Daily summary - 09.10.2025

End-of-Day report

Timeframe: Wednesday 08-10-2025 18:00 - Thursday 09-10-2025 18:01 Handler: Guenes Holler Co-Handler: Felician Fuchs

News

Crimson Collective hackers target AWS cloud instances for data theft

The Crimson Collective threat group has been targeting AWS (Amazon Web Services) cloud environments for the past weeks, to steal data and extort companies.

https://www.bleepingcomputer.com/news/security/crimson-collective-hackers-target-aws-cloud-instances-for-data-theft/

New FileFix attack uses cache smuggling to evade security software

A new variant of the FileFix social engineering attack uses cache smuggling to secretly download a malicious ZIP archive onto a victim's system and bypass security software.

https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-cache-smuggling-to-evade-security-software/

Hacktivists target critical infrastructure, hit decoy plant

A pro-Russian hacktivist group called TwoNet pivoted in less than a year from launching distributed denial-of-service (DDoS) attacks to targeting critical infrastructure.

https://www.bleepingcomputer.com/news/security/hacktivists-target-critical-infrastructure-hit-decoy-plant/

SonicWall: Firewall configs stolen for all cloud backup customers

SonicWall has confirmed that all customers that used the company's cloud backup service are affected by last month's security breach.

https://www.bleepingcomputer.com/news/security/sonicwall-firewall-configs-stolen-for-all-cloud-backup-customers/

Security leak: Millions of guest records in hotel software publicly accessible

In the hotel software Sihot, millions of guest records could be viewed. According to the vendor, the security vulnerabilities have already been closed.

https://www.golem.de/news/sicherheitsleck-millionen-gaestedaten-in-hotelsoftware-oeffentlich-einsehbar-2510-200974.html

Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks

Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites.

https://thehackernews.com/2025/10/hackers-exploit-wordpress-themes-to.html

localmind.ai: AI security incident, it is not over yet - Part 3

The security incident at the AI provider localmind.ai does not appear to be over yet. The provider writes that the core systems of the Localmind platform itself were not compromised, and believes the infrastructure has been secured. However, this does not appear to be entirely accurate.

https://www.borncity.com/blog/2025/10/09/localmind-ai-ki-sicherheitsvorfall-es-ist-noch-nicht-vorbei-teil-3/

Velociraptor leveraged in ransomware attacks

Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.

https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/

Fake Teams Installers Dropping Oyster Backdoor (aka Broomstick)

Hackers are using fake Microsoft Teams installers found in search results and ads to deploy the Oyster backdoor. Learn how to protect your PC from this remote-access threat.

https://hackread.com/fake-teams-installers-oyster-backdoor-broomstick/

New Chaos-C++ Ransomware Targets Windows by Wiping Data, Stealing Crypto

FortiGuard Labs reveals Chaos-C++, a new Chaos ransomware variant that deletes files over 1.3 GB instead of encrypting them and uses clipboard hijacking to steal cryptocurrency.

https://hackread.com/chaos-c-ransomware-windows-data-crypto/

Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign

Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand. The actor began sending a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims' Oracle E-Business Suite (EBS) environments.

https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation/

SVG Phishing hits Ukraine with Amatera Stealer, PureMiner

FortiGuard Labs recently observed a phishing campaign designed to impersonate Ukrainian government agencies and deliver additional malware to targeted systems. The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments.

https://feeds.fortinet.com/~/925395818/0/fortinet/blogs~SVG-Phishing-hits-Ukraine-with-Amatera-Stealer-PureMiner

Vulnerabilities

Severe Framelink Figma MCP Vulnerability Lets Hackers Execute Code Remotely

Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can send arbitrary system commands.

https://thehackernews.com/2025/10/severe-figma-mcp-vulnerability-lets.html

Update: Malicious code vulnerability threatens IBM Data Replication VSAM

Attackers can attack IBM Data Replication VSAM for z/OS Remote Source. The vulnerability has now been closed.

https://www.heise.de/news/Update-Schadcode-Luecke-bedroht-IBM-Data-Replication-VSAM-10747827.html

Security updates for Thursday

Security updates have been issued by AlmaLinux (gnutls, kernel, kernel-rt, and open-vm-tools), Debian (chromium, python-django, and redis), Fedora (chromium, insight, mirrorlist-server, oci-seccomp-bpf-hook, rust-maxminddb, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, rust-protobuf-support, turbo-attack, and yarnpkg), Oracle (iputils, kernel, open-vm-tools, redis, and valkey), Red Hat (perl-File-Find-Rule and perl-File-Find-Rule-Perl), SUSE (expat, ImageMagick, matrix-synapse, python-xmltodict, redis, redis7, and valkey), and Ubuntu (fort-validator and imagemagick).

https://lwn.net/Articles/1041404/

A Cascade of Insecure Architectures: Axis Plugin Design Flaw Exposes Select Autodesk Revit Users to Supply Chain Risk

We discovered Azure Storage Account credentials exposed in Axis Communications' Autodesk Revit plugin, allowing unauthorized modification of cloud-hosted files. This exposure, combined with vulnerabilities in Autodesk Revit, could enable supply-chain attacks targeting end users.

https://www.trendmicro.com/en_us/research/25/j/axis-plugin-flaw-autodesk-revit-supply-chain-risk.html

CISA Releases Four Industrial Control Systems Advisories

CISA released four Industrial Control Systems (ICS) Advisories on October 9, 2025: ICSA-25-282-01 Hitachi Energy Asset Suite, ICSA-25-282-02 Rockwell Automation Lifecycle Services with Cisco, ICSA-25-282-03 Rockwell Automation Stratix, and ICSA-25-128-03 Mitsubishi Electric Multiple FA Products.

https://www.cisa.gov/news-events/alerts/2025/10/09/cisa-releases-four-industrial-control-systems-advisories