End-of-Day report
Timeframe: Mittwoch 11-02-2026 18:00 - Donnerstag 12-02-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
News
Crazy ransomware gang abuses employee monitoring tool in attacks
A member of the Crazy ransomware gang is abusing legitimate employee monitoring software and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment.
https://www.bleepingcomputer.com/news/security/crazy-ransomware-gang-abuses-employee-monitoring-tool-in-attacks/
Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts
The AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials. [..] Office add-ins are just URLs pointing to content loaded into Microsoft products from the developer's server. In the case of AgreeTo, the developer used a Vercel-hosted URL (outlook-one.vercel.app) but abandoned the project, despite the userbase it formed. [..] The case of AgreeTo stands out, though, as it is likely the first to be hosted on Microsoft-s Marketplace.
https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-in-hijacked-to-steal-4-000-microsoft-accounts/
Betrügerische Post-Emails im Umlauf
Rechnungen von der Post per E-Mail sind häufig Fake. Aktuell kursiert eine Variante, bei der 9,30 Euro für eine Sendung beglichen werden sollen. Ein Klick auf den Button führt auf eine Phishing-Website, auf der Kreditkartendaten gestohlen werden können.
https://www.watchlist-internet.at/news/betruegerische-post-emails-im-umlauf/
Nation-State Actors Exploit Notepad++ Supply Chain
Between June and December 2025, the official hosting infrastructure for the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom. The attackers breached the shared hosting provider-s environment. [..] We-ve identified additional unreported infrastructure, which is linked to this campaign.
https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/
Kritische Schwachstellen in diversen Routern von Linksys
Linksys-Router beinhalten Schwachstellen, die bis zu einer unauthentifizierten und vollständigen Kompromittierung der Geräte über das Internet führen. Der Hersteller Linksys hat für betroffene Geräte ein Update bereitgestellt, welches allerdings nur eine Ausnutzung über das Internet verhindert. [..] Shortly after discovering the vulnerabilities, a -quick- scan of the internet showed about 12.000 vulnerable devices. Around six months after the fix was available, this number shrunk to around 4.000. A reason for this large drop is probably because the Linksys routers support auto-update, which is enabled by default and installs new firmware updates without any user interaction.
https://www.syss.de/pentest-blog/schwachstellen-in-linksys-routern
US wants cyber partnerships to send -coordinated, strategic message- to adversaries
National Cyber Director Sean Cairncross told attendees of the Munich Cyber Security Conference that Washington is looking to deepen cooperation with partners rather than act alone.
https://therecord.media/us-wants-cyber-partnerships-to-send-message-to-adversaries
GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use
In the final quarter of 2025, Google Threat Intelligence Group (GTIG) observed threat actors increasingly integrating artificial intelligence (AI) to accelerate the attack lifecycle, achieving productivity gains in reconnaissance, social engineering, and malware development. This report serves as an update to our November 2025 findings regarding the advances in threat actor usage of AI tools.
https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use/
Scary Agent Skills: Hidden Unicode Instructions in Skills ...And How To Catch Them ·
There is a lot of talk about Skills recently, both in terms of capabilities and security concerns. However, so far I haven-t seen anyone bring up hidden prompt injection. So, I figured to demo a Skills supply chain backdoor that survives human review.
https://embracethered.com/blog/posts/2026/scary-agent-skills/
Vulnerabilities
Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices
Apple on Wednesday released iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates to address a zero-day flaw that it said has been exploited in sophisticated cyber attacks.
https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html
Dell schließt unzählige Sicherheitslücken in Avamar, iDRAC und NetWorker
In drei Warnmeldungen listet Dell die nun geschlossenen Sicherheitslücken in Komponenten von Drittanbietern auf, die Avamar und NetWorker betreffen. [..] Darunter fallen Komponenten wie Apache HTTP Server, Expat, OpenSSL und Vim. Der Großteil der geschlossenen Lücken stammt aus dem Jahr 2025. Darunter sind auch -kritische- Schwachstellen (etwa Samba CVE-2025-10230), über die Schadcode auf Systeme gelangen kann.
https://www.heise.de/news/Dell-schliesst-unzaehlige-Sicherheitsluecken-in-Avamar-iDRAC-und-NetWorker-11173829.html
Fortinet: LDAP authentication bypass in Agentless VPN and FSSO
An Authentication Bypass by Primary Weakness vulnerability [CWE-305] in FortiOS fnbamd may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, under specific LDAP server configuration. CVE-2026-22153
https://www.fortiguard.com/psirt/FG-IR-25-1052
High-Severity RCE Vulnerability Disclosed in next-mdx-remote
HashiCorp has published HCSEC-2026-01, disclosing a high-severity vulnerability in the popular next-mdx-remote library that can lead to arbitrary code execution when rendering untrusted MDX content on the server. The issue is tracked as CVE-2026-0969 (GHSA-g4xw-jxrg-5f6m) and carries a CVSS 3.1 score of 8.8 (High). [..] It is fixed in version 6.0.0. [..] For clarity, this is not a vulnerability in Next.js itself. It affects applications that use next-mdx-remote to compile untrusted MDX content on the server.
https://socket.dev/blog/high-severity-rce-vulnerability-disclosed-in-next-mdx-remote
Multiple Vulnerabilities in various Solax Power Pocket WiFi models
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-various-solax-power-pocket-wifi-models/
LWN Security updates for Thursday
https://lwn.net/Articles/1058473/