End-of-Day report
Timeframe: Friday 07-11-2025 18:00 - Monday 10-11-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
News
Malicious NuGet packages drop disruptive time bombs
Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices.
https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-drop-disruptive-time-bombs/
ClickFix Campaign Targets Hotels, Spurs Secondary Customer Attacks
Attackers compromise hospitality providers with an infostealer and RAT malware and then use stolen data to launch phishing attacks against customers via both email and WhatsApp.
https://www.darkreading.com/cyberattacks-data-breaches/clickfix-targets-hotels-secondary-customer-attacks
Secure boot certificate rollover is real but probably won't hurt you
LWN wrote an article which opens with the assertion "Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September". This is, depending on interpretation, either misleading or just plain wrong, but also there's not a good source of truth here, so.
https://mjg59.dreamwidth.org/72892.html
Whisper Leak: A novel side-channel attack on remote language models
Microsoft has discovered a side-channel attack on language models which allows an adversary observing the network traffic to infer the topic of a conversation with the model, even though the traffic is encrypted.
https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/
Honeypot: Requests for (Code) Repositories
This is just a quick diary entry to report that I saw requests on my honeypot for (code) repositories.
https://isc.sans.edu/diary/rss/32460
Slot Gacor: The Rise of Online Casino Spam
Online casino spam has been without a doubt one of the most prevalent types of spam content that we've seen on infected websites in recent years. An extremely common method of promoting low-quality or otherwise undesirable websites is for spammers to hack websites and fill them full of backlinks to pump their SEO.
https://blog.sucuri.net/2025/11/slot-gacor-the-rise-of-online-casino-spam.html
Allianz UK joins growing list of Clop's Oracle E-Business Suite victims
Insurance giant's UK arm says cybercriminals misattributed the real victim. Allianz UK confirms it was one of the many companies that fell victim to the Clop gang's Oracle E-Business Suite (EBS) attack after the crims reported that they had attacked a subsidiary.
www.theregister.com/2025/11/10/allianz_uk_joins_growing_list/
Watchguard Firebox: Risk from default admin password
Watchguard ships its Firebox firewalls with default passwords. Attackers can use them to obtain admin rights with little effort.
https://www.heise.de/news/Watchguard-Firebox-Gefaehrdung-durch-Standardpasswort-fuer-Admin-11072045.html
Drilling Down on Uncle Sam's Proposed TP-Link Ban
The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say that while the proposed ban may have more to do with TP-Link's ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.
https://krebsonsecurity.com/2025/11/drilling-down-on-uncle-sams-proposed-tp-link-ban/
Topping up your mobile credit? Beware of the fake HoT website
A new scam is currently targeting customers of the mobile operator HoT. A deceptively genuine-looking website has appeared online that claims to provide HoT's official top-up service. Anyone who tries to top up their mobile or WLAN credit there risks handing their credit card details to criminals.
https://www.watchlist-internet.at/news/handy-guthaben-aufladen-vorsicht-vor-gefaelschter-hot-website/
Hack halts Dutch broadcaster, forcing radio hosts back to LPs
A Dutch TV and radio broadcaster has found itself at the mercy of cybercriminals after suffering a cyber attack, and leaving it scrambling to find ways to play music to its listeners. Read more in my article on the Hot for Security blog.
https://www.bitdefender.com/en-us/blog/hotforsecurity/hack-halts-dutch-broadcaster-forcing-radio-hosts-back-to-lps
Don't call it Cyber Command 2.0: Master plan for digital forces will take years to implement
The latest model for improving U.S. Cyber Command is circulating at the Pentagon. Some of the initiatives will spill into the next decade - an approach that is sure to create friction on Capitol Hill and beyond.
https://therecord.media/revised-cyber-command-master-plan-dod-pentagon
Short-term renewal of cyber information sharing law appears in bill to end shutdown
An expired 2015 law that gives companies liability protection when they share cyberthreat information with the federal government would be renewed through January 30 under Senate legislation to end the government shutdown.
https://therecord.media/cisa-2015-information-sharing-law-renewal-bill-ending-shutdown
Russian missile barrage disrupts internet, customs databases in Ukraine
Emergency blackouts lasting up to 12 hours were introduced following the attack, with Kyiv and other regions facing widespread internet and communication outages, according to internet watchdog NetBlocks.
https://therecord.media/russian-missile-barrage-disrupts-internet-ukraine
Phishing campaign targets executives
Recently, executives and senior managers across a range of industries appear to have come increasingly into the crosshairs of cybercriminals, who use phishing emails to trick the recipients into handing over data.
https://www.borncity.com/blog/2025/11/08/phishing-kampagne-zielt-auf-fuehrungskraefte/
No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480
Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet's Triofox file-sharing and remote access platform. This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads.
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/
EU wants to water down the GDPR - not just for cookie banners
The "digital omnibus" planned by the EU Commission would weaken existing data protection rights. Among other things, it concerns cookies and the training of AI systems.
https://heise.de/-11071630
The state of the Rust dependency ecosystem
Over the past few days, I analyzed over 200,000 crates from crates.io to uncover patterns in maintenance, developer engagement, security, and overall ecosystem health. The results: a mix of fascinating insights, concerning trends, and reasons for optimism.
https://00f.net/2025/10/17/state-of-the-rust-ecosystem/
Balancer hack analysis and guidance for the DeFi ecosystem
On November 3, 2025, attackers exploited a vulnerability in Balancer v2 to drain more than $100M across nine blockchain networks. The attack targeted a number of Balancer v2 pools, exploiting a rounding direction error.
https://blog.trailofbits.com/2025/11/07/balancer-hack-analysis-and-guidance-for-the-defi-ecosystem/
Vulnerabilities
QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own
QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.
https://www.bleepingcomputer.com/news/security/qnap-fixes-seven-nas-zero-day-vulnerabilities-exploited-at-pwn2own/
Security vulnerabilities in runc: Attackers can break out of Docker containers
Administrators should be careful about which Docker images they use. Attackers can gain root access to the host system.
https://www.golem.de/news/sicherheitsluecken-in-runc-angreifer-koennen-aus-docker-containern-ausbrechen-2511-202019.html
runC Container Escape Vulnerabilities
High-severity vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were disclosed in early November 2025. A malicious or compromised container image can abuse how runc handles masked paths, bind-mounts, and special files to write to the host /proc filesystem and escape the container boundary - enabling remote code execution on the host, persistence, or cluster-wide denial-of-service. These issues affect virtually all Linux container stacks that use runc (Docker, containerd, CRI-O, Kubernetes, and managed services).
https://fortiguard.fortinet.com/threat-signal-report/6248