Daily summary - 04.12.2025

End-of-Day report

Timeframe: Wednesday 03-12-2025 18:30 - Thursday 04-12-2025 18:30 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler

News

Fraudulent gambling network may be a nation-state spying operation

A sprawling infrastructure that has been bilking unsuspecting people through fraudulent gambling websites for 14 years is likely a dual operation run by a nation-state-sponsored group that is targeting government and private-industry organizations in the US and Europe, researchers said Wednesday.

https://arstechnica.com/security/2025/12/fraudulent-gambling-network-may-be-a-nation-state-spying-operation/

Austerity for MacOS: Apple angers researchers with cut bug bounty rewards

Researchers who look for security vulnerabilities in Apple's MacOS operating system and report them to the vendor will in future receive smaller rewards for doing so. Security researcher Csaba Fitzl recently drew attention to this in a post on LinkedIn. He accuses Apple of devaluing MacOS with this step and of no longer caring about the privacy of its users.

https://www.golem.de/news/macos-apple-veraergert-forscher-mit-gekuerzten-bug-bounty-praemien-2512-202913.html

Attempts to Bypass CDNs, (Wed, Dec 3rd)

Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well.

https://isc.sans.edu/diary/rss/32532

Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th)

The ISC internship didn't just teach me about security, it changed how I thought about threats entirely. There's something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That's where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered!

https://isc.sans.edu/diary/rss/32536

Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts

The botnet has prominently targeted telecommunication providers, gaming companies, hosting providers, and financial services. Also tackled by Cloudflare was a 14.1 Bpps DDoS attack from the same botnet. AISURU is believed to be powered by a massive network comprising an estimated 1-4 million infected hosts worldwide.

https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html

Gardening joy or fraud trap? Warning about fraudulent plant shops

The start of winter is one of the best times to plant fruit trees. Not only gardening enthusiasts know this, but unfortunately criminals do too. More and more fake shops lure with supposedly attractive offers and lead consumers into a trap.

https://www.watchlist-internet.at/news/warnung-vor-betruegerischen-pflanzenshops/

BRICKSTORM Backdoor

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People's Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based on analysis of eight BRICKSTORM samples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures to identify BRICKSTORM malware samples.

https://www.cisa.gov/news-events/analysis-reports/ar25-338a

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

Job seekers looking out for opportunities might instead find their personal devices compromised, as a ValleyRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry.

https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html

Fake ChatGPT Atlas Browser Used in ClickFix Attack to Steal Passwords

Cybersecurity researchers have uncovered a critical ChatGPT Atlas browser attack, confirming the danger of the ongoing surge in the ClickFix threat.

https://hackread.com/fake-chatgpt-atlas-clickfix-steal-passwords/

Sanctioned but Still Spying: Intellexa's Prolific Zero-Day Exploits Continue

Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its "Predator" spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving.

https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue/

New Stealthy Linux Malware Combines Mirai DDoS Botnet with Cryptominer

Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign.

https://thecyberexpress.com/linux-malware-mirai-botnet-cryptominer/

Vulnerabilities

Security updates for Thursday

Security updates have been issued by AlmaLinux (expat and libxml2), Debian (openvpn and webkit2gtk), Fedora (gi-loadouts, kf6-kcoreaddons, kf6-kguiaddons, kf6-kjobwidgets, kf6-knotifications, kf6-kstatusnotifieritem, kf6-kunitconversion, kf6-kwidgetsaddons, kf6-kxmlgui, nanovna-saver, persepolis, python-ezdxf, python-pyside6, sigil, stb, syncplay, tinyproxy, torbrowser-launcher, ubertooth, and usd), Mageia (cups), SUSE (cups, gegl, icinga2, mozjs128, and Security), and Ubuntu (ghostscript, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux-aws-fips, linux-fips, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gcp-4.15, linux-hwe, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-gcp-6.14, linux-raspi, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, linux-raspi, linux-raspi-realtime, linux-xilinx, and postgresql-14, postgresql-16, postgresql-17).

https://lwn.net/Articles/1049251/

Cross-Site Scripting in Nextcloud: Development files shipped in files_pdfviewer app

Nextcloud's PDF viewer uses an outdated version of PDF.js vulnerable to CVE-2024-4367. Attackers with regular user access to a Nextcloud instance are able to prepare a special link. If this link is visited by other logged-in users, cross-site scripting is executed and attackers get access to those users' files.

https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/

Patch now! Critical code-execution vulnerability threatens React

Software developers working with React should urgently update the JavaScript library to the current version for security reasons. If they do not, attackers can exploit a vulnerability and fully compromise systems by executing malicious code. Security updates are available.

https://heise.de/-11102366

Chrome 143.0.7499.40 / 41 closes vulnerabilities

On 2 December 2025, Google updated the Chrome browser to versions 143.0.7499.40 / 41 to close several vulnerabilities at once. The Extended Stable Chromium development branch has also received an update. I briefly summarize some information on these topics below.

https://www.borncity.com/blog/2025/12/04/chrome-143-0-7499-40-41-schliesst-schwachstellen/

DSA-6069-1 openvpn - security update

https://lists.debian.org/debian-security-announce/2025/msg00235.html

K000158050: SQLite vulnerability CVE-2019-8457

https://my.f5.com/manage/s/article/K000158050

K000158042: Apache HTTP server vulnerabilities CVE-2024-47252 and CVE-2025-49812

https://my.f5.com/manage/s/article/K000158042

K000158059: Next.js vulnerability CVE-2025-66478

https://my.f5.com/manage/s/article/K000158059