End-of-Day report
Timeframe: Mittwoch 10-09-2025 18:00 - Donnerstag 11-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
News
New VMScape attack breaks guest-host isolation on AMD, Intel CPUs
A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs.
https://www.bleepingcomputer.com/news/security/new-vmscape-attack-breaks-guest-host-isolation-on-amd-intel-cpus/
K2 Think AI Model Jailbroken Mere Hours After Release
Researchers discovered that measures designed to make AI more transparent to users and regulators can also make it easier for bad actors to abuse.
https://www.darkreading.com/application-security/k2-think-llm-jailbroken
Ordner öffnen reicht: Beliebter KI-Code-Editor führt automatisch Schadcode aus
Wer den KI-Code-Editor Cursor verwendet, sollte beim Öffnen fremder Repos vorsichtig sein. Es kann unbemerkt Malware ausgeführt werden.
https://www.golem.de/news/ordner-oeffnen-reicht-beliebter-ki-code-editor-fuehrt-automatisch-schadcode-aus-2509-199986.html
Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts
Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles.
https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html
Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacks
Affiliates of the Akira ransomware gang are again exploiting a critical SonicWall vulnerability abused last summer, after a suspected zero-day flaw actually turned out to be related to a year-old bug.
https://go.theregister.com/feed/www.theregister.com/2025/09/10/akira_ransomware_abusing_sonicwall/
Beijing went to EggStreme lengths to attack Philippines military, researchers say
-EggStreme- framework looks like the sort of thing Beijing would find handy in its ongoing territorial beefs Infosec outfit Bitdefender says it-s spotted a strain of in-memory malware that looks like the work of Chinese advanced persistent threat groups that wanted to achieve persistent access at a -military company- in the Philippines.
https://go.theregister.com/feed/www.theregister.com/2025/09/11/eggstreme_malware_china_philippines/
Technical Analysis of kkRAT
Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, which has been active since early May 2025. The campaign delivers three types of malware: ValleyRAT, FatalRAT, and a new Remote Access Trojan (RAT) that ThreatLabz named kkRAT.
https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat
The Great NPM Heist - September 2025
On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer-s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages.
https://blog.checkpoint.com/crypto/the-great-npm-heist-september-2025/
Global Cyber Threats August 2025: Agriculture in the Crosshairs
In August 2025, the global cyber threat landscape presented a complex interplay of stability and alarming new challenges. Organizations around the world confronted an average of nearly 2,000 cyber attacks each week-a slight 1% decrease from July but a stark 10% rise compared to the same month last year.
https://blog.checkpoint.com/research/global-cyber-threats-august-2025-agriculture-hit-hard/
How the Infamous APT 1 Report Exposing China-s PLA Hackers Came to Be
This is the first in a series of pieces I-ll publish that take an in-depth look at significant events, people and cases in security and surveillance from the past.
https://www.zetter-zeroday.com/how-the-infamous-apt-1-report-exposing-chinas-pla-hackers-came-to-be/
CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic
The CyberVolk ransomware, which first emerged in May 2024, has been launching attacks on public institutions and key infrastructures of various countries, posing a continuous threat. The ransomware is particularly notable for its pro-Russia nature, as it primarily targets anti-Russian countries, making it a geopolitically significant cyber threat.
https://asec.ahnlab.com/en/90077/
Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis
BlackNevas has been continuously launching ransomware attacks against companies in various industries and countries, including South Korea. This post provides a technical analysis on the characteristics, encryption methods, and reasons why BlackNevas encrypts files in a way that makes them impossible to decrypt.
https://asec.ahnlab.com/en/90080/
New Fileless Malware Attack Uses AsyncRAT for Credential Theft
LevelBlue Labs reports AsyncRAT delivered through a fileless attack chain using ScreenConnect, enabling credential theft and persistence.
https://hackread.com/fileless-malware-attack-asyncrat-credential-theft/
CISA Presents Vision for the Common Vulnerabilities and Exposures (CVE) Program
Agency Unveils Upcoming Program Enhancements: Strengthening Partnerships, Modernization, Transparency and Elevating Data Quality and Responsiveness.
https://www.cisa.gov/news-events/news/cisa-presents-vision-common-vulnerabilities-and-exposures-cve-program
Vulnerabilities
Cisco IOS XR ARP Broadcast Storm Denial of Service Vulnerability
A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of service (DoS) condition on an affected device.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-arp-storm-EjUU55yM
DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb-s packages that included malicious code to interfere with cryptocoin transactions.
https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c
Security updates for Thursday
Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).
https://lwn.net/Articles/1037777/
Unauthentifizierte SQL Injection Schwachstelle im Shibboleth Service Provider (SP) (ODBC Interface)
SEC Consult hat eine unauthentifizierte SQL-Injection-Schwachstelle im Shibboleth Service Provider (SP) in der ODBC Schnittstelle identifiziert, die ein Angreifer ausnutzen könnte, um beliebige Datensätze aus der Datenbank mit den Rechten des Datenbankbenutzers auszulesen.
https://sec-consult.com/de/vulnerability-lab/advisory/unauthentifizierte-sql-injection-schwachstelle-im-shibboleth-service-provider-sp-odbc-interface/