End-of-Day report
Timeframe: Wednesday 05-11-2025 18:00 - Thursday 06-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
News
5 AI-developed malware families analyzed by Google fail to work and are easily detected
You wouldn't know it from the hype, but the results fail to impress.
https://arstechnica.com/security/2025/11/ai-generated-malware-poses-little-real-world-threat-contrary-to-hype/
Remote access via SIM card: Danish electric buses from China can also be controlled remotely
The manufacturer Yutong can, in theory, disable its electric buses remotely at any time. In Denmark the vehicles are in widespread use.
https://www.golem.de/news/fernzugriff-per-sim-karte-auch-daenische-elektrobusse-aus-china-steuerbar-2511-201894.html
Extortion and ransomware drive over half of cyberattacks
In 80% of the cyber incidents Microsoft's security teams investigated last year, attackers sought to steal data, a trend driven more by financial gain than intelligence gathering.
https://blogs.microsoft.com/on-the-issues/2025/10/16/mddr-2025/
Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection
The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware. According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine.
https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html
Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine
A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities. The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense, describing it as Russia-aligned.
https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html
Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362
Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362.
https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.html
SonicWall fingers state-backed cyber crew for September firewall breach
Spies, not crooks, were behind digital heist - damage stopped at the backups, says US cybersec biz. SonicWall has blamed an unnamed, state-sponsored collective for the September break-in that saw cybercriminals rifle through a cache of firewall configuration backups.
https://www.theregister.com/2025/11/06/sonicwall_fingers_statebacked_cyber_crew/
Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report
Mobile devices, IoT sensors, and OT systems are no longer distinct domains; they are the interconnected backbone of modern business and infrastructure. From the factory floor and hospital ward to the global supply chain, this convergence powers innovation and efficiency. However, it has also created a sprawling, interdependent attack surface that threat actors are exploiting with increasing speed and sophistication.
https://www.zscaler.com/blogs/security-research/industry-attacks-surge-mobile-malware-spreads-threatlabz-2025-mobile-iot-ot
Fake shops deceive online shoppers
Fake shops take people's money without delivering anything in return. According to a survey, quite a few users have been affected by this scam.
https://www.heise.de/news/Fakeshops-taeuschen-Online-Kaeufer-11067321.html
Have I Been Pwned: billions of new passwords added to the collection
Have I Been Pwned operator Troy Hunt was able to extract 1.3 billion unique passwords from infostealer datasets.
https://www.heise.de/news/Have-I-Been-Pwned-Milliarden-neuer-Passwoerter-in-Sammlung-11067453.html
Bundestag: coalition reaches agreement on NIS2 directive implementation
After intensive negotiations, the CDU/CSU and SPD parliamentary groups have reached an agreement on the revision of the cybersecurity requirements for critical infrastructure.
https://www.heise.de/news/Bundestag-Koalition-einigt-sich-bei-NIS2-Richtlinien-Umsetzung-11068130.html
Windows: October security updates can trigger BitLocker recovery
The security updates from the October Patch Tuesday for Windows can cause BitLocker recovery to start.
https://www.heise.de/news/Windows-Oktober-Sicherheitsupdates-koennen-Bitlocker-Wiederherstellung-ausloesen-11068172.html
Cloudflare Scrubs Aisuru Botnet from Top Domains List
For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare's public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisuru's overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company's domain name system (DNS) service.
https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-top-domains-list/
Account takeover: criminals try to gain control of WhatsApp accounts using a fake poll
The smartphone buzzes: a new WhatsApp message has arrived. It is about a vote, asking for a vote for an acquaintance's daughter. The main prize is a "free scholarship" for a young up-and-coming dancer. Behind it, however, lies an attempt by criminals to take over their victims' WhatsApp accounts.
https://www.watchlist-internet.at/news/account-takeover-fake-abstimmung/
Sharing is scaring: The WhatsApp screen-sharing scam you didn't see coming
How a fast-growing scam is tricking WhatsApp users into revealing their most sensitive financial and other data.
https://www.welivesecurity.com/en/scams/sharing-is-scaring-whatsapp-screen-sharing-scam/
Russia's Sandworm hackers deploying wipers against Ukraine's grain industry
The Russian state-backed hacking unit Sandworm has been targeting Ukraine's grain industry with wiper malware amid Moscow's ongoing efforts to undermine Kyiv's wartime economy.
https://therecord.media/russia-sandworm-grain-wipers
An Unerring Spear: Cephalus Ransomware Analysis
Cephalus is a new ransomware group that first appeared in mid-June 2025. The group claims that they are motivated 100% by financial gain. Their main method of breaching organizations is by stealing credentials through Remote Desktop Protocol (RDP) accounts that do not have multi-factor authentication (MFA) enabled.
https://asec.ahnlab.com/en/90878/
Hackers Steal Personal Data and 17K Slack Messages in Nikkei Data Breach
Nikkei confirms breach after a virus infected an employee PC, exposing 17,368 names and Slack chat histories. The media giant reported the incident voluntarily.
https://hackread.com/nikkei-data-breach-hackers-steal-data-slack-messages/
What GreyNoise Learned from Deploying MCP Honeypots
GreyNoise deployed MCP honeypots to see what happens when AI middleware meets the open internet - revealing how attackers interact with this new layer of AI infrastructure.
https://www.greynoise.io/blog/deploying-mcp-honeypots
Vulnerabilities
[UPDATE] Cisco Secure Firewall Adaptive Security Appliance Software, Secure Firewall Threat Defense Software, IOS Software, IOS XE Software, and IOS XR Software Web Services Remote Code Execution Vulnerability
Added information on first fixed releases for Cisco Secure Firewall ASA Software releases 9.12 and 9.14.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
Security vulnerabilities endanger PCs with Dell CloudLink and Command Monitor
Patches resolve several security issues in Dell CloudLink and Command Monitor.
https://www.heise.de/news/Unbefugte-Zugriffe-auf-Dell-CloudLink-und-Command-Monitor-moeglich-11067491.html
WatchGuard Fireware OS IKEv2 Out-of-Bounds Vulnerability
A critical Out-of-Bounds Write vulnerability (CVE-2025-9242) exists in the WatchGuard Fireware OS iked process, which handles IKEv2 VPN connections. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on affected devices.
https://fortiguard.fortinet.com/threat-signal-report/6247
Google Issues Emergency Chrome 142 Update to Fix Multiple High-Risk Vulnerabilities
Google has rolled out an emergency update for its Chrome browser, version 142, to address a series of serious remote code execution (RCE) vulnerabilities that could allow attackers to take control of affected systems. The update, released on November 5, 2025, is being distributed gradually across desktop platforms, Windows, macOS, and Linux, as well as Android devices through Google Play and Chrome's built-in update mechanism.
https://thecyberexpress.com/google-chrome-142-fixes-rce-flaws/
CISA Releases Four Industrial Control Systems Advisories
CISA released four Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS: ICSA-25-310-01 Advantech DeviceOn iEdge, ICSA-25-310-02 Ubia Ubox, ICSA-25-310-03 ABB FLXeon Controllers and ICSA-25-282-01 Hitachi Energy Asset Suite (Update A). CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.
https://www.cisa.gov/news-events/alerts/2025/11/06/cisa-releases-four-industrial-control-systems-advisories
CISA warns of critical CentOS Web Panel bug exploited in attacks
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning that threat actors are exploiting a critical remote command execution flaw in CentOS Web Panel (CWP).
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-centos-web-panel-bug-exploited-in-attacks/