Daily summary - 02.02.2026

End-of-Day report

Timeframe: Friday 30-01-2026 18:00 - Monday 02-02-2026 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl

News

Cloud storage payment scam floods inboxes with fake renewals

Over the past few months, a large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.

https://www.bleepingcomputer.com/news/security/cloud-storage-payment-scam-floods-inboxes-with-fake-renewals/

NationStates confirms data breach, shuts down game site

NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident.

https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-breach-shuts-down-game-site/

Panera Bread breach impacts 5.1 million accounts, not 14 million customers

The data breach notification service Have I Been Pwned says that a data breach at the U.S. food chain Panera Bread affected 5.1 million accounts, not 14 million customers as previously reported.

https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impacts-51-million-accounts-not-14-million-customers/

Espionage risk: Verfassungsschutz warns against electric cars from China

Electric cars from China could theoretically be remotely controlled. The technical risks are documented, but Tesla also collects data on a massive scale.

https://www.golem.de/news/spionagegefahr-verfassungsschutz-warnt-vor-e-autos-aus-china-2602-204851.html

Text editor: Notepad++ server hacked and update traffic manipulated

Attackers succeeded in compromising the Notepad++ update infrastructure and redirecting traffic. The developer apologises.

https://www.golem.de/news/texteditor-notepad-server-gehackt-und-update-traffic-manipuliert-2602-204876.html

Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529

In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability (CVE-2024-54529) and a double-free vulnerability (CVE-2025-31235) in the coreaudiod system daemon through a process I call knowledge-driven fuzzing. While the first post focused on the process of finding the vulnerabilities, this post dives into the intricate process of exploiting the type confusion vulnerability.

https://projectzero.google/2026/01/sound-barrier-2.html

Google Presentations Abused for Phishing

Charlie, one of our readers, has forwarded an interesting phishing email. The email was sent to users of the Vivaldi Webmail service.

https://isc.sans.edu/diary/rss/32668

AI Coding Assistants Secretly Copying All Code to China

There's a new report about two AI coding assistants, used by 1.5 million developers, that are surreptitiously sending a copy of everything they ingest to China. Maybe avoid using them.

https://www.schneier.com/blog/archives/2026/02/ai-coding-assistants-secretly-copying-all-code-to-china.html

Shadow Directories: A Unique Method to Hijack WordPress Permalinks

Last month, while working on a WordPress cleanup case, a customer reached out with a strange complaint: their website looked completely normal to them and their visitors, but Google search results were showing something very different. Instead of normal titles and descriptions, Google was displaying casino and gambling-related content. We have been seeing rising cases of spam on WordPress websites. What made this even more confusing was where the spam was appearing.

https://blog.sucuri.net/2026/01/shadow-directories-a-unique-method-to-hijack-wordpress-permalinks.html

Ex-Google Engineer Convicted for Stealing AI Secrets for China Startup

A former Google engineer accused of stealing thousands of the company's confidential documents to build a startup in China has been convicted in the U.S., the Department of Justice (DoJ) announced Thursday.

https://thehackernews.com/2026/01/ex-google-engineer-convicted-for.html

Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm

Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer's resources to push malicious updates to downstream users.

https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used.html

eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.

https://thehackernews.com/2026/02/escan-antivirus-update-servers.html

Security vulnerability: replacement of further electronic health professional ID cards underway

Customers of D-Trust and SHC+Care must replace their already ECC-capable electronic health professional ID cards (eHBA). How many are affected is unclear.

https://www.heise.de/news/Digital-Health-Tausch-weiterer-E-Heilberufsausweise-wegen-Sicherheitsluecke-11161151.html

Anonymising Linux: emergency update Tails 7.4.1 released

Tails, the Linux distribution focused on online anonymity, has been released in version 7.4.1 - an emergency update.

https://www.heise.de/news/Anonymisierendes-Linux-Notfall-Update-Tails-7-4-1-erschienen-11162314.html

Please Don't Feed the Scattered Lapsus Shiny Hunters

A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion.

https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-shiny-hunters/

How fake party invitations are being used to install remote access tools

"You're invited!" It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers, giving attackers complete control of the system.

