Daily summary - 17.11.2025

End-of-Day report

Timeframe: Friday 14-11-2025 18:00 - Monday 17-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs

News

Jaguar Land Rover cyberattack cost the company over $220 million

Jaguar Land Rover (JLR) published its financial results for July 1 to September 30, warning that the cost of a recent cyberattack totaled £196 million ($220 million) in the quarter.

https://www.bleepingcomputer.com/news/security/jaguar-land-rover-cyberattack-cost-the-company-over-220-million/

Decades-old 'Finger' protocol abused in ClickFix malware attacks

The decades-old "finger" command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices.

https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/

DoorDash email spoofing vulnerability sparks messy disclosure dispute

A vulnerability in DoorDash's systems could allow anyone to send "official" DoorDash-themed emails right from the company's authorized servers, paving a near-perfect phishing channel. DoorDash has now patched the issue, but a contentious disclosure dispute has erupted, with both sides accusing each other of acting in bad faith.

https://www.bleepingcomputer.com/news/security/doordash-email-spoofing-vulnerability-sparks-messy-disclosure-dispute/

Cursor Issue Paves Way for Credential-Stealing Attacks

Researchers discovered a security weakness in the AI-powered coding tool that allows a malicious MCP server to hijack Cursor's internal browser.

https://www.darkreading.com/vulnerabilities-threats/cursor-issue-credential-stealing-attacks

Ransomware: Logitech customer and employee data hacked

Accessory manufacturer Logitech has admitted a data leak. The attack apparently took place via Oracle software.

https://www.golem.de/news/ransomware-kunden-und-mitarbeiterdaten-von-logitech-gehackt-2511-202224.html

Rust Adoption Drives Android Memory Safety Bugs Below 20% for First Time

Google has disclosed that the company's continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% for the first time.

https://thehackernews.com/2025/11/rust-adoption-drives-android-memory.html

Overconfidence is the new zero-day as teams stumble through cyber simulations

Readiness metrics have flatlined since 2023, with most sectors slipping backward as teams fumble crisis drills. Teams that think they're ready for a major cyber incident are scoring barely 22 percent accuracy and taking more than a day to contain simulated attacks, according to new data out Monday.

https://www.theregister.com/2025/11/17/immersive_cyber_resilience_report/

DOJ Issued Seizure Warrant to Starlink Over Satellite Internet Systems Used at Scam Compound

A new US law enforcement initiative is aimed at crypto fraudsters targeting Americans, and now seeks to seize infrastructure it claims is crucial to notorious scam compounds.

https://www.wired.com/story/doj-issued-seizure-warrants-to-starlink-over-satellite-internet-systems-used-at-scam-compounds/

Cyberattack: Bundestag police warn parliamentary groups about dangerous USB sticks

Many MPs' offices have received postal mailings in English containing a USB stick. The police urge recipients not to connect such devices to computers.

https://www.heise.de/news/Cyberangriff-Bundestagspolizei-warnt-Fraktionen-vor-gefaehrlichen-USB-Sticks-11079981.html

Autonomous AI cyberattack: did it really happen that way?

Anthropic claims not only to have discovered, but also to have stopped, a largely autonomous, AI-driven cyberattack. But is that really true?

https://www.heise.de/news/Autonomer-KI-Cyberangriff-Zweifel-an-Anthropics-Untersuchung-11080212.html

IT incident at the Washington Post: data of nearly 10,000 people exfiltrated

Via an Oracle vulnerability, criminals also broke into the Washington Post. Data of almost 10,000 people was exfiltrated.

https://www.heise.de/news/IT-Vorfall-bei-Washington-Post-Daten-von-knapp-10-000-Leuten-abgeflossen-11081532.html

Cyberattacks shake stock exchanges: massive financial consequences

A new survey shows the drastic financial consequences of cyberattacks: 70 percent of listed companies had to adjust their earnings forecasts.

https://www.heise.de/news/Studie-Cyberangriffe-treffen-Aktienkurse-und-Finanzprognosen-hart-11081606.html

Scammers are sending bogus copyright warnings to steal your X login

A copyright violation sounds serious, so cybercriminals are faking messages from the DMCA to lure you into handing over your X credentials.

https://www.malwarebytes.com/blog/news/2025/11/scammers-are-sending-bogus-copyright-warnings-to-steal-your-x-login

Advent, Advent - not everything glitters! Beware of dubious advent calendar shops!

