⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [10 February]

heise offer: iX workshop: Hardening Linux servers

Malware and hacker attacks have long ceased to be a Windows-only issue: Linux servers and the services running on them are coming under fire more and more often. The five-day intensive workshop "Linux-Server härten: Verschlüsselung, Zugriffskontrolle, Integritätschecks" (Hardening Linux Servers: Encryption, Access Control, Integrity Checks) deals comprehensively with the security of Linux servers. The range of topics extends from physical security through access control mechanisms to logging, monitoring and intrusion detection.

Security frameworks, access control and authentication.

You will learn how to encrypt data and secure network services, set up advanced access control methods such as two-factor authentication, and use the well-known security frameworks SELinux and AppArmor. Florian Winkler explains how to analyze log files for security-relevant incidents and also covers intrusion detection. In addition, you will receive a theoretical introduction to penetration testing and learn how to track down security vulnerabilities in your own IT in a targeted manner.

So that you can try out what you have learned right away and get hands-on in this workshop, you will receive ssh access to a training environment with Linux systems provided for you. The workshop is interactive and takes place in groups of at most 12 participants, leaving you plenty of room for your own questions and for exchange with the trainer and the other participants.

The next iX workshop takes place from March 24 to 28, 2025. Your trainer, Florian Winkler, has worked as a consultant and trainer at the Linux systems house B1 Systems since 2014. His main topics are configuration management, DevOps, deployment, security and automation.

S2N - the heise conference for storage, server, network. Anyone who wants to delve deeper into current topics around storage, servers and networks and discuss them with experts and colleagues is cordially invited to attend the heise conference S2N on October 22 and 23, 2025. The program offers comprehensive insights, practice-oriented talks, as well as discussion rounds and workshops on the challenges and innovations currently moving the professional community in the field of IT infrastructure.

Lup-Kliniken hit by cyberattack

The Lup-Kliniken in the district of Ludwigslust-Parchim have been hit by a cyberattack. As the district announced, the hospital sites in Hagenow and Ludwigslust currently cannot be reached by e-mail or via their website. Both hospitals were disconnected from the communications network as a precaution. Medical care at the sites, however, is assured. According to the information provided, the emergency department was deregistered through the regular procedure; life-threatening emergencies continue to be treated.

The cyberattack was detected during the night to Monday; work is currently under way to resolve the technical problems. According to the State Criminal Police Office (Landeskriminalamt), investigations into offences of computer sabotage and data espionage have been opened. Specialists are currently securing digital traces on site. No further information is available so far; this is already the fourth case of computer sabotage in Mecklenburg-Vorpommern this year, it was said.

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [10 February]

In cybersecurity, the smallest crack can lead to the biggest breaches. A leaked encryption key, an unpatched software bug, or an abandoned cloud storage bucket—each one seems minor until it becomes the entry point for an attack.

This week, we've seen cybercriminals turn overlooked weaknesses into major security threats, proving once again that no system is too small to be targeted. The question isn't whether attackers will find a way in—it's whether you'll be prepared when they do.

Microsoft Warns of Attacks Exploiting ASP.NET Machine Keys — Threat actors are exploiting publicly disclosed ASP.NET machine keys to inject and execute malicious code responsible for launching the Godzilla post-exploitation framework. Microsoft noted it has identified over 3,000 publicly disclosed keys that could be used for these types of attacks, dubbed ViewState code injection. The company also noted it removed key-related artifacts from "limited instances" where they were included in its documentation.

Multiple Security Flaws Come Under Exploitation — Malicious actors are exploiting recently disclosed security flaws in SimpleHelp remote desktop software (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) as part of a suspected ransomware attack. Separately, Russian cybercrime groups have been found to exploit a flaw affecting the 7-Zip archiver tool (CVE-2025-0411) to evade mark-of-the-web (MotW) protections on Windows systems and deliver the SmokeLoader malware as part of attacks aimed at Ukrainian entities. Lastly, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software (CVE-2025-0994) has come under active exploitation in the wild.

