End-of-Day report
Timeframe: Freitag 12-09-2025 18:00 - Montag 15-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
News
Microsoft reminds of Windows 10 support ending in 30 days
On Friday, Microsoft reminded customers once again that Windows 10 will reach its end of support in 30 days, on October 14.
https://www.bleepingcomputer.com/news/microsoft/microsoft-reminds-of-windows-10-support-ending-in-30-days/
Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers
Kaspersky experts discuss the Model Context Protocol used for AI integration. We describe the MCPs architecture, attack vectors and follow a proof of concept to see how it can be abused.
https://securelist.com/model-context-protocol-for-ai-integration-abused-in-supply-chain-attacks/117473/
A Cyberattack Victim Notification Framework
When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry.
https://www.schneier.com/blog/archives/2025/09/a-cyberattack-victim-notification-framework.html
Lawsuit About WhatsApp Security
Attaullah Baig, WhatsApp-s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission.
https://www.schneier.com/blog/archives/2025/09/lawsuit-about-whatsapp-security.html
FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks
The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations Salesforce platforms via different initial access mechanisms," the FBI said.
https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html
All your vulns are belong to us! CISA wants to maintain gov control of CVE program
Get ready for a fight over who steers the global standard for vulnerability identification The Cybersecurity and Infrastructure Security Agency (CISA) nearly let the Common Vulnerabilities and Exposures (CVE) program lapse earlier this year, but a new "vision" document it released this week signals that it now wants more control over the global standard for vulnerability identification.
https://go.theregister.com/feed/www.theregister.com/2025/09/12/cisas_vision_for_cve/
Docker Image Security - Teil 2: Minimale und sichere Docker Images
Distroless Images reduzieren Paketgrößen drastisch, indem sie unnötige Komponenten wie Bash und Paketmanager weglassen. Das erhöht Performance und Sicherheit.
https://www.heise.de/hintergrund/Docker-Image-Security-Teil-2-Minimale-und-sichere-Docker-Images-10631065.html
Cyberkriminelle: "Scattered Lapsus$ Hunters" haben keine Lust mehr
Die Bande machte zuletzt durch Cyberangriffe auf Jaguar und Marks & Spencer von sich reden, die immense Schäden verursachten. Nicht alle halten die Füße still.
https://www.heise.de/news/Cybergang-Scattered-Lapsus-Hunters-kuendigt-Abschied-an-ein-bisschen-10643212.html
Angreifer können IT-Sicherheitslösung IBM QRadar SIEM lahmlegen
Verschiedene Komponenten in IBMs IT-Sicherheitslösung QRadar SIEM sind verwundbar. Nutzen Angreifer die Schwachstellen erfolgreich aus, können sie unter anderem DoS-Zustände erzeugen, sodass Dienste abstürzen. Fällt dadurch der eigentlich durch die Anwendung versprochene Schutz weg, kann das fatale Folgen haben.
https://www.heise.de/news/Angreifer-koennen-IT-Sicherheitsloesung-IBM-QRadar-SIEM-lahmlegen-10644039.html
Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain
Effective OAuth token management is crucial for supply chain security, preventing breaches caused by dormant integrations, insecure storage or lack of rotation.
https://unit42.paloaltonetworks.com/third-party-supply-chain-token-management/
npm-Hack: Angreifer schauen weitgehend in die Röhre
Es war zwar ein Desaster im Hinblick auf die Kompromittierung einer Lieferkette - der Hack eines npm-Entwicklerkontos samt Injektion von Schadcode. Der Angreifer scheint aber mit ziemlich leeren Händen aus der Sache rausgegangen zu sein - er soll, je nach Quelle zwischen 65 und 600 US-Dollar an Kryptogeld gestohlen haben.
https://www.borncity.com/blog/2025/09/14/npm-hack-angreifer-schauen-weitgehend-in-die-roehre/
New VoidProxy Phishing Service Bypasses MFA on Microsoft and Google Accounts
Okta Threat Intelligence exposes VoidProxy, a new PhaaS platform. Learn how this advanced service uses the Adversary-in-the-Middle technique to bypass MFA and how to protect yourself from attacks targeting Microsoft and Google accounts.
https://hackread.com/voidproxy-phishing-service-bypasses-mfa-microsoft-google/
Qrator Labs Mitigated Record L7 DDoS Attack from 5.76M-Device Botnet
Qrator Labs blocked a record L7 DDoS attack from a 5.76M-device botnet targeting government systems, showing rapid global growth since March.
https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/
600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet
Hackers leaked 600 GB of data linked to the Great Firewall of China, exposing documents, code, and operations. Full details available on the GFW Report.
https://hackread.com/great-firewall-of-china-data-published-largest-leak/
ShadowSilk Data Exfiltration Attack
FortiGuard Labs- network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs).
https://fortiguard.fortinet.com/outbreak-alert/shadowsilk-data-exfiltration
Phishing campaign targeting crates.io users
We received multiple reports of a phishing campaign targeting crates.io users (from the rustfoundation.dev domain name), mentioning a compromise of our infrastructure and asking users to authenticate to limit damage to their crates.
https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/
The Internet Coup
A Technical Analysis on How a Chinese Company is Exporting The Great Firewall to Autocratic Regimes.
https://interseclab.org/research/the-internet-coup/
Vulnerabilities
Lücke in Microsoft Agentic AI und Visual Studio kann Schadcode passieren lassen
Angreifer können an einer Schwachstelle in Microsoft Agentic AI und Visual Studio ansetzen. Klappt eine Attacke, können sie Schadcode ausführen und Systeme mit hoher Wahrscheinlichkeit vollständig kompromittieren. Ein Sicherheitsupdate steht zum Download bereit.
https://www.heise.de/news/Schadcode-Schlupfloch-in-Microsoft-Agentic-AI-und-Visual-Studio-geschlossen-10644814.html
Jetzt patchen! Attacken auf Android-Smartphones von Samsung beobachtet
Derzeit nutzen Angreifer eine Sicherheitslücke in Samsung-Smarthpones mit Android 13, 14, 15 und 16 aus. Darüber kann Schadcode auf Geräte gelangen. Ein Sicherheitspatch ist für ausgewählte Geräte verfügbar.
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Android-Smartphones-von-Samsung-beobachtet-10645224.html
Security updates for Monday
Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen).
https://lwn.net/Articles/1038231/
CVE-2025-58434: Critical FlowiseAI Flaw Enables Full Account Takeover
A severe security vulnerability has been discovered in FlowiseAI, an open-source AI workflow automation tool, exposing users to the risk of complete account compromise. Tracked as CVE-2025-58434, this vulnerability affects both the cloud-hosted version of FlowiseAI and self-hosted deployments that expose the relevant API endpoints.
https://thecyberexpress.com/cve-2025-58434/