Aggregator

2024年12月21日下午14:00，不见不散！

环境异常 当前环境异常，完成验证后即可继续访问。 去验证

A U.S. District Court judge may have dismissed most of the federal charges brought against Solar

Two years ago, I wrote up some best practices for developers who want to take a file’s security

A vulnerability classified as problematic was found in Celoxis. This vulnerability affects unknown code of the file user.do. The manipulation of the argument nismessage leads to cross site scripting. This vulnerability was named CVE-2008-6094. The attack can be initiated remotely. Furthermore, there is an exploit available.

Thursday, December 12, 2024 14:05

2024.12.06~12.12 攻击团伙情报Secret Blizzard 利用 Amadey 恶意软件即服务在乌克兰部署 Kazuar 后门Gamaredon 在前苏联国家部署 Android 间

Secret Blizzard 利用 Amadey 恶意软件即服务在乌克兰部署 Kazuar 后门​；Gamaredon 在前苏联国家部署 Android 间谍软件；Radiant Capital 事件归因于 AppleJeus

HackerNews 编译，转载请注明出处： 一种名为Pumakit的新Linux rootkit恶意软件被发现，它使用隐身和高级权限提升技术来隐藏其在系统上的存在。 该恶意软件是一个多组件集合，包括一个投递器(dropper)、内存驻留可执行文件、内核模块rootkit和一个共享对象(SO)用户空间rootkit。 Elastic Security在VirusTotal上发现了一个可疑的二进制文件(‘cron’)上传，日期为2024年9月4日，并报告说无法看到谁在使用它以及它针对的目标。 通常，这些工具被高级威胁行为者用于针对关键基础设施和企业系统进行间谍活动、财务盗窃和破坏操作。 Pumakit采用多阶段感染过程，起始于一个名为’cron’的投递器，它从内存中完全执行嵌入的有效载荷(‘/memfd:tgt’和’/memfd:wpn’)。 ‘/memfd:wpn’有效载荷在子进程中执行，执行环境检查和内核映像操作，并最终将LKM rootkit模块(‘puma.ko’)部署到系统内核中。 LKM rootkit中嵌入了Kitsune SO (‘lib64/libs.so’)，作为用户空间rootkit，使用’LD_PRELOAD’注入自身到进程中，以拦截用户级别的系统调用。 Pumakit感染链 rootkit遵循条件激活，检查特定的内核符号、安全启动状态和其他先决条件后才加载。 Elastic表示，Puma利用’kallsyms_lookup_name()’函数来操纵系统行为。这表明rootkit旨在仅针对5.7版本之前的Linux内核，因为新版本不再导出该函数，因此不能被其他内核模块使用。 “LKM rootkit操纵系统行为的能力始于其使用系统调用表及其依赖于kallsyms_lookup_name()进行符号解析，”Elastic研究人员Remco Sprooten和Ruben Groenewoud解释说。 “与针对5.7及以上内核版本的现代rootkit不同，该rootkit不使用kprobes，表明它是为旧内核设计的。” Puma使用’ftrace’钩住18个系统调用和多个内核函数，以获得权限提升、命令执行能力以及隐藏进程的能力。 内核函数’prepare_creds’和’commit_creds’被滥用以修改进程凭证，为特定进程授予root权限。 该rootkit可以从内核日志、系统工具和杀毒软件中隐藏自己的存在，并且还可以隐藏目录中的特定文件和进程列表中的对象。 如果钩子被中断，rootkit会重新初始化它们，确保其恶意更改不会被撤销，模块不能被卸载。 用户空间rootkit Kitsune SO与Puma协同工作，将其隐身和控制机制扩展到用户交互。 它拦截用户级别的系统调用，并改变ls、ps、netstat、top、htop和cat等命令的行为，以隐藏与rootkit相关的文件、进程和网络连接。 它还可以根据攻击者定义的标准动态隐藏任何其他文件和目录，并使恶意二进制文件对用户和系统管理员完全隐形。 Kitsune SO还处理与命令和控制(C2)服务器的所有通信，将命令中继到LKM rootkit，并将配置和系统信息传输给操作员。 除了文件哈希之外，Elastic Security还发布了一个YARA规则，以帮助Linux系统管理员检测Pumakit攻击。     消息来源：bleepingcomputer；   本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability classified as critical was found in Oracle FLEXCUBE Universal Banking up to 11.83.3/12.4/14.3/14.5. This vulnerability affects unknown code of the component Infrastructure. The manipulation leads to improper input validation. This vulnerability was named CVE-2021-44832. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Oracle Data Integrator 12.2.1.3.0/12.2.1.4.0. Affected by this issue is some unknown functionality of the component Runtime Java agent for ODI. The manipulation leads to improper input validation. This vulnerability is handled as CVE-2021-44832. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Oracle Identity Management Suite 12.2.1.3.0/12.2.1.4.0. This affects an unknown part of the component Installer. The manipulation leads to improper input validation. This vulnerability is uniquely identified as CVE-2021-44832. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Oracle Banking Loans Servicing 2.12.0 and classified as critical. This vulnerability affects unknown code of the component Web UI. The manipulation leads to improper input validation. This vulnerability was named CVE-2021-44832. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Banking Party Management 2.7.0 and classified as critical. This issue affects some unknown processing of the component Web UI. The manipulation leads to improper input validation. The identification of this vulnerability is CVE-2021-44832. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Banking Payments 14.5. It has been classified as critical. Affected is an unknown function of the component Infrastructure. The manipulation leads to improper input validation. This vulnerability is traded as CVE-2021-44832. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Banking Platform 2.6.2/2.7.1/2.12.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component SECURITY. The manipulation leads to improper input validation. This vulnerability is known as CVE-2021-44832. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Banking Trade Finance 14.5. It has been rated as critical. Affected by this issue is some unknown functionality of the component Infrastructure. The manipulation leads to improper input validation. This vulnerability is handled as CVE-2021-44832. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Oracle Banking Treasury Management 14.5. This affects an unknown part of the component Infrastructure. The manipulation leads to improper input validation. This vulnerability is uniquely identified as CVE-2021-44832. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.