Ransomware Payments Drop to $[website] in 2024 — Ransomware attacks earned cybercrime groups $[website] million in 2024, marking a significant drop from $[website] billion in 2023. That said, 2024 also witnessed the highest volume of annual ransomware cases since 2021, reaching a staggering 5,263 attacks, an increase of 15% year-over-year. The decline is attributed to the growing law enforcement success in dismantling ransomware gangs, heightened global awareness about the threat, and a fragmented ecosystem where lone wolf actors are known to seek smaller ransom payments.

Lazarus's Job-Themed Campaign Delivers JavaScript Malware — The Lazarus Group of North Korea has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS, and Linux operating systems. Bitdefender, which identified the activity, said it likely falls under the Contagious Interview cluster, although the JavaScript malware used in the attacks is different from BeaverTail samples used in the latter.

SparkCat Uses Android and iOS Apps to Steal Data — A new malware campaign dubbed SparkCat has leveraged a suite of bogus apps on both Apple's and Google's respective app stores to steal victims' mnemonic phrases associated with cryptocurrency wallets. The development marks one of the first instances where a stealer with optical character recognition (OCR) capabilities has been discovered in the Apple App Store. The offending apps have since been removed from both the app storefronts.

Kyrgyzstan and Turkmenistan Orgs Targeted by Silent Lynx — A never-before-seen hacking group tracked as Silent Lynx has targeted embassies, lawyers, government-backed banks, and think tanks located in Kyrgyzstan and Turkmenistan to deploy a PowerShell script that uses Telegram for command-and-control. The activity, attributed to a Kazakhstan-origin threat actor with a medium level of confidence, shares tactical overlaps with another hacking group named YoroTrooper (aka SturgeonPhisher), which has been linked to attacks targeting the Commonwealth of Independent States (CIS) countries using PowerShell and Golang tools.

Your go-to software could be hiding dangerous security flaws—don’t wait until it’s too late! Update now and stay ahead of the threats before they catch you off guard.

Brute-Force Attack Campaign Targets Networking Devices — Threat hunters are warning of a large-scale brute force password attack using nearly [website] million IP addresses to guess the credentials for a wide range of networking devices, including those from Ivanti, Palo Alto Networks, and SonicWall, per the Shadowserver Foundation. The IP addresses are mainly located in Brazil, Russia, Turkey, Argentina, Iraq, and Morocco, among others. These IP addresses belong to IoT devices from various vendors like MikroTik, Huawei, Cisco, Boa, and ZTE, which are commonly infected by botnet malware.

Rare Wolf Goes After Russia — The threat actor known as Rare Wolf (aka Rezet) has been linked to a new set of cyber attacks targeting Russian industrial enterprises in January 2025. The attacks involve the use of phishing lures that employ themes related to seminar invitations in order to deliver malware. Russian organizations across various industries have also been targeted by a large-scale campaign designed to propagate NOVA stealer, a new commercial fork of Snake Keylogger.

AI Agents Can Become a Vector for Bot-Driven Card Testing Attacks — Threat actors are known to use automated bot programs to test pilfered cards on multiple e-commerce websites. Such card testing attacks typically exploit stolen credit card details through small, unnoticed purchases to verify active cards for larger fraud. "This entire operation is highly automated, making it challenging for fraud detection systems to catch these fraudulent transactions in real time," Group-IB said. "By the time the actual cardholder notices unusual activity, fraudsters may have already validated multiple cards, and used them for larger unauthorized transactions." With the advent of AI agents to perform web-based tasks on behalf of customers, the company said the tools present new risks for the banking industry, allowing for automation of card testing and fraud operations at scale.

Abandoned AWS S3 Buckets Can Be Repurposed for Supply Chain Attacks — New research has found that it's possible to register abandoned Amazon S3 buckets in order to stage supply chain attacks at scale. watchTowr Labs said it discovered about 150 Amazon S3 buckets that had previously been used across commercial and open-source software products, governments, and infrastructure deployment/upgrade pipelines. It then re-registered them for a mere $[website] with the same names. Over a period of two months, the cybersecurity company said the buckets in question received more than 8 million HTTP requests for software updates, JavaScript files, virtual machine images, pre-compiled binaries for Windows, Linux, and macOS, and SSL-VPN configurations, among others. This also meant that a threat actor in possession of these buckets could have responded to the requests with a nefarious software upgrade, CloudFormation templates that grant unauthorized access to an AWS environment, and malicious executables. These requests, watchTowr said, originated from the government networks of the [website], the [website], Poland, Australia, South Korea, Turkey, Taiwan, and Chile; military networks, Fortune 500 companies, instant messaging platforms, and universities. The findings once again highlight the security risk associated with abandoned or expired infrastructure, and how source code references to non-existent cloud assets can have serious supply chain ramifications. "We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far – or put more clearly, we would've embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant," the company said.

