End-of-Day report
Timeframe: Wednesday 15-10-2025 18:00 - Thursday 16-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Fake LastPass, Bitwarden breach alerts lead to PC hijacks
An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager.
https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-breach-alerts-lead-to-pc-hijacks/
LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets
An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv.
https://thehackernews.com/2025/10/linkpro-linux-rootkit-uses-ebpf-to-hide.html
Scammers are still sending us their fake Robinhood security alerts
A short while ago, our friends at Malwaretips wrote about a text scam impersonating Robinhood, a popular US-based investment app that lets people trade stocks and cryptocurrencies. The scam warns users about supposed "suspicious activity" on their accounts.
https://www.malwarebytes.com/blog/news/2025/10/scammers-are-still-sending-us-their-fake-robinhood-security-alerts
BeaverTail and OtterCookie evolve with a new Javascript module
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea.
https://blog.talosintelligence.com/beavertail-and-ottercookie/
GreyNoise's Recent Observations Around F5
Amid the security incident involving F5 BIG-IP announced on 15 October 2025, GreyNoise is sharing recent insights into activity targeting BIG-IP to aid in defensive posturing.
https://www.greynoise.io/blog/recent-observations-around-f5
DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains
Google Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using "EtherHiding" to deliver malware and facilitate cryptocurrency theft, the first time GTIG has observed a nation-state actor adopting this method. This post is part of a two-part blog series on adversaries using EtherHiding, a technique that leverages transactions on public blockchains to store and retrieve malicious payloads, notable for its resilience against conventional takedown and blocklisting efforts.
https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding/
yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242)
Today is the 8th of November 1996, and we're thrilled to be exploring this new primitive we call Stack-based Buffer Overflows. It's a great time to be alive, especially because we don't have to deal with any of the pain of modern/not-so-modern mitigations. Oh no, wait, it's 2025 and we are still seeing Stack-based Buffer Overflows in enterprise-grade appliances, and of course, lacking mainstream exploit mitigations.
https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/
US researchers eavesdrop on unencrypted satellite communication
US researchers used off-the-shelf equipment to examine data traffic carried over satellites. Much of the data, including security-relevant data, was unencrypted.
https://heise.de/-10767623
Mobile phone spying via SS7: thousands of victims were apparently surveilled
An Austrian-Indonesian company offers surveillance of mobile network customers. No malware is needed for this, but far-reaching network access is.
https://heise.de/-10767347
Vulnerabilities
Gladinet fixes actively exploited zero-day in file-sharing software
Gladinet has released security updates for its CentreStack business solution to address a local file inclusion vulnerability (CVE-2025-11371) that threat actors have leveraged as a zero-day since late September.
https://www.bleepingcomputer.com/news/security/gladinet-fixes-actively-exploited-zero-day-in-file-sharing-software/
Chrome, Firefox and Thunderbird: updates close potential entry points
Updates are available both for Mozilla's Firefox and Thunderbird and for Google's Chrome browser. No critical vulnerabilities were closed, but several flaws rated "High" that cybercriminals could exploit were.
https://www.heise.de/news/Chrome-Firefox-und-Thunderbird-Updates-beseitigen-potenzielle-Einfallstore-10769022.html
Security updates for Thursday
Security updates have been issued by AlmaLinux (kernel and libsoup3), Debian (chromium and firefox-esr), Fedora (httpd), Oracle (cups, ImageMagick, kernel, and vim), Red Hat (libssh), Slackware (samba), SUSE (alloy, exim, firefox-esr, ImageMagick, kernel, libcryptopp-devel, libQt6Svg6, libsoup-3_0-0, libtiff-devel-32bit, lsd, python3-gi-docgen, python311-Authlib, qt6-base, samba, and squid), and Ubuntu (ffmpeg, linux-oracle-6.8, redict, redis, samba, and subversion).
https://lwn.net/Articles/1042330/
CVE-2025-55315: Microsoft kills 9.9-rated ASP.NET Core bug - our highest ever score
Microsoft has patched an ASP.NET Core vulnerability with a CVSS score of 9.9, which security program manager Barry Dorrans said was "our highest ever." The flaw is in the Kestrel web server component and enables security bypass.
https://go.theregister.com/feed/www.theregister.com/2025/10/16/microsoft_aspnet_core_vulnerability/
Samba attackable via critical vulnerability in a specific configuration
With WINS support enabled, attackers can execute commands remotely under certain conditions. Important patches and a workaround are available.
https://heise.de/-10773288
Open PLC and Planet vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.
https://blog.talosintelligence.com/open-plc-and-planet-vulnerabilities/
Phoenix Contact CHARX SEC-3xxx vulnerable to code injection
https://jvn.jp/en/jp/JVN42282226/
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-phone-dos-FPyjLV7A
Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-mime-vulns-tTL8PgVH
Cisco TelePresence Collaboration Endpoint and RoomOS Software Information Disclosure Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-inf-disc-qGgsbxAm
Cisco IOS XE Software Secure Boot Bypass Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secboot-UqFD8AvC
K000156944: Intel vulnerability CVE-2025-20093
https://my.f5.com/manage/s/article/K000156944