End-of-Day report
Timeframe: Monday 10-11-2025 18:00 - Tuesday 11-11-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
News
Quantum Route Redirect PhaaS targets Microsoft 365 users worldwide
A new phishing automation platform named Quantum Route Redirect is using around 1,000 domains to steal Microsoft 365 users' credentials.
https://www.bleepingcomputer.com/news/security/quantum-route-redirect-phaas-targets-microsoft-365-users-worldwide/
How a CPU spike led to uncovering a RansomHub ransomware attack
A sudden CPU spike turned out to be the first clue of an in-progress RansomHub ransomware attack. Varonis breaks down how their team traced the attack from fake browser updates to domain-admin takeover, ultimately stopping the attack before files were encrypted.
https://www.bleepingcomputer.com/news/security/how-a-cpu-spike-led-to-uncovering-a-ransomhub-ransomware-attack/
Remote access from China: British authorities examine their electric buses for a kill switch
An investigation in Norway has prompted further authorities to take action. The Chinese manufacturer Yutong is reportedly able to disable its electric buses remotely.
https://www.golem.de/news/fernzugriff-aus-china-briten-untersuchen-ihre-elektrobusse-auf-kill-switch-2511-202048.html
GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites
The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection.
https://thehackernews.com/2025/11/gootloader-is-back-using-new-font-trick.html
Phishers try to lure 5K Facebook advertisers with fake business pages
One company alone was hit with more than 4,200 emails. More than 5,000 businesses that use Facebook for advertising were bombarded by tens of thousands of phishing emails in a credential- and data-stealing campaign.
www.theregister.com/2025/11/10/5k_facebook_advertising_customers_phishing/
Invisible worm in Visual Studio extensions: GlassWorm lives on
The supply-chain attack via the Visual Studio Code marketplaces discovered in mid-October is apparently continuing: three more packages containing GlassWorm have appeared on the Eclipse Foundation's Open VSX marketplace.
https://www.heise.de/news/Schadsoftware-weiter-aktiv-GlassWorm-erneut-in-Open-VSX-Paketen-gefunden-11073146.html
Phishing alert: WKO does not request data updates by e-mail!
A new phishing variant in the name of the WKO is currently circulating. The e-mail asks you to update your commercial register, directory or company data.
https://www.watchlist-internet.at/news/achtung-phishing-wko-fordert-keine-datenaktualisierung-per-e-mail/
You Thought It Was Over? Authentication Coercion Keeps Evolving
A new type of authentication coercion attack exploits an obscure and rarely monitored remote procedure call (RPC) interface.
https://unit42.paloaltonetworks.com/authentication-coercion/
Russian hacker to plead guilty to aiding Yanluowang ransomware group
Court documents show evidence proving Volkov served as an initial access broker for the ransomware gang - breaking into the network of victims and then offering his access for a percentage of the ransom.
https://therecord.media/russian-hacker-to-plead-guilty-aiding-ransomware-group
Cyber Action Toolkit: breaking down the barriers to resilience
How the NCSC's "Cyber Action Toolkit" is helping small businesses improve their cyber security.
https://www.ncsc.gov.uk/blog-post/cat-breaking-down-resilience-barriers
Cisco Finds Open-Weight AI Models Easy to Exploit in Long Chats
Cisco's new research shows that open-weight AI models, while driving innovation, face serious security risks, as multi-turn attacks, including conversational persistence, can bypass safeguards and expose data.
https://hackread.com/cisco-open-weight-ai-models-long-chat-exploit/
Fake NPM Package With 206K Downloads Targeted GitHub for Credentials
Veracode Threat Research exposed a targeted typosquatting attack on npm, where the malicious package @acitons/artifact stole GitHub tokens. Learn how this supply chain failure threatened the GitHub organisation's code.
https://hackread.com/fake-npm-package-downloads-github-credentials/
BSI on cyber security: stably insecure
The current BSI situation report reveals glaring problems, while the responsible minister is pinning his hopes on the effectiveness of new measures.
https://heise.de/-11074222
MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper
TL;DR: This gives an overview of how .scpt AppleScript files are used to creatively deliver macOS malware, such as fake Office documents or fake Zoom/Teams updates. Previously a technique seen in APT campaigns targeting macOS, samples are now also appearing from the macOS stealer ecosystem, such as MacSync and Odyssey.
https://pberba.github.io/security/2025/11/11/macos-infection-vector-applescript-bypass-gatekeeper/
Vulnerabilities
Popular JavaScript library expr-eval vulnerable to RCE flaw
A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input.
https://www.bleepingcomputer.com/news/security/popular-javascript-library-expr-eval-vulnerable-to-rce-flaw/
SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor
SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform.
https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credentials-flaw-in-sql-anywhere-monitor/
Root security vulnerability threatens IBM's Db2 database system
Attackers can attack systems running IBM Db2 and Business Automation Workflow and, in the worst case, gain root privileges to compromise machines. Security patches are available for download.
https://www.heise.de/news/Root-Sicherheitsluecke-bedroht-IBMs-Datenbanksystem-Db2-11073372.html
Security vulnerability in Dell Display and Peripheral Manager endangers PCs
If attackers successfully exploit a vulnerability in Dell Display and Peripheral Manager on Windows, they can gain elevated user privileges. The developers have closed the security vulnerability in a current version of the software. So far there are no indications of attacks already under way.
https://heise.de/-11073226
Security Vulnerabilities fixed in Firefox 145
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
Ivanti November 2025 Security Update
https://www.ivanti.com/blog/november-2025-security-update