Aggregator

Wordfence安全研究员披露重要信息 据Wordfence安全研究员István Márton披露，一个关键的认证绕过了漏洞被暴露在了WordPress的Really Simple Security（以前称为Really Simple SSL）插件中，如果此漏洞被利用，攻击者可以远程获得易受攻击网站的完全管理权限。 这个漏洞，被追踪为CVE-2024-10924（CVSS评分：9.8），影响插件的免费和付费版本。该软件安装在超过400万个WordPress网站上。 这个漏洞是可以脚本化的，意味着它可以被转换成大规模的自动化攻击，针对WordPress网站。 起因是一处不正确的用户检查错误处理 这个漏洞在2024年11月6日披露，在一周后发布的9.1.2版本中已被修补。可能是有被滥用的风险促使插件维护者与WordPress合作，在公开披露之前强制更新了所有运行此插件的网站。 根据Wordfence的说法，这个认证绕过漏洞存在于9.0.0至9.1.1.1版本中，起因是在一个名为“check_login_and_get_user”的函数中不正确的用户检查错误处理，添加双因素认证的一个特性做得不够安全，使得未经认证的攻击者可以在双因素认证启用时，通过一个简单的请求获得对任何用户账户的访问权限，包括管理员账户。 如果被利用，将失去所有网站管理权限 成功利用这个漏洞可能会有严重的后果，因为它可能允许恶意行为者劫持WordPress网站，并进一步将它们用于犯罪目的。 这一信息是Wordfence在透露了WPLMS学习管理系统（WordPress LMS，CVE-2024-10470，CVSS评分：9.8）中的另一个关键缺陷几天后发布的，该缺陷可能允许未经认证的威胁者读取和删除任意文件。 具体来说，4.963之前的版本由于文件路径验证和权限检查不足，这使得未经认证的攻击者能够读取和删除服务器上的任何任意文件，包括网站的wp-config.php文件。删除wp-config.php文件会使网站进入设置状态，允许攻击者通过将其连接到他们控制的数据库来发起对网站的接管。     转自Freebuf，原文链接：https://www.freebuf.com/news/415637.html 封面来源于网络，如有侵权请联系删除

Onapsis announced the Onapsis Secure RISE Accelerator, helping organizations execute their RISE with SAP transformation with confidence. The new offering reduces security and compliance obstacles with a structured, bundled solution that simplifies and accelerates an organization’s project planning and execution with SAP-endorsed technology, threat insights and comprehensive SAP cybersecurity expertise and best practices. As companies increasingly choose the RISE with SAP program to move to the cloud and modernize their SAP environments, security and compliance … More →

The post Onapsis Secure RISE Accelerator streamlines security elements of modern SAP deployments appeared first on Help Net Security.

2 digitale rechercheurs van de Koninklijke Marechaussee doen onderzoek naar mogelijke oorlogsmisdrijven in Oekraïne. Dat gebeurt nu voor de vijfde keer sinds mei 2022 en wederom op verzoek van Oekraïne. De forensisch experts zijn vandaag begonnen. Ze voeren hun werk uit onder de vlag van het Internationaal Strafhof. 

抗生素耐药性正日益成为一个严重的健康问题。每年有逾百万人死于耐药性感染，预计到 2050 年死亡人数将会达到两百万。根据发表在《Science Advances》期刊上的一项研究，加州圣迭戈的研究人员找到了耐药菌的一个致命弱点，可能有助于抑制抗生素耐药性的形成。研究团队调查了名为枯草芽孢杆菌(Bacillus subtilis)的常见细菌，观察为何耐药菌株相对于非耐药菌株并不能占据优势。研究人员发现，耐药菌细胞必需成分核糖体对矿物质镁异常贪婪，而 ATP 分子也亟需镁，这导致了双方对有限的资源展开了激烈内部竞争，最终导致耐药细菌有着较低的生长和传播率。这一发现提出了一种不使用传统抗生素对抗耐药菌的新方法。科学家可通过操纵细菌环境中的镁含量，在不伤害有益菌的情况下阻断耐药菌。

Расследование длилось годы, но привело к неожиданному финалу.

cwe_checker是一套用于检测常见错误类别（例如空指针取消引用和缓冲区溢出）的检查工具。

ReasonLabs launched Online Security platform for Android and iOS, available for download on the Google Play Store and Apple App Store. This marks a significant milestone in ReasonLabs’ mission to deliver a comprehensive security platform that empowers over 25 million users with protection for their devices, identities, and privacy. ReasonLabs’ platform, already recognized for its identity and device protection delivered on desktops, now extends its availability to mobile devices. Americans lost more than $12.5 billion … More →

The post ReasonLabs launches Online Security platform for Android and iOS appeared first on Help Net Security.