https://www.malwarebytes.com/blog/threat-intel/2026/02/how-fake-party-invitations-are-being-used-to-install-remote-access-tools

Microsoft declares NTLM "deprecated" - to be disabled in the next Windows version

Microsoft has declared the outdated NTLM authentication in Windows "deprecated". In the next Windows version (server and client), NTLM will be disabled by default and Kerberos authentication becomes the standard. The use of NTLM is thus coming to an end.

https://borncity.com/blog/2026/02/01/microsoft-erklaert-ntlm-als-deprecated-deaktivierung-in-naechster-server-version/

US Seizes $400 Million Linked to Helix Dark Web Crypto Mixer

US authorities take control of over $400 million in crypto, cash, and property tied to Helix, a major darknet bitcoin mixing service used by drug markets.

https://hackread.com/us-seizes-400m-helix-dark-web-crypto-mixer/

Windows Malware Uses Pulsar RAT for Live Chats While Stealing Data

We usually think of computer viruses as silent, invisible programs running in the background, but a worrying discovery shows that modern hackers are getting much more personal.

https://hackread.com/windows-malware-pulsar-rat-live-chats-steal-data/

Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS

Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. As detailed in our companion report, 'Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft', these campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions.

https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas/

Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft

Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.

https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/

Manic Monday: A Day in the Life of Threat Hunting

Discover a day in the life of threat hunting with Bitsight Adversary Intelligence. Learn how security teams detect and disrupt threats before damage is done.

https://www.bitsight.com/blog/day-in-the-life-threat-hunting

Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)

When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - actively exploited pre-auth Remote Command Execution vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) solution - we sighed with relief. Clearly, the universe had decided to continue mocking Secure-By-Design signers right on schedule - every January.

https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/

The European Space Agency got hacked, and now we own the domain used!

It's not often that two of my interests align so well, but we're talking about space rockets and cyber security! Whilst Magecart and Magecart-style attacks might not be the most common attack vector at the moment, they are still happening with worrying frequency, and they are still catching out some pretty big organisations.

https://scotthelme.ghost.io/the-european-space-agency-got-hacked-and-now-we-own-the-domain-used/

archive.today is directing a DDOS attack against my blog

Around January 11, 2026, archive.today (aka archive.is, archive.md, etc) started using its users as proxies to conduct a distributed denial of service (DDOS) attack against Gyrovague, my personal blog.

https://gyrovague.com/2026/02/01/archive-today-is-directing-a-ddos-attack-against-my-blog/

Exploiting MediaTek's Download Agent

In September 2025, Chimera quietly announced "world-first" support for MediaTek's latest Dimensity 9400 and 8400 SoCs running DAs compiled months after MediaTek had patched Carbonara. So we figured they'd either found a way around the patches, or they were sitting on something entirely new. We had to find out.

https://blog.r0rt1z2.com/posts/exploiting-mediatek-datwo/

Hacking Moltbook: The AI Social Network Any Human Can Control

1 exposed database. 35,000 emails. 1.5M API keys. And 17,000 humans behind the not-so-autonomous AI network.

https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys

Inside Lodash's Security Reset and Maintenance Reboot

For more than a decade, Lodash has been one of the most widely deployed libraries in the JavaScript ecosystem. Its utilities are deeply embedded in frameworks, build systems, and production applications across the web. Like many foundational dependencies, Lodash evolved into critical infrastructure long before the ecosystem had strong models for funding, governance, or long-term security operations.

https://socket.dev/blog/inside-lodash-security-reset?utm_medium=feed

Britain and Japan Join Forces on Cybersecurity and Strategic Minerals

Japan and Britain have agreed to expand cooperation on cybersecurity and critical mineral supply chains, framing the move as a strategic response to intensifying geopolitical, economic, and technological pressures. The British and Japanese cybersecurity strategy and agreement were confirmed during British Prime Minister Keir Starmer's overnight visit to Tokyo, where leaders from both countries reaffirmed their commitment to collective security and economic resilience.

