End-of-Day report
Timeframe: Tuesday 17-03-2026 18:00 - Wednesday 18-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
New "Darksword" iOS exploit used in infostealer attack on iPhones
A new exploit kit for iOS devices and delivery framework dubbed "Darksword" has been used to steal a wide range of personal information, including data from cryptocurrency wallet apps. [..] iVerify's findings indicate that all flaws (sandbox escape, privilege escalation, remote code execution) exploited in this exploit chain are known or documented, and Apple has already addressed them in the latest iOS releases.
https://www.bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/
Technical Analysis of SnappyClient
In December 2025, Zscaler ThreatLabz identified a new command-and-control (C2) framework implant that we track as SnappyClient, which was delivered using HijackLoader. [..] In this blog post, ThreatLabz provides a technical analysis of SnappyClient, including its core features, configuration, network communication protocol, commands, and post-infection activities.
https://www.zscaler.com/blogs/security-research/technical-analysis-snappyclient
Inside a network of 20,000+ fake shops
We mapped a sprawling fake shop operation of over 20,000 domains, dozens of shared IP addresses and identical storefronts with different names pasted on top. [..] Much of this activity clusters around a small number of IP ranges, including blocks in the 207.244.x.x and 23.105.x.x space. That clustering points to a preference for specific hosting providers, and a setup designed for speed: spin up a domain, attach a template, go live.
https://www.malwarebytes.com/blog/scams/2026/03/inside-a-network-of-20000-fake-shops
Gigsberg.de: Renewed alarm over resale tickets for the Eurovision Song Contest
All ticket allocations are completely sold out. There is not yet an official resale platform for ESC tickets. Nevertheless, such offers keep appearing on online ticket marketplaces - currently, for example, on gigsberg.de.
https://www.watchlist-internet.at/news/esc-gigsberg-tickets/
From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA
This case study walks through an incident that involves: An exposed Spring Boot Actuator endpoint [..] Plaintext credentials stored in a spreadsheet [..] A risky authentication method (ROPC) [..] These weaknesses ultimately allowed attackers to compromise a SharePoint service account of the target organization and exfiltrate data from SharePoint Online.
https://www.trendmicro.com/en_us/research/26/c/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltrati.html
Reverse Engineering .NET AOT Malware: A Guide to Trace the Multi-Stage Attack Chain with Binary Ninja
This blog serves both as an examination of newly identified malware and as a practical guide for researchers beginning their journey into malware analysis. Throughout the guide, we use Binary Ninja to reverse engineer the samples.
https://www.cyderes.com/howler-cell/reverse-engineering-net-aot-malware
Amazon threat intelligence teams identify Interlock ransomware campaign targeting enterprise firewalls
Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device, which was disclosed by Cisco on March 4, 2026.
https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
Vulnerabilities
Telnet: Critical flaw allows injection of malicious code over the network
A flaw in the telnetd of GNU Inetutils allows attackers on the network to inject malicious code - without prior authentication. [..] The vulnerability has received a vulnerability entry which explains that an out-of-bounds write is possible in the code that processes the "LINEMODE SLC" option (Set Local Characters). The function add_slc simply does not check whether the buffer is already full (CVE-2026-32746, CVSS 9.8, risk "critical"). [..] According to the entry, no update to close the security hole is available so far. [..] IT administrators should strictly restrict access to their GNU Inetutils telnetd instances to trusted hosts or replace them with encrypted methods.
https://heise.de/-11215518
Ubuntu: root vulnerability via snapd
A vulnerability in the interaction between snapd and systemd on Ubuntu allows attackers to gain root access. [..] An attack is classified as complex because of the long period an attacker has to wait for potential success. [..] Ubuntu provides updated snapd packages that fix the vulnerability. (CVE-2026-3888, CVSS 7.8, risk "high")
https://heise.de/-11216189
Researchers disclose vulnerabilities in IP KVMs from four manufacturers
On Tuesday, researchers from security firm Eclypsium disclosed a total of nine vulnerabilities in IP KVMs from four manufacturers. The most severe flaws allow unauthenticated hackers to gain root access or run malicious code on them. [..] Firmware vulnerabilities also leave them open to remote takeover. [..] some of the devices are being fixed. As of Tuesday, however, the most severe vulnerabilities, found in IP KVMs made by Angeet/Yeeso, aren't.
https://arstechnica.com/security/2026/03/researchers-disclose-vulnerabilities-in-ip-kvms-from-4-manufacturers/
Gimp: Update closes code-execution holes
Over the weekend, the Gimp project released version 3.2 of the powerful open-source graphics program. [..] Trend Micro's Zero Day Initiative (ZDI) (now housed within the company under the name "TrendAI") reported two vulnerabilities in the parsers for certain image formats.
https://heise.de/-11214979
Drupal: Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030
https://www.drupal.org/sa-contrib-2026-030
LWN: Security updates for Wednesday
https://lwn.net/Articles/1063446/
Roundcube: Security updates 1.7-rc5, 1.6.14 and 1.5.13 released
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16