End-of-Day report
Timeframe: Donnerstag 17-07-2025 18:00 - Freitag 18-07-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
News
GitHub abused to distribute payloads on behalf of malware-as-a-service
Researchers from Cisco-s Talos security team have uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets. The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that-s greenlit in many enterprise networks that rely on the code repository for the software they develop.
https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-github-to-distribute-its-payloads/
Microsoft Teams voice calls abused to push Matanbuchus malware
The Matanbuchus malware loader has been seen being distributed through social engineering over Microsoft Teams calls impersonating IT helpdesk.
https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-abused-to-push-matanbuchus-malware/
New Phobos ransomware decryptor lets victims recover files for free
The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files.
https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryptor-lets-victims-recover-files-for-free/
Unmasking Malicious APKs: Android Malware Blending Click Fraud and Credential Theft
Malicious APKs (Android Package Kit files) continue to serve as one of the most persistent and adaptable delivery mechanisms in mobile threat campaigns. Threat actors routinely exploit social engineering and off-market distribution to bypass conventional security controls and capitalize on user trust to steal a variety of data, such as log in credentials.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-malicious-apks-android-malware-blending-click-fraud-and-credential-theft/
WordPress Redirect Malware Hidden in Google Tag Manager Code
Last month, a customer contacted us after noticing their WordPress website was unexpectedly redirecting to a spam domain. The redirection occurred approximately 4-5 seconds after a user landed on the site. Upon closer inspection of the site-s source code we found a suspicious Google Tag Manager loading. This isn-t the first time we-ve seen GTM abused. Earlier this year, we analyzed a credit card skimming attack where attackers injected a payment skimmer via a GTM container. This blog post details our full investigation into this campaign, how it was injected, how it worked, and how we removed it.
https://blog.sucuri.net/2025/07/wordpress-redirect-malware-hidden-in-google-tag-manager-code.html
LLMs in Applications - Understanding and Scoping Attack Surface
In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications.
https://blog.includesecurity.com/2025/07/llms-in-applications-understanding-and-scoping-attack-surface/
Scanception Exposed: New QR Code Attack Campaign Exploits Unmonitored Mobile Access
Cyble-s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems. Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate PDF documents.
https://thecyberexpress.com/scanception-qr-code-quishing-campaign/
Vulnerabilities
Keycloak identity and access management system CVE-2025-7784
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement.
https://access.redhat.com/security/cve/CVE-2025-7784
Security updates for Friday
Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails).
https://lwn.net/Articles/1030479/
Trend Micro Worry Free Business 10.0 SP 1 - Patch 2518 veröffentlicht
Der Sicherheitsanbieter Trend Micro hat zum 15.7.2025 Trend Micro Worry Free Business (WFBS) 10.0 SP 1 - Patch 2518 veröffentlicht. Der Patch enthält diverse Sicherheitsfixes und soll auch verschiedene Bugs beheben. So wird OpenSSL 3.0.15 im Apache-Webserver aktualisiert, um die Produktsicherheit zu verbessern.
https://www.borncity.com/blog/2025/07/18/trend-micro-worry-free-business-10-0-sp-1-patch-2518-veroeffentlicht/
K000152614: Apache Commons vulnerability CVE-2025-48976
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
https://my.f5.com/manage/s/article/K000152614
NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266)
New critical vulnerability with 9.0 CVSS presents systemic risk to the AI ecosystem, carries widespread implications for AI infrastructure.
https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape
SOLIDWORKS eDrawings: Use After Free vulnerability CVE-2025-7042
https://www.3ds.com/trust-center/security/security-advisories/cve-2025-7042