主站 分类 漏洞 工具 极客

VeriClouds and Enzoic signed an agreement to bring our customers a more innovative service under the Enzoic brand.

The post Enzoic Acquires VeriClouds appeared first on Security Boulevard.

Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.

Recent activity from the state-sponsored group Volt Typhoon, from the People’s Republic of China (PRC), has prompted federal agencies — including the Cybersecurity and Infrastructure Security Agency (CISA) and international partners — to issue urgent warnings and advisories. This increase in activity from advanced persistent threat (APT) actors targeting U.S. critical infrastructure highlights the need for increased vigilance from state and local governments. Since U.S. critical infrastructure is owned and operated by both public sector and private sector organizations, the threat is a concern for government agencies as well as corporate enterprises.

Volt Typhoon is a sophisticated threat group, typically gaining initial access to targets by exploiting unpatched vulnerabilities, including zero-day flaws, as well as through phishing techniques. Once initial access is gained, Volt Typhoon stays persistent for as long as possible, blending in with normal traffic and operating systems. This is achieved through “living off the land” (LOTL) techniques, leveraging native operating system tools to evade detection and favoring manual operations over automated manual scripts, further enhancing their adaptability within the environment.

State and local governments (SLG) have real options though, thanks to the Tenable Security Response Team’s examination of Volt Typhoon’s tactics, techniques and procedures (TTP). Additionally, with the Fiscal Year 2024 State and Local Cybersecurity Grant Program (SLCGP) Notice of Funding Opportunity (NOFO) open for eligible applicants through December 3, SLG officials can apply for funding to strengthen the security of critical infrastructure against malicious threats and to bolster the resilience of the services that state and local governments provide to their communities.

Based on the Tenable Security Response Team’s findings, Tenable recommends state and local government officials consider the following measures to address, patch and mitigate the identified Volt Typhoon vulnerabilities. In addition to these recommendations, implementing cyber hygiene best practices is essential for effective defense.

Patching known vulnerabilities and identifying affected systems

State and local government agencies have the tools and capabilities to protect themselves against the vast majority of attacks, including those from APT actors. Too many entities, however, are failing to take even the minimum steps to protect themselves and their communities.

Let’s start with the basics: it’s critical to have holistic exposure management capabilities that concentrate on discovering and remediating publicly disclosed CVEs. Exposure management combines the people, processes and technologies needed to effectively reduce cyber risk. Technologies such as vulnerability management, web application security, cloud security, identity security, attack path analysis and attack surface management are used to help organizations understand the full breadth and depth of their exposures and take the actions needed to reduce them through remediation and incident response workflows. This proactive approach gives organizations the power to identify and patch known vulnerabilities before they can be exploited.

By implementing proactive exposure management measures, state and local officials can significantly strengthen their resilience against cyberattacks and better protect their communities.

Given the heightened activity by Volt Typhoon, advisories have been released by the respective vendors for specific patching and mitigation tactics for the CVEs commonly exploited; learn more here.

If you are unsure whether your systems have been affected by Volt Typhoon or another APT, Tenable offers several solutions to help identify potential exposures and attack paths, as well as identify systems vulnerable to the CVEs noted in the research linked above.

Implementing cyber hygiene best practices

Basic cyber hygiene practices, including asset management, vulnerability management and identity and access management are crucial in today's digital landscape. State and local governments need to ensure they have visibility across their entire attack surface, including their IT, internet of things (IoT) and operational technology (OT) assets to know where they are exposed. This is critical when a vulnerability is discovered, especially as state-sponsored groups like Volt Typhoon are continuing to target U.S. critical infrastructure.

Understanding Volt Typhoon's TTPs equips state and local governments with valuable insights to enhance their cybersecurity posture. By implementing proactive exposure management measures, state and local officials can significantly strengthen their resilience against cyberattacks and better protect their communities.

If you want to learn more about Volt Typhoon and the Tenable Security Response Team’s research, review the findings here.

