Aggregator

HackerNews 编译，转载请注明出处： 网络安全研究人员发现，以经济利益为动机的网络犯罪团伙FIN7正在利用一种名为Anubis的基于Python的后门程序，劫持被入侵的Windows系统。 瑞士网络安全公司PRODAFT在一份技术报告中指出，这种恶意软件允许攻击者执行远程Shell命令和其他系统操作，从而完全控制被感染的机器。 FIN7也被称为Carbon Spider、ELBRUS、Gold Niagara、Sangria Tempest和Savage Ladybug，是一个以俄罗斯为背景的网络犯罪团伙。该团伙以不断演变和扩展的恶意软件家族而闻名，这些恶意软件家族用于获取初始访问权限和数据窃取。近年来，该团伙被认为已转变为勒索软件的附属组织。 2024年7月，该团伙被发现使用多个在线别名宣传一种名为AuKill（又称AvNeutralizer）的工具，该工具能够终止安全工具，可能是为了多元化其盈利策略。 Anubis后门被认为通过恶意垃圾邮件活动传播，通常诱使受害者执行托管在被入侵的SharePoint网站上的恶意负载。该恶意软件以ZIP存档的形式交付，感染的入口点是一个Python脚本，该脚本设计用于直接在内存中解密并执行主要混淆的有效负载。一旦启动，该后门会通过TCP套接字以Base64编码格式与远程服务器建立通信。 服务器的响应同样以Base64编码，允许该后门收集主机的IP地址、上传/下载文件、更改当前工作目录、获取环境变量、修改Windows注册表、使用PythonMemoryModule将DLL文件加载到内存中，并终止自身。 德国安全公司GDATA在对Anubis进行独立分析时发现，该后门还支持将操作员提供的响应作为受害者系统上的Shell命令运行。PRODAFT表示：“这使得攻击者能够在不直接在受感染系统上存储这些功能的情况下，执行诸如键盘记录、截屏或窃取密码等操作。通过尽可能保持后门的轻量化，攻击者降低了被检测的风险，同时保持了执行进一步恶意活动的灵活性。”   消息来源：The Hacker News； 本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

HackerNews 编译，转载请注明出处： 网络安全研究人员披露了一个名为Outlaw（又称Dota）的“自动传播”加密货币挖矿僵尸网络。该团伙以攻击存在弱凭据的SSH服务器而闻名。 据Elastic安全实验室周二发布的最新分析报告称，“Outlaw是一种依赖SSH暴力破解攻击、加密货币挖矿和类似蠕虫传播方式的Linux恶意软件，用于感染并控制系统。”该名称也用于指代开发该恶意软件的威胁行为者，他们被认为来自罗马尼亚。 自2018年底以来，该黑客团伙一直活跃，通过暴力破解SSH服务器，利用获得的权限进行侦察，并通过将自身的SSH密钥添加到“authorized_keys”文件中，以在被入侵主机上保持持久性。 攻击者还采用多阶段感染过程，使用一个下载器Shell脚本（“tddwrt7s.sh”）下载一个归档文件（“dota3.tar.gz”），然后解包以启动挖矿程序，同时清除过往入侵痕迹，并终止其他竞争挖矿程序和自身旧版本挖矿程序。 该恶意软件的一个显著特点是初始访问组件（又称BLITZ），它通过扫描运行SSH服务的易受攻击系统，以类似僵尸网络的方式实现恶意软件的自我传播。暴力破解模块会从SSH命令与控制（C2）服务器获取目标列表，以进一步延续传播周期。 在某些攻击中，该团伙还利用存在CVE-2016-8655和CVE-2016-5195（又称Dirty COW）漏洞的Linux和Unix操作系统，以及攻击存在弱Telnet凭据的系统。在获得初始访问权限后，恶意软件会部署SHELLBOT，通过C2服务器使用IRC频道进行远程控制。 SHELLBOT能够执行任意Shell命令、下载和运行额外的有效载荷、发起DDoS攻击、窃取凭据以及窃取敏感信息。 在挖矿过程中，该恶意软件会检测被感染系统的CPU，并为所有CPU核心启用大页面功能，以提高内存访问效率。它还使用一个名为kswap01的二进制文件，以确保与攻击者基础设施的持续通信。 “尽管Outlaw使用了SSH暴力破解、SSH密钥操作和基于计划任务的持久性等基本技术，但它仍然活跃。”Elastic表示，“该恶意软件部署了修改版的XMRig挖矿程序，利用IRC进行C2通信，并使用公开可用的脚本实现持久性和防御规避。”   消息来源：The Hacker News； 本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability, which was classified as problematic, was found in WP Cleanfix Plugin 2.4.4 on WordPress. This affects an unknown part of the file wpCleanFixAjax.php. The manipulation leads to cross-site request forgery. This vulnerability is uniquely identified as CVE-2013-2108. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

