End-of-Day report
Timeframe: Wednesday 16-07-2025 18:00 - Thursday 17-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
KAWA4096's Ransomware Tide: Rising Threat With Borrowed Styles
KAWA4096, a ransomware whose name includes "Kawa", the Japanese word for "river", first emerged in June 2025. This new threat features a leak site that follows the style of the Akira ransomware group, and a ransom note format similar to Qilin's, likely an attempt to further enrich their visibility and credibility. In this blog ..
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-ransomware-tide-rising-threat-with-borrowed-styles/
Oracle: 309 security updates for all kinds of products
For its July patch day, known as the Critical Patch Update, Oracle has announced 309 security updates. Dozens of products are vulnerable.
https://www.heise.de/news/Oracle-309-Sicherheitsupdates-fuer-alle-moeglichen-Produkte-10490492.html
Cisco: security vulnerabilities in several products
Cisco's ISE has yet another vulnerability with the maximum severity rating. Cisco also warns of further vulnerabilities in more products.
https://www.heise.de/news/Weitere-kritische-Luecke-in-Ciscos-ISE-10490589.html
Trump releases one billion dollars for offensive cyber operations
Exactly how the money will be used is not known. Attention is likely to focus mainly on China, however.
https://www.derstandard.at/story/3000000279549/trump-gibt-eine-milliarde-dollar-fuer-offensive-cyberoperationen-frei
Google spots tailored backdoor malware aimed at SonicWall appliances
Google researchers reported on a malware campaign against end-of-life SonicWall appliances, noting that the attackers were good at covering their tracks.
https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148
Detection Engineering: Practicing Detection-as-Code - Repository - Part 2
This is the second part of the Practicing Detection-as-Code series, where we will cover some basic elements of designing a repository to develop, store, and deploy detections from. We'll go through several different aspects of the setup like the Git platform, branch strategy, repository structure, detections structure, taxonomies, and content packs.
https://blog.nviso.eu/2025/07/17/detection-engineering-practicing-detection-as-code-repository-part-2/
Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public
GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 - nearly two weeks before a public proof-of-concept was released on July 4.
https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-before-public-poc
Flaw in Signal App Clone Could Leak Passwords - GreyNoise Identifies Active Reconnaissance and Exploit Attempts
A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessage SGNL. If exposed, the affected endpoint can return a full snapshot of heap memory, which may include plaintext usernames, passwords, and other sensitive data.
https://www.greynoise.io/blog/active-exploit-attempts-signal-based-messaging-app
How to catch GitHub Actions workflow injections before attackers do
Strengthen your repositories against actions workflow injections - one of the most common vulnerabilities.
https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/
Vulnerabilities
Security updates for Thursday
Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, linux-raspi, and linux-raspi-5.4).
https://lwn.net/Articles/1030256/