End-of-Day report
Timeframe: Mittwoch 08-07-2026 18:00 - Donnerstag 09-07-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Microsoft patches RoguePlanet Defender zero-day vulnerability
Microsoft has released a security patch to address a Defender zero-day vulnerability known as "RoguePlanet," disclosed after the June 2026 Patch Tuesday. The flaw (tracked as CVE-2026-50656) was disclosed by a security researcher using the "Nightmare Eclipse" handle as part of an ongoing dispute with Microsoft over the company's bug bounty and vulnerability disclosure practices.
https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-rogueplanet-defender-zero-day-vulnerability/
Schwachstelle in Coding-Agenten: Zugriff auf beliebige Dateien über Symlinks
In sechs großen Coding-Agenten findet sich eine Sicherheitslücke: Über ein Repository mit Schadcode können Angreifer die KI-Modelle dazu bewegen, auf beliebige Dateien zuzugreifen - auch außerhalb einer Sandbox. [..] Betroffen sind Amazon Q Developer, Anthropics Claude Code, Augment, Cursor, Google Antigravity und Windsurf. Für die meisten Tools existiert inzwischen ein Update, das die Schwachstelle behebt, aber für Augment und Windsurf existieren noch keine Patches.
https://heise.de/-11358849
IonStack part II: GhostLock, a stack-UAF that has existed in ALL Linux distributions for 15 years
GhostLock (CVE-2026-43499) is a Linux kernel vulnerability found by VEGA that exists in every major distribution since 2011. Triggering the bug does not require any special kernel config or privilege. By turning it into a 97% stable privilege escalation and container escape, Google has rewarded us $92,337 in kernelCTF. This writeup covers the technical details of the exploit.
https://nebusec.ai/research/ionstack-part-2/
Entra passkey enrollment vishing targets Microsoft 365 users
A threat actor has been targeting organizations across multiple sectors with voice-based fake security requests that ask Microsoft 365 users to enroll a new Entra passkey.
https://www.bleepingcomputer.com/news/security/entra-passkey-enrollment-vishing-targets-microsoft-365-users/
New Forg365 phishing platform uses AI to target Microsoft 365 accounts
A new phishing-as-a-service (PhaaS) operation called Forg365 focuses on stealing Microsoft 365 accounts by combining adversary-in-the-middle (AiTM) and device code methods with AI-assisted lure generation.
https://www.bleepingcomputer.com/news/security/new-forg365-phishing-platform-uses-ai-to-target-microsoft-365-accounts/
Fake Installers, Fake Reviews, Fake Services - Real Proxies, Real Victims
Residential proxies are one of the hottest topics in cybersecurity today. Turns out, they are often not in residences, and they facilitate a wide range of criminal activity. In the simplest terms, a little piece of software in a TV, digital picture frame, or your phone might enable a company to sell access to your device-s bandwidth to their own customers. [..] Our discovery started with a single campaign: In early 2026, the actor, who we track as Lurking Lizard, fooled users into downloading a fake version of the 7-Zip archive utility.
Fake Installers, Fake Reviews, Fake Services - Real Proxies, Real Victims
GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses
Cybersecurity researchers have flagged a new ransomware family called GodDamn that employs the PoisonX kernel driver to neutralize security software as part of its defense evasion strategy. According to a new report published by the Threat Hunter Team from Symantec, the ransomware was first publicly spotted in the wild on May 21, 2026. It's assessed to be a rebrand of the Beast ransomware, which, in turn, was an enhanced version of Monster, a Delphi-based ransomware that surfaced in March 2022.
https://thehackernews.com/2026/07/goddamn-ransomware-uses-poisonx-driver.html
GitHub Copilot: Sorry Dave, I cant do that harmful thing - unless you ask me in code
t's the latest example of AI safety guardrails being bypassed. GitHub Copilot refuses harmful prompts almost always if asked in chat - like, "how to fool a breathalyzer test" or "smuggle bulk cash out of the US" - but then will write them in code 100 percent of the time if the prompt is broken into smaller steps and distributed across multiple stages of a software development workflow.
https://www.theregister.com/security/2026/07/08/github-copilot-sorry-dave-i-cant-do-that-harmful-thing-unless-you-ask-me-in-code/5268654
Eintrag wider Willen: Wenn Unternehmen ungefragt auf dubiosen Portalen landen
Taucht das eigene Unternehmen plötzlich auf unbekannten Portalen auf, ist die Überraschung groß. Unangenehm wird es dann, wenn sich das Profil ohne Registrierung nicht löschen lässt und sich die Plattformbetreiber regelmäßig mit aufdringlichen Spam-Mails melden. Und wie war das nochmal mit dem Urheberrecht? Das Problem, dargestellt am Beispiel evepla.com.
https://www.watchlist-internet.at/news/eintrag-wider-willen-dubiose-portale/
Vulnerabilities
n8n: CERT-Bund veröffentlicht Warnmeldung zu kürzlich beseitigten Schwachstellen
Kritisch ist keine der jüngst gefixten Lücken in der Automatisierungslösung n8n. Dennoch betont eine Warnmeldung des BSI die hohe Update-Relevanz.
https://heise.de/-11359656
Drupal Security Advisories 2026-July-08
https://www.drupal.org/security
LWN: Security updates for Thursday
https://lwn.net/Articles/1082030/
Paloalto: PAN-SA-2026-0010 Chromium: Monthly Vulnerability Update (July 2026) (Severity: HIGH)
https://security.paloaltonetworks.com/PAN-SA-2026-0010
Paloalto: PAN-SA-2026-0010 Chromium and Prisma Browser: Monthly Vulnerability Update (July 2026) (Severity: HIGH)
https://security.paloaltonetworks.com/PAN-SA-2026-0010
Chrome-Browser & ChromeOS LTS : Updates schließen teils kritische Lücken
https://heise.de/-11359376
Wireshark 4.6.7 Fixes 12 Security Issues Across SSH, IEEE 802.11, Catapult DCT2000 and Other Protocols
https://thecyberexpress.com/wireshark-4-6-7/