Learn more

• Read the blog Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
• Read the joint cybersecurity advisory People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
• Get up to speed on the U. S. Department of Homeland Security (DHS) Notice of Funding Opportunity (NOFO) Fiscal Year 2024 State and Local Cybersecurity Grant Program

The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal. "At least 80% of NSOCKS bots in our telemetry originate from the Ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices," the Black Lotus Labs team at

Hornetsecurity launched DMARC Manager, an advanced tool addresses the complex challenges organisations face in managing DMARC, DKIM, and SPF configurations, especially for those operating across multiple domains. As email threats such as fraud and impersonation attacks continue to rise, the need for robust email authentication practices has never been more critical. DMARC Manager is designed to empower administrators and CISOs by providing an intuitive solution for setting up and maintaining best practices in email authentication. … More →

The post Hornetsecurity DMARC Manager protects against fraud and phishing attacks appeared first on Help Net Security.

Critical Authentication Flaw Impacts Both Free and Pro Users
A widely deployed five-in-one security plug-in for WordPress websites contained a flaw that hackers could automate into a large-scale takeover campaign. The critical authentication bypass vulnerability takes advantage of a now-patched flaw in the Really Simple Security plug-in.

Learn how to select a microsegmentation solution to fortify your organization?s cloud security strategies and protect your assets across multiple public clouds.

One of Google Cloud's major missions is to arm security professionals with modern tools to help them defend against the latest threats. Part of that mission involves moving closer to a more autonomous, adaptive approach in threat intelligence automation.

In our latest advancements in malware analysis, we’re equipping Gemini with new capabilities to address obfuscation techniques and obtain real-time insights on indicators of compromise (IOCs). By integrating the Code Interpreter extension, Gemini can now dynamically create and execute code to help deobfuscate specific strings or code sections, while Google Threat Intelligence (GTI) function calling enables it to query GTI for additional context on URLs, IPs, and domains found within malware samples. These tools are a step toward transforming Gemini into a more adaptive agent for malware analysis, enhancing its ability to interpret obfuscated elements and gather contextual information based on the unique characteristics of each sample.

Building on this foundation, we previously explored critical preparatory steps with Gemini 1.5 Pro, leveraging its expansive 2-million-token input window to process substantial sections of decompiled code in a single pass. To further enhance scalability, we introduced Gemini 1.5 Flash, incorporating automated binary unpacking through Mandiant Backscatter before the decompilation phase to tackle certain obfuscation techniques. Yet, as any seasoned malware analyst knows, the true challenge often begins once the code is exposed. Malware developers frequently employ obfuscation tactics to conceal critical IOCs and underlying logic. Malware may also download additional malicious code, making it challenging to fully understand the behavior of a given sample.

For large language models (LLMs), obfuscation techniques and additional payloads create unique challenges. When dealing with obfuscated strings such as URLs, IPs, domains, or file names, LLMs often “hallucinate” without explicit decoding methods. Additionally, LLMs cannot access, for example, URLs that host additional payloads, often resulting in speculative interpretations about the sample’s behavior.

To help with these challenges, Code Interpreter and GTI function calling tools provide targeted solutions. Code Interpreter enables Gemini to autonomously create and execute custom scripts, as needed, using its own judgment to decode obfuscated elements within a sample, such as strings encoded with XOR-based algorithms. This capability minimizes interpretation errors and enhances Gemini's ability to reveal hidden logic without requiring manual intervention. 

Meanwhile, GTI function calling expands Gemini’s reach by retrieving contextualized information from Google Threat Intelligence on suspicious external resources such as URLs, IPs, or domains, providing verified insights without speculative guesses. Together, these tools equip Gemini to better handle obfuscated or externally hosted data, bringing it closer to the goal of functioning as an autonomous agent for malware analysis.

To illustrate how these enhancements boost Gemini's capabilities, let's look at a practical example. In this case, we’re analyzing a PowerShell script that contains an obfuscated URL that hosts a second-stage payload. This particular sample was previously analyzed with some of the most advanced publicly available LLM models, which incorporate code generation and execution as part of their reasoning process. Despite these capabilities, each model “hallucinated,” generating completely fabricated URLs instead of accurately revealing the correct one.

Obfuscated PowerShell code sample to be analyzed by Gemini

Utilizing Code Interpreter and GTI function calling as part of its reasoning process, Gemini autonomously generated the following report without any human intervention. When deemed necessary, it applies these tools to process and extract additional information from the sample.

Final Report: PowerShell Malware with URL Deobfuscation

This report analyzes a PowerShell script designed to download and execute a file from an obfuscated URL. The script employs a custom obfuscation routine resembling the RC4 stream cipher to conceal the malicious URL.

