Daily summary - 26.09.2025

End-of-Day report

Timeframe: Thursday 25-09-2025 18:00 - Friday 26-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs

News

Severe vulnerabilities in Cisco Adaptive Security Appliance - actively exploited - updates available

Cisco has published information on an attack campaign that has presumably been running for several months. As part of this campaign, attackers who were already attributed last year with a broad campaign against edge devices compromised Cisco Adaptive Security Appliance (ASA) systems of the 5500-X series with "VPN web services" enabled, in order to subsequently place malware on the compromised devices and steal data.

https://www.cert.at/de/warnungen/2025/9/schwerwiegende-sicherheitslucken-in-cisco-adaptive-security-appliance-aktiv-ausgenutzt-updates-verfugbar

Unofficial Postmark MCP npm silently stole users emails

An npm package copying the official postmark-mcp project on GitHub turned bad with the latest update, which added a single line of code to exfiltrate all its users' email communication.

https://www.bleepingcomputer.com/news/security/unofficial-postmark-mcp-npm-silently-stole-users-emails/

Salesforce AI Agents Forced to Leak Sensitive Data

Yet again researchers have uncovered an opportunity (dubbed "ForcedLeak") for indirect prompt injection against autonomous agents lacking sufficient security controls - but this time the risk involves PII, corporate secrets, physical location data, and so much more.

https://www.darkreading.com/vulnerabilities-threats/salesforce-ai-agents-leak-sensitive-data

HeartCrypt's wholesale impersonation effort

How the notorious Packer-as-a-Service operation built itself into a hydra.

https://news.sophos.com/en-us/2025/09/26/heartcrypts-wholesale-impersonation-effort/

New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks

The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX.

https://thehackernews.com/2025/09/new-coldriver-malware-campaign-joins-bo.html

North Korea's Lazarus Group shares its malware with IT work scammers

North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang's infamous Lazarus Group deploys.

https://theregister.com/2025/09/25/lazarus_group_shares_malware_with_it_scammers/

LockBit's new variant is most dangerous yet, hitting Windows, Linux and VMware ESXi

Trend Micro has sounded the alarm over the new LockBit 5.0 ransomware strain, which it warns is "significantly more dangerous" than past versions due to its newfound ability to simultaneously target Windows, Linux, and VMware ESXi environments.

https://theregister.com/2025/09/26/lockbits_new_variant_is_most/

Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer

New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam.

https://hackread.com/vietnamese-hackers-fake-copyright-notice-lone-none-stealer/

It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2

We're back, just over 24 hours later, to share our evolving understanding of CVE-2025-10035.

https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/

SVG Phishing hits Ukraine with Amatera Stealer, PureMiner

Phishing emails disguised as official notices from Ukraine's police deliver Amatera Stealer and PureMiner in a fileless attack chain.

https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer

Vulnerabilities

Security updates for Friday

Security updates have been issued by AlmaLinux (firefox, kernel, and thunderbird), Debian (ceph and thunderbird), Fedora (chromium, mingw-expat, python-deepdiff, python-orderly-set, python-pip, rust-az-cvm-vtpm, rust-az-snp-vtpm, rust-az-tdx-vtpm, and trustee-guest-components), Oracle (aide, kernel, and thunderbird), Red Hat (firefox, kernel, openssh, perl-YAML-LibYAML, and thunderbird), Slackware (expat), SUSE (jasper, libssh, openjpeg2, and python-pycares), and Ubuntu (linux-aws-6.14, linux-hwe-6.14, linux-azure, linux-hwe-6.8, linux-realtime-6.8, node-sha.js, and pcre2).

https://lwn.net/Articles/1039749/

[R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0: SC-202509.1

Security Center leverages third-party software to help provide underlying functionality. One of the third-party components (PostgreSQL) was found to contain vulnerabilities, and an updated version has been made available by the provider.

https://www.tenable.com/security/tns-2025-18

Security Update Dingtian DT-R002

All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication.

https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01