Security officials in the U.K. are said to have ordered Apple to create a backdoor to access any Apple user's iCloud content. The demand, first , "requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies." The order is said to have been issued by the U.K. Home Office under the Investigatory Powers Act (IPA), also nicknamed the Snoopers' Charter. In response, Apple is expected to stop offering encrypted storage, specifically Advanced Data Protection, in the U.K. Neither the company nor U.K. government officials have formally commented on the matter. In a statement shared with BBC, Privacy International called the move an "unprecedented attack" on the private data of individuals, and that it "sets a hugely damaging precedent." While Apple offers two levels of encryption for the cloud – Standard data protection and Advanced Data Protection – the former encrypts iCloud data and stores the encryption keys in its own data centers. Furthermore, only certain categories of data, such as health data and passwords, are end-to-end encrypted. Advanced Data Protection, in contrast, is an opt-in feature that provides end-to-end encryption (E2EE) for iCloud backups. Security services and lawmakers have consistently pushed back against the growing use of end-to-end encryption services, arguing that they could deter efforts to combat serious crime such as terrorism and child sexual abuse, as well as help criminals conceal illicit activity.

"Dangerous Hacker" Arrested in Spain — Spanish law enforcement authorities have revealed the arrest of an individual suspected of conducting cyber attacks against dozens of organizations. The unnamed man was arrested in the town of Calpe in Spain's Alicante province for allegedly carrying out attacks on more than 40 organizations and leaking stolen data under the alias "natohub." This included NATO, the United Nations, the [website] Army, and the International Civil Aviation Organization (ICAO). He is also accused of targeting organizations in Spain, including the country's mint, universities, government entities, and law enforcement agencies. "The suspect, who had extensive knowledge of computers, had managed to set up a complex technological network through the use of anonymous messaging and browsing applications, through which he had managed to hide his tracks and thus make his identification difficult," the National Police stated.

From Code to Runtime: See How ASPM Transforms Application Protection — Join our next webinar with Amir Kaushansky of Palo Alto Networks and discover how ASPM transforms app security. Learn to unify code insights with runtime data, close security gaps, and shift from reactive fixes to proactive defense. Empower your team with smarter, holistic protection against modern threats.

From Debt to Defense: How to Spot and Fix Identity Gaps — Join this free webinar and learn how to close identity gaps and fortify your defenses. Experts Karl Henrik Smith and Adam Boucher will reveal how Okta's Secure Identity Assessment streamlines processes, prioritizes critical fixes, and future-proofs your identity strategy to reduce risks and optimize resources.

BaitRoute (Honeypot) — It is a tool that creates fake vulnerable web endpoints to catch hackers in the act. When an attacker tries to exploit these decoy sites, you'll get an instant alert with details like their IP address and request info. It's easy to integrate with your existing projects using Go, Python, or JavaScript, and it comes with ready-to-use rules so you can start protecting your site right away.

Volatility Workbench — It is a free, open-source GUI for memory forensics that speeds up analysis and cuts out command-line hassles. It auto-detects systems, saves settings, and supports Windows, Mac, and Linux, making digital investigations simpler and faster.

Keep Your AI Interactions Private & Secure — AI tools like chatbots and voice assistants collect and store your data, which can be hacked, misused, or even influence your decisions. Avoid sharing personal details (passwords, finances, or sensitive info) in AI chats. Turn off unnecessary permissions (like mic or camera access) when not needed. Use AI services that allow data deletion and opt out of tracking when possible. Always fact-check AI responses before trusting them. Your data is valuable—don't give away more than necessary.

This week's developments prove once again that cybersecurity is not a one-time fix but an ongoing battle. Whether it's closing loopholes, staying ahead of emerging threats, or adapting to new attack strategies, the key to resilience is vigilance.

Keep patching, keep questioning, and keep learning. See you next week with more insights from the front lines of cybersecurity.
