End-of-Day report
Timeframe: Monday 03-11-2025 18:00 - Tuesday 04-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
Fake Solidity VSCode extension on Open VSX backdoors developers
A remote access trojan dubbed SleepyDuck, and disguised as the well-known Solidity extension in the Open VSX open-source registry, uses an Ethereum smart contract to establish a communication channel with the attacker.
https://www.bleepingcomputer.com/news/security/fake-solidity-vscode-extension-on-open-vsx-backdoors-developers/
Ransom negotiators charged: former cybersecurity employees allegedly hacked companies
Three former employees of cybersecurity firms appear to have run a highly questionable side business. Ransomware was involved.
https://www.golem.de/news/ex-mitarbeiter-angeklagt-loesegeldverhandler-wohl-an-cyberangriffen-beteiligt-2511-201802.html
SesameOp: Novel backdoor uses OpenAI Assistants API for command and control
Microsoft Incident Response - Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as ..
https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/
Apple Patches Everything, Again, (Tue, Nov 4th)
Apple released its expected set of operating system upgrades. This is a minor feature upgrade that also includes fixes for 110 different vulnerabilities. As usual for Apple, many of the vulnerabilities affect multiple operating systems. None of the vulnerabilities ..
https://isc.sans.edu/diary/Apple+Patches+Everything+Again/32448
Scattered LAPSUS$ Hunters: Anatomy of a Federated Cybercriminal Brand
Trustwave SpiderLabs' Cyber Threat Intelligence team is tracking the recent emergence of what appears to be the consolidation of three well-known threat groups into a "federated alliance" that offers, among its activities, Extortion-as-a-Service (EaaS).
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-lapsuss-hunters-anatomy-of-a-federated-cybercriminal-brand/
Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks
Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could be potentially exploited to run malicious operating system (OS) commands under certain ..
https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.html
Europol and Eurojust Dismantle €600 Million Crypto Fraud Network in Global Sweep
Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million). According to a statement released by Eurojust today, the ..
https://thehackernews.com/2025/11/europol-and-eurojust-dismantle-600.html
China's president Xi Jinping jokes about backdoors in Xiaomi smartphones
South Korea's president laughed, so perhaps it was funny? Unlike China's censorship and snooping. Chinese president Xi Jinping has joked that smartphones from Xiaomi might include backdoors.
https://www.theregister.com/2025/11/04/chinas_president_xi_jinping_jokes/
Russia blocks 2-factor SMS for Telegram and WhatsApp
The Kremlin wants control over information. Blocking SMS and phone calls is meant to starve WhatsApp and Telegram.
https://www.heise.de/news/Russland-verhindert-2-Faktor-SMS-fuer-Telegram-und-Whatsapp-11011149.html
Patch day: critical malicious-code vulnerability closed in Android 13, 14, 15, 16
Attackers can attack Android devices and, in the worst case, execute malicious code. Security updates provide a remedy.
https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-in-Android-13-14-15-16-geschlossen-11039341.html
Refund and expired ID: double phishing wave in the name of FinanzOnline
A mass e-mail currently being sent in the name of FinanzOnline promises a generous VAT refund. Almost 300 euros are supposedly waiting. In reality, the criminals are after online banking credentials and their victims' money. In addition, the classic fake SMS messages warning that the FinanzOnline access is about to expire are circulating in increasing numbers.
https://www.watchlist-internet.at/news/mehrwertsteuer-phishing-finanzonline/
Millions for surveillance systems: EU apparently funded the spyware industry massively
In response to a recent report, 39 members of the European Parliament declared themselves "deeply concerned". The awarding of funds to questionable companies is now to be reviewed.
https://www.derstandard.at/story/3000000294846/millionen-fuer-abhoersysteme-eu-foerderte-offenbar-massiv-die-spyware-industrie
Cargo theft gets a boost from hackers using remote monitoring tools
Cybersecurity researchers have been tracking thieves who are using their deep knowledge of trucking and transportation technology to steal cargo.
https://therecord.media/cargo-theft-hackers-remote-monitoring-tools
More than $100 million stolen in exploit of Balancer DeFi protocol
Hackers pilfered millions of dollars worth of cryptocurrency on Monday from the decentralized finance protocol Balancer.
https://therecord.media/crypto-heist-balancer-exploit
CyberSlop - meet the new threat actor, MIT and Safe Security
Cybersecurity vendors peddling nonsense isn't new, but lately we have a new dimension - Generative AI. This has allowed vendors - and educators - to peddle cyberslop for profit.
https://doublepulsar.com/cyberslop-meet-the-new-threat-actor-mit-and-safe-security-d250d19d02a4
PHP Cryptomining Campaign: October/November 2025
From Aug-Oct 2025, GreyNoise observed a surge in exploitation attempts against PHP and PHP-based frameworks as attackers deployed cryptominers, driven by rising Bitcoin prices and higher mining payoffs.
https://www.greynoise.io/blog/php-cryptomining-campaign
For decriminalisation: BSI head calls for revision of the "hacker paragraph"
The president of the Federal Office for Information Security (BSI) has called for changes to the "hacker paragraph" (Hackerparagraf). Support comes from the opposition.
https://heise.de/-11044176
Vulnerabilities
Security updates for Tuesday
Security updates have been issued by Debian (dcmtk, geographiclib, gimp, pure-ftpd, and ruby-rack), Fedora (dotnet9.0), Oracle (expat, kernel, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Red Hat (git, mariadb:10.5, multiple packages, osbuild-composer, pcs, sssd, and tigervnc), SUSE (kernel and redis), and Ubuntu (google-guest-agent).
https://lwn.net/Articles/1044949/