End-of-Day report
Timeframe: Tuesday 23-12-2025 18:00 - Monday 29-12-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
News
Severe security vulnerability in MongoDB ("MongoBleed")
A severe security vulnerability was discovered in MongoDB around Christmas. The flaw, CVE-2025-14847 (also known as "MongoBleed"), allows unauthenticated attackers to read parts of heap memory by sending manipulated, zlib-compressed requests and thereby potentially steal sensitive data (such as passwords or API keys).
https://www.cert.at/de/aktuelles/2025/12/schwerwiegende-sicherheitslucke-in-mongodb-mongobleed
WebRAT malware spread via fake vulnerability exploits on GitHub
The WebRAT malware is now being distributed through GitHub repositories that claim to host proof-of-concept exploits for recently disclosed vulnerabilities.
https://www.bleepingcomputer.com/news/security/webrat-malware-spread-via-fake-vulnerability-exploits-on-github/
Microsoft Teams to let admins block external users via Defender portal
Microsoft announced that security administrators will soon be able to block external users from sending messages, calls, or meeting invitations to members of their organization via Teams.
https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-to-let-admins-block-external-users-via-defender-portal/
Romanian energy provider hit by Gentlemen ransomware attack
A ransomware attack hit Oltenia Energy Complex, Romania's largest coal-based energy producer, on the second day of Christmas, taking down its IT infrastructure.
https://www.bleepingcomputer.com/news/security/romanian-energy-provider-hit-by-gentlemen-ransomware-attack/
Ubisoft: Rainbow Six Siege servers shut down because of hack
Hackers gained access to the Rainbow Six Siege servers. After waves of bans and a flood of in-game credits, Ubisoft responded by halting the system.
https://www.golem.de/news/ubisoft-rainbow-six-siege-server-wegen-hack-heruntergefahren-2512-203634.html
Evasive Panda APT poisons DNS requests to deliver MgBot
Kaspersky GReAT experts analyze the Evasive Panda APT's infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant.
https://securelist.com/evasive-panda-apt/118576/
Are We Ready to Be Governed by Artificial Intelligence?
Artificial Intelligence (AI) overlords are a common trope in science-fiction dystopias, but the reality looks much more prosaic. The technologies of artificial intelligence are already pervading many aspects of democratic government, affecting our lives in ways both large and small. This has occurred largely without our notice or consent. The result is a government incrementally transformed by AI rather than the singular technological overlord of the big screen.
https://www.schneier.com/blog/archives/2025/12/are-we-ready-to-be-governed-by-artificial-intelligence.html
Fake MAS Windows Activation Domain Used To Spread PowerShell Malware
An anonymous reader shares a report: A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the Cosmali Loader. BleepingComputer has found that multiple MAS users began reporting on Reddit yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection.
https://it.slashdot.org/story/25/12/25/2058205/fake-mas-windows-activation-domain-used-to-spread-powershell-malware
New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper
Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that's delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple's Gatekeeper checks.
https://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html
Traditional Security Frameworks Leave Organizations Exposed to AI-Specific Attack Vectors
In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025, malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory.
https://thehackernews.com/2025/12/traditional-security-frameworks-leave.html
27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials
Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft.
https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html
Death, torture, and amputation: How cybercrime shook the world in 2025
The human harms of cyberattacks piled up this year, and violence is expected to increase. The knock-on, and often unintentional, impacts of a cyberattack are so rarely discussed. As an industry, the focus is almost always placed on the economic damage: the ransom payment; the cost of business downtime; and goodness, don't forget those poor shareholders.
https://www.theregister.com/2025/12/28/death_torture_and_amputation_how/
The Age of the All-Access AI Agent Is Here
Big AI companies courted controversy by scraping wide swaths of the public internet. With the rise of AI agents, the next data grab is far more private.
https://www.wired.com/story/expired-tired-wired-all-access-ai-agents/
The Worst Hacks of 2025
From university breaches to cyberattacks that shut down whole supply chains, these were the worst cybersecurity incidents of the year.
https://www.wired.com/story/worst-hacks-of-2025/
Samsung: Missing Google Play Services updates are intentional
For several weeks there has been puzzlement over missing Google Play Services updates on Samsung smartphones. Now Samsung has explained why.
https://www.heise.de/news/Samsung-erklaert-ausbleibende-Google-Play-Dienstupdates-11124911.html
39C3: How a researcher once again outwitted the medical sector's secure mail network
A security expert showed at 39C3 how, in KIM, the e-mail system for physicians, messages can be forged, identities stolen and sensitive metadata harvested.
https://www.heise.de/news/39C3-Wie-ein-Forscher-das-sichere-Mail-Netz-der-Medizin-erneut-ueberlistete-11125264.html
39C3: Various vulnerabilities in GnuPG and other cryptographic tools
Security researchers have found various security-relevant bugs in GnuPG and similar programs. Many of the vulnerabilities have not (yet) been fixed.
https://www.heise.de/news/39C3-Diverse-Luecken-in-GnuPG-und-anderen-kryptografischen-Werkzeugen-11125308.html
Notepad++: Update clears out self-signed certificate remnants
In Notepad++, attackers were able to slip malware into the updater. A further update improves security and corrects regressions.
https://www.heise.de/news/Notepad-Update-zum-Aufraeumen-von-Self-Signed-Zertifikat-Resten-11125475.html
Millions of Wired magazine customer records online - theft at Condé Nast?
