Daily summary - 16.06.2026

End-of-Day report

Timeframe: Monday 15-06-2026 18:00 - Tuesday 16-06-2026 18:00 Handler: Guenes Holler Co-Handler: n/a

News

ÖIAT study: Over 600,000 fraudulent and problematic ads on Facebook and Instagram

An "analysis of the fraud ecosystem of online advertising on Meta platforms" has produced striking results. Over a period of three months, the research department of the ÖIAT found more than 600,000 fraudulent or otherwise problematic ads on Meta platforms. EU-wide, these ads were served more than 1 billion times, 123 million of them in Austria alone.

https://www.watchlist-internet.at/news/betruegerische-problematische-werbeanzeigen-meta/

Harvested by malware: 124 million new passwords added to HaveIBeenPwned

Cybercriminals frequently harvest credentials with infostealer malware. HaveIBeenPwned has added a large collection of such credentials to its database.

https://www.golem.de/news/mit-malware-erbeutet-124-millionen-neue-passwoerter-bei-haveibeenpwned-2606-209825.html

Windows version of SprySOCKS Linux malware used to attack govt orgs

Windows variants for the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries.

https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs/

Ransomware gang abuses Microsoft Teams relays to hide malicious traffic

DragonForce ransomware used a custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure.

https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/

North Korean Hackers Are Turning Developer Tools Into Malware Delivery Channels

Cybersecurity researchers have flagged two malicious cyber campaigns that exhibit similarities with a persistent North Korean threat cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi). According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes to target nearly 100 organizations in finance, cryptocurrency, education, technology, and several other sectors. The activity has been codenamed UNK_DeadDrop.

https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html

EvilTokens: New phishing campaign gains access with legitimate means

What happens when a phishing attack uses the official infrastructure instead of forging it? EvilTokens marks an evolution of phishing: credentials are no longer stolen; instead, victims are tricked into authorizing legitimate sessions.

https://www.welivesecurity.com/de/cybercrime/eviltokens-neue-phishing-kampagne-verschafft-sich-zugriff-mit-legitimen-mitteln/

Pickle in the Middle - Hijacking Vertex AI Model Uploads for Cross-Tenant RCE

We discovered a vulnerability in the Google Cloud Vertex AI software development kit (SDK) for Python, and responsibly disclosed it to Google. Before Google's fix, the vulnerability would have allowed an attacker operating entirely from their own Google Cloud project to hijack a victim's model upload and poison it. By exploiting this flaw in vulnerable versions of the SDK, an attacker could achieve remote code execution (RCE) within a target's Vertex AI serving infrastructure, with zero initial access to the victim's project.

https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
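Why a poisoned model upload turns into code execution on the serving side, as an added example that is not Unit 42's code and not the Vertex AI SDK: the example assumes the model artifact is a plain Python pickle (the format the advisory's title alludes to), builds a constructed "poisoned" pickle whose __reduce__ hands the loader an attacker-chosen callable (os.getcwd here, harmless, where a real attack would pick os.system or similar), and shows two practitioner defences: a static opcode scan that lists every global the file would import without executing it, and a restricted unpickler that refuses anything outside an allowlist. The class and function names are illustrative, not from any product.

```python
"""Poisoned pickle model: load-time code execution, and two defences.

Added example, not Unit 42's code and not the Vertex AI SDK. Assumes the
model artifact is a plain pickle; all samples below are constructed inline.
"""
import builtins
import io
import os
import pickle
import pickletools

# Globals a plain "weights dict" model legitimately needs. Anything else
# (os.system, subprocess.Popen, a framework's tensor rebuild helper, ...)
# is refused. Extend deliberately per model format; never wildcard.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "float"), ("builtins", "int"),
    ("builtins", "str"), ("builtins", "bytes"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allow-listed (module, name) globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name} from model file")


def safe_load(data: bytes):
    """Deserialise with the allowlist; raises UnpicklingError on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe(data: bytes) -> bool:
    """True if the pickle loads under the allowlist without error."""
    try:
        safe_load(data)
        return True
    except pickle.UnpicklingError:
        return False


def list_globals(data: bytes) -> list[tuple[str, str]]:
    """Static scan: every module.name the pickle would import, found by
    walking opcodes, so nothing is executed. Handles GLOBAL (protocol <= 3)
    and STACK_GLOBAL (protocol 4+), the latter via a heuristic that takes
    the two most recently pushed strings as module and name."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
                       "UNICODE", "STRING", "BINSTRING", "SHORT_BINSTRING"):
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)   # pickletools joins the pair with a space
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found


class PoisonedModel:
    """Constructed stand-in for a tampered artifact. __reduce__ tells pickle
    which callable to invoke at load time; os.getcwd is used so the demo is
    harmless, a real attacker would name os.system or similar."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_samples() -> tuple[bytes, bytes]:
    """Constructed sample artifacts: an honest weights dict and a poisoned one."""
    benign = pickle.dumps({"dense.weight": [0.1, -0.3], "dense.bias": [0.0]},
                          protocol=4)
    poisoned = pickle.dumps(PoisonedModel(), protocol=4)
    return benign, poisoned


def demo() -> dict:
    """Run both loaders over both samples and return what each observed."""
    benign, poisoned = build_samples()
    return {
        # plain pickle.loads executes the embedded callable: the "model"
        # that comes back is simply whatever os.getcwd() returned.
        "unrestricted_poisoned_returns_cwd": pickle.loads(poisoned) == os.getcwd(),
        "benign_globals": list_globals(benign),
        "poisoned_globals": list_globals(poisoned),
        "benign_is_safe": is_safe(benign),
        "poisoned_is_safe": is_safe(poisoned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan runs before any bytes are deserialised and is the cheap gate for an upload pipeline; the restricted unpickler is the backstop at load time. Note that the exported getcwd shows up under the C module it actually lives in (posix on Linux), which is exactly why an allowlist keyed on (module, name) rather than on "os." prefixes is the right shape.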

Plenty of patience: Chinese IT spies lurked in research institutions for a long time

Chinese attackers showed plenty of patience: they settled into Redcap servers but only made full use of that foothold more than a year later.

https://heise.de/-11333355

GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions

The trojanized extensions use TinyGo-compiled WebAssembly and Solana transaction memos to resolve command-and-control infrastructure.

https://socket.dev/blog/glasswasm-malware-open-vsx-extensions?utm_medium=feed

A backdoor in a LinkedIn job offer

Last week, I got a LinkedIn message from a recruiter at a small crypto startup. We exchanged a few messages over a couple of days, she described a broken proof-of-concept they needed a lead engineer for, and then sent me a public GitHub repo to review. Specifically, she asked me to "check out the deprecated Node modules issue." It's not uncommon to ask for a review of an existing codebase, but something felt off and raised an alarm in my head, so I decided to get a bit extra paranoid.

https://roman.pt/posts/linkedin-backdoor/

Critical Fortinet FortiSandbox flaws now exploited in attacks

Attackers are now exploiting several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform, according to threat intelligence company Defused. Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14.

https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandbox-flaws-now-exploited-in-attacks/

Vulnerabilities

Root attacks on Cisco Catalyst SD-WAN Manager and the cPanel plug-in LiteSpeed

Admins who manage Cisco Catalyst SD-WAN Manager or cPanel with the LiteSpeed plug-in should install the available security updates immediately because of ongoing attacks. In the worst case, attackers can gain root access to the systems. To pull that off, however, they first have to clear a few hurdles.

https://www.heise.de/news/Root-Attacken-auf-Cisco-Catalyst-SD-WAN-Manager-und-cPanel-Plug-in-LiteSpeed-11333457.html

LWN Security updates for Tuesday

https://lwn.net/Articles/1078158/

Broken Access Control in syracom AG Secure Login (2FA) for Atlassian Jira / Confluence / Bitbucket

https://sec-consult.com/vulnerability-lab/advisory/broken-access-control-in-syracom-ag-secure-login-2fa-for-atlassian-jira-confluence-bitbucket/

Zyxel security advisory for stack-based buffer overflow vulnerability in GS1900 series switches

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-stack-based-buffer-overflow-vulnerability-in-gs1900-series-switches-06-16-2026