HackerNews 编译，转载请注明出处： 网络安全研究人员披露了谷歌云平台（GCP）云运行服务（Cloud Run）的一个现已修复的权限提升漏洞。该漏洞可能会让恶意攻击者访问容器镜像，甚至注入恶意代码。 据网络安全公司Tenable的安全研究员利夫·马坦（Liv Matan）称，该漏洞允许攻击者利用其在谷歌云运行服务中的修订编辑权限，拉取同一账户中的私有谷歌工件仓库（Google Artifact Registry）和谷歌容器仓库（Google Container Registry）镜像。这一安全漏洞被Tenable命名为“ImageRunner”，谷歌已于2025年1月28日完成修复。 谷歌云运行服务是一种完全托管的服务，用于在可扩展的无服务器环境中运行容器化应用程序。当使用该技术运行服务时，会通过指定镜像URL从工件仓库（或Docker Hub）拉取容器镜像以进行后续部署。 问题在于，某些身份虽然没有容器仓库权限，但却拥有谷歌云运行服务修订的编辑权限。每次部署或更新云运行服务时，都会创建一个新版本，而每次部署云运行修订时，都会使用服务代理账户来拉取必要的镜像。 如果攻击者在受害者的项目中获得了特定权限（特别是`run.services.update`和`iam.serviceAccounts.actAs`权限），他们可以修改云运行服务并部署一个新修订版本。在此过程中，攻击者可以指定服务拉取项目内任何私有容器镜像。此外，攻击者还可以访问受害者仓库中存储的敏感或专有镜像，并引入恶意指令，这些指令在执行时可能会被利用来提取机密信息、窃取敏感数据，甚至向攻击者控制的机器打开反向Shell。 谷歌发布的补丁现在确保创建或更新云运行资源的用户或服务账户必须明确拥有访问容器镜像的权限。谷歌在其2025年1月的云运行发布说明中表示：“创建或更新云运行资源的主体（用户或服务账户）现在需要明确的权限来访问容器镜像。”当使用工件仓库时，确保主体在包含容器镜像的项目或仓库上具有工件仓库读者（roles/artifactregistry.reader）IAM角色。 Tenable将“ImageRunner”描述为其所谓的“Jenga”现象的一个实例，这种现象是由于各种云服务的相互关联性导致安全风险传递。“云服务提供商在其现有服务的基础上构建服务。如果一个服务受到攻击或被攻破，那么在其基础上构建的其他服务也会继承风险并变得脆弱。”这种场景为攻击者提供了发现新的权限提升机会甚至漏洞的可能性，同时也为防御者引入了新的隐藏风险。 此次披露发生在Praetorian详细描述较低权限主体如何滥用Azure虚拟机（VM）以控制Azure订阅的几周之后。   消息来源：The Hacker News； 本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

IoT专项活动时间：2024年4月3日-5月6日

IoT专项活动时间：2024年4月3日-5月6日

IoT专项活动时间：2024年4月3日-5月6日

IoT专项活动时间：2024年4月3日-5月6日

A vulnerability has been found in ftpcd 1 and classified as critical. This vulnerability affects unknown code of the component Root Command. The manipulation leads to improper privilege management. This vulnerability was named CVE-1999-0082. The attack can be initiated remotely. Furthermore, there is an exploit available. This vulnerability has a historic impact due to its background and reception. It is recommended to upgrade the affected component.

A vulnerability was found in BSD 4.2/4.3 and classified as critical. This issue affects some unknown processing of the file passwd.c of the component passwd Shell Handler. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-1999-1471. Attacking locally is a requirement. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Sun SunOS 4.0/4.0.1/4.0.3. It has been classified as problematic. Affected is an unknown function of the component Restore. The manipulation leads to Local Privilege Escalation. This vulnerability is traded as CVE-1999-1122. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Sun SunOS 4.0/4.0.1/4.0.2/4.0.3/4.0.3c. It has been declared as very critical. Affected by this vulnerability is an unknown functionality of the component rcp. The manipulation leads to improper privilege management. This vulnerability is known as CVE-1999-1467. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in SMI Sendmail up to 4.0.3. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation leads to Remote Code Execution. This vulnerability is handled as CVE-1999-1506. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in FreeBSD 3.0/3.1/3.2/3.3/3.4. This vulnerability affects unknown code in the library libmytinfo. The manipulation of the argument TERMCAP as part of Environment Variable leads to memory corruption. This vulnerability was named CVE-2000-0388. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in NeXT NeXTstep 1.0/1.0a and classified as critical. Affected by this issue is some unknown functionality of the file /usr/etc/restore0.9. The manipulation leads to improper privilege management. This vulnerability is handled as CVE-1999-1392. Local access is required to approach this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Sun SunOS 4.1/4.1.1. Affected by this vulnerability is an unknown functionality of the component rpc.pwdauthd. The manipulation leads to information disclosure. This vulnerability is known as CVE-1999-1258. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Sun SunOS 4.0.3/4.1/4.1.1. Affected by this issue is some unknown functionality of the file /bin/mail. The manipulation leads to Local Privilege Escalation. This vulnerability is handled as CVE-1999-1438. Attacking locally is a requirement. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Sun SunOS 4.0.3/4.0.3c and classified as critical. This vulnerability affects unknown code of the component Rlogin. The manipulation leads to Local Privilege Escalation. This vulnerability was named CVE-1999-1212. The attack needs to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Digital Ultrix 4.0/4.1 and classified as critical. This issue affects some unknown processing of the file /usr/bin/chroot. The manipulation leads to Local Privilege Escalation. The identification of this vulnerability is CVE-1999-1194. An attack has to be approached locally. Furthermore, there is an exploit available.

A vulnerability, which was classified as very critical, was found in Berkeley Sendmail up to 5.58. This affects an unknown part of the component DEBUG Handler. The manipulation leads to improper privilege management. This vulnerability is uniquely identified as CVE-1999-0095. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. Due to its background and reception, this vulnerability has an historic impact. It is recommended to upgrade the affected component.