End-of-Day report
Timeframe: Friday 19-12-2025 18:00 - Monday 22-12-2025 18:15
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
News
RansomHouse upgrades encryption with multi-layered data processing
The RansomHouse ransomware-as-a-service (RaaS) has recently upgraded its encryptor, switching from a relatively simple single-phase linear technique to a more complex, multi-layered method.
https://www.bleepingcomputer.com/news/security/ransomhouse-upgrades-encryption-with-multi-layered-data-processing/
Malicious npm package steals WhatsApp accounts and messages
A malicious package in the Node Package Manager (NPM) registry poses as a legitimate WhatsApp Web API library to steal WhatsApp messages, collect contacts, and gain access to the account.
https://www.bleepingcomputer.com/news/security/malicious-npm-package-steals-whatsapp-accounts-and-messages/
Easily hackable: Deutschlandticket fraud reaches hundreds of millions
IT security researchers have uncovered massive vulnerabilities in the Deutschlandticket. The damage caused by fraud is in the hundreds of millions.
https://www.golem.de/news/leicht-hackbar-deutschlandticket-betrug-erreicht-dreistellige-millionenhoehe-2512-203506.html
Airbus Moving Critical Systems Away From AWS, Google, and Microsoft Citing Data Sovereignty Concerns
Airbus is preparing to tender a major contract to move mission-critical systems like ERP, manufacturing, and aircraft design data onto a digitally sovereign European cloud, citing national security concerns and fears around U.S. extraterritorial laws like the CLOUD Act.
https://slashdot.org/story/25/12/19/2252254/airbus-moving-critical-systems-away-from-aws-google-and-microsoft-citing-data-sovereignty-concerns
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers
A phishing campaign that abuses the device code authentication flow to steal victims' Microsoft 365 credentials and take over their accounts has been attributed to a suspected Russia-aligned group. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare.
https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.html
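The device code flow abused here is also used legitimately by CLI tools on headless machines, so the practical problem for defenders is triage rather than a blanket block. The following is an added example for this item, not code from Proofpoint or the article: it ingests constructed Entra ID sign-in records shaped like the Microsoft Graph signIn resource (whose authenticationProtocol field is "deviceCode" for this flow), keeps only successful device code logons, rates each by whether the application is on a hypothetical allowlist of apps expected to use the flow, and clusters logons in time to surface a phishing wave hitting several users at once.

```python
"""Triage Entra ID sign-in records for device code flow logons.

Added example for this digest item; it is not code from the cited report
and not a Microsoft tool. It assumes sign-in records shaped like the
Microsoft Graph `signIn` resource, where `authenticationProtocol` is
"deviceCode" for device code flow logons. All sample records and the app
allowlist below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records (Graph signIn-like shape), not real telemetry.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-12-19T08:01:12Z", "userPrincipalName": "alice@example.org", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-19T08:05:44Z", "userPrincipalName": "alice@example.org", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-19T08:06:02Z", "userPrincipalName": "bob@example.org", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-19T08:09:30Z", "userPrincipalName": "carol@example.org", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.78", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-19T11:40:00Z", "userPrincipalName": "dave@example.org", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.40", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-19T11:41:00Z", "userPrincipalName": "erin@example.org", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.41", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""

# Hypothetical allowlist: apps for which headless device code logons are
# expected in this tenant (CLI tooling). Any other app using the flow is
# rated high, because interactive desktop clients have no need for it.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

# Campaign heuristic: this many distinct users completing device code logons
# inside one window is treated as a likely phishing wave.
CAMPAIGN_WINDOW = timedelta(hours=1)
CAMPAIGN_MIN_USERS = 3


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _timestamp(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def _completed_device_code(record):
    """True for a device code logon that succeeded. Failed attempts are ignored:
    the victim never finished the flow, so no token reached the attacker's client."""
    return (record.get("authenticationProtocol") == "deviceCode"
            and record.get("status", {}).get("errorCode", 0) == 0)


def device_code_findings(records):
    """Return one finding per successful device code logon, rated by app."""
    findings = []
    for rec in records:
        if not _completed_device_code(rec):
            continue
        app = rec.get("appDisplayName", "")
        findings.append({
            "time": rec["createdDateTime"],
            "user": rec["userPrincipalName"],
            "app": app,
            "ip": rec.get("ipAddress"),  # reported for triage, not used for scoring
            "severity": "review" if app in EXPECTED_DEVICE_CODE_APPS else "high",
        })
    return findings


def campaign_clusters(records):
    """Sweep successful device code logons in time order and return each window
    in which CAMPAIGN_MIN_USERS or more distinct users completed the flow."""
    events = sorted((_timestamp(r), r["userPrincipalName"])
                    for r in records if _completed_device_code(r))
    clusters = []
    i = 0
    while i < len(events):
        start = events[i][0]
        users = set()
        j = i
        while j < len(events) and events[j][0] - start <= CAMPAIGN_WINDOW:
            users.add(events[j][1])
            j += 1
        if len(users) >= CAMPAIGN_MIN_USERS:
            clusters.append({"start": start.isoformat(), "users": sorted(users)})
        i = j
    return clusters


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for f in device_code_findings(recs):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} via {f['app']} from {f['ip']}")
    for c in campaign_clusters(recs):
        print(f"possible campaign starting {c['start']}: {', '.join(c['users'])}")
```

On the constructed sample this yields three high-rated logons (Office and Teams never need the device code flow) plus one review-rated Azure CLI logon, and one cluster of three users within a few minutes, which is the shape a phishing wave takes in the logs. The same field is available as AuthenticationProtocol in the Log Analytics SigninLogs table, so the filter is a one-line KQL query there; tenants that do not need the flow at all can block it outright with the Conditional Access authentication flows condition, which removes the attack surface instead of detecting it.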
ATM jackpotting gang accused of unleashing Ploutus malware across US
Latest charges join the mountain of indictments facing alleged Tren de Aragua members. A Venezuelan gang described by US officials as "a ruthless terrorist organization" faces charges over alleged deployment of malware on ATMs across the country, illegally siphoning millions of dollars.
https://www.theregister.com/2025/12/19/tren_de_aragua_atm/
Around 1,000 systems compromised in ransomware attack on Romanian water agency
On-site staff keep key systems working while all but one region battles with encrypted PCs. Romania's cybersecurity agency confirms a major ransomware attack on the country's water management administration has compromised around 1,000 systems, with work to remediate them still ongoing.
https://www.theregister.com/2025/12/22/around_1000_systems_compromised_in/
Zscaler Threat Hunting Catches Evasive SideWinder APT Campaign
Zscaler Threat Hunting has identified a sophisticated espionage campaign targeting Indian entities by masquerading as the Income Tax Department of India. By reconstructing the complete attack lifecycle from a deceptive "Inspection" lure to a reflectively loaded resident implant, Zscaler Threat Hunting has observed activity which is typically associated with SideWinder APT (also known as Rattlesnake or APT-C-17).
https://www.zscaler.com/blogs/security-research/zscaler-threat-hunting-catches-evasive-sidewinder-apt-campaign
l+f: Reverse engineering step by step - AI helps too
A security researcher takes interested readers on a journey into an IP camera firmware. The result is patches for TP-Link's Tapo C200 model.
https://www.heise.de/news/l-f-Reverse-Engineering-Schritt-fuer-Schritt-KI-hilft-auch-mit-11122535.html
Eurostar AI vulnerability: when a chatbot goes off the rails
I first encountered the chatbot as a normal Eurostar customer while planning a trip. When it opened, it clearly told me that "the answers in this chatbot are generated by AI", which is good disclosure but immediately raised my curiosity about how it worked and what its limits were.
https://www.pentestpartners.com/security-blog/eurostar-ai-vulnerability-when-a-chatbot-goes-off-the-rails-2/
Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities to Evade Detection
This report describes a phishing campaign in which attackers impersonate legitimate Google generated messages by abusing Google Cloud Application Integration to distribute malicious emails that appear to originate from trusted Google infrastructure. The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients.
https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection/
Denmark summons Russian ambassador over alleged cyberattacks on water utility, elections
Russia's ambassador to Copenhagen, Vladimir Barbin, confirmed to Russian state media on Friday that he had been called to the Danish foreign ministry, but rejected the accusations as unfounded.
https://therecord.media/denmark-summons-russian-ambassador-cyberattack-elections
Nigeria arrests suspected RaccoonO365 phishing kit developer on tip from Microsoft, FBI
One of the alleged developers behind the RaccoonO365 subscription-based phishing kit was arrested by Nigerian police this week.
https://therecord.media/nigeria-raccoon-developer-tip
Nefilim ransomware hacker pleads guilty to computer fraud
A Ukrainian national pleaded guilty in U.S. federal court to one charge stemming from attacks using Nefilim ransomware on companies in the U.S., Canada and Australia.
https://therecord.media/nefilim-ransomware-hacker-fraud
Judge rules that NSO cannot continue to install spyware via WhatsApp pending appeal
NSO Group had sought to stay the order pending a decision on its appeal in the case, which centers on allegations that it targeted 1,400 WhatsApp users with its powerful zero-click Pegasus spyware in 2019.
https://therecord.media/judge-rules-nso-cannot-continue-whatsapp-spyware
Hackers Abuse Popular Monitoring Tool Nezha as a Stealth Trojan
Cybersecurity firm Ontinue reveals how the open-source tool Nezha is being used as a Remote Access Trojan (RAT) to bypass security and control servers globally.
https://hackread.com/hackers-abuse-monitoring-tool-nezha-trojan/
Counterfeit memory: particular caution is now advised
Counterfeit hardware tends to make the rounds during the Christmas season. The memory shortage makes the fraud even more lucrative.
https://heise.de/-11123055
"Karvi-geddon": deficient security architecture at a delivery-service platform
A security analysis published on GitHub shows serious deficiencies at Karvi Solutions. Tens of thousands of restaurant customers are affected.
https://heise.de/-11122678
Task Injection - Exploiting agency of autonomous AI agents
This blog post describes what a Task Injection attack is, how this type of attack differs from Prompt Injection, and how it is particularly relevant to AI agents designed for a wide range of actions and tasks, such as computer-use agents.
https://bughunters.google.com/blog/4823857172971520/task-injection-exploiting-agency-of-autonomous-ai-agents
A Deep Dive into A Vulnerability Apple Deemed Unexploitable
I'm going to share with you an interesting race condition issue lurking in Apple's core file-copy API. Apple was aware of the security issue. But they did nothing at first because they deemed it would be nearly impossible to exploit the bug, due to the race condition's microscopic time window. But I will prove them wrong.
https://jhftss.github.io/Exploiting-the-Impossible/
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (chromium, dropbear, mediawiki, php8.4, python-mechanize, rails, roundcube, usbmuxd, and wordpress), Fedora (cef, chromium, fonttools, gobuster, gosec, mingw-libpng, moby-engine, mqttcli, nextcloud, pgadmin4, python-unicodedata2, uriparser, and util-linux), Mageia (php and webkit2), Oracle (binutils, curl, gcc-toolset-13-binutils, gimp, git-lfs, kernel, openssh, php:8.3, podman, python-kdcproxy, python3.12, python3.9, skopeo, and webkit2gtk3), Red Hat (rsync), Slackware (php), SUSE (alloy, busybox, chromedriver, chromium, coredns-for-k8s, duc, firefox, kernel-devel, libpng16, libruby3_4-3_4, mariadb, netty, php8, python311-tornado6, rsync, taglib, and xen), and Ubuntu (linux-oracle-5.4, linux-raspi, linux-realtime-6.14, and linux-xilinx).
https://lwn.net/Articles/1051572/
Patch Progress Kemp LoadMaster vulnerabilities (17 Dec. 2025)
A brief advance notice for administrators running the Kemp Progress load balancer. There are apparently vulnerabilities in the product that need to be patched promptly. The details are currently not public and are to be disclosed only on 12 January 2026 (I will add them here then).
https://borncity.com/blog/2025/12/21/progress-kemp-loadmaster-schwachstellen-patchen-17-dez-2025/
BIOS security hole: attackers can push malicious code onto Dell servers
Various models of Dell's PowerEdge server line are vulnerable. Security patches are available.
https://heise.de/-11122626
Security patches: DoS attacks on IBM App Connect Enterprise possible
IBM's integration software offering App Connect Enterprise is vulnerable. The developers have closed a security hole in current versions.
https://heise.de/-11122938
Security Advisory - multiple vulnerabilities in Foxit PDF Reader & Editor
https://www.foxit.com/support/security-bulletins.html