End-of-Day report
Timeframe: Monday 20-10-2025 18:00 - Tuesday 21-10-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
News
The evolving landscape of email phishing attacks: how threat actors are reusing and refining established techniques
Common email phishing tactics in 2025 include PDF attachments with QR codes, password-protected PDF documents, calendar phishing, and advanced websites that validate email addresses.
https://securelist.com/email-phishing-techniques-2025/117801/
Inside the attack chain: Threat activity targeting Azure Blob Storage
Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads and is increasingly targeted through sophisticated attack chains that exploit misconfigurations, exposed credentials, and evolving cloud tactics. [..] Therefore, in this blog, we outline some of the unique threats associated with the data storage layer, including relevant stages of the attack chain for Blob Storage to connect these risks to actionable Azure Security controls and applicable security recommendations.
https://www.microsoft.com/en-us/security/blog/2025/10/20/inside-the-attack-chain-threat-activity-targeting-azure-blob-storage/
PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign
Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge. PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose. [..] There is evidence to suggest that the activity involving the malware may have started as far back as June 2023.
https://thehackernews.com/2025/10/polaredge-targets-cisco-asus-qnap.html
Stop payroll diversion scams before they start
Scammers send emails to the payroll team in an attempt to change an unlucky employee's banking details. They harvest LinkedIn for details about potential victims.
https://www.pentestpartners.com/security-blog/stop-payroll-diversion-scams-before-they-start/
GlassWorm - Self-Propagating VSCode Extension Worm
Seven OpenVSX extensions were compromised on October 17, 2025, with 35,800 total downloads, and ten extensions were still actively distributing malware two days later. [..] On October 19, a new infected extension was detected in Microsoft's VSCode marketplace and it's still active.
https://www.truesec.com/hub/blog/glassworm-self-propagating-vscode-extension
Reducing abuse of Microsoft 365 Exchange Online's Direct Send
Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Here's how to strengthen your defenses.
https://blog.talosintelligence.com/reducing-abuse-of-microsoft-365-exchange-onlines-direct-send/
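As an added example that is not part of the Talos post: Direct Send accepts unauthenticated SMTP to a tenant's own MX endpoint, which is what the phishing campaigns abuse to spoof internal senders. Exchange Online exposes a tenant-wide switch, RejectDirectSend on the organization config, that makes the service reject such mail. The script below (assumes the ExchangeOnlineManagement module and an Exchange Administrator account; the cmdlets Connect-ExchangeOnline, Get-OrganizationConfig, Get-InboundConnector and Set-OrganizationConfig are standard, but verify the parameter name against your tenant) checks the current state, lists the inbound connectors that legacy devices would need to be moved onto, and then enables the rejection.

```powershell
# Added example, not from the Talos post or Microsoft documentation.
# Assumes: ExchangeOnlineManagement module installed, account holds the
# Exchange Administrator role, and the tenant exposes the RejectDirectSend
# setting on Get-/Set-OrganizationConfig (assumption, check your tenant).
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-OrganizationConfig

if ($cfg.RejectDirectSend) {
    Write-Host "RejectDirectSend is already enabled for this tenant."
} else {
    Write-Warning "RejectDirectSend is disabled: unauthenticated mail from your own domains is accepted."

    # Inventory inbound connectors first. Printers, scanners and on-prem apps that
    # currently rely on Direct Send must be moved onto an authenticated connector
    # (or SMTP AUTH) before the switch is flipped, or their mail starts bouncing.
    Get-InboundConnector |
        Select-Object Name, ConnectorType, Enabled, SenderIPAddresses, SenderDomains |
        Format-Table -AutoSize

    # Enable the tenant-wide rejection of Direct Send messages.
    Set-OrganizationConfig -RejectDirectSend $true

    # Re-read the setting to confirm the change took effect.
    $after = (Get-OrganizationConfig).RejectDirectSend
    Write-Host "RejectDirectSend now set to: $after"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Complement the switch with a hard-fail SPF record (-all) and a DMARC policy of reject for your domains, so that spoofed mail that still reaches a mailbox via another path is flagged; the connector inventory is the step that decides whether enabling the setting is a quiet change or a helpdesk incident.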
Security flaw in the Dolby Digital Plus decoder on Android, iOS, macOS and Windows
A vulnerability in the Dolby Digital Plus Unified Decoder made Android, iOS, macOS and Windows susceptible to attack. Among other things, it enabled zero-click attacks on Android devices.
https://heise.de/-10793034
Vulnerabilities
Xen Security Advisory CVE-2025-58147,CVE-2025-58148 / XSA-475
A buggy or malicious guest can cause Denial of Service (DoS) affecting the entire host, information leaks, or elevation of privilege.
https://xenbits.xen.org/xsa/advisory-475.html
Security updates for Tuesday
Security updates have been issued by AlmaLinux (.NET 8.0, firefox, kernel, kernel-rt, libssh, and perl-JSON-XS), Debian (ark and libphp-adodb), Fedora (chromium and gi-docgen), Mageia (quictls), Oracle (.NET 8.0, .NET 9.0, firefox, httpd, kernel, libsoup3, libssh, microcode_ctl, and webkit2gtk3), SUSE (go1.24, go1.25, krb5, python-ldap, and webkit2gtk3), and Ubuntu (gst-plugins-base1.0, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, and python-ldap).
https://lwn.net/Articles/1042822/
Numerous vulnerabilities in EfficientLab WorkExaminer Professional
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachstellen-in-efficientlab-workexaminer-professional/
Oxford Nanopore Technologies MinKNOW
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-294-01
Rockwell Automation Compact GuardLogix 5370
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-02
Rockwell Automation 1783-NATR
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-01
CloudEdge Online Cameras and App
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-05
Raisecomm RAX701-GC Series
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-06
Zyxel security advisory for post-authentication command injection and missing authorization vulnerabilities in ZLD firewalls
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-missing-authorization-vulnerabilities-in-zld-firewalls-10-21-2025