Aggregator

记一次DarkCrystal木马伪装成Solara编辑器进行投毒分析

HackerNews 编译，转载请注明出处： 网络安全研究人员披露，代号ViciousTrap的黑客组织已入侵全球84个国家近5,300台网络边缘设备，将其改造成类蜜罐网络。该组织利用思科小型企业路由器（型号RV016、RV042、RV042G、RV082、RV320、RV325）的关键漏洞CVE-2023-20118实施大规模入侵，其中850台受控设备位于澳门。 安全公司Sekoia在周四发布的分析报告中指出：“感染链涉及执行名为NetGhost的shell脚本，该脚本将被入侵路由器特定端口的流量重定向至攻击者控制的类蜜罐设施，从而实现网络流量劫持。” 此前，法国网络安全公司曾将该漏洞利用归因于另一个名为PolarEdge的僵尸网络。 尽管尚无证据表明这两项活动存在关联，但研究人员认为ViciousTrap背后的组织正通过入侵大量暴露于互联网的设备构建蜜罐基础设施，涉及品牌包括Araknis、华硕、D-Link、领势、威联通等50余个厂商的SOHO路由器、SSL VPN、数字录像机及基板管理控制器。 分析报告补充称：“这种架构使攻击者能观察多环境渗透尝试，可能收集未公开或零日漏洞利用方案，并劫持其他威胁组织的入侵成果。” 攻击链首先通过漏洞利用下载bash脚本，该脚本从外部服务器获取wget工具后再次触发漏洞，执行第二阶段的NetGhost脚本。 NetGhost脚本配置了流量重定向功能，将被控系统流量导向攻击者控制的第三方设施，实施中间人攻击，同时具备自删除能力以减少取证痕迹。Sekoia表示所有攻击尝试均源自单一IP地址（101.99.91[.]151），最早活动可追溯至2025年3月。次月监测到该组织将PolarEdge僵尸网络曾使用的未公开WebShell工具改作己用。 安全研究人员费利克斯·艾梅与杰里米·希恩指出：“该行为与攻击者使用NetGhost的策略相符，流量重定向机制使其成为静默观察者，可收集渗透尝试及传输中的WebShell访问痕迹。” 本月最新攻击活动转向华硕路由器，使用另一IP地址（101.99.91[.]239），但未在受控设备部署蜜罐。所有活跃IP均位于马来西亚，归属托管服务商Shinjiru运营的自治系统AS45839。 基于与GobRAT基础设施的微弱关联，以及流量重定向至中国台湾地区和美国多地资产的事实，研究人员判断该组织可能具备中文背景。Sekoia总结称：“尽管高度确信ViciousTrap构建的是类蜜罐网络，但其最终目标仍未明确。”       消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文  

Инженеры нашли способ создавать 3D-структуры без сложных вычислений.

A vulnerability classified as critical was found in TopicsViewer 3.0. This vulnerability affects unknown code of the file edit_block.php. The manipulation of the argument ID leads to sql injection. This vulnerability was named CVE-2014-10023. The attack can be initiated remotely. Furthermore, there is an exploit available.

HackerNews 编译，转载请注明出处： 网络安全研究人员披露了一场恶意软件活动，该活动通过伪装为LetsVPN、QQ浏览器等流行工具的虚假软件安装程序，最终投递Winos 4.0框架。这项由Rapid7在2025年2月首次监测到的攻击行动，使用了名为Catena的多阶段驻内存加载器。 “Catena通过嵌入shellcode和配置切换逻辑，将Winos 4.0等有效载荷完全驻留内存，规避了传统杀毒软件的检测，”安全研究人员安娜·希罗科娃与伊万·费格尔表示，“植入后，它会静默连接攻击者控制的服务器——多数位于香港——接收后续指令或额外恶意程序。”这类攻击与历史上部署Winos 4.0的案例相似，似乎专门针对中文环境，网络安全公司指出幕后存在具备高度能力的威胁组织进行“缜密的长期规划”。 趋势科技于2024年6月首次公开记录到Winos 4.0（又名ValleyRAT），当时该恶意程序通过VPN应用的恶意Windows安装包（MSI文件）针对中文用户发起攻击。相关活动被归因于追踪代号为Void Arachne的威胁集团，该组织也被称为Silver Fox。 后续传播该恶意软件的行动转而使用游戏相关应用作为诱饵，包括安装工具、加速器和优化程序等，诱骗用户安装。2025年2月披露的另一次攻击浪潮通过伪装台湾地区税务机构的钓鱼邮件针对当地实体。 基于知名远程木马Gh0st RAT的代码基础，Winos 4.0是采用C++编写的先进恶意框架，利用插件化系统实现数据窃取、远程Shell访问及发动分布式拒绝服务（DDoS）攻击。 2025年2月发现的基于QQ浏览器的感染流程显示，所有相关攻击载体均依赖NSIS安装程序。这些安装包捆绑了经过签名的诱饵应用，将shellcode嵌入.ini文件，并通过反射式DLL注入技术实现隐蔽驻留。整个感染链被命名为Catena。 研究人员指出：“该活动在2025年全年持续活跃，感染链保持稳定但存在战术调整，显示出攻击者具备强大适应能力。”攻击起点是伪装成腾讯开发的QQ浏览器安装包的恶意NSIS程序，通过Catena框架投递Winos 4.0。恶意程序通过TCP 18856端口和HTTPS 443端口与硬编码的C2基础设施通信。 在2025年4月发现的LetsVPN安装包攻击案例中，恶意程序通过创建计划任务实现持久化，这些任务在初始入侵数周后执行。虽然该恶意软件包含检测系统中文语言设置的显性校验，但即使未发现中文环境仍会继续执行。 这一现象表明该功能尚未完善，预计会在后续版本中改进。Rapid7透露，2025年4月监测到攻击者进行了“战术调整”，不仅修改了Catena执行链的某些组件，还新增了反杀毒检测规避功能。 新版攻击流程中，NSIS安装程序伪装成LetsVPN安装文件，运行PowerShell命令为所有驱动器（C:\至Z:\）添加Microsoft Defender排除项。随后释放的恶意载荷包含一个可执行文件，该文件会对运行进程进行快照扫描，检查是否存在奇虎360开发的杀毒软件相关进程。 该二进制文件使用威瑞信颁发的过期证书进行签名，证书显示归属方为腾讯科技（深圳），有效期从2018年10月11日至2020年2月2日。其主要功能是反射式加载DLL文件，该DLL会连接C2服务器（134.122.204[.]11:18852或103.46.185[.]44:443）以下载执行Winos 4.0。 研究人员总结称：“该行动展现出高度组织化的区域性恶意软件攻击模式，通过特制NSIS安装程序静默植入Winos 4.0。攻击者大量使用内存驻留载荷、反射式DLL加载及合法证书签名的诱饵软件规避告警，基础设施重叠和语言定向特征暗示其与Silver Fox APT存在关联，活动目标可能持续锁定中文语系环境。”       消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability, which was classified as critical, has been found in Inedo ProGet up to 2024.22. Affected by this issue is some unknown functionality of the component C# Reflection Layer. The manipulation leads to authