Daily summary - 21.04.2026

End-of-Day report

Timeframe: Monday 20-04-2026 18:00 - Tuesday 21-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler

News

Serial-to-IP Devices Hide Thousands of Old and New Bugs

The OT devices that translate machine talk into Internet-speak are riddled with vulnerabilities and more frequently targeted for attacks, researchers say.

https://www.darkreading.com/ics-ot-security/serial-ip-devices-thousands-of-bugs

BSI warns: phishing attacks via Signal are on the rise

Attackers are regularly hijacking Signal accounts by phishing. The BSI has now published a guide with recommended actions for those affected.

https://www.golem.de/news/bsi-warnt-phishing-attacken-ueber-signal-nehmen-zu-2604-207797.html

A .WAV With A Payload, (Tue, Apr 21st)

There have been reports of threat actors using a .wav file as a malware delivery vector. It is a well-formed .wav file, but no steganography is involved: the file plays, you just hear noise.

https://isc.sans.edu/diary/rss/32910
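A first triage step for a file like the one in the diary is to walk the RIFF chunk list without decoding the audio and look at what the "data" chunk actually contains: PCM audio of a tone or recording is far from uniformly distributed, while a file that merely "plays as noise" typically has a data chunk that looks like random bytes. The following Python is an added example, not code from the ISC diary; the two sample files are constructed inline (a 440 Hz tone and a data chunk filled with seeded pseudo-random bytes standing in for a payload), and the 7.5-bit entropy threshold is an assumed heuristic, not a value taken from the diary.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_wav(blob: bytes, entropy_threshold: float = 7.5) -> dict:
    """Walk the RIFF chunk list of a WAVE file and report what is in it.

    Returns the chunk inventory, the 'fmt ' parameters, the byte entropy of the
    'data' chunk, and any bytes that sit after the declared RIFF size (a second
    common place to append a payload). The threshold is an assumed heuristic.
    """
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    end = min(8 + riff_size, len(blob))          # end of the RIFF body
    report = {"chunks": [], "fmt": None, "data_size": 0, "data_entropy": 0.0,
              "trailing_bytes": max(0, len(blob) - (8 + riff_size)), "truncated": False}
    pos = 12
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        body = blob[pos + 8:pos + 8 + size]
        if len(body) < size:                     # declared size runs past the file
            report["truncated"] = True
        report["chunks"].append((cid.decode("ascii", "replace"), size))
        if cid == b"fmt " and len(body) >= 16:
            tag, ch, rate, _, _, bits = struct.unpack_from("<HHIIHH", body)
            report["fmt"] = {"format_tag": tag, "channels": ch, "sample_rate": rate, "bits": bits}
        elif cid == b"data":
            report["data_size"] = len(body)
            report["data_entropy"] = shannon_entropy(body)
        pos += 8 + size + (size & 1)             # chunk bodies are padded to even length
    report["suspicious"] = (report["data_entropy"] > entropy_threshold
                            or report["trailing_bytes"] > 0 or report["truncated"])
    return report


def build_wav(pcm: bytes, rate: int = 8000, channels: int = 1, bits: int = 8,
              extra: bytes = b"") -> bytes:
    """Assemble a minimal PCM WAVE file (constructed test input, not a real sample)."""
    block_align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * block_align, block_align, bits)
    pad = b"\x00" if len(pcm) & 1 else b""
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm + pad)
    return b"RIFF" + struct.pack("<I", len(body)) + body + extra


# Constructed samples: an 8-bit 440 Hz tone, and "audio" that is really 4 KiB of
# seeded pseudo-random bytes (a stand-in for an embedded payload, not real malware).
CLEAN_PCM = bytes(128 + round(60 * math.sin(2 * math.pi * 440 * i / 8000)) for i in range(4096))
_rng = random.Random(2026)
PAYLOAD_PCM = bytes(_rng.getrandbits(8) for _ in range(4096))
CLEAN_WAV = build_wav(CLEAN_PCM)
PAYLOAD_WAV = build_wav(PAYLOAD_PCM)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WAV), ("payload", PAYLOAD_WAV)):
        r = triage_wav(blob)
        print(f"{name}: chunks={r['chunks']} entropy={r['data_entropy']:.2f} bits "
              f"trailing={r['trailing_bytes']} suspicious={r['suspicious']}")
```

Treat the entropy figure as a prompt for manual review, not a verdict: a compressed format tag (anything other than 1 for PCM in the 'fmt ' chunk) also produces high-entropy data, so check format_tag before reading much into the number, and a file whose declared RIFF size stops short of the real file length deserves a look at the trailing bytes regardless of entropy.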

Real Apple notifications are being used to drive tech support scams

Scammers have found a way to abuse legitimate Apple notification emails to trick people into calling fake tech support numbers.

https://www.malwarebytes.com/blog/news/2026/04/real-apple-notifications-are-being-used-to-drive-tech-support-scams

Fake job placement agencies foist malware on victims

They are attractively designed and promise interesting jobs on top conditions. Unfortunately, nothing about these placement agencies is real. Through the fake websites and the accompanying recruitment emails, criminals not only want to obtain personal information; they also sneak malware onto their victims' devices.

https://www.watchlist-internet.at/news/fake-jobvermittlungsagenturen/

Bad Apples: Weaponizing native macOS primitives for movement and execution

Cisco Talos documents several macOS living-off-the-land (LOTL) techniques, demonstrating that native pathways for movement and execution remain accessible to those who understand the underlying architecture.

https://blog.talosintelligence.com/bad-apples-weaponizing-native-macos-primitives-for-movement-and-execution/

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

Our research on Void Dokkaebi's operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk.

https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html

Deep Malware Analysis of a Multi-Stage Cobalt Strike Loader

In this blog post, we provide a detailed technical reconstruction of a multi-stage malware chain that ultimately delivers a Cobalt Strike Beacon.

https://www.joesecurity.org/blog/621128515416801396

Command Execution via Drag-and-Drop in Terminal Emulators

Many people may not be aware that terminal emulators such as Kitty and xfce4-terminal support dragging and dropping of files into the terminal to insert the file's path directly at the cursor position. While this feature has existed for a while, more people have started to notice this as Claude Code has grown in popularity and allows users to drag and drop files for Claude to process.

https://sdushantha.github.io/post/drop-it-like-its-hot

Inside An AWS Cloud Threat Detection SOC Lab: Simulating and Detecting Real Cloud Attacks

Over time, cloud computing has become the backbone of how modern systems are built and run. As I started diving deeper into cloud security, I began to see just how much organizations and various industries depend on it, not just for convenience, but for scalability, speed, and the ability to support technologies like artificial intelligence and big data.

https://detect.fyi/inside-an-aws-cloud-threat-detection-soc-lab-simulating-and-detecting-real-cloud-attacks-a11e0ea98430

Context.ai OAuth Token Compromise

Compromised Context.ai OAuth tokens enabled attackers to perform a supply chain attack via trusted SaaS integrations. Learn how to assess the risk in your environment and how to prevent the next attack.

https://www.wiz.io/blog/contextai-oauth-token-compromise

Vulnerabilities

SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files

A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code.

https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html

Apache ActiveMQ RCE

CVE-2026-34197 is a high-severity remote code execution (RCE) vulnerability affecting Apache ActiveMQ Classic. The flaw resides in the exposed Jolokia JMX-HTTP interface and allows attackers to execute arbitrary commands on the underlying system via crafted broker management requests. Recent reporting indicates that this vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and elevating its priority for remediation.

https://fortiguard.fortinet.com/threat-signal-report/6428

Top-severity code execution vulnerability threatens Firebird

The open-source database management system Firebird can be attacked via several paths, allowing malicious code to be executed on affected systems.

https://www.heise.de/news/Schadcode-Luecke-mit-Hoechstwertung-bedroht-Firebird-11265291.html

Supply Chain Compromise Impacts Axios Node Package Manager

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm). Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.

https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager
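Before acting on CISA's guidance, the first question in any Node.js estate is which axios versions are actually pinned, including copies nested under other dependencies, which npm ls does not always show for every lockfile format. The following Python is an added example (not CISA's or the Axios project's code): it inventories every copy of a named package in a package-lock.json, handling both lockfileVersion 1 (nested "dependencies") and versions 2/3 (flat "packages" keyed by install path), and flags versions the caller supplies. The sample lockfiles are constructed inline, "some-sdk" is a made-up dependency, and the version numbers and the known_bad set are placeholders, not the versions named in the alert; take those from CISA's advisory.

```python
import json
import sys
from typing import Collection, Iterator, Optional, Tuple


def iter_lock_packages(lock: dict) -> Iterator[Tuple[str, str, Optional[str]]]:
    """Yield (install_path, version, resolved) for every package in a lockfile.

    lockfileVersion 2/3 keep a flat "packages" map keyed by path; version 1 nests
    "dependencies" recursively. v2 files carry both, so "packages" wins when present.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":                        # entry for the root project itself
                continue
            yield path, meta.get("version", ""), meta.get("resolved")
        return

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, Optional[str]]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, meta.get("version", ""), meta.get("resolved")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_package(lock: dict, name: str, known_bad: Collection[str] = ()) -> list:
    """Return every installed copy of `name`, with the tarball it resolved to.

    `known_bad` is a caller-supplied set of version strings to flag (placeholder here).
    """
    hits = []
    for path, version, resolved in iter_lock_packages(lock):
        # The package name (scoped or not) is whatever follows the last "node_modules/".
        if path.rsplit("node_modules/", 1)[-1] == name:
            hits.append({"path": path, "version": version, "resolved": resolved,
                         "flagged": version in known_bad})
    return hits


# Constructed sample lockfiles. Versions and "some-sdk" are placeholders, NOT the
# affected versions from CISA's alert.
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.0.0", "some-sdk": "^2.0.0"}},
    "node_modules/axios": {"version": "1.2.3",
        "resolved": "https://registry.npmjs.org/axios/-/axios-1.2.3.tgz"},
    "node_modules/some-sdk": {"version": "2.0.0",
        "resolved": "https://registry.npmjs.org/some-sdk/-/some-sdk-2.0.0.tgz",
        "dependencies": {"axios": "1.9.9"}},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.9.9",
        "resolved": "https://registry.npmjs.org/axios/-/axios-1.9.9.tgz"}
  }
}
""")

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.2.3"},
        "some-sdk": {"version": "2.0.0",
                     "dependencies": {"axios": {"version": "1.9.9"}}},
    },
}

if __name__ == "__main__":
    # Usage: python lockscan.py package-lock.json axios 1.9.9 [more versions...]
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
        hits = find_package(lock, sys.argv[2], known_bad=set(sys.argv[3:]))
    else:
        hits = find_package(SAMPLE_LOCK_V3, "axios", known_bad={"1.9.9"})
    for h in hits:
        mark = "!!" if h["flagged"] else "  "
        print(f"{mark} {h['version']:<10} {h['path']}  ({h['resolved']})")
```

The "resolved" URL is printed on purpose: a copy of the package that resolved to something other than the registry you expect (a mirror, a git URL, a local tarball) is worth a second look even when its version string is not on the list, since the lockfile records where the bytes came from, not whether they were tampered with.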

LWN Security updates for Tuesday

https://lwn.net/Articles/1068830/