https://thecyberexpress.com/britain-japanese-cybersecurity-cooperation/

Russian APT28 Exploit Zero-Day Hours After Microsoft Discloses Office Vulnerability

Ukraine's cyber defenders warn Russian hackers weaponized a Microsoft zero-day within 24 hours of public disclosure, targeting government agencies with malicious documents delivering Covenant framework backdoors.

https://thecyberexpress.com/russian-apt28-exploit-zero-day-cve-2026-21509/

Default Credentials, Vulnerable Devices Exploited in Polish Energy Grid Attack

A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, lack of multi-factor authentication (MFA) and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team.

https://thecyberexpress.com/default-credentials-polish-energy-grid-attack/

Vulnerabilities

OpenSSL: 12 security holes, one allows malicious code execution and is critical

12 security vulnerabilities have been discovered in OpenSSL - using AI tools. One of them is rated critical. Updated software is available.

https://www.heise.de/news/OpenSSL-12-Sicherheitslecks-eines-erlaubt-Schadcodeausfuehrung-und-ist-kritisch-11161775.html

Security patches: root attacks on IBM Db2 possible

Several security vulnerabilities endanger IBM's Db2 database management system. Primarily, instances can be crashed.

https://www.heise.de/news/Sicherheitspatches-Root-Attacken-auf-IBM-Db2-moeglich-11161723.html

Dell Unity: attackers can execute malicious code with root privileges

Admins should promptly install an important security update for Dell Unity Operating Environment.

https://www.heise.de/news/Dell-Unity-Angreifer-koennen-Schadcode-mit-Root-Rechten-ausfuehren-11162412.html

Security updates for Monday

Security updates have been issued by AlmaLinux (iperf3, kernel, and php), Debian (ceph, pillow, pyasn1, python-django, and python-tornado), Fedora (bind9-next, cef, chromium, fontforge, java-21-openjdk, java-25-openjdk, java-latest-openjdk, mingw-python-urllib3, mingw-python-wheel, nodejs20, nodejs22, nodejs24, opencc, openssl, python-wheel, and qownnotes), Red Hat (binutils, gcc-toolset-13-binutils, gcc-toolset-14-binutils, gcc-toolset-15-binutils, java-1.8.0-openjdk, and java-25-openjdk), Slackware (expat), SUSE (bind, cacti, cacti-spine, chromedriver, chromium, dirmngr, fontforge-20251009, glib2, golang-github-prometheus-prometheus, govulncheck-vulndb, icinga2, ImageMagick, kernel, logback, openCryptoki, openssl-1_1, python311-djangorestframework, python311-pypdf, python314, python315, qemu, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm and linux-aws-fips, linux-fips, linux-gcp-fips).

https://lwn.net/Articles/1056923/

Privileged File System Vulnerability Present in a SCADA System

We detail our discovery of CVE-2025-0921. This privileged file system flaw in SCADA system Iconics Suite could lead to a denial-of-service (DoS) attack.

https://unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921/

Vulnerability & Patch Roundup - January 2026

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

https://blog.sucuri.net/2026/01/vulnerability-patch-roundup-january-2026.html

Multiple vulnerabilities in Cybozu Garoon

https://jvn.jp/en/jp/JVN35265756/

Multiple Microsoft Office products vulnerable to untrusted search path

https://jvn.jp/en/jp/JVN04984838/

Sonatype Nexus Repository vulnerable to server-side request forgery

https://jvn.jp/en/jp/JVN64861120/

OS command injection in raspap-webgui

https://jvn.jp/en/jp/JVN27202136/

ZDI-26-050: GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-26-050/

AI bot: OpenClaw (Moltbot) with high-risk code-smuggling vulnerability

https://www.heise.de/news/KI-Bot-OpenClaw-Moltbot-mit-hochriskanter-Codeschmuggel-Luecke-11161705.html

Multiple vulnerabilities in Native Instruments Native Access (MacOS)

https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/

CVE-2025-60021 (CVSS 9.8): command injection in Apache bRPC heap profiler

https://www.cyberark.com/resources/threat-research-blog/cve-2025-60021-cvss-9-8-command-injection-in-apache-brpc-heap-profiler