Daily summary - 25.11.2025

End-of-Day report

Timeframe: Monday 24-11-2025 19:30 - Tuesday 25-11-2025 18:30 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer

News

Malicious Blender model files deliver StealC infostealing malware

A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader.

https://www.bleepingcomputer.com/news/security/malicious-blender-model-files-deliver-stealc-infostealing-malware/

Tor switches to new Counter Galois Onion relay encryption algorithm

Tor has announced improved encryption and security for the circuit traffic by replacing the old tor1 relay encryption algorithm with a new design called Counter Galois Onion (CGO).

https://www.bleepingcomputer.com/news/security/tor-switches-to-new-counter-galois-onion-relay-encryption-algorithm/

JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

Cybersecurity researchers are calling attention to a new campaign that's leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a "critical" Windows security update.

https://thehackernews.com/2025/11/jackfix-uses-fake-windows-update-pop.html

Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code.

https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html

Ex-CISA officials, CISOs dispel hacklore, spread cybersecurity truths

Don't believe everything you read. Afraid of connecting to public Wi-Fi? Terrified to turn your Bluetooth on? You may be falling for "hacklore," tall tales about cybersecurity that distract you from real dangers. Dozens of chief security officers and ex-CISA officials have launched an effort and website to dispel these myths and show you how not to get hacked for real.

https://www.theregister.com/2025/11/24/hacklore_launch/

Is Your Android TV Streaming Box Part of a Botnet?

On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user's network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers.

https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/

New ClickFix wave infects users with hidden malware in images and fake Windows updates

ClickFix just got more convincing, hiding malware in PNG images and faking Windows updates to make users run dangerous commands.

https://www.malwarebytes.com/blog/news/2025/11/new-clickfix-wave-infects-users-with-hidden-malware-in-images-and-fake-windows-updates

UEFI SecureBoot DB Update: Installing the Microsoft 2023 CAs

Microsoft's SecureBoot certificates (KEK and DB) date from 2011 and expire in 2026.

https://hitco.at/blog/uefi-secureboot-db-update-installieren/

Reports are piling up: Copied classified ads fill fake shops

Criminals are increasingly stuffing their fake shops with images and product information taken from classified-ad portals. Complete listings end up in the fraudulent stores, slightly modified and with a hefty discount.

https://www.watchlist-internet.at/news/kopierte-kleinanzeigen-fuellen-fake-shops/

Russia arrests young cybersecurity entrepreneur on treason charges

Details of the case are classified, but Russian media say Timur Kilin may have drawn official ire after publicly criticizing the state-owned messaging app Max and the government's anti-cybercrime legislation.

https://therecord.media/russia-arrests-tech-entrepreneur-treason

Update Firefox to Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users

AI security firm AISLE revealed CVE-2025-13016, a critical Firefox Wasm bug that risked 180M users for six months. Learn how the memory flaw allowed code execution.

https://hackread.com/update-firefox-patch-cve-2025-13016-vulnerability/

Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications

CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps). These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim's messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim's mobile device.

https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications

The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk

Bitsight TRACE discovered more than 390 abandoned domains related to iCalendar synchronization (sync) requests for subscribed calendars, potentially putting ~4 million devices at risk.

https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk

Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)

Welcome to watchTowr vs the Internet, part 68. That feeling you're experiencing? Dread. You should be used to it by now. As is fast becoming an unofficial and, apparently, frowned upon tradition - we identified incredible amounts of publicly exposed passwords, secrets, keys and more for very sensitive environments - and then spent a number of months working out if we could travel back in time to a period in which we just hadn't.

https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by AlmaLinux (buildah, firefox, go-rpm-macros, kernel, kernel-rt, podman, and thunderbird), Debian (erlang, python-gevent, and r-cran-gh), Fedora (buildah, chromium, k9s, kubernetes1.33, kubernetes1.34, podman, python-mkdocs-include-markdown-plugin, and webkitgtk), Gentoo (Chromium, Google Chrome, Microsoft Edge, Opera, qtsvg, redict, redis, UDisks, and WebKitGTK+), Mageia (cups-filters and ruby-rack), Oracle (kernel and libssh), Red Hat (.NET 8.0, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (act, bind, cups-filters, govulncheck-vulndb, grub2, libebml, python39, and tcpreplay), and Ubuntu (linux-raspi, linux-raspi-realtime, openjdk-21, openjdk-25, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, runc-app, and runc-stable).

https://lwn.net/Articles/1047950/

Synology-SA-25:15 ActiveProtect Agent

Synology has released a security update for the ActiveProtect Agent on Windows to address a vulnerability: CVE-2025-13593 allows local users to write arbitrary files with restricted content. Please refer to the Affected Products table for the corresponding updates.

https://www.synology.com/en-global/support/security/Synology_SA_25_15

Azure Bastion affected by severe vulnerability CVE-2025-49752

The Microsoft Azure Bastion service, which provides secure and seamless RDP and SSH access to Azure virtual machines (VMs), has a severe vulnerability, CVE-2025-49752 (CVSS score 10.0), in all deployments created before 20 November 2025.

https://www.borncity.com/blog/2025/11/25/azure-bastion-mit-schwerer-schwachstelle-cve-2025-49752/

Asus patches high-risk privilege escalation flaw in MyAsus

Asus warns of a security vulnerability rated high-risk in the MyAsus software. An update is available.

https://heise.de/-11090371

Security Advisory for SiRcom SMART Alert (SiSA)

https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-06

Security Advisory for Festo Compact Vision System, Control Block, Controller, and Operator Unit products

https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-05

Security Advisory for Zenitel TCIV-3+

https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

Security Advisory for Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share

https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01