Advent calendars sweeten the pre-Christmas season for young and old. But every year, dubious vendors also try to profit from the Christmas trade.

https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-adventkalendershops/

Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT

Two campaigns delivering Gh0st RAT to Chinese speakers show a deep understanding of the target population's virtual environment and online behavior.

https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/

Initial Access Brokers (IAB) in 2025 - From Dark Web Listings to Supply Chain Ransomware Events

Initial access brokers in 2025, how dark web access listings feed ransomware supply chain events like JLR, and what CISOs can do to detect and disrupt them.

https://www.darknet.org.uk/2025/11/initial-access-brokers-iab-in-2025-from-dark-web-listings-to-supply-chain-ransomware-events/

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion.

https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/

Cat's Got Your Files: Lynx Ransomware

The intrusion began in early March 2025 with a single successful Remote Desktop Protocol (RDP) logon to an internet-exposed system. Notably, there was no evidence of credential stuffing, brute forcing, or other failed authentication attempts from the source IP, indicating the threat actor likely possessed valid credentials before the activity occurred.

https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/

MISP v2.5.25 Release Notes

This release introduces a security fix, significant performance improvements for REST searches, new default feeds, and several important bug fixes. Security: Fixed a vulnerability that could expose user passwords in workflows.

https://github.com/MISP/MISP/releases/tag/v2.5.25

AIPAC Discloses Data Breach, Says Hundreds Affected

AIPAC reports data breach after external system access, hundreds affected, investigation ongoing with added security steps.

https://hackread.com/aipac-data-breach-hundreds-affected/

EchoGram Flaw Bypasses Guardrails in Major LLMs

HiddenLayer reveals the EchoGram vulnerability, which bypasses safety guardrails on GPT-5.1 and other major LLMs, giving security teams just a 3-month head start.

https://hackread.com/echogram-flaw-bypass-guardrails-major-llms/

Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

Last year, Mandiant published a blog post highlighting suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries in the Middle East. In this follow-up post, Mandiant discusses additional tactics, techniques, and procedures (TTPs) observed in incidents Mandiant has responded to.

https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense/

No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE

After my previous post on ARM exploitation, where we crafted an exploit for a known vulnerability, I decided to continue the research on a more modern IoT target. In this follow-up post, I will take you through building a considerably more complex binary exploit. We will explore the path from firmware extraction and analysis to the discovery of a previously unknown vulnerability and its exploitation.

https://modzero.com/en/blog/no-leak-no-problem/

npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects

The Socket Threat Research Team recently discovered dino_reborn, an npm threat actor with seven packages constructing an intricate malware campaign. Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher. If the visitor is a victim, they see a fake CAPTCHA, eventually bringing them to a malicious site. If they are a security researcher, only a few tells on the fake website would tip them off that something nefarious may be occurring.

https://socket.dev/blog/npm-malware-campaign-uses-adspect-cloaking-to-deliver-malicious-redirects

MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper

This post gives an overview of how .scpt AppleScript files are used to creatively deliver macOS malware, such as fake office documents or fake Zoom/Teams updates. Previously a technique seen in APT campaigns against macOS, samples are now appearing from the macOS stealer ecosystem, such as MacSync and Odyssey.

https://pberba.github.io/security/2025/11/11/macos-infection-vector-applescript-bypass-gatekeeper/

Vulnerabilities

Critical vulnerability in Fortinet FortiWeb is being actively exploited

A critical vulnerability (CVE-2025-64446) in Fortinet FortiWeb allows unauthenticated attackers to create their own admin accounts and thus gain full control over affected devices. The vulnerability has been actively exploited since at least 6 October 2025, and exploit code is already publicly available.

https://www.cert.at/de/aktuelles/2025/11/kritische-sicherheitslucke-in-fortinet-fortiweb-wird-aktiv-ausgenutzt

Several vulnerabilities threaten Cisco Catalyst Center

Security updates close several vulnerabilities in Cisco's network control center, Catalyst Center.

https://www.heise.de/news/Admin-Sicherheitsluecke-bedroht-Cisco-Catalyst-Center-11080607.html

Microsoft Patch Tuesday, November 2025 Edition

Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses patched today affect all versions of Windows, including Windows 10.

https://krebsonsecurity.com/2025/11/microsoft-patch-tuesday-november-2025-edition/

Security updates for Monday

Security updates have been issued by Debian (gst-plugins-base1.0, lasso, and thunderbird), Fedora (bind9-next, chromium, containerd, fvwm3, luksmeta, opentofu, python-pdfminer, python-uv-build, ruff, rust-get-size-derive2, rust-get-size2, rust-regex, rust-regex-automata, rust-reqsign, rust-reqsign-aws-v4, rust-reqsign-command-execute-tokio, rust-reqsign-core, rust-reqsign-file-read-tokio, rust-reqsign-http-send reqwest, suricata, uv, and xmedcon), Mageia (apache-commons-beanutils, apache-commons-fileupload, apache-commons-lang, botan2, python-django, spdlog, stardict, webkit2, and yelp-xsl), Slackware (xpdf), and SUSE (bind, chromedriver, firefox, kernel, libxml2, and openssh).

https://lwn.net/Articles/1046756/