End-of-Day report
Timeframe: Thursday 09-10-2025 18:01 - Friday 10-10-2025 18:01
Handler: Guenes Holler
Co-Handler: n/a
News
Discord says hackers stole government IDs of 70,000 users
Discord says that hackers made off with images of 70,000 users' government IDs that they were required to provide in order to use the site.
https://arstechnica.com/security/2025/10/discord-says-hackers-stole-government-ids-of-70000-users/
RondoDox botnet targets 56 n-day flaws in worldwide attacks
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions. The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and has been active since June.
https://www.bleepingcomputer.com/news/security/rondodox-botnet-targets-56-n-day-flaws-in-worldwide-attacks/
GitHub Copilot CamoLeak AI Attack Exfiltrates Data
Every week or two nowadays, researchers come up with new ways of exploiting agentic AI tools built crudely into software platforms. Since companies are far more concerned with providing AI functionality than they are securing that functionality, there's been ample opportunity for mischief.
https://www.darkreading.com/application-security/github-copilot-camoleak-ai-attack-exfils-data
From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability
Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products. The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560.
https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html
175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign
Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket.
https://thehackernews.com/2025/10/175-malicious-npm-packages-with-26000.html
Cops nuke BreachForums (again) amid cybercrime supergroup extortion blitz
US authorities have seized the latest incarnation of BreachForums, the cybercriminal bazaar recently reborn under the stewardship of the so-called Scattered Lapsus$ Hunters, with help from French cyber cops and the Paris prosecutor's office.
https://go.theregister.com/feed/www.theregister.com/2025/10/10/cops_seize_breachforums/
Pro-Russian hackers caught bragging about attack on fake water utility
A pro-Russian hacker group has been caught boasting about a cyberattack that unfolded entirely inside a decoy system set up by researchers.
https://therecord.media/fake-water-utility-honeypot-hacked-pro-russian-group
More Than DoS (Progress Telerik UI for ASP.NET AJAX Unsafe Reflection CVE-2025-3600)
Welcome back. We're excited to yet again publish memes under the guise of research and inevitably receive hate mail. But today, we'll be doing something slightly different to normal. Today, instead of pulling apart "just one" enterprise-grade solution, we have inadvertently ripped apart a widely used ASP.NET library.
https://labs.watchtowr.com/more-than-dos-progress-telerik-ui-for-asp-net-ajax-unsafe-reflection-cve-2025-3600/
New Stealit Campaign Abuses Node.js Single Executable Application
FortiGuard Labs has encountered a new and active Stealit malware campaign that leverages Node.js' Single Executable Application (SEA) feature to distribute its payloads. This campaign was uncovered following a spike in detections of a particular Visual Basic script, which was later determined to be a component for persistence.
https://feeds.fortinet.com/~/926060729/0/fortinet/blogs~New-Stealit-Campaign-Abuses-Nodejs-Single-Executable-Application
Vulnerabilities
Claroty Product Security Advisory: OIDC Configurations in Claroty Secure Access
This advisory provides important information regarding a security vulnerability affecting on-premise Claroty Secure Access (formerly known as Claroty Secure Remote Access or SRA) when configured with OpenID Connect (OIDC) authentication, either currently or previously. Fixes for affected products are available in the customer portal. There are no known public exploits or a public proof of concept (POC) of this vulnerability.
https://claroty.com/product-security/oidc-configurations-in-claroty-secure-access
Monitoring software Checkmk: privilege escalation vulnerability in Windows version
Checkmk warns of security vulnerabilities in its eponymous network monitoring software. One affects the Windows agent and only narrowly misses being classified as a critical security risk; one of the other leaks, on the other hand, should not cost admins any sleep.
https://www.heise.de/news/Monitoring-Software-Checkmk-Rechteausweitungsluecke-in-Windows-Version-10749613.html
Security updates for Friday
Security updates have been issued by Debian (redis and valkey), Fedora (docker-buildkit, ibus-bamboo, pgadmin4, webkitgtk, and wordpress), Mageia (kernel-linus, kmod-virtualbox & kmod-xtables-addons, and microcode), Oracle (compat-libtiff3 and udisks2), Red Hat (rsync), Slackware (python3), SUSE (chromium, cJSON, digger-cli, glow, go1.24, go1.25, go1.25-openssl, grafana, libexslt0, libruby3_4-3_4, pgadmin4, python311-python-socketio, and squid), and Ubuntu (dpdk, libhtp, vim, and webkit2gtk).
https://lwn.net/Articles/1041564/
Ivanti Endpoint Manager: Zero Day Initiative publishes 13 zero-days
Ivanti's Endpoint Manager (EPM) contained serious security vulnerabilities that the company has known about for months - and yet intended to fix only in another six months. That was too long for Trend Micro's Zero Day Initiative (ZDI), which is now publishing the vulnerabilities as "zero-days". The bug catalogue comprises eleven SQL injections, one path vulnerability and one deserialization of untrusted data.
https://heise.de/-10749054
Malicious-code vulnerabilities closed in Nvidia GPU drivers
Nvidia's developers have closed several security vulnerabilities in various graphics card drivers. In the worst case, malicious code can fully compromise systems. Both Linux and Windows computers are affected.
https://heise.de/-10749431
7-Zip: information on closed security vulnerabilities available
With version 25.00 of 7-Zip, the developer closed several security vulnerabilities in July. Until now, however, it was unclear which ones. Trend Micro's Zero Day Initiative (ZDI) has now published information on some of the security leaks plugged in that release.
https://heise.de/-10749900
Juniper Security Director: attackers can bypass security mechanism
Several products from network equipment vendor Juniper are vulnerable. If attacks succeed, attackers can, for example, install manipulated images or plant backdoors in switches. Security patches are available for download.
https://heise.de/-10750030
DSA-6022-1 valkey - security update
https://lists.debian.org/debian-security-announce/2025/msg00188.html
CISA Adds One Known Exploited Vulnerability to Catalog: CVE-2021-43798 Grafana Path Traversal Vulnerability
https://www.cisa.gov/news-events/alerts/2025/10/09/cisa-adds-one-known-exploited-vulnerability-catalog