End-of-Day report
Timeframe: Dienstag 07-04-2026 18:00 - Mittwoch 08-04-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Iran-Linked Hackers Are Sabotaging US Energy and Water Infrastructure
As Trump threatens Iranian infrastructure, the US government warns that Iran has carried out its own digital attacks against US critical infrastructure.
https://www.wired.com/story/iran-linked-hackers-are-sabotaging-us-energy-and-water-infrastructure/
Anthropic Teams Up With Its Rivals to Keep AI From Hacking Everything
The AI labs Project Glasswing will bring together Apple, Google, and more than 45 other organizations. Theyll use the new Claude Mythos Preview model to test advancing AI cybersecurity capabilities.
https://www.wired.com/story/anthropic-mythos-preview-project-glasswing/
Wichtiges Bug-Bounty-Programm pausiert: KI-Reports überlasten Open-Source-Projekte
Internet Bug Bounty zahlt vorerst keine Prämien mehr. Das betrifft unter anderem Node.js. Der Grund: Mit KI wird viel gemeldet, aber wenig gefixt.
https://www.golem.de/news/wichtiges-bug-bounty-programm-pausiert-ki-reports-ueberlasten-open-source-projekte-2604-207325.html
Microsoft Releases Open Source Toolkit for AI Agent Runtime Security
Microsoft has published its Agent Governance Toolkit, an open source project that brings runtime policy enforcement to autonomous AI agents. The release lands as the industry grapples with a widening gap between how fast AI agents are being deployed and how little infrastructure exists to govern what they do once theyre running. The toolkit is available under the MIT license at the Microsoft GitHub organization and supports Python, TypeScript, Rust, Go, and .NET.
https://socket.dev/blog/microsoft-open-source-toolkit-for-ai-agent-runtime-security
Spooler Alert: Remote Unauthd RCE-to-root Chain in CUPS
TLDR: my self-orchestrating team of vulnerability hunting agents discovered two issues in CUPS, CVE-2026-34980 and CVE-2026-34990, chainable into unauthenticated remote attacker -> unprivileged RCE -> root file (over)write. See below for the prerequisites, details, and mitigation options.
https://heyitsas.im/posts/cups/
Keine neuen Windows-Versionen: Microsoft sperrt Veracrypt-Entwickler aus
Der Veracrypt-Entwickler kann die Windows-Variante seiner Verschlüsselungssoftware nicht mehr aktualisieren. [..] Idrassi versuchte nach eigenen Angaben mehrfach, Microsoft über verschiedene Kanäle zu kontaktieren. Dabei sei er aber nur an automatisierte Antworten und Bots geraten.
https://www.golem.de/news/keine-neuen-windows-versionen-microsoft-sperrt-veracrypt-entwickler-aus-2604-207334.html
A Little Bit Pivoting: What Web Shells are Attackers Looking for?, (Tue, Apr 7th)
Webshells remain a popular method for attackers to maintain persistence on a compromised web server. Many "arbitrary file write" and "remote code execution" vulnerabilities are used to drop small files on systems for later execution of additional payloads. The names of these files keep changing and are often chosen to "fit in" with other files.
https://isc.sans.edu/diary/rss/32874
More Honeypot Fingerprinting Scans, (Wed, Apr 8th)
One question that often comes up when I talk about honeypots: Are attackers able to figure out if they are connected to a honeypot? The answer is pretty simple: Yes!
https://isc.sans.edu/diary/rss/32878
Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox
Unit 42 uncovers critical vulnerabilities in Amazon Bedrock AgentCores sandbox, demonstrating DNS tunneling and credential exposure. [..] We also identified a critical security regression where the AgentCore Runtime utilized a microVM Metadata Service (MMDS) that lacks session token enforcement. Prior to our disclosure and AWS's fixes, this configuration could have allowed an attacker to exploit standard web vulnerabilities, such as server-side request forgery (SSRF), to directly extract sensitive credentials, putting the entire environment at risk.
https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/
New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto
Netskope Threat Labs report a new ClickFix attack using fake CAPTCHAs to deploy Tor-backed NodeJS malware and drain crypto wallets on Windows.
https://hackread.com/clickfix-attack-node-js-malware-tor-steal-crypto/
Jetzt patchen! Attacken auf Low-Coding-Tool Flowise beobachtet
Unbekannte Angreifer nutzen derzeit eine kritische Sicherheitslücke mit Höchstwertung in Flowise aus. [..] Um Systeme vor diesen Attacken zu schützen, müssen Admins sicherstellen, dass mindestens Flowise 3.0.6 installiert ist. Aktuell ist die Ausgabe 3.1.1.
https://heise.de/-11248346
When the compiler lies: breaking memory safety in safe Go
Early in March, I reported two compiler bugs affecting Go releases up to 1.26.1 which broke the Go memory safety guarantees using only safe Go code. [..] I-m not including the full end-to-end exploits, to allow the fixed releases to become more widely available. I-ll briefly describe the issues and show the problematic code patterns though.
https://ciolek.dev/posts/when-the-compiler-lies
Vulnerabilities
Palo Alto Networks Security Advisories
Palo Alto has released 6 new security advisories (1x high, 3x medium, 2x informational)
https://security.paloaltonetworks.com/
Juniper: 2026-04 Security Bulletin: vLWC: Default password is not required to be changed which allows unauthorized high-privileged access (CVE-2026-33784)
https://supportportal.juniper.net/s/article/2026-04-Security-Bulletin-vLWC-Default-password-is-not-required-to-be-changed-which-allows-unauthorized-high-privileged-access-CVE-2026-33784
Juniper: 2026-04 Security Bulletin: CTP OS: Configuring password requirements does not work which permits the use of weak passwords (CVE-2026-33771)
https://supportportal.juniper.net/s/article/2026-04-Security-Bulletin-CTP-OS-Configuring-password-requirements-does-not-work-which-permits-the-use-of-weak-passwords-CVE-2026-33771
Juniper: 2026-04 Security Bulletin: Apstra: SSH host key validation vulnerability for managed devices (CVE-2025-13914)
https://supportportal.juniper.net/s/article/2026-04-Security-Bulletin-Apstra-SSH-host-key-validation-vulnerability-for-managed-devices-CVE-2025-13914
LWN: Security updates for Wednesday
https://lwn.net/Articles/1066809/
Mozilla: Security Vulnerabilities fixed in Thunderbird 140.9.1
https://www.mozilla.org/en-US/security/advisories/mfsa2026-29/
Mozilla: Security Vulnerabilities fixed in Thunderbird 149.0.2
https://www.mozilla.org/en-US/security/advisories/mfsa2026-28/
Nix security advisory: Privilege escalation via symlink following during FOD output registration
https://discourse.nixos.org/t/nix-security-advisory-privilege-escalation-via-symlink-following-during-fod-output-registration/76900