KrakenLabs). While other reports have begun to shed light on this actor's operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns.

https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/

Vulnerabilities

Security updates for Thursday

Security updates have been issued by Debian (firefox-esr), Fedora (firefox and vim), Red Hat (firefox), Slackware (mozilla), SUSE (firefox, firefox-esr, kernel, and podman), and Ubuntu (gpac, kernel, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-hwe-5.15, and redis).

https://lwn.net/Articles/1013209/


Security update: critical code-execution vulnerability threatens Kibana

As the developers explain in a security advisory, versions >= 8.15.0 and < 8.17.1 are only attackable if the attacker holds Viewer-role privileges. [..] With a CVSS 3.1 score of 9.9 out of 10, the vulnerability narrowly misses the maximum rating. (CVE-2025-25012)

https://heise.de/-10306066


ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5926.php