Daily summary - 26.11.2025

End-of-Day report

Timeframe: Tuesday 25-11-2025 18:30 - Wednesday 26-11-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs

News

Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025

This article covers NTLM relay, credential forwarding, and other NTLM-related vulnerabilities and cyberattacks discovered in 2025.

https://securelist.com/ntlm-abuse-in-2025/118132/

Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps

Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that's capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet.

https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html

Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim Korean Leaks Data Heist

South Korea's financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware.

https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html

HashJack attack shows AI browsers can be fooled with a simple "#"

Hashtag-do-whatever-I-tell-you. Cato Networks says it has discovered a new attack, dubbed "HashJack," that hides malicious prompts after the "#" in legitimate URLs, tricking AI browser assistants into executing them while dodging traditional network and server-side defenses.

https://go.theregister.com/feed/www.theregister.com/2025/11/25/hashjack_attack_ai_browser_hashtag/

Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack

This blog is intended to share an in-depth analysis of a recent multi-stage attack attributed to the Water Gamayun advanced persistent threat group (APT). Drawing on telemetry, forensic reconstruction, and known threat intelligence, the Zscaler Threat Hunting team reconstructed how a seemingly innocuous web search led to a sophisticated exploitation of a Windows MMC vulnerability, ultimately delivering hidden PowerShell payloads and final malware loaders.

https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack

Study: [EXTERN] tags do not protect against phishing

A large-scale simulation at a German university hospital shows that common protective measures such as [EXTERN] tags fail, while technical filters work.

https://www.heise.de/news/Studie-EXTERN-Tags-schuetzen-nicht-vor-Phishing-11092509.html

How to recognise fake pharmacies such as grazapotheke.com

With the start of the cold season, demand for online pharmacies rises. But alongside reputable providers, dangerous fakes also lurk online. One example is grazapotheke.com, which apparently sells prescription-only medicines without a prescription.

https://www.watchlist-internet.at/news/so-erkennen-sie-fake-apotheken-wie-grazapothekecom/

The Golden Scale: 'Tis the Season for Unwanted Gifts

Unit 42 shares further updates on the cybercrime group Scattered LAPSUS$ Hunters. Secure your organization this holiday season.

https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/

MySQL 8.0 reaches end of support on 30 April 2026

Is another software problem building up in the IT landscape? The open-source database system MySQL is very popular and widely deployed. But MySQL 8.0 reaches end of support on 30 April 2026.

https://www.borncity.com/blog/2025/11/26/mysql-8-0-faellt-am-30-april-2026-aus-dem-support/

Sharjah Police Experiment Exposes How Easily People Fall for Fake QR Codes

A cybersecurity experiment conducted by Sharjah Police has revealed how easily QR codes can mislead individuals, particularly when these codes promise conveniences such as free WiFi. The police placed an unbranded QR code in a public area with a simple message, "Free WiFi", to measure how many people would scan it without verifying its source. The results revealed that 89 members of the public scanned the code without asking who placed it or whether it was legitimate.

https://thecyberexpress.com/free-wifi-qr-code-risk-experiment/

Vulnerabilities

VU#521113: Forge JavaScript library impacted by a vulnerability in signature verification.

The Forge JavaScript library provides TLS-related cryptographic utilities. A vulnerability was identified that allows signature verification to be bypassed through crafted manipulation of ASN.1 structures, particularly in fields such as Message Authentication Code (MAC) data.

https://kb.cert.org/vuls/id/521113

ZDI-25-1019: Arista NG Firewall replace_marker Exposed Dangerous Function Authentication Bypass Vulnerability

This vulnerability allows remote attackers to bypass authentication on affected installations of Arista NG Firewall. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-6979.

http://www.zerodayinitiative.com/advisories/ZDI-25-1019/

Security updates for Wednesday

Security updates have been issued by AlmaLinux (bind, binutils, delve and golang, expat, firefox, haproxy, kernel, libsoup3, libssh, libtiff, openssh, openssl, pam, podman, python-kdcproxy, shadow-utils, squid, thunderbird, vim, xorg-x11-server-Xwayland, and zziplib), Debian (cups-filters, libsdl2, linux-6.1, net-snmp, pdfminer, rails, and tryton-sao), Fedora (chromium, docker-buildkit, docker-buildx, and sudo-rs), Gentoo (librnp), Mageia (webkit2), SUSE (amazon-ssm-agent, buildah, curl, dpdk, fontforge-20251009, kernel, libIex-3_4-33, librnp0, python311, rclone, and sssd), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-aws-6.14, linux-oracle-6.14, linux-aws-fips, linux-fips, linux-gcp-fips, linux-realtime, linux-realtime-6.8, mupdf, openjdk-17, openjdk-8, and openjdk-lts).

https://lwn.net/Articles/1048195/

CISA Releases Seven Industrial Control Systems Advisories

CISA released seven Industrial Control Systems (ICS) Advisories: ICSA-25-329-01 Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt, Share. ICSA-25-329-02 Rockwell Automation Arena Simulation. ICSA-25-329-03 Zenitel TCIV-3+. ICSA-25-329-04 Opto 22 groov View. ICSA-25-329-05 Festo Compact Vision System, Control Block, Controller, and Operator Unit products. ICSA-25-329-06 SiRcom SMART.

https://www.cisa.gov/news-events/alerts/2025/11/25/cisa-releases-seven-industrial-control-systems-advisories

Nvidia DGX Spark, NeMo: Critical vulnerabilities endanger AI hardware and software

Nvidia's AI hardware and software DGX Spark and the NeMo Framework are vulnerable. Security updates close several vulnerabilities. In the worst case, attackers can completely compromise systems after executing malicious code. So far there are no reports of ongoing attacks.

https://heise.de/-11092387