Daily Summary - 12.12.2025

End-of-Day report

Timeframe: Thursday 11-12-2025 18:00 - Friday 12-12-2025 18:00 Handler: Guenes Holler Co-Handler: n/a

News

NIS-2 implemented in Austria (NISG 2026)

The Network and Information System Security Act 2026 (Netz- und Informationssystemsicherheitsgesetz 2026, NISG 2026) was passed by the National Council today (12.12.2025). It will be promulgated after the Federal Council has passed it and the Federal President has signed it. The law will enter into force nine months after its promulgation (expected in autumn 2026).

https://certitude.consulting/blog/de/nis-2-in-osterreich-umgesetzt-nisg-2026/

Technical Analysis of the BlackForce Phishing Kit

Zscaler ThreatLabz identified a new phishing kit named BlackForce, which was first observed in the beginning of August 2025 with at least five distinct versions. BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA). The phishing kit is actively marketed and sold on Telegram forums for €200 to €300.

https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit

Cybersecurity Performance Goals 2.0 for Critical Infrastructure

Today, CISA released updated Cross-Sector Cybersecurity Performance Goals (CPG 2.0) with measurable actions for critical infrastructure owners and operators to achieve a foundational level of cybersecurity.

https://www.cisa.gov/news-events/alerts/2025/12/11/cybersecurity-performance-goals-20-critical-infrastructure

SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics

In November, a targeted spear-phishing campaign was observed using Trend Micro-themed lures against various industries, but this was quickly detected and thwarted by the Trend Vision One platform.

https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html

Malicious VSCode Marketplace extensions hid trojan in fake PNG file

A stealthy campaign with 19 extensions on the VSCode Marketplace has been active since February, targeting developers with malware hidden inside dependency folders.

https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace-extensions-hid-trojan-in-fake-png-file/

Vulnerabilities

Security updates for Friday

Security updates have been issued by AlmaLinux (firefox, luksmeta, mysql, mysql:8.0, mysql:8.4, tomcat, and wireshark), Debian (chromium, kernel, and tzdata), Fedora (brotli, dr_libs, perl-Alien-Brotli, python-urllib3, singularity-ce, wireshark, and yarnpkg), Oracle (firefox, grafana, lasso, libsoup3, luksmeta, ruby, ruby:3.3, tomcat, and wireshark), Slackware (mozilla), SUSE (container-suseconnect, kubernetes-client, libpoppler-cpp2, postgresql14, postgresql15, and python3), and Ubuntu (c-ares, keystone, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-azure, linux-azure-4.15, linux-oracle, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-hwe-6.8, linux-oracle-6.8, linux-raspi, linux-realtime, linux-intel-iot-realtime, and python-urllib3).

https://lwn.net/Articles/1050251/

New Windows RasMan zero-day flaw gets free, unofficial patches

Free unofficial patches are available for a new Windows zero-day vulnerability that allows attackers to crash the Remote Access Connection Manager (RasMan) service. RasMan is a critical Windows system service that starts automatically, runs in the background with SYSTEM-level privileges, and manages VPN, Point-to-Point Protocol over Ethernet (PPPoE), and other remote network connections.

https://www.bleepingcomputer.com/news/microsoft/new-windows-rasman-zero-day-flaw-gets-free-unofficial-patches/

ScreenConnect remote maintenance: critical flaw allows malicious code execution

In the remote maintenance software ConnectWise ScreenConnect, authenticated attackers can inject malicious code. An update is available.

https://www.heise.de/news/Fernwartung-ScreenConnect-Kritische-Luecke-ermoeglicht-Schadcodeausfuehrung-11112865.html

GitLab: attackers can create wiki pages containing malware

The DevSecOps platform GitLab is vulnerable. The developers have closed several security vulnerabilities in current versions. In the worst case, attackers can compromise systems.

https://www.heise.de/news/GitLab-Angreifer-koennen-Wiki-Seiten-mit-Malware-anlegen-11112911.html

New React RSC Vulnerabilities Enable DoS and Source Code Exposure

The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure.

https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html

Google fixes super-secret 8th Chrome 0-day

Google issued an emergency fix for a Chrome vulnerability already under exploitation, which marks the world's most popular browser's eighth zero-day bug of 2025.

https://go.theregister.com/feed/www.theregister.com/2025/12/11/google_fixes_supersecret_8th_chrome/

DSA-6080-1 chromium - security update

https://lists.debian.org/debian-security-announce/2025/msg00246.html

CISA Adds One Known Exploited Vulnerability to Catalog

https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-exploited-vulnerability-catalog

CISA Releases 12 Industrial Control Systems Advisories

https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industrial-control-systems-advisories