sig9.ch

sig9.ch

Teilen

Kontaktinformationen, Karte und Wegbeschreibungen, Kontaktformulare, Öffnungszeiten, Dienstleistungen, Bewertungen, Fotos, Videos und Ankündigungen von sig9.ch, IT-Unternehmen, Zürich.

sig9 is an IT and cybersecurity consulting firm specialized in secure software engineering, pe*******on testing, code audits, blockchain systems, and the design of security-critical processes.

12/06/2026

Hacker Wars - June 12, 2026

Your daily dose of infosec chaos

---

Friday's serving up a buffet of breaches, zero-days, and creative new ways to abuse government infrastructure. From ShinyHunters going after university data to someone gaming Maine's breach portal with fake disclosures, it's been a busy 24 hours. Oh, and a Japanese energy company literally lost a hard drive with 10.9 million customer records. Physical security, folks. It still matters.

---

ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach Universities

The ShinyHunters extortion gang has been exploiting an unpatched Oracle PeopleSoft flaw (CVE-2026-35273) to break into enterprise systems and steal data, with universities bearing the brunt of the campaign. Google's Mandiant tracked the activity to a group they call UNC6240, dating attacks back several months. Oracle has quietly mitigated the issue but hasn't publicly confirmed in-the-wild exploitation.

**What to do:** If you run PeopleSoft, check Oracle's advisory immediately and apply mitigations. Monitor for unusual data exfiltration patterns and review access logs going back to early 2026.

---

Over 73,000 French Govt Employees Affected in Tchap Messenger Breach

The French government confirmed that its Tchap encrypted messaging platform was breached, exposing accounts of over 73,000 public sector employees. Tchap was designed as a secure alternative to consumer messaging apps for government communications, which makes this breach particularly ironic. The full scope of what was accessed is still being assessed.

**What to do:** If your organization uses custom or government-grade messaging platforms, audit their security posture and ensure end-to-end encryption is actually end-to-end. Assume metadata is always at risk.

---

Maine Breach Portal Abused to Publish Fake Data Breach Disclosures

In a creative twist on the misinformation playbook, someone submitted fraudulent data breach notifications to Maine's official breach disclosure portal. The fake entries were published before verification, forcing multiple companies to publicly deny breaches they never suffered. It's a new vector: weaponizing legitimate disclosure infrastructure to cause reputational damage.

**What to do:** Monitor breach disclosure portals relevant to your industry for unauthorized mentions of your organization. Have a communications plan ready for breach denial scenarios, even fake ones.

---

Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs

Europol announced the takedown of AudiA6, a cryptocurrency laundering service that served as a key financial pipeline for ransomware groups and cybercriminal networks. The service allegedly helped wash hundreds of millions in illicit profits. This is another hit to the cybercrime-as-a-service ecosystem, though we all know another mixer will pop up by lunchtime.

**What to do:** If you're tracking threat actor infrastructure, update your IOCs. Organizations paying ransoms should note that crypto tracing capabilities are improving, which is yet another reason not to pay.

---

Japanese Energy Firm Loses Drive With Data of 10.9 Million Clients

Kyushu Electric Power Co. disclosed that a physical hard drive containing personal data of 10.9 million customers went missing. Not a sophisticated cyberattack, not a zero-day, just a lost drive. In 2026, one of Japan's largest energy providers managed to misplace a storage device with more records than some countries have people.

**What to do:** Encrypt everything at rest. If a drive walks out the door, the data should be useless without the key. Also, maybe track your hardware assets better.

---

Catch you tomorrow. In the meantime, go check your attack surface.

---

Brought to you by sig9 - http://sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

11/06/2026

Hacker Wars - June 11, 2026

Your daily dose of infosec chaos

---

Thursday is serving up the usual mix: a 450k-record university breach, two more actively exploited CVEs to patch before the weekend, and GitHub finally turning off the thing attackers love most about npm. Patch early, patch often.

---

GitHub Pulls The Plug On Npm Install Scripts

With Npm 12, GitHub is disabling install scripts by default because attackers keep abusing postinstall hooks to drop miners, stealers, and backdoors the moment you run npm install. This is a meaningful shift for the ecosystem, even if it is going to break a lot of perfectly innocent packages along the way. Supply chain defenders finally get a default that does not assume every maintainer is trustworthy.

