End-of-Day report
Timeframe: Tuesday 02-12-2025 18:00 - Wednesday 03-12-2025 18:30
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
News
Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack
In just three months, the massive Aisuru botnet launched more than 1,300 distributed denial-of-service attacks, one of them setting a new record with a peak at 29.7 terabits per second.
https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-record-breaking-297-tbps-ddos-attack/
Deep dive into DragonForce ransomware and its Scattered Spider connection
DragonForce expanded its ransomware operation in 2025 by working with English-speaking hackers known for advanced social engineering and initial access. Acronis explains how the "Scattered Spider" collaboration enables coordinated, multistage intrusions across major environments.
https://www.bleepingcomputer.com/news/security/deep-dive-into-dragonforce-ransomware-and-its-scattered-spider-connection/
Technical Analysis of Matanbuchus 3.0
Matanbuchus is a malicious downloader, written in C++, which has been offered as a Malware-as-a-Service (MaaS) since 2020. Over this time, Matanbuchus has undergone several development stages. In July 2025, version 3.0 of Matanbuchus was identified in-the-wild. Matanbuchus offers threat actors the option to deploy additional payloads and perform hands-on keyboard activity via shell commands.
https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0
Fundamental rights: Court halts mass surveillance by Swiss intelligence service
The Swiss Federal Administrative Court has declared the communications intelligence (Fernmeldeaufklärung) of the Federal Intelligence Service (Nachrichtendienst des Bundes) unconstitutional following a lawsuit by civil rights activists.
https://www.heise.de/news/Grundrechte-Gericht-stoppt-Massenueberwachung-des-Schweizer-Geheimdienstes-11101953.html
False snakes: News from MuddyWater
MuddyWater is targeting critical infrastructure in Israel and Egypt, relying on tailor-made malware, improved tactics and a predictable playbook.
https://www.welivesecurity.com/de/eset-research/falsche-schlangen-neues-von-muddywater/
Current wave: Phishing in the name of Volksbank
For several weeks, criminals have been sending their phishing attempts particularly often in the name of Volksbank. They rely on the well-known e-mails and SMS messages. Anyone who follows the link to a "data update" or "account unlocking" risks disclosing their online banking login credentials.
https://www.watchlist-internet.at/news/starke-welle-phishing-volksbank/
India backs off mandatory cyber safety app after surveillance backlash
Mobile phone makers will no longer be required to load the Indian government's Sanchar Saathi app onto new devices after the initial announcement prompted pushback from companies and privacy groups.
https://therecord.media/india-drops-mandate-sanchar-saathi-app-privacy-surveillance
Small numbers of Notepad++ users reporting security woes
I've heard from 3 orgs now who've had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands-on-keyboard threat actors.
https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
Everest Ransomware Claims ASUS Breach and 1TB Data Theft
Everest ransomware group claims it breached ASUS, stealing over 1TB of data including camera source code. ASUS has been given 21 hours to respond via Qtox.
https://hackread.com/everest-ransomware-asus-breach-1tb-data/
Paying the Ransom: A Short-Term Fix or Long-Term Risks?
Ransomware attacks rose by nearly 25% in 2024. If compromised, should you pay ransomware demands or not? We review the risks, reasons to pay or not, and more.
https://www.bitsight.com/blog/paying-ransom-for-ransomware
Industrial control systems: Iskra iHUB remains without a security patch for now
Security updates have been released for some industrial control and automation systems, for example from Mitsubishi. One critical vulnerability, however, remains open.
https://heise.de/-11101017
Vulnerabilities
Vulnerability & Patch Roundup - November 2025
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
https://blog.sucuri.net/2025/11/vulnerability-patch-roundup-november-2025.html
100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Advanced Custom Fields: Extended WordPress Plugin
On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely.
https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-remote-code-execution-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/
Security updates for Wednesday
Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound).
https://lwn.net/Articles/1049103/
Microsoft silently closes LNK vulnerability CVE-2025-9491
An LNK file vulnerability (CVE-2025-9491) has been known since the end of August 2025. It can be abused on Windows for remote code execution. Microsoft initially did not want to provide a patch, but has now addressed it via an update after all.
https://www.borncity.com/blog/2025/12/03/microsoft-schliesst-stillschweigend-lnk-schwachstelle-cve-2025-9491/
CISA Releases Five Industrial Control Systems Advisories
CISA released five Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS: ICSA-25-336-01 Industrial Video & Control Longwatch, ICSA-25-336-02 Iskra iHUB and iHUB Lite, ICSMA-25-336-01 Mirion Medical EC2 Software NMIS BioDose, ICSA-25-201-01 Mitsubishi Electric CNC Series (Update A), and ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C).
https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-releases-five-industrial-control-systems-advisories
ZDI-25-1039: (Pwn2Own) Synology BeeStation Plus auth_info Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-1039/
Splunk SVD-2025-1209: Third-Party Package Updates in Splunk Enterprise - December 2025
https://advisory.splunk.com//advisories/SVD-2025-1209
Splunk SVD-2025-1206: Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade
https://advisory.splunk.com//advisories/SVD-2025-1206