Have I Been Pwned lists a data breach for Wired covering sensitive data of 2.3 million users. Presumably, millions more could follow.
https://www.heise.de/news/Millionen-Kundendaten-vom-Wired-Magazin-im-Netz-Diebstahl-bei-Conde-Nast-11125531.html
39C3: Skynet Starter Kit - researchers take over humanoid robots via radio and AI
At 39C3, experts demonstrate how poor the security of humanoid robots is. The range of attacks extends all the way to jailbreaking the integrated AI.
https://www.heise.de/hintergrund/39C3-Skynet-Starter-Kit-Forscher-uebernehmen-humanoide-Roboter-per-Funk-und-KI-11125594.html
39C3: Security researcher hijacks AI coding assistants with prompt injection
At 39C3, Johann Rehberger showed how easily AI coding assistants can be hijacked. Many vulnerabilities have been fixed, but the underlying problem remains.
https://www.heise.de/news/39C3-Sicherheitsforscher-kapert-KI-Coding-Assistenten-mit-Prompt-Injection-11125630.html
1,800 North Koreans tried to infiltrate Amazon
It is not the first time that companies have reported North Korean agents deliberately trying to infiltrate their operations. However, the scale of the attempts appears to have grown once again.
https://www.derstandard.at/story/3000000302007/1800-nordkoreaner-versuchten-sich-bei-amazon-einzuschleusen
A brush with online fraud: What are brushing scams and how do I stay safe?
Have you ever received a package you never ordered? It could be a warning sign that your data has been compromised, with more fraud to follow.
https://www.welivesecurity.com/en/scams/brush-online-fraud-what-are-brushing-scams-how-do-i-stay-safe/
Cyber volunteer effort for small water utilities announces new MSSP effort
An organization is looking to develop a first-of-its-kind managed security service provider (MSSP) model tailored specifically for rural water utilities.
https://therecord.media/cyber-volunteer-water-utility-mssp
Georgia arrests ex-spy chief over alleged protection of scam call centers
Grigol Liluashvili, who ran the Republic of Georgia's state security service from 2020 until April of this year, is facing allegations that he protected scam call centers that defrauded victims around the world.
https://therecord.media/republic-of-georgia-former-spy-chief-arrested-scam-centers
Eurostar Accused Researchers of Blackmail for Reporting AI Chatbot Flaws
Researchers discovered critical flaws in Eurostar's AI chatbot, including prompt injection, HTML injection, guardrail bypass, and unverified chat IDs; Eurostar later accused them of blackmail.
https://hackread.com/eurostar-blackmail-research-report-ai-chatbot-flaw/
Hacker Leaks 2.3M Wired.com Records, Claims 40M-User Condé Nast Breach
A hacker using the alias "Lovely" has leaked what they claim is the personal data of over 2.3 million users of Wired.com, a prominent American magazine and website. The leak was posted on December 20, 2025, on a newly launched hacking forum called Breach Stars.
https://hackread.com/hacker-leak-wired-com-records-conde-nast-breach/
BitLocker gets hardware-based encryption back
More speed and more security: after being dropped in 2019, Windows' disk encryption will soon rely on crypto hardware again instead of the CPU.
https://heise.de/-11124708
Microsoft Is Finally Killing RC4
After twenty-six years, Microsoft is finally upgrading the last remaining instance of the encryption algorithm RC4 in Windows.
https://www.schneier.com/blog/archives/2025/12/microsoft-is-finally-killing-rc4.html
Strengthening supply chain security: Preparing for the next malware campaign
Security advice for users and maintainers to help reduce the impact of the next supply chain malware attack.
https://github.blog/security/supply-chain-security/strengthening-supply-chain-security-preparing-for-the-next-malware-campaign/
Forensic Insights into an EDR Freeze Attack
I have analyzed EDR-Freeze.exe, which puts EDR processes into a suspended "coma" state. Unlike typical EDR attack techniques (BYOVD etc.), this approach is more subtle and abuses legitimate Windows functionality.
https://detect.fyi/forensic-insights-into-an-edr-freeze-attack-e559b0e50a91
2025 Report: Destructive Malware in Open Source Packages
Over the past year, the Socket Threat Research Team observed a steady rise in destructive and sabotage-oriented malware embedded in open source packages across multiple ecosystems. Unlike financially motivated campaigns that focus on credential theft, cryptomining, or wallet draining, these incidents were built to damage developer environments directly, deleting source code, breaking builds, or wiping repositories outright.
https://socket.dev/blog/2025-report-destructive-malware-in-open-source-packages
Demand Without Development
The cybersecurity talent shortage is not just a problem of numbers, but of structure. By systematically avoiding the hiring and training of true junior staff, the industry is reinforcing a feedback loop that shrinks its own future workforce.
https://bytesandborscht.com/demand-without-development/
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (kodi, pgbouncer, and rails), Fedora (duc, fluidsynth, gdu, singularity-ce, and tkimg), Slackware (vim), and SUSE (buildah, duc, gnutls, python39, qemu, and webkit2gtk3).
https://lwn.net/Articles/1052236/
Critical 0day flaw Exposes 70k XSpeeder Devices as Vendor Ignores Alert
Researchers reveal CVE-2025-54322, a critical unpatched flaw in XSpeeder networking gear found by AI agents. 70,000 industrial and branch devices are exposed.
https://hackread.com/xspeeder-0day-flaw-devices-vendor-ignores-alert/
Product Security Advisory and Analysis: Observed Abuse of FG-IR-19-283
Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations. This blog analysis describes the observed abuse and provides additional context so that administrators can confirm that they are not impacted and guidance based on Fortinet observations to prevent FG-IR-19-283 from being exploited.
https://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-analysis-observed-abuse-of-fg-ir-19-283