End-of-Day report
Timeframe: Friday 20-02-2026 18:00 - Monday 23-02-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Incident Reporting: EU-Wide Statistics
At the last CSIRTs Network meeting we got treated to a PowerPoint version of the statistics that ENISA publishes under https://ciras.enisa.europa.eu/ The mathematician inside me was not impressed, and as I'm prone to do, I did not withhold my opinion. This blog post explains why I'm so unhappy with ENISA's analysis.
https://www.cert.at/en/blog/2026/2/incident-reporting-eu-wide-statistics
Predator spyware hooks iOS SpringBoard to hide mic, camera activity
US-sanctioned surveillance firm Intellexa developed the Predator commercial spyware and delivered it in attacks that exploited Apple and Chrome zero-day flaws and through 0-click infection mechanisms. [..] The malware does not exploit any iOS vulnerability but leverages previously obtained kernel-level access to hijack system indicators that would otherwise expose its surveillance operation.
https://www.bleepingcomputer.com/news/security/predator-spyware-hooks-ios-springboard-to-hide-mic-camera-activity/
Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls. Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, then used AI to help automate access to other devices on the breached network.
https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/
CarGurus: Have I Been Pwned adds data of 12.5 million customers
Have I Been Pwned has grown by 12.5 million entries from CarGurus users. These were stolen by ShinyHunters. [..] Also included are user account IDs, data from financial pre-checks, dealer accounts and subscription information. Hunt goes on to explain that names, phone numbers, postal addresses and IP addresses as well as the outcome of financing requests are also affected.
https://www.heise.de/news/CarGurus-ShinyHunters-kopieren-Datensaetze-von-12-5-Millionen-Nutzern-11185847.html
'Starkiller' Phishing Service Proxies Real Login Pages, MFA
Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the victim and the legitimate site - forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.
https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/
Hackers Hide Pulsar RAT Inside PNG Images in New NPM Supply Chain Attack
Cybersecurity researchers at Veracode reveal a typosquatting attack that disguises Pulsar RAT as images to bypass Windows security and antivirus programs.
https://hackread.com/hackers-pulsar-rat-png-images-npm-supply-chain-attack/
Roundcube Webmail: attacks on security vulnerabilities under way
The second vulnerability became known shortly before Christmas. It enables cross-site scripting attacks. The flaw affects the processing of the 'animate' tag in SVG files. [..] IT managers should secure their systems by installing at least the bug-fixed versions 1.5.12 and 1.6.12.
https://heise.de/-11185535
SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains
An active Shai-Hulud-like supply chain worm campaign spreads via typosquatting and AI toolchain poisoning, across at least 19 malicious npm packages and linked to two npm aliases. The sample retains Shai-Hulud hallmarks and adds GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API Key harvesting.
https://socket.dev/blog/sandworm-mode-npm-worm-ai-toolchain-poisoning
Vulnerabilities
Pi-hole: update closes security vulnerabilities and delivers more performance
On the one hand, attackers logged in as admin could have abused a 'stored HTML injection' vulnerability to inject HTML code that is rendered when the DNS record table is displayed (CVE-2026-26952, CVSS 5.4, risk 'medium'). On the other hand, this also works on the API settings web page (CVE-2026-26953, CVSS 5.4, risk 'medium').
https://heise.de/-11185637
LWN: Security updates for Monday
https://lwn.net/Articles/1059864/