**What to do:** Prepare for breakage in your builds, audit which of your dependencies rely on install scripts, and document any you explicitly need to re-enable.

---

Ivanti Sentry Max Severity Flaw Now Under Active Exploitation

Attackers are hitting a max-severity vulnerability in Ivanti Sentry, the secure mobile gateway product, giving them root-level code ex*****on on internet-exposed instances. Ivanti has shipped a patch but the exploitation window tells you everything you need to know about exposure. If you run Sentry on a public IP and have not patched yet, you are behind.

**What to do:** Patch Ivanti Sentry immediately, hunt for indicators of compromise on the appliance, and review any internet-facing management interfaces for signs of abuse.

---

Nottingham University Breach Leaks 450,000 Student Records

ShinyHunters has taken credit for a breach of the University of Nottingham, dumping more than 450,000 email addresses plus additional personal data from current students and alumni. Universities continue to be soft targets: large user bases, sprawling third-party integrations, and security budgets that would not cover a Zurich coffee budget. Expect a wave of credential-stuffing and phishing follow-on activity.

**What to do:** Rotate credentials for anyone with a university-affiliated account, enable MFA everywhere, and warn users to expect targeted phishing tied to their .ac.uk address.

---

Microsoft Finally Patches Exploited Exchange Server Zero Day

Microsoft has fixed CVE-2026-42897, an Exchange Server flaw that was disclosed as under active zero-day exploitation back on May 14. The "Patch Tuesday will catch up eventually" strategy is not a strategy, it is a coin flip, and this one landed attacker-favoured. Anyone running on-prem Exchange should be treating this as urgent and not waiting for the next cumulative update.

**What to do:** Apply the June update to all on-prem Exchange servers today, hunt for web shells and suspicious mailbox activity from the past 30 days, and consider moving the rest of your mail flow to a managed cloud provider.

---

Langflow Path Traversal Flaw Lets Attackers Write Files On Your Box

CVE-2026-5027, a high-severity path traversal bug in the AI development platform Langflow, is being actively exploited to drop arbitrary files on exposed servers. Langflow instances tend to live on developer laptops and internal hosts that are rarely hardened, which turns a file-write primitive into a much bigger problem very quickly. If your team is using Langflow to wire up LLM pipelines, assume your dev box is interesting to attackers.

**What to do:** Update Langflow to the patched version, restrict network access to the Langflow UI, and review exposed instances for unexpected files in the application directories.

---

Stay paranoid, stay patched, and have a good one.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

09/06/2026

Hacker Wars - June 09, 2026

Your daily dose of infosec chaos

---

Happy Tuesday. If you were hoping for a quiet start to the week, sorry to disappoint - today's lineup features VPN zero-days, Chrome getting pwned for the fifth time this year, and AI tools being weaponized for unauthenticated RCE. Grab your coffee, it's going to be a long one.

Check Point VPN Zero-Day Gets CISA's Emergency Treatment

A critical authentication bypass in Check Point's Remote Access VPN lets attackers connect without a valid password - and Qilin ransomware affiliates are already exploiting it in the wild. CISA has given federal agencies just 3 days to patch, which is basically the cybersecurity equivalent of "drop everything and fix this NOW."

**What to do:** Patch your Check Point VPN and Mobile Access deployments immediately. If you can't patch yet, disable remote access until you can.

---

Chrome Catches Its Fifth Zero-Day of 2026

Google pushed emergency updates for CVE-2026-11645, a vulnerability actively exploited in the wild - making it the fifth Chrome zero-day patched this year. We're not even halfway through 2026 and Chrome is speedrunning the zero-day leaderboard.

**What to do:** Update Chrome to the latest version now. If you're managing enterprise browsers, push the update through your MDM before lunch.

---

LiteLLM AI Tool Chains Bugs Into Unauthenticated RCE

CVE-2026-42271 (CVSS 8.7) in BerriAI's LiteLLM - a popular AI model routing tool - has been added to CISA's KEV catalog after active exploitation was confirmed. The flaw chains command injection with other weaknesses to achieve unauthenticated remote code ex*****on. Your AI infrastructure is now an attack surface. Surprise.

**What to do:** Audit your LiteLLM deployments and patch immediately. If you're running AI tools in production, treat them with the same security rigor as any other internet-facing service.

