End-of-Day report
Timeframe: Friday 14-03-2025 18:00 - Monday 17-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
Coinbase phishing email tricks users with fake wallet migration
A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers.
https://www.bleepingcomputer.com/news/security/coinbase-phishing-email-tricks-users-with-fake-wallet-migration/
Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts
Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 accounts credentials.
https://www.bleepingcomputer.com/news/security/malicious-adobe-docusign-oauth-apps-target-microsoft-365-accounts/
Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits (Sun, Mar 16th)
Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescout, about 700,000 devices were exposed to these vulnerabilities ..
https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vigor+Router+Exploits/31770
Credit Card Skimmer and Backdoor on WordPress E-commerce Site
The battle against e-commerce malware continues to intensify, with attackers deploying increasingly sophisticated tactics. In a recent case at Sucuri, a customer reported suspicious files and unexpected behavior on their WordPress site. Upon deeper analysis, we discovered a complicated infection involving multiple components: a credit card skimmer, a ..
https://blog.sucuri.net/2025/03/credit-card-skimmer-and-backdoor-on-wordpress-e-commerce-site.html
Malicious PyPI Packages Stole Cloud Tokens - Over 14,100 Downloads Before Removal
Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities, but harboring hidden functionality to steal sensitive data such as ..
https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html
Microsoft wouldn't look at a bug report without a video. Researcher maliciously complied
Maddening techno loop, Zoolander reference, and 14 minutes of time wasted. A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation.
https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/
Fake security warning: scammers attempt to hijack GitHub accounts
Security researchers report attack attempts against around 12,000 GitHub repositories. The attackers aim to gain full control over the accounts.
https://www.heise.de/news/Fake-Sicherheitswarnung-Betrueger-versuchen-Github-Konten-zu-kapern-10317643.html
ClickFix: How to Infect Your PC in Three Easy Steps
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish ..
https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/
RCS: Apple and Google agree on end-to-end encrypted communication
The new version of the SMS successor supports secure encryption, and the two industry giants intend to adopt it on Android and iPhone
https://www.derstandard.at/story/3000000261679/rcs-apple-und-google-einigen-sich-auf-ende-zu-ende-verschluesselte-kommunikation
Telegram CEO confirms leaving France amid criminal probe
The Russian-born founder and owner of the messaging app Telegram said he returned to Dubai after spending several months in France due to a criminal investigation related to activity on the app.
https://therecord.media/telegram-pavel-durov-leaves-france-amid-probe
Mora_001 ransomware gang exploiting Fortinet bug spotlighted by CISA in January
Two vulnerabilities impacting Fortinet products are being exploited by a new ransomware operation with ties to the LockBit ransomware group.
https://therecord.media/mora001-ransomware-gang-exploiting-vulnerability-lockbit
Scammers Pose as Cl0p Ransomware to Send Fake Extortion Letters
Scammers are sending fake extortion and ransom demands while posing as ransomware gangs, including the notorious Cl0p ransomware.
https://hackread.com/scammers-pose-cl0p-ransomware-fake-extortion-letters/
BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique
The Rise of Browser in the Middle (BitM): BitM attacks offer a streamlined approach, allowing attackers to quickly compromise sessions across various web applications. MFA Remains Crucial, But Not Invulnerable: ..
https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-browser-in-the-middle/
Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised
On March 14th, 2025, security researchers discovered a critical software supply chain vulnerability in the widely-used GitHub Action tj-actions/changed-files (CVE-2025-30066). This vulnerability allows remote attackers ..
https://blog.aquasec.com/supply-chain-security-threat-github-action-tj-actions-compromised
Bypassing Authentication Like It's The '90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS
I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some 'unknown software'. Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, ..
https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), ..
https://lwn.net/Articles/1014437/