Functionality:

1. Obfuscation Routine: The script defines a function F that performs byte-level XOR encryption using a key derived from the string "tox2". This function is used to deobfuscate the malicious URL.

2. URL Decryption: The obfuscated URL, stored as a byte array, is decrypted using the F function with "tox2" as the key.

3. File Download: The script downloads a file from the decrypted URL (hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi) and saves it to the system's temporary directory under a randomly generated filename.

4. Execution: Finally, the script executes the downloaded file.

Indicators of Compromise (IOCs):

• URL: hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi

Deobfuscation Code:

def deobfuscate(x, y): s = list(range(256)) j = 0 k = [ord(c) for c in y] for i in range(256): j = (j + s[i] + k[i % len(k)]) % 256 s[i], s[j] = s[j], s[i] i = 0 j = 0 output = [] for m in range(len(x)): i = (i + 1) % 256 j = (j + s[i]) % 256 s[i], s[j] = s[j], s[i] output.append(x[m] ^ s[(s[i] + s[j]) % 256]) return output a = [0x25, 0x7B, 0x5A, 0xD8, 0x9C, 0xFF, 0xC3, 0xA4, 0x95, 0xB7, 0x9D, 0x6E, 0x5F, 0x4D, 0x49, 0xFB, 0x78, 0x32, 0xB8, 0x17, 0x72, 0x01, 0x31, 0xFB, 0xC0, 0x58, 0x45, 0xCB, 0x5C, 0x3C, 0xDD, 0x00, 0x60, 0x87, 0x25, 0xB2, 0x44, 0xA6, 0xC5, 0xEA, 0x71, 0xAA, 0x9D, 0xA1, 0x05, 0x5F, 0xBD, 0x41, 0x28, 0x70, 0x30, 0x6B, 0x96, 0x24, 0x92, 0xA0, 0x9D, 0x92, 0x23, 0x79, 0x69, 0x2C, 0x1B, 0x1E, 0xEB, 0x69, 0x8F, 0x04, 0x10, 0x74, 0xBC] b = "tox2" c = deobfuscate(a, b) decoded_url = "".join(chr(i) for i in c) print(decoded_url)

Google Threat Intelligence (GTI) Lookup:

The GTI lookup provides valuable context regarding the identified IOC:

• Threat Actor: UNC5687, known for using MESHAGENT in phishing campaigns impersonating the Security Service of Ukraine.

• Campaign: This specific URL is linked to a campaign spreading MESHAGENT via phishing emails with malicious links. The campaign involved a captcha page leading to the download of either a malicious MSI or EXE file.

• Malware: The campaign delivers MESHAGENT, an open-source remote access framework, configured to communicate with C2 domains linked to a service called "AnonVNC."

Conclusion:

The analyzed PowerShell script is confirmed to be malicious, associated with a phishing campaign by UNC5687 distributing the MESHAGENT remote access tool.

Gemini identified that the script employs an XOR-based obfuscation algorithm that resembles  RC4 to conceal the download URL. Recognizing this pattern, Gemini autonomously generates and executes a Python deobfuscation script within the Code Interpreter sandbox, successfully revealing the external resource.

With the URL in hand, Gemini then utilizes GTI function calling to query Google Threat Intelligence for further context. This analysis links the URL to UNC5687, a threat cluster known for using a remote access tool in phishing campaigns impersonating the Security Service of Ukraine.

As we’ve seen, the integration of these tools has strengthened Gemini’s ability to function as a malware analyst capable of adapting its approach to address obfuscation and gathering vital context on IOCs. By incorporating the Code Interpreter and GTI function calling, Gemini is better equipped to navigate complex samples by autonomously interpreting hidden elements and contextualizing external references.

While these are significant advancements, many challenges remain, especially given the vast diversity of malware and scenarios that exist in the threat landscape. We’re committed to making steady progress, and future updates will continue to enhance Gemini's capabilities, moving us closer to a more autonomous, adaptive approach in threat intelligence automation.

Malicious actors are exploiting misconfigured JupyterLab and Jupyter Notebooks to conduct stream ripping and enable sports piracy using live streaming capture tools. The attacks involve the hijack of unauthenticated Jupyter Notebooks to establish initial access, and perform a series of actions designed to facilitate illegal live streaming of sports events, Aqua said in a report shared with The