End-of-Day report
Timeframe: Mittwoch 08-10-2025 18:00 - Donnerstag 09-10-2025 18:01
Handler: Guenes Holler
Co-Handler: Felician Fuchs
News
Crimson Collective hackers target AWS cloud instances for data theft
The Crimson Collective threat group has been targeting AWS (Amazon Web Services) cloud environments for the past weeks, to steal data and extort companies.
https://www.bleepingcomputer.com/news/security/crimson-collective-hackers-target-aws-cloud-instances-for-data-theft/
New FileFix attack uses cache smuggling to evade security software
A new variant of the FileFix social engineering attack uses cache smuggling to secretly download a malicious ZIP archive onto a victims system and bypassing security software.
https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-cache-smuggling-to-evade-security-software/
Hacktivists target critical infrastructure, hit decoy plant
A pro-Russian hacktivist group called TwoNet pivoted in less than a year from launching distributed denial-of-service (DDoS) attacks to targeting critical infrastructure.
https://www.bleepingcomputer.com/news/security/hacktivists-target-critical-infrastructure-hit-decoy-plant/
SonicWall: Firewall configs stolen for all cloud backup customers
SonicWall has confirmed that all customers that used the companys cloud backup service are affected by last months security breach.
https://www.bleepingcomputer.com/news/security/sonicwall-firewall-configs-stolen-for-all-cloud-backup-customers/
Sicherheitsleck: Millionen Gästedaten in Hotelsoftware öffentlich einsehbar
In der Hotelsoftware Sihot ließen sich Millionen Gästedaten einsehen. Die Sicherheitslücken sind laut Hersteller aber bereits geschlossen.
https://www.golem.de/news/sicherheitsleck-millionen-gaestedaten-in-hotelsoftware-oeffentlich-einsehbar-2510-200974.html
Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks
Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites.
https://thehackernews.com/2025/10/hackers-exploit-wordpress-themes-to.html
localmind.ai: KI-Sicherheitsvorfall, es ist noch nicht vorbei - Teil 3
Der Sicherheitsvorfall beim KI-Anbieter localmind.ai scheint noch nicht ausgestanden. Der Anbieter schreibt zwar, dass die Kernsysteme der Localmind-Plattform selbst nicht kompromittiert wurden, und man glaubt, die Infrastruktur gesichert zu haben. Es hat aber den Anschein, dass dies nicht ganz zutreffend ist.
https://www.borncity.com/blog/2025/10/09/localmind-ai-ki-sicherheitsvorfall-es-ist-noch-nicht-vorbei-teil-3/
Velociraptor leveraged in ransomware attacks
Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.
https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/
Fake Teams Installers Dropping Oyster Backdoor (aka Broomstick)
Hackers are using fake Microsoft Teams installers found in search results and ads to deploy the Oyster backdoor. Learn how to protect your PC from this remote-access threat.
https://hackread.com/fake-teams-installers-oyster-backdoor-broomstick/
New Chaos-C++ Ransomware Targets Windows by Wiping Data, Stealing Crypto
FortiGuard Labs reveals Chaos-C++, a new Chaos ransomware variant that deletes files over 1.3 GB instead of encrypting them and uses clipboard hijacking to steal cryptocurrency.
https://hackread.com/chaos-c-ransomware-windows-data-crypto/
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand. The actor began sending a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims Oracle E-Business Suite (EBS) environments.
https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation/
SVG Phishing hits Ukraine with Amatera Stealer, PureMiner
FortiGuard Labs recently observed a phishing campaign designed to impersonate Ukrainian government agencies and deliver additional malware to targeted systems. The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments.
https://feeds.fortinet.com/~/925395818/0/fortinet/blogs~SVG-Phishing-hits-Ukraine-with-Amatera-Stealer-PureMiner
Vulnerabilities
Severe Framelink Figma MCP Vulnerability Lets Hackers Execute Code Remotely
Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can send arbitrary system commands.
https://thehackernews.com/2025/10/severe-figma-mcp-vulnerability-lets.html
Update: Schadcode-Lücke bedroht IBM Data Replication VSAM
Angreifer können IBM Data Replication VSAM for z/OS Remote Source attackieren. Nun wurde die Lücke geschlossen.
https://www.heise.de/news/Update-Schadcode-Luecke-bedroht-IBM-Data-Replication-VSAM-10747827.html
Security updates for Thursday
Security updates have been issued by AlmaLinux (gnutls, kernel, kernel-rt, and open-vm-tools), Debian (chromium, python-django, and redis), Fedora (chromium, insight, mirrorlist-server, oci-seccomp-bpf-hook, rust-maxminddb, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, rust-protobuf-support, turbo-attack, and yarnpkg), Oracle (iputils, kernel, open-vm-tools, redis, and valkey), Red Hat (perl-File-Find-Rule and perl-File-Find-Rule-Perl), SUSE (expat, ImageMagick, matrix-synapse, python-xmltodict, redis, redis7, and valkey), and Ubuntu (fort-validator and imagemagick).
https://lwn.net/Articles/1041404/
A Cascade of Insecure Architectures: Axis Plugin Design Flaw Expose Select Autodesk Revit Users to Supply Chain Risk
We discovered Azure Storage Account credentials exposed in Axis Communications- Autodesk Revit plugin, allowing unauthorized modification of cloud-hosted files. This exposure, combined with vulnerabilities in Autodesk Revit, could enable supply-chain attacks targeting end users.
https://www.trendmicro.com/en_us/research/25/j/axis-plugin-flaw-autodesk-revit-supply-chain-risk.html
CISA Releases Four Industrial Control Systems Advisories
CISA released four Industrial Control Systems (ICS) Advisories on October 9, 2025. ICSA-25-282-01 Hitachi Energy Asset Suite, ICSA-25-282-02 Rockwell Automation Lifecycle Services with Cisco, ICSA-25-282-03 Rockwell Automation Stratix and ICSA-25-128-03 Mitsubishi Electric Multiple FA Products.
https://www.cisa.gov/news-events/alerts/2025/10/09/cisa-releases-four-industrial-control-systems-advisories