---

Silent Ransom Group Gets Physical With Law Firms

The Silent Ransom Group is hitting US law firms with a creative combo of vishing, IT helpdesk impersonation, and - wait for it - actually showing up in person at offices to steal data. When your threat model includes someone walking into your building pretending to be IT support, you know things have escalated.

**What to do:** Implement strict visitor verification procedures and train staff to verify IT support identities through out-of-band channels. No, the guy with a clipboard and a confident smile is not from your MSP.

---

NFCShare Malware Sneaks Onto Android via GitHub

New variants of the NFCShare Android malware are being distributed as fake banking app updates hosted on GitHub. Attackers are banking on users trusting "official-looking" update links, and honestly, it's working. Supply chain attacks via trusted platforms are the gift that keeps on giving.

**What to do:** Only update banking apps through official app stores. If your bank sends you an update link via SMS or email, verify it independently before tapping.

---

Catch you tomorrow. In the meantime, go check your attack surface.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

08/06/2026

Hacker Wars - June 08, 2026

Your daily dose of infosec chaos

---

Monday kicks off with a bang: threat actors are showing up at your office door, SolarWinds is back in the spotlight (yes, again), and your VS Code extensions just got a speed bump. Grab your coffee and let's dive in.

---

Hacker Group Shows Up At Your Door And On The Phone

Google Mandiant just dropped details on UNC3753, a financially motivated crew that combines vishing with actual physical break-ins to steal data and extort U.S. organizations. They hit professional services, law firms, and financial companies between January and May 2026, proving that sometimes the threat model really does include a guy in a polo shirt talking his way past reception.

**What to do:** Train front desk staff on social engineering, verify all "vendor" and "IT support" visits, and include physical intrusion scenarios in your incident response playbook.

---

SolarWinds Serv-U Flaw Actively Exploited, No Patch Yet

SolarWinds disclosed a vulnerability in Serv-U that lets unauthenticated attackers crash the service with a crafted POST request. The flaw is already being exploited in the wild, and while SolarWinds is working on a fix, you are currently on your own. The good news: it is a DoS, not RCE. The bad news: if your file transfer service goes down at 3am, your SOC will not be having fun.

**What to do:** Monitor Serv-U logs for unusual POST requests, restrict network access to the service, and watch for the patch.

---

VS Code Now Delays Extension Updates By Two Hours

Microsoft is adding a mandatory two-hour delay before VS Code auto-updates extensions, a direct response to the wave of supply chain attacks targeting the extension marketplace. Attackers had been pushing malicious updates that would propagate instantly to millions of developers. The delay gives security teams a window to catch poisoned packages before they hit production dev machines.

**What to do:** Keep auto-updates enabled but review your installed extensions regularly. Consider pinning critical toolchain extensions to known-good versions.

---

OpenAI Adds Active Sessions And Lockdown Mode To ChatGPT

OpenAI is rolling out new account security features for ChatGPT, including active session management and a "Lockdown Mode" that restricts account recovery options. This comes after a string of account takeover incidents targeting users with sensitive conversations stored in their chat history. If your SOC team has been dumping threat intel into ChatGPT, this one is for you.

**What to do:** Enable Lockdown Mode if available, review active sessions, and remember that LLM chat history is a data loss vector.

---

C0XMO Botnet Targets DD-WRT Routers, Eliminates Competition

A new Gafgyt variant called C0XMO is spreading through vulnerabilities in DD-WRT router firmware, supporting multiple CPU architectures. What makes it interesting: it actively kills rival malware on infected devices, claiming exclusive ownership of compromised routers. The botnet operators are running a hostile takeover of your IoT fleet.

**What to do:** Update DD-WRT firmware to the latest version, change default credentials on all routers, and segment IoT devices from your main network.

---

That's the chaos for today. Stay sharp out there.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

03/06/2026

Hacker Wars - June 03, 2026

Your daily dose of infosec chaos

---

Happy Wednesday. If your dev team lives in VS Code, today's zero-day should get your attention - researchers just dropped exploit code that can steal GitHub tokens with a single click. Meanwhile, WordPress admins are getting hijacked again and a phishing-as-a-service kit is expanding faster than your attack surface.

---

VS Code Zero-Day Steals GitHub Tokens With One Click

A researcher published exploit code for a Visual Studio Code vulnerability that lets attackers steal GitHub authentication tokens simply by getting a user to click a crafted link. The flaw abuses VS Code's handling of URI schemes, and since GitHub tokens grant access to repos, CI/CD secrets, and private code, this is basically a skeleton key for your entire development workflow. The exploit is now public, so expect opportunistic attacks.

**What to do:** Update VS Code immediately. Rotate any GitHub tokens that may have been exposed. Consider using short-lived tokens and GitHub's fine-grained personal access tokens to limit blast radius.

---

Kirki Plugin Flaw Hands WordPress Admins to Attackers

A critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki WordPress plugin is being actively exploited in the wild, allowing unauthenticated attackers to take over any account - including administrators. If your WordPress site runs Kirki, assume compromise and act accordingly. Another day, another WordPress plugin turning your admin panel into a public resource.

**What to do:** Update the Kirki plugin to the patched version immediately. If you can't update right now, disable the plugin. Check your WordPress user list for any accounts you don't recognize and audit recent admin activity.

---

WeedHack Malware Infects 116,000 Minecraft Systems

A malware campaign dubbed WeedHack has been quietly infecting Minecraft players since January, with over 116,000 systems compromised. The campaign targets players through malicious mods and cheat tools - because nothing says "free diamonds" like a remote access trojan. If your kids (or employees) are downloading Minecraft mods from random Discord servers, you might want to have a conversation.

**What to do:** Run a full malware scan on any system where Minecraft mods have been installed. Educate younger users about the risks of downloading mods from unofficial sources. Consider application whitelisting on shared family or corporate machines.

---

Kali365 Phishing Kit Expands Beyond Microsoft 365

The FBI-flagged phishing-as-a-service platform Kali365 has broadened its targeting scope beyond Microsoft 365 to include AWS, Okta, and even Russian platforms. The kit now relies heavily on device code phishing - a technique that abuses legitimate authentication flows to bypass MFA. This is PhaaS evolving faster than most orgs can patch their awareness training.

**What to do:** Train users to recognize device code authentication prompts they didn't initiate. Implement conditional access policies that flag unusual authentication patterns. Block known Kali365 infrastructure at your email gateway.

---

Until next time, may your logs be clean and your alerts be false positives.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

02/06/2026

Hacker Wars - June 02, 2026

Your daily dose of infosec chaos

---

Happy Tuesday. If you thought AI support bots were just for answering FAQ questions, think again - this week kicks off with attackers weaponizing Meta's own AI to hijack high-profile Instagram accounts. Add a supply chain attack on Red Hat's npm packages and some creative C2 hiding in Steam profiles, and you've got yourself a proper Tuesday morning wake-up call.

---

Meta's AI Support Bot Hijacks Instagram Accounts

Attackers figured out how to social-engineer Meta's AI support assistant into resetting account credentials, briefly hijacking the Instagram accounts for the Obama White House and the U.S. Space Force's Chief Master Sergeant. Pro-Iranian messages and images were posted before the accounts were recovered. The technique spread via Telegram tutorials, proving that AI customer support is now an attack surface.

**What to do:** Enable hardware-based MFA on all social media accounts. If your org manages high-profile accounts, review Meta's account recovery policies and consider dedicated account protection programs.

---

Red Hat npm Packages Hit by Supply Chain Attack

Over 30 npm packages under Red Hat's -cloud-services namespace were compromised, distributing a new credential-stealing malware variant called "Miasma." This is a supply chain attack targeting developers who trust official-looking package namespaces. If your CI/CD pipeline pulls from Red Hat's npm scope, you might have had a bad weekend.

**What to do:** Audit your dependencies for -cloud-services packages and check for indicators of compromise. Pin package versions and use lockfiles. Consider running npm audit in your pipelines.

---

Dashlane Users Locked Out After Brute Force Campaign

Multiple Dashlane users found themselves locked out of their password manager accounts after attackers launched brute-force login attempts from various locations and unknown devices. The irony of a password manager getting hit with credential stuffing attacks is not lost on anyone.

**What to do:** Enable 2FA on your password manager (yes, even password managers need a second factor). Use a strong, unique master password that isn't reused anywhere else.

---

WordPress Malware Hides C2 in Steam Profiles

Nearly 2,000 WordPress sites were infected with malware that uses Steam Community profile comments as a covert command-and-control channel. By hiding C2 instructions in plain sight on gaming profiles, the malware blends into normal web traffic and avoids traditional detection. Clever and annoying.

**What to do:** Keep WordPress core, themes, and plugins updated. Monitor outbound connections from your WordPress hosts. If you see unexpected Steam API calls, investigate immediately.

---

ClickFix and FakeUpdate Campaigns Hit Thousands of Sites

A threat actor dubbed DriveSurge is running large-scale malware distribution through compromised websites, using ClickFix fake error pages and FakeUpdate browser update prompts to trick users into downloading payloads. Thousands of sites are participating in this campaign, most of them unknowingly.

**What to do:** Educate users about fake browser update prompts and "fix this error" social engineering. Deploy web content filtering and keep endpoint protection updated.

---

Catch you tomorrow. In the meantime, go check your attack surface.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

01/06/2026

Hacker Wars - June 01, 2026

Your daily dose of infosec chaos

---

It's a triple threat Monday: VPN authentication bypasses, Linux kernel privilege escalation, and WordPress plugin takeovers. If your patching backlog was already giving you anxiety, this isn't going to help. Grab a coffee and check your attack surface.

---

Palo Alto GlobalProtect VPN Auth Bypass Under Active Exploitation

Palo Alto Networks confirmed that CVE-2026-0257, an authentication bypass in PAN-OS GlobalProtect, is now being actively exploited to breach corporate networks. Attackers are leveraging the flaw to bypass VPN authentication entirely, essentially walking through the front door without a key. If your org relies on Palo Alto for remote access, this is a five-alarm fire.

**What to do:** Patch PAN-OS immediately. If you can't patch yet, restrict GlobalProtect portal access to trusted IPs and enable MFA as a temporary band-aid.

---

CIFSwitch Linux Kernel Flaw Grants Root on Multiple Distros

A new local privilege escalation vulnerability dubbed CIFSwitch lets attackers forge CIFS authentication key descriptions and abuse the Linux kernel's key request mechanism to gain root. The flaw affects multiple distributions and is particularly nasty because it leverages a fundamental kernel subsystem. Local attackers can go from unprivileged user to full root with a single exploit.

**What to do:** Monitor for kernel patches from your distro vendor. Restrict CIFS module loading if possible and audit who has local access to your Linux boxes.

---

WP Maps Pro Plugin Bug Lets Attackers Create Admin Accounts

Hackers are actively exploiting a vulnerability in the WP Maps Pro WordPress plugin to create rogue administrator accounts on affected sites - no authentication required. The unauthenticated admin creation flaw means any attacker can waltz in and take full control of vulnerable WordPress installations. If you're running WP Maps Pro, assume compromise until proven otherwise.

**What to do:** Update WP Maps Pro to the latest version immediately. Check your WordPress user list for suspicious admin accounts and audit your site for backdoors.

---

That's all for now. Patch your stuff and don't click suspicious links.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

26/05/2026

Hacker Wars - May 26, 2026

Your daily dose of infosec chaos

---

Retail breaches, Iranian APTs still hunting after military strikes, and LMS zero-days getting exploited in the wild. Another Monday in infosec where "patch everything" is starting to sound less like advice and more like a survival strategy.

---

7-Eleven Breach Hits 185,000 Customers

ShinyHunters leaked data from 7-Eleven, exposing names, email addresses, physical addresses, and dates of birth of roughly 185,000 people. The breach came through a third-party partner repository, which is corporate-speak for "our vendor got popped and we inherited the mess." If you have a 7-Eleven account, assume your PII is out there.

**What to do:** Change passwords on any 7-Eleven linked accounts and watch for targeted phishing using your leaked personal details.

---

Iranian APT Nimbus Manticore Hits Aviation and Software

The Iranian threat group Nimbus Manticore has been quietly targeting aviation and software companies with refreshed tooling, and notably kept operating through and after the US military campaign against Iran. These folks don't take days off, apparently. The updated toolkit suggests they're investing in staying ahead of detection.

**What to do:** If you're in aviation or defense-adjacent software, review your network segmentation and check IOCs from recent Nimbus Manticore reports.

---

Microsoft Defender Gets Auto-Isolation for Compromised Endpoints

Microsoft is rolling out a feature in Defender for Endpoint that automatically isolates compromised machines from the network. The idea is to cut off lateral movement before attackers can pivot, essentially giving your SOC a robot that slams the network door shut without waiting for a human to approve the JIRA ticket.

**What to do:** Evaluate this capability in your Defender for Endpoint deployment and plan your isolation policies before enabling it in production.

---

KnowledgeDeliver Zero-Day Leads to Godzilla Web Shells

Attackers exploited a zero-day in KnowledgeDeliver LMS to deploy Godzilla web shells and Cobalt Strike beacons on vulnerable servers. LMS platforms are often overlooked in patch cycles because nobody thinks the training portal is interesting to attackers. Spoiler: they're wrong.

**What to do:** Audit your KnowledgeDeliver deployments immediately, check for unexpected web shells, and restrict internet-facing LMS instances.

---

Dutch Police Seize 800 Servers From Bulletproof Hosting Providers

Netherlands law enforcement arrested two administrators and seized 800 servers from a bulletproof hosting operation that had been providing infrastructure to Russian cybercriminal groups. The service was essentially an Airbnb for malware operators. This won't stop the threat actors, but it does mean they need to find new real estate.

**What to do:** Check if any of your threat intel feeds have updated blocklists with the seized infrastructure and update your defenses accordingly.

---

That's the chaos for today. Stay sharp out there.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

22/05/2026

Hacker Wars - May 22, 2026

Your daily dose of infosec chaos

---

Zero-days, SQLi, and APTs, oh my. Today's roundup is a buffet of "patch it yesterday" moments, plus a nice law enforcement win to remind you that botmasters do eventually get caught. Grab your coffee and let's dive in.

---

Trend Micro Apex One Zero-Day Under Active Exploitation

Trend Micro confirmed that attackers are actively exploiting a zero-day vulnerability in their Apex One endpoint protection product on Windows. The flaw allows code ex*****on on affected systems, which is exactly what you don't want from your security software. Patches are out now, so stop reading and go apply them.

**What to do:** Update Apex One immediately. If you can't patch yet, check Trend Micro's advisory for interim mitigations and monitor for IOCs.

---

Drupal Sites Under Fire From Critical SQL Injection

Drupal dropped a "highly critical" SQL injection advisory earlier this week, and attackers are already scanning for vulnerable installations. SQLi in a CMS is classic but devastating, it can lead to full database dumps, admin account takeover, and lateral movement. If you're running Drupal and haven't patched, your site is probably already being probed.

**What to do:** Apply the Drupal security update now. Review your database logs for suspicious queries and audit any exposed admin accounts.

---

Ubiquiti Ships Emergency Patches For Three Max-Severity UniFi Flaws

Ubiquiti patched three vulnerabilities in UniFi OS that all carry the maximum CVSS score of 10.0. The best part? They're remotely exploitable with zero authentication. If you're running UniFi gear in your network, these are the kind of bugs that keep pe*******on testers up at night, and attackers up even later.

**What to do:** Update UniFi OS to the latest version immediately. If you can't patch, restrict management access to trusted networks only.

---

KimWolf Botmaster Busted In Joint U.S.-Canada Operation

Authorities in the U.S. and Canada arrested a 23-year-old Ottawa man accused of running the KimWolf IoT botnet, which enslaved nearly two million devices for DDoS attacks. The botnet allegedly powered some massive attacks over the past six months. Another reminder that operating a botnet is a career with excellent job security, if your definition of "job security" includes federal charges.

**What to do:** Review your network for IoT devices with default credentials. Segment IoT gear away from critical infrastructure.

---

China-Linked APT Targets EU Governments Via Discord and Microsoft Graph

A Chinese threat group dubbed Webworm has been hacking European government entities by abusing legitimate services like Discord and Microsoft Graph for command and control. They're also using SoftEther VPN and other tunneling tools to blend malicious traffic with normal network activity. Living off the land meets living off the cloud, and it's working.

**What to do:** Monitor for unusual traffic to cloud services like Discord API and Microsoft Graph from non-user endpoints. Review your egress filtering policies.

---

That's the chaos for today. Stay sharp out there.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

Wollen Sie Ihr Service zum Top-Computer- Und Elektronikservice in Zürich machen?
Klicken Sie hier, um Ihren Gesponserten Eintrag zu erhalten.

Kategorie

Webseite

Adresse


Zürich