End-of-Day report
Timeframe: Wednesday 13-05-2026 18:00 - Friday 15-05-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
News
West Pharmaceutical says hackers stole data, encrypted systems
West Pharmaceutical Services disclosed that it was the target of a cyberattack that resulted in data exfiltration and system encryption.
https://www.bleepingcomputer.com/news/security/west-pharmaceutical-says-hackers-stole-data-encrypted-systems/
KongTuke hackers now use Microsoft Teams for corporate breaches
Initial access broker KongTuke has moved to Microsoft Teams for social engineering attacks, taking as little as five minutes to gain persistent access to corporate networks.
https://www.bleepingcomputer.com/news/security/kongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches/
Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution
Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability.
https://www.bleepingcomputer.com/news/security/inside-the-remus-infostealer-session-theft-maas-and-rapid-evolution/
SOHO router attack by APT28
A few weeks ago, one particular large-scale cyberattack hit the mainstream news everywhere. The Russian cyber actor APT28 attacked SOHO routers and managed to compromise some credentials through that. The attack itself was carried out in multiple phases and was quite interesting.
https://en.blog.nic.cz/2026/05/14/soho-router-attack-by-apt28/
Kimsuky targets organizations with PebbleDash-based tools
Kaspersky researchers analyze a range of new PebbleDash-based tools used in recent Kimsuky campaigns and reveal their connection to the AppleSeed malware cluster.
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
How AI Hallucinations Are Creating Real Security Risks
AI hallucinations are introducing serious security risks into critical infrastructure decision-making by exploiting human trust through highly confident yet incorrect outputs.
https://thehackernews.com/2026/05/how-ai-hallucinations-are-creating-real.html
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent orchestration framework, within four hours of its public disclosure.
https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html
FrostyNeighbor: Fresh mischief and digital shenanigans
ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group's continual cyberespionage operations.
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
Device Code Phishing via Fake File-Sharing Invitation
Truesec has observed a phishing attempt where a customer received an email claiming that a sender wanted to share a document. The message prompted the recipient to click "Open", which redirected the user to a website designed to appear legitimate.
https://www.truesec.com/hub/blog/device-code-phishing-via-fake-file-sharing-invitation
China-Linked Twill Typhoon Uses Fake Apple and Yahoo Sites for Espionage
A new Darktrace report reveals how Chinese hackers use fake Apple and Yahoo sites and the FDMTP malware framework to spy on organisations.
https://hackread.com/chinatwill-typhoon-fake-apple-yahoo-sites-espionage/
FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit
Bitdefender Labs reveals how the China-linked FamousSparrow hacking group targeted an Azerbaijani energy firm using ProxyNotShell, Deed RAT, and Terndoor malware across three persistent waves.
https://hackread.com/famoussparrow-oil-gas-ms-exchange-server-exploit/
CalPhishing Scam Uses EvilTokens Kit, Outlook Invites to Steal M365 Sessions
Hackers are exploiting Outlook calendar invites and device code phishing to steal M365 session tokens, bypass MFA and breach enterprise accounts.
https://hackread.com/calphishing-eviltokens-kit-outlook-invites-m365/
Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive
One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to criminals while the website looks secure and continues to work as normal. That creates serious organisational risk: PCI exposure, regulatory consequences, reputational damage, and a breach that remains invisible until long after the damage is done.
https://scotthelme.ghost.io/anatomy-of-a-woocommerce-skimmer-a-technical-deep-dive/
Backdoored Cemu release linked to TanStack and Mistral supply chain campaign
We investigate how a coordinated supply chain campaign that compromised npm and PyPI packages also backdoored the official Cemu Nintendo Wii U emulator GitHub release, reaching nearly 20,000 Linux users.
https://securitylabs.datadoghq.com/articles/backdoored-cemu-release-teampcp-supply-chain-campaign/
Backdoored node-ipc npm releases steal developer credentials through DNS queries
An analysis of backdoored node-ipc npm releases that add an obfuscated credential collection and DNS exfiltration payload to the CommonJS entrypoint.
https://securitylabs.datadoghq.com/articles/node-ipc-npm-malware-analysis/
New critical Exim mailer flaw allows remote code execution
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code.
https://www.bleepingcomputer.com/news/security/new-critical-exim-mailer-flaw-allows-remote-code-execution/
Vulnerabilities
Fragnesia: Yet another dangerous root vulnerability in the Linux kernel
Dirty Frag and Copy Fail are already keeping countless Linux admins busy. The next root vulnerability has already been identified - and the patches are running late.
https://www.golem.de/news/fragnesia-schon-wieder-gefaehrliche-root-luecke-im-linux-kernel-2605-208702.html
Web servers at risk: 18-year-old security vulnerability discovered in Nginx
Nginx web servers can reportedly be crashed through a vulnerability that has been present since 2008. In some cases, code execution is apparently possible as well.
https://www.golem.de/news/webserver-gefaehrdet-18-jahre-alte-sicherheitsluecke-in-nginx-entdeckt-2605-208713.html
Update closes 79 security vulnerabilities in Google Chrome
The weekly Chrome update closes a total of 79 security vulnerabilities. 14 of them are rated critical.
https://www.heise.de/news/Update-stopft-79-Sicherheitsluecken-in-Google-Chrome-11294547.html
Patch now! Attackers are targeting Cisco Catalyst SD-WAN Controller
Attackers are currently exploiting a critical security vulnerability in Cisco Catalyst SD-WAN Controller. Security updates are available.
https://heise.de/-11294491
Ivanti EPM: Security vulnerabilities enable SQL injection and privilege escalation
Ivanti warns of three security vulnerabilities in Endpoint Manager (EPM). They enable SQL injection or privilege escalation.
https://heise.de/-11294605
VMware Fusion: Attackers can obtain root privileges
If attackers successfully exploit a vulnerability in VMware Fusion, they can obtain root user privileges under certain conditions. The developers have now closed the hole.
https://heise.de/-11294685
F5 BIG-IP: Quarterly security update closes numerous vulnerabilities
Network equipment vendor F5 has released important security updates, among others for various BIG-IP products.
https://heise.de/-11294929
Zero-click vulnerability in Outlook: Attackers can compromise systems via e-mail
Merely sending an e-mail is enough to get malicious code executed via Microsoft Outlook. Clicking a link is not required.
https://www.golem.de/news/zero-click-luecke-in-outlook-angreifer-koennen-systeme-per-e-mail-kompromittieren-2605-208693.html
Mdash: Microsoft's AI finds four critical vulnerabilities in Windows
Microsoft's MDash project is said to be even better at finding security vulnerabilities than Anthropic's Claude Mythos.
https://www.golem.de/news/mdash-microsofts-ki-findet-vier-kritische-luecken-in-windows-2605-208701.html
telnetd 2.7 Buffer Overflow
https://cxsecurity.com/issue/WLB-2026050010
WPS Office improper access restriction to its named pipe
https://jvn.jp/en/jp/JVN14434132/
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
Cisco Catalyst SD-WAN Manager Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R
Cisco Crosswork Network Controller and Cisco Network Services Orchestrator Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-dos-7Egqyc
[R1] Tenable Network Monitor 6.5.4 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2026-14
LWN Security updates for Thursday
https://lwn.net/Articles/1072838/
LWN Security updates for Friday
https://lwn.net/Articles/1073059/