Security Alert: CVE-2024-4577 - PHP CGI Argument Injection Vulnerability
During DEVCORE’s continuous offensive research, our team discovered a remote code execution vulnerability in PHP. Due to the widespread use of the programming language in the web ecosystem and the ease of exploitability, DEVCORE classified its severity as critical, and promptly reported it to the PHP official team. The official team released a patch on 2024/06/06. Please refer to the timeline for disclosure details.
Description
While implementing PHP, the team did not account for the Best-Fit behaviour of character-encoding conversion in the Windows operating system. This oversight allows unauthenticated attackers to bypass the protection added for CVE-2012-1823 using specific character sequences, so that arbitrary code can be executed on remote PHP servers through argument injection.
Impact
This vulnerability affects all versions of PHP installed on the Windows operating system. Please refer to the table below for details:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
Since the PHP 8.0, PHP 7, and PHP 5 branches are End-of-Life and no longer maintained, administrators of those versions can refer to the Am I Vulnerable section to assess their exposure and to the Mitigation Measure section for temporary patch recommendations.
Am I Vulnerable?
For the usual combination of Apache HTTP Server and PHP, server administrators can use the two methods listed in this article to determine whether their servers are vulnerable. Note that Scenario 2 is also the default configuration of XAMPP for Windows, so all versions of XAMPP installed on Windows are vulnerable by default.
As of this writing, it has been verified that when Windows is running in the following locales, an unauthorized attacker can directly execute arbitrary code on the remote server:
- Traditional Chinese (Code Page 950)
- Simplified Chinese (Code Page 936)
- Japanese (Code Page 932)
For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios. Therefore, it is recommended that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.
Scenario 1: Running PHP under CGI mode
When the Action directive in Apache HTTP Server is configured to map HTTP requests to a PHP-CGI executable, this vulnerability can be exploited directly. Common affected configurations include, but are not limited to:
```apache
AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"
```
Or
```apache
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
```
Scenario 2: Exposing the PHP binary (also the default XAMPP configuration)
Even if PHP is not configured in CGI mode, merely exposing the PHP executable in the CGI directory is affected by this vulnerability, too. Common scenarios include, but are not limited to:
- Copying php.exe or php-cgi.exe to the /cgi-bin/ directory.
- Exposing the PHP directory via ScriptAlias directive, such as: ScriptAlias /php-cgi/ "C:/xampp/php/"
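The following Python script is an added example, not DEVCORE's or the PHP project's code. It audits an httpd.conf fragment for the Scenario 1 and Scenario 2 patterns listed above (Action or AddHandler routing requests to php-cgi.exe, and ScriptAlias exposing a PHP directory), lists PHP binaries copied into a CGI directory, and reports whether the temporary `^%ad` RewriteCond from the Mitigation section is present. The sample configuration, the constructed cgi-bin directory, the regular expressions and all function names are assumptions made for this illustration; the ScriptAlias check is a heuristic (a target ending in a `php` directory or naming php.exe/php-cgi.exe) and flagged lines should be reviewed by hand.

```python
"""Audit an Apache httpd configuration for the CVE-2024-4577 exposure patterns
listed in this advisory (Scenario 1 and Scenario 2) and report whether the
temporary RewriteCond mitigation is present.

Added illustration, not DEVCORE's or the PHP project's code.  The sample
configuration, the regular expressions and all function names are constructed
for this example.
"""
import os
import re
import tempfile

# Constructed httpd.conf fragment combining both scenarios from the advisory
# plus the recommended temporary rewrite rule (not copied from a real server).
SAMPLE_CONFIG = r'''
AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"

ScriptAlias /cgi-bin/ "C:/xampp/cgi-bin/"
ScriptAlias /php-cgi/ "C:/xampp/php/"
# ScriptAlias /php-old/ "C:/xampp/php/"

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
'''

# php.exe or php-cgi.exe, case-insensitive (Windows file names are case-insensitive)
PHP_BINARY_RE = re.compile(r'php(?:-cgi)?\.exe\b', re.I)
# A directory named "php" at the end of a ScriptAlias target (e.g. C:/xampp/php/)
PHP_DIR_RE = re.compile(r'[\\/]php[\\/]?$', re.I)
# The temporary rule from the Mitigation section, matched verbatim
MITIGATION_RE = re.compile(r'^RewriteCond\s+%\{QUERY_STRING\}\s+\^%ad\s+\[NC\]\s*$', re.I)


def audit_config(text):
    """Return (findings, mitigated).

    findings: list of dicts {line, scenario, directive} for each directive that
    matches Scenario 1 (requests routed to php-cgi.exe) or Scenario 2 (a PHP
    directory exposed via ScriptAlias).  Commented-out lines are ignored.
    mitigated: True when the ^%ad RewriteCond is present.
    """
    findings = []
    mitigated = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)
        directive = parts[0].lower()
        if directive == 'action' and PHP_BINARY_RE.search(line):
            # Scenario 1: Action maps a handler to php-cgi.exe / php.exe
            findings.append({'line': lineno, 'scenario': 1, 'directive': line})
        elif (directive == 'addhandler' and len(parts) == 3
              and parts[1].lower() == 'cgi-script' and '.php' in parts[2].lower()):
            # Scenario 1: .php files handed to the cgi-script handler
            findings.append({'line': lineno, 'scenario': 1, 'directive': line})
        elif directive == 'scriptalias' and len(parts) == 3:
            target = parts[2].strip().strip('"')
            if PHP_DIR_RE.search(target) or PHP_BINARY_RE.search(target):
                # Scenario 2: the PHP install directory is served as a CGI directory
                findings.append({'line': lineno, 'scenario': 2, 'directive': line})
        elif MITIGATION_RE.match(line):
            mitigated = True
    return findings, mitigated


def exposed_php_binaries(cgi_dir):
    """Scenario 2, first bullet: PHP binaries copied into a CGI directory.
    The configuration cannot show this, so the directory itself is listed."""
    try:
        names = os.listdir(cgi_dir)
    except OSError:
        return []
    return sorted(n for n in names if PHP_BINARY_RE.fullmatch(n))


def demo_exposed_binaries():
    """Build a constructed cgi-bin in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as cgi_dir:
        for name in ('php-cgi.exe', 'printenv.pl'):
            open(os.path.join(cgi_dir, name), 'wb').close()
        return exposed_php_binaries(cgi_dir)


if __name__ == '__main__':
    findings, mitigated = audit_config(SAMPLE_CONFIG)
    for f in findings:
        print(f"line {f['line']}: Scenario {f['scenario']}: {f['directive']}")
    print("temporary ^%ad RewriteCond present:", mitigated)
    print("PHP binaries in constructed cgi-bin:", demo_exposed_binaries())
```

A `mitigated` result of True only means the rewrite rule is configured; as the advisory states, that rule is a stop-gap for the Traditional Chinese, Simplified Chinese and Japanese locales, so any Scenario 1 or 2 finding still calls for upgrading PHP or removing the CGI exposure.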
It is strongly recommended that all users upgrade to the latest PHP versions, 8.3.8, 8.2.20, and 8.1.29. For systems that cannot be upgraded, the following instructions can be used to temporarily mitigate the vulnerability.
However, since PHP CGI is an outdated and problematic architecture, it’s still recommended to evaluate the possibility of migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM.
1. For users who cannot upgrade PHP:
The following Rewrite Rules can be used to block attacks. Please note that these rules are only a temporary mitigation for the Traditional Chinese, Simplified Chinese, and Japanese locales. It is still recommended to update to a patched version or migrate the architecture.
```apache
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
```
2. For users who use XAMPP for Windows:
XAMPP had not yet released corresponding update files for this vulnerability at the time of writing. If you confirm that you do not need the PHP CGI feature, you can avoid exposure to the vulnerability by modifying the following Apache HTTP Server configuration file:
C:/xampp/apache/conf/extra/httpd-xampp.conf
Locating the corresponding lines:
```apache
ScriptAlias /php-cgi/ "C:/xampp/php/"
```
And comment it out:
```apache
# ScriptAlias /php-cgi/ "C:/xampp/php/"
```
Timeline
- 2024/05/07 - DEVCORE reported this issue through the official PHP vulnerability disclosure page.
- 2024/05/07 - PHP developers confirmed the vulnerability and emphasized the need for a prompt fix.
- 2024/05/16 - PHP developers released the first version of the fix and asked for feedback.
- 2024/05/18 - PHP developers released the second version of the fix and asked for feedback.
- 2024/05/20 - PHP entered the preparation phase for the new version release.
- 2024/06/06 - PHP released new versions 8.3.8, 8.2.20, and 8.1.29.
Security Advisory: PHP Remote Code Execution (CVE-2024-4577) - PHP CGI Argument Injection Vulnerability
During DEVCORE's ongoing offensive research, the research team discovered a remote code execution vulnerability in the PHP programming language. Given how widely PHP is used across the web ecosystem and how easily this vulnerability can be reproduced, the team rated it as critical and reported it to the PHP official team immediately. The official team released a fixed version on 2024/06/06; see the vulnerability disclosure timeline for the detailed schedule.
Vulnerability Description
The PHP language was designed without accounting for the Best-Fit behaviour of character-encoding conversion inside the Windows operating system. As a result, an unauthenticated attacker can use specific character sequences to bypass the protection put in place for CVE-2012-1823 and execute arbitrary code on a remote PHP server through argument injection and similar attacks.
Affected Scope
This vulnerability affects all PHP versions installed on the Windows operating system; see the table below for details:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
Since the PHP 8.0 branch, PHP 7, and PHP 5 are no longer officially maintained, site administrators can refer to the How do I confirm I am vulnerable? section and find temporary mitigations under Remediation Recommendations.
How do I confirm I am vulnerable?
For the common combination of Apache HTTP Server plus PHP, site administrators can use the two methods listed in this article to confirm whether their servers are exposed. Scenario 2 is also the default configuration of a XAMPP for Windows installation, so all versions of XAMPP for Windows are affected by default.
At the time of writing, it has been verified that when Windows is running in the following locales, an unauthorized attacker can directly execute arbitrary code on the remote server:
- Traditional Chinese (Code Page 950)
- Simplified Chinese (Code Page 936)
- Japanese (Code Page 932)
For Windows systems running in other locales such as English, Korean, and Western European languages, the range of PHP usage scenarios is so broad that it is not yet possible to fully enumerate and rule out every exploitation scenario. Users are therefore advised to inventory their assets, confirm their usage scenarios, and update PHP to the latest version to be safe.
Scenario 1: Running PHP in CGI mode
When the Action directive in the Apache httpd configuration hands the corresponding HTTP requests to the PHP-CGI executable, the server is affected by this vulnerability. Common configurations include, but are not limited to:
```apache
AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"
```
Or
```apache
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
```
Scenario 2: Exposing the PHP executable (the default XAMPP installation setting)
Even if PHP is not configured to run in CGI mode, merely exposing the PHP executable in a CGI directory is also affected by this vulnerability. Common situations include, but are not limited to:
- Copying php.exe or php-cgi.exe into the /cgi-bin/ directory
- Exposing the PHP installation directory through ScriptAlias, for example: ScriptAlias /php-cgi/ "C:/xampp/php/"
All users are strongly advised to upgrade to the latest official PHP versions 8.3.8, 8.2.20, and 8.1.29. Systems that cannot be upgraded can temporarily mitigate the vulnerability as follows.
In addition, since PHP CGI is an outdated and error-prone architecture, it is also advisable to evaluate migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM.
1. For users who cannot update PHP
The following Rewrite rules can be used to block attacks. Note that these rules serve only as a temporary mitigation for the Traditional Chinese, Simplified Chinese, and Japanese locales; in practice, updating to a fixed version or changing the architecture is still recommended.
```apache
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
```
2. For XAMPP for Windows users
At the time of writing, XAMPP has not yet released an updated installer for this vulnerability. If you confirm that your XAMPP installation does not use the PHP CGI feature, you can avoid exposure by modifying the following Apache httpd configuration file:
C:/xampp/apache/conf/extra/httpd-xampp.conf
Locate the corresponding line:
```apache
ScriptAlias /php-cgi/ "C:/xampp/php/"
```
and comment it out:
```apache
# ScriptAlias /php-cgi/ "C:/xampp/php/"
```
Vulnerability Disclosure Timeline
Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics
Written by: Michelle Cantos, Jamie Collier
Executive Summary
- Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations.
- Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event.
- Mandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics, while Chinese, Iranian, and North Korean state-sponsored actors pose a moderate to low risk.
- To reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their threat profiles, conduct security awareness training, and consider travel-related cyber risks.
- The security community is better prepared for the cyber threats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events. While some entities may face unfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar. While the technical disruption caused by hacktivism and information operations is often temporary, these operations can have an outsized impact during high-profile events with a global audience.
The 2024 Summer Olympics taking place in Paris, France between July and August creates opportunities for a range of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event, understanding relevant threats is key to developing a resilient security posture. Defenders should prepare against a variety of threats that will likely be interested in targeting the Games for different reasons:
- Cyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to the volume of government officials and senior decision makers attending.
- Disruptive and destructive operations could potentially target the Games to cause negative psychological effects and reputational damage. This type of activity could take the form of website defacements, distributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology (OT) targeting. As a high profile, large-scale sporting event with a global audience, the Olympics represents an ideal stage for such operations given that the impact of any disruption would be significantly magnified.
- Information operations will likely leverage interest in the Olympics to spread narratives and disinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive attacks to amplify the spread of particular narratives in hybrid operations.
- Financially-motivated actors are likely to target the Olympics in various ways, including ticket scams, theft of PII, and extortion against entities during a period of heightened pressure. Capitalizing on interest in the Games, threat actors are likely to use Olympics-related lures in social engineering operations that do not necessarily target the Games themselves.
Figure 1: Potential threats to the 2024 Summer Olympics
Olympics-related cyber operations could impact a variety of entities. For some organizations involved in the Games such as sponsors, this could expose them to state-sponsored actors and destructive campaigns that are not typically active in their sectors. Other threats, such as cybercrime and extortion operations, will be more familiar, yet will likely become more prolific and persistent against entities involved in the Games.
Figure 2: Potential targets of Olympic-related operations
State Sponsored Threat Activity
State-sponsored threats pose the most significant, high severity threat to the Summer 2024 Olympics. Mandiant assesses with high confidence that Russia poses the most severe threat to the Olympics given its repeated targeting of previous Olympic games, its tense relationship with Europe, and recent pro-Russia information operations having already targeted France. Other state-sponsored actors, such as those from China, Iran, and North Korea also pose a risk, albeit to a lesser extent.
Russia
Russian state-sponsored cyber threat activity poses the greatest risk to the Olympics. In addition to intelligence collection activities, Russian operators have demonstrated the capability and willingness to conduct destructive campaigns targeting past Olympics events and hybrid operations in which intrusions support influence campaigns. Mandiant has observed Russian espionage actors conduct cyber threat activity against previous iterations of the Olympic games, disrupting the event itself and undermining the safety and security of organizations related to the Olympics. France may face an elevated risk of Russian cyber threat activity given the country’s financial and military support for Ukraine after Russia’s invasion in February 2022.
While Russian athletes can compete in the Olympics this year, they will not represent their home country, are unable to participate in the opening ceremony, and must compete as neutral athletes. Russia’s perceived grievances at its athletes being once again banned from competing under the Russian flag elevate the threat from Russian cyber attacks compared to other states.
Based on a well-documented history of targeting past Games, Mandiant assesses with high confidence that out of the Russian threat actors we track, APT44 is most likely to target the upcoming games, and the most likely to conduct impactful disruptive, destructive, or hybrid operations in addition to intelligence collection.
Figure 3: Significant Russian Operations Targeting Past Olympic Games
APT44 Android Malware Campaign Targeting Users in South Korea Before 2018 Winter Games in PyeongChang
Beginning in late 2017, APT44 (alias FROZENBARENTS) targeted organizations involved in Olympic activities in South Korea. The activity included credential phishing and distribution of Windows, macOS, and Android malware. In the Android campaign, APT44 obtained legitimate copies of Android applications popular in South Korea, modified them to add a custom mobile implant, and then published the trojanized apps to the Play Store. The implant, CHEMISTGAMES, was a modular framework designed for gathering data at scale, and included significant automation, abstraction, and specialization for mobile devices. The modular structure of CHEMISTGAMES ensured that the attackers could hide sensitive payloads and reserve them for specific targeted devices.
Figure 4: Prior to the Olympics, APT44 modified Android apps popular in South Korea, including a bus timetable app and an app for checking apartment rental prices
Google’s Threat Analysis Group (TAG) discovered the Android campaign, developed signatures to protect user devices and block the malware on Play, and banned attacker-controlled developer accounts. Those detections protected users in other APT44 campaigns that attempted to infect users with CHEMISTGAMES, including an attempt to target Ukrainians with a fake webmail app, and domestically-focused campaigns targeting Russian businesses.
Mandiant suggests that UNC4057 (aka COLDRIVER) also poses a risk, despite no previously observed targeting of the Games. The group has conducted both cyber espionage and information operations activity in support of Russia, collecting personally identifiable information (PII) via credential harvesting operations that may support the nation’s strategic intelligence priorities, and performing hack-and-leak campaigns to sow discontent in the UK in 2022. This activity cluster may target French organizations affiliated with the Games and high profile individuals from NATO member countries who may be in attendance.
China
Mandiant Intelligence assesses with moderate confidence that People's Republic of China (PRC) sponsored threats pose a moderate risk to the 2024 Paris Olympics. We suggest that APT31, APT15, UNC4713, and TEMP.Hex are most likely to target organizations and individuals related to the event given previous targeting of governments as well as civil society and non-profits in Europe. High profile government officials and senior decision makers attending the event will likely be an attractive target for PRC state sponsored threat actors seeking PII, credentials, or other sensitive information to support their national interests. This creates a heightened risk of spearphishing, credential harvesting, and intelligence collection operations.
While PRC espionage operators have demonstrated a capability and willingness to target operational technology systems, it is unlikely they will leverage destructive or disruptive campaigns targeting the Summer Olympics.
Iran
Mandiant Intelligence assesses with moderate confidence that Iranian state sponsored threats, primarily APT42, represent a moderate to low threat to the 2024 Summer Olympics. We have observed APT42 compromise civil society and non-profit organizations and government entities throughout Europe. Iranian threat actors may leverage the Games, either using the Olympics as lure material or targeting attendees themselves, to support campaigns against these industry verticals. Notably the ongoing conflict in Gaza may impact the frequency and tempo of Iranian intelligence-gathering and information operations activity in the short- to mid-term, with Iranian actors increasing their operations in Israel.
North Korea
Mandiant Intelligence assesses with moderate confidence that North Korean threat actors pose a low threat to the 2024 Summer Olympics. APT43 might leverage information surrounding the Games as lure material for financially motivated operations or potentially as material for social engineering campaigns to build rapport with targets.
Information Operations & Hacktivism
The high profile nature of the Olympics makes the event a popular target for hacktivism and information operations that could capitalize on interest in the Games to conduct high profile operations. Although hacktivists may have limited resources and capabilities, a well-timed disruption could achieve their goals.
Whilst Pro-Russia information operations could be the most prominent ones using Olympics-themed content, campaigns promoting the interests of PRC and Belarus may also use interest in the event to promote various narratives. Hacktivist and information operations actors share many tactics, techniques and procedures, and these groups could also create new personas specifically for their activity related to the Olympics.
Russia
Mandiant Intelligence assesses with high confidence that pro-Russian information operations will pose a frequent, moderate severity threat to the Summer 2024 Olympic Games. We have observed information operations promoting pro-Russia, anti-Ukraine, and anti-Western narratives leveraging the Olympics due to the popularity of the Games. Additionally, political retribution for France’s pro-Ukraine stance and Russia’s ban from competing at the Games under its flag may drive information operations activity promoting Russian interests.
- In February 2024 the French Foreign Ministry accused Russia of conducting widespread disinformation campaigns to disrupt the upcoming general election and the Olympics in retaliation for France’s support of Ukraine after Russia’s invasion in February 2022.
- In April 2024 at the opening of an Olympic swimming venue, French President Emmanuel Macron accused Russia of conducting an online disinformation campaign undermining the safety and security of the upcoming games. Mandiant Intelligence has independently observed pro-Russia activity from campaigns that we track, which appears to be consistent with these claims.
Several pro-Russia hacktivist groups have targeted entities throughout Europe and pose a viable threat to the Summer Olympics, including: Anonymous Sudan, Cyber Army of Russia Reborn, NoName057(16), UserSec, and Server Killers. We judge the threat from pro-Russia hacktivists to be particularly elevated because a number of these groups have publicized destructive attacks or data leaks from Russian state sponsored intrusion activity. Several groups have also demonstrated the ability to disrupt high profile targets with DDoS attacks.
Case Study: Doppelganger
Mandiant Intelligence has observed a network of inauthentic domains and social media accounts across multiple platforms, which we attributed to the pro-Russian information operations campaign publicly referred to as "Doppelganger". These domains have promoted political content in English, German, French, and Italian and circulated narratives aligned with Russian strategic interests, including those related to the Russian invasion of Ukraine.
- Mandiant has observed some narratives targeting the upcoming 2024 Paris Olympics promoted by Doppelganger domains. This has included articles promoting narratives that generally implied that France was not prepared as a host, as well as those that appeared intended to frame the French Government as inadequately prepared for the security risks potentially surrounding the games—particularly those related to Islamic extremism (Figure 3).
- In March 2024 the U.S. Department of Treasury announced sanctions against two individuals and two organizations associated with a Russian information operations campaign which posed as European government entities and media outlets to distribute inauthentic, pro-Russian narratives to European audiences. This activity aligns with the coordinated inauthentic networks of threat activity used by the Doppelganger campaign.
Figure 5: Example of an Olympics-related article published by a Doppelganger affiliated domain
China
PRC information operations will likely leverage Olympic-themed narratives to promote pro-PRC and anti-Western ideologies. Additionally, we anticipate pro-PRC information operations campaigns will likely use the doping scandal surrounding the PRC’s swim team as part of their operations to highlight anti-PRC or pro-Western biases.
There is precedent for pro-PRC campaigns commenting on past Olympics.
- Rolling Stone highlighted a PRC-linked operation that masqueraded as a European news outlet "New Europe Observation" to foment discord in European populations using controversial topics such as immigration and the boycott of the Beijing Olympics in 2022. This operation attempted to hire "astroturf" protesters to participate in offline demonstrations and engaged native speakers of English, Russian, and other languages.
- In late 2021 and early 2022, Mandiant Intelligence identified social media accounts that we judge to be part of a pro-PRC information operations campaign dubbed “DRAGONBRIDGE” critiquing the U.S. decision to boycott the 2022 Winter Olympics in Beijing.
- ProPublica highlighted how pro-PRC information operations leveraged bots to promote false narratives surrounding Beijing’s 2022 Olympic Winter Games.
Mandiant identified UNC1151 and Ghostwriter activity in December 2021 promoting the narrative that Lithuania would boycott the 2022 Beijing Winter Olympics. Lithuania remains a frequent target for Ghostwriter operations and this likely was an opportunity to cause internal unrest leveraging a topical event.
Financially-Motivated Threat Activity
Mandiant Intelligence assesses with moderate confidence that financially motivated actors pose a moderate severity threat to the 2024 Summer Olympics. The volume of financial transactions conducted at the Games will likely be an attractive target for malicious actors seeking profit with minimal effort. Cybercrime will likely be opportunistic in nature, with the main risks including:
- Ransomware and extortion operations have a tendency to target organizations during high-pressure moments, including the hosting of major events. Listings from data leak sites over the last year indicate that France is the fifth most impacted country by ransomware and data theft extortion activity. We observed listings for French organizations posted most frequently on sites for LOCKBIT, 8BASE (aka PHOBOS), NOESCAPE, MEDUSA, and ALPHV. It is also possible that cybercriminal groups that have not been historically active in France will increase their targeting of Olympic-related entities in the run-up to and during the Games.
- Ticket scams often capitalize on interest in major sporting events to sell counterfeit tickets via fake ticket websites. The popularity of the games, growing demand for tickets, and the large amount of financial transactions occurring on third-party ticket platforms could make these systems an attractive target for cybercriminals.
- Lure material is often tied to topics of interest within the general public, and we anticipate that threat actors will likely use the upcoming Olympics as lure material for the initial compromise stages of their campaigns. Lures can convince unsuspecting users to engage with malicious material resulting in the distribution of malware.
Organizations should strongly consider taking proactive measures to reduce the risk of cyber threats associated with the Paris Olympics.
- Organizations involved in the Games should update their threat profile to account for potentially new threats to which they will be exposed. Intelligence on relevant threat actors can be used to inform detection efforts, insert proactive security controls, conduct threat hunting within a network, and inform cyber risk assessments linked to the Games. It may be helpful to review the following guides for countering DDoS and destructive attacks:
- Organizations that face an elevated threat from ransomware and extortion operations are encouraged to read Mandiant Intelligence’s Ransomware Protection and Containment Strategies guide. This provides practical guidance for hardening and protecting infrastructure, identities, and endpoints.
- Security awareness training should highlight the risks of Olympics-related social engineering lures in the run-up to and during the Games.
- Organizations and individuals traveling to the Games should consider travel-related cyber risks, such as the elevated risk of public Wi-Fi tampering, scams involving Olympics-related events, and the targeting of VIPs (i.e. government officials, senior decision makers, and business executives).
- Organizations that face an elevated threat of information operations in relation to the Olympics should consider potential brand damage risks and comms mitigation strategies. It may be helpful to review Mandiant’s blog post, How to Understand and Action Mandiant's Intelligence on Information Operations.
Figure 6: Mitigations for travel and close access threats
Outlook
Despite the variety of Olympics-related cyber threats, the security community is better prepared when compared to previous iterations of the Games. Having observed actors such as APT44 target previous Olympics, we have better insights into the ways the Games could be targeted. This gives defenders an opportunity to build a proactive and tailored security posture.