End-of-Day report
Timeframe: Monday 22-12-2025 18:00 - Tuesday 23-12-2025 18:15
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
The entire CERT.at team thanks you warmly for your interest in our daily newsletter. We wish you a Merry Christmas and restful holidays.
News
Interpol-led action decrypts 6 ransomware strains, arrests hundreds
An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents.
https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts-6-ransomware-strains-arrests-hundreds/
CISA flags ASUS Live Update CVE, but the attack is years old
An ASUS Live Update vulnerability tracked as CVE-2025-59374 has been making the rounds in infosec feeds, with some headlines implying recent or ongoing exploitation. A closer look, however, shows the CVE documents a historic supply-chain attack in an End-of-Life (EoL) software product, not a new attack.
https://www.bleepingcomputer.com/news/security/cisa-flags-asus-live-update-cve-but-the-attack-is-years-old/
New MacSync malware dropper evades macOS Gatekeeper checks
The latest variant of the MacSync information stealer targeting macOS systems is delivered through a digitally signed, notarized Swift application.
https://www.bleepingcomputer.com/news/security/new-macsync-malware-dropper-evades-macos-gatekeeper-checks/
Nissan says thousands of customers exposed in Red Hat breach
Nissan Motor Co. Ltd. (Nissan) has confirmed that information of thousands of its customers has been compromised after the data breach at Red Hat in September.
https://www.bleepingcomputer.com/news/security/nissan-says-thousands-of-customers-exposed-in-red-hat-breach/
Microsoft Teams strengthens messaging security by default in January
Microsoft Teams will automatically enable messaging safety features by default in January to strengthen defenses against content tagged as malicious.
https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-strengthens-messaging-security-by-default-in-january/
Voucher codes on the web: Honey apparently extorted online shops and exploited children
Targeted advertising aimed at children, the collection of private data and harm to online shops: Honey is apparently worse than previously thought.
https://www.golem.de/news/gutscheincodes-im-netz-honey-erpresste-offenbar-onlineshops-und-nutzte-kinder-aus-2512-203548.html
From cheats to exploits: Webrat spreading via GitHub
We dissect the new Webrat campaign where the Trojan spreads via GitHub repositories, masquerading as critical vulnerability exploits to target cybersecurity researchers.
https://securelist.com/webrat-distributed-via-github/118555/
Assessing SIEM effectiveness
We share the results of assessing the effectiveness of Kaspersky SIEM in real-world infrastructures and explore common challenges and solutions to these.
https://securelist.com/siem-effectiveness-assessment/118560/
Microsoft Is Finally Killing RC4
After twenty-six years, Microsoft is finally upgrading the last remaining instance of the encryption algorithm RC4 in Windows.
https://www.schneier.com/blog/archives/2025/12/microsoft-is-finally-killing-rc4.html
Chinese Crypto Scammers on Telegram Are Fueling the Biggest Darknet Markets Ever
Online black markets once lurked in the shadows of the dark web. Today, they've moved onto public platforms like Telegram, and are racking up historic illicit fortunes.
https://www.wired.com/story/expired-tired-wired-chinese-scammer-crypto-markets/
Cyber spies use fake New Year concert invites to target Russian military
The campaign surfaced earlier in October after researchers at the New York-based cybersecurity firm Intezer identified a malicious XLL file uploaded to VirusTotal, first from Ukraine and later from Russia.
https://therecord.media/cyber-spies-fake-new-year-concert-russian-phishing
DDoS incident disrupts France's postal and banking services ahead of Christmas
France's La Poste confirmed that a distributed denial-of-service (DDoS) attack was the source of problems with its websites and mobile applications.
https://therecord.media/la-poste-france-ddos-disruption-days-before-christmas
Scam: Uphold security incident via a third-party provider?
Today I was "informed" that a "data breach" had occurred at a third-party provider, affecting users of Uphold. Uphold is a platform that provides a wallet for cryptocurrency. And this message is a scam. I am pulling together some information, and why one should presumably keep one's hands off the whole thing.
https://borncity.com/blog/2025/12/22/uphold-sicherheitsvorfall-ueber-drittanbieter/
I foretold that Mac app notarization is security theater
This morning 9to5Mac reported "MacSync Stealer variant finds a way to bypass Apple malware protections", based on an investigation by Jamf.
https://lapcatsoftware.com/articles/2025/12/5.html
Malicious Chrome Extensions "Phantom Shuttle" Masquerade as a VPN to Intercept Traffic and Exfiltrate Credentials
Socket's Threat Research Team identified two malicious Chrome extensions sharing the same name Phantom Shuttle (***-), published by the same threat actor using the email theknewone.com@gmail[.]com, distributed since at least 2017. The extensions market themselves as "multi-location network speed testing plugins" for developers and foreign trade personnel.
https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle
Vulnerabilities
Researchers warn: Critical n8n vulnerability affects over 17,000 German servers
A security vulnerability lets attackers hijack n8n instances and inject malicious code. A particularly large number of vulnerable systems are located in Germany.
https://www.golem.de/news/forscher-warnen-kritische-n8n-luecke-betrifft-ueber-17-000-deutsche-server-2512-203557.html
Patches: Hitachi Infrastructure Analytics and Ops Center are vulnerable
Two security vulnerabilities threaten Hitachi Infrastructure Analytics and Ops Center. Attackers can bypass authentication.
https://www.heise.de/news/Patches-Hitachi-Infrastructure-Analytics-und-Ops-Center-sind-verwundbar-11123862.html
Security updates for Tuesday
Security updates have been issued by AlmaLinux (binutils, curl, gcc-toolset-13-binutils, git-lfs, httpd, httpd:2.4, keylime, libssh, mod_md, openssh, php:8.3, podman, python3.12, python3.9, python39:3.9, skopeo, tomcat, tomcat9, and webkit2gtk3), Fedora (mingw-glib2, mingw-libsoup, and mingw-python3), Mageia (roundcubemail), Oracle (git-lfs and mod_md), and SUSE (glib2, kernel, mariadb, and qemu).
https://lwn.net/Articles/1051758/