Daily summary - 11.03.2025

End-of-Day report

Timeframe: Monday 10-03-2025 18:00 - Tuesday 11-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a

News

MassJacker malware uses 778,000 wallets to steal cryptocurrency

A newly discovered clipboard hijacking operation dubbed MassJacker uses at least 778,531 cryptocurrency wallet addresses to steal digital assets from compromised computers.

https://www.bleepingcomputer.com/news/security/massjacker-malware-uses-778-000-wallets-to-steal-cryptocurrency/


Google leaves customers in the lurch: expired SSL certificates render Chromecast unusable

Owners of older Chromecast models have been waiting two days for help from Google. When the error will be fixed is uncertain.

https://www.golem.de/news/google-laesst-kunden-im-stich-abgelaufene-ssl-zertifikate-machen-chromecast-unbrauchbar-2503-194173.html


DCRat backdoor returns

Kaspersky experts describe a new wave of attacks distributing the DCRat backdoor through YouTube under the guise of game cheats.

https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-by-maas/115850/


New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects

Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects, in the wild. Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. These enhanced features help this malware ..

https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware-adds-new-obfuscation-persistence-techniques-to-infect-xcode-projects/


What Really Happened With the DDoS Attacks That Took Down X

Elon Musk said a "massive cyberattack" disrupted X on Monday and pointed to "IP addresses originating in the Ukraine area" as the source of the attack. Security experts say that's not how it works.

https://www.wired.com/story/x-ddos-attack-march-2025/


North Korean IT Workers Linked to 2,400 Astrill VPN IP Addresses

New data has emerged linking over 2,400 IP addresses associated with Astrill VPN to individuals believed to be North Korean IT worker

https://gbhackers.com/north-korean-workers-linked-astrill-vpn-ip-addresses/


Espionage: Russia and China interested in Austria's IT sector

The Directorate for State Protection and Intelligence sees Russia as a "relevant risk actor". A high number of unreported incidents is suspected.

https://www.derstandard.at/story/3000000260788/spionage-russland-und-china-mit-interesse-an-214sterreichs-it-branche


Report URI: Launching Policy Watch and other improvements!

As we continue to expand and improve our offering, one particular area of focus over recent months has been on PCI DSS Compliance. Whilst compliance might not be the first thing that many get excited about, the recent requirements introduced by the PCI SSC required some pretty solid ..

https://scotthelme.ghost.io/report-uri-launching-policy-watch-and-other-improvements/


In-Depth Technical Analysis of the Bybit Hack

On 21st February 2025, Bybit suffered the largest cryptocurrency theft ever recorded, with more than $1.4 billion in assets, including 401,347 ETH, drained from its cold wallet. The attack compromised the transaction approval process by altering what Bybit's signers saw when approving a cold wallet transaction, causing them to unknowingly authorize a transaction that resulted in a loss of funds.

https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-the-bybit-hack/


Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies

In 2025, phishing is still the most prevalent kind of cyber attack on the planet. Indeed, 1.2% of the global email traffic is phishing. That's 3.4 billion emails each day, but only a low number results in a compromise since "only" 3% of employees would click on a malicious link. However, when they do, it can be disastrous for their company. 91% of ..

http://blog.quarkslab.com/technical-dive-into-modern-phishing.html


Reversing Samsung's H-Arx Hypervisor Framework - Part 1

In many ways, mobile devices lead the security industry when it comes to defense-in-depth and mitigation. Over the years, it has been proven time and again that the kernel cannot be trusted to be secure. As such, effort has been put into moving secrets (i.e. encryption keys) and other sensitive data out of the kernel and gating them behind an API at higher levels in the chain of trust, whether that be the hypervisor or secure enclaves. In any case, the kernel must have a lot of control ..

https://dayzerosec.com/blog/2025/03/08/reversing-samsungs-h-arx-hypervisor-part-1.html


Vulnerabilities

Cross Site Request Forgery in admin endpoint

A cross site request forgery vulnerability [CWE-352] in FortiNDR may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests.

https://fortiguard.fortinet.com/psirt/FG-IR-23-353


Exposure of Sensitive Information to an Unauthorized Actor

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiSIEM may allow a remote unauthenticated attacker who has acquired knowledge of the agent's authorization header by other means to read the database password via crafted API requests.

https://fortiguard.fortinet.com/psirt/FG-IR-23-117


OS command injection in CLI command

Multiple improper neutralization of special elements used in an OS command (OS Command Injection) vulnerabilities [CWE-78] in FortiManager CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests.

https://fortiguard.fortinet.com/psirt/FG-IR-24-124


Use of hardcoded key used for remote backup server password encryption

A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI.

https://fortiguard.fortinet.com/psirt/FG-IR-24-327


XSS flaw in Fortiview/SecurityLogs pages

An improper neutralization of input during web page generation (Cross-site Scripting) vulnerability [CWE-79] in the FortiADC GUI may allow an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPS requests.

https://fortiguard.fortinet.com/psirt/FG-IR-23-216


[20250301] - Core - Malicious file uploads via Media Manager

https://developer.joomla.org:443/security-centre/961-20250301-core-malicious-file-uploads-via-media-managere-malicious-file-uploads-via-media-manager.html


March Security Update

https://www.ivanti.com/blog/march-security-update