End-of-Day report
Timeframe: Wednesday 04-03-2026 18:00 - Thursday 05-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
News
Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers
A maximum severity vulnerability in the FreeScout helpdesk platform allows hackers to achieve remote code execution without any user interaction or authentication. [..] The flaw is tracked as CVE-2026-28289 and bypasses a fix for another remote code execution (RCE) security issue (CVE-2026-27636) that could be exploited by authenticated users with upload permissions.
https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/
Critical security vulnerabilities in Cisco Secure Firewall products - updates available
On 4 March 2026 Cisco published several advisories addressing a total of 17 vulnerabilities in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software and Cisco Secure Firewall Management Center (FMC) Software.
https://www.cert.at/de/warnungen/2026/3/kritische-sicherheitslucken-in-cisco-secure-firewall-produkten-updates-verfugbar
Google says 90 zero-days were exploited in attacks last year
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited throughout 2025, almost half of them in enterprise software and appliances.
https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/
Malware-laced OpenClaw installers get Bing AI search boost
Think before you download. OpenClaw, the AI agent that can manage just about anything, is risky all by itself, but now fake installers for it are wreaking havoc. Users who searched Bing's AI results for "OpenClaw Windows" were directed to a malicious GitHub repository that delivered information stealers and GhostSocks onto their machines.
https://go.theregister.com/feed/www.theregister.com/2026/03/04/fake_openclaw_installers_malware/
Cybercrime: Authorities take down the data-leak forum LeakBase
After seizing the database of LeakBase, one of the world's largest cybercrime forums, authorities identified and arrested several suspects.
https://www.heise.de/news/Cybercrime-Behoerden-schalten-das-Datenleak-Forum-LeakBase-ab-11199616.html
European law enforcement agencies dismantle phishing platform
Tycoon2FA was one of the world's largest phishing operations. It gave criminals undetected access to e-mail accounts. It has now been shut down.
https://www.heise.de/news/Europaeische-Strafverfolgungsbehoerden-zerschlagen-Phishing-Plattform-11199550.html
New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages
The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories. Across its many variants, the stealer demonstrates extensive data-harvesting capabilities, with its ability to dynamically stage payloads, bypass analysis through anti-VM and anti-debug checks and offload sensitive operations to encrypted payloads showing a level of engineering sophistication that continues to increase.
https://www.trendmicro.com/en_us/research/26/c/boryptgrab-stealer-targets-users-via-deceptive-github-pages.html
Fake Zoom, Teams Meeting Invites Use Compromised Certificates to Drop Malware
A new phishing campaign is using stolen certificates from TrustConnect Software PTY LTD to sign malware. By impersonating updates for Zoom and Microsoft Teams, hackers install RMM tools to gain persistent, privileged access to networks.
https://hackread.com/fake-zoom-teams-invites-malware-certificates/
Cyberattacks in 2026: the login as a weapon
Cybercriminals and nation-state actors are increasingly shifting their focus away from laborious break-ins into systems, according to Cloudflare's 2026 threat report. Instead, they prefer the more efficient approach of logging in with stolen credentials.
https://heise.de/-11200132
Vulnerabilities
Drupal: AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
https://www.drupal.org/sa-contrib-2026-022
Drupal: Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
https://www.drupal.org/sa-contrib-2026-024
LWN: Security updates for Thursday
https://lwn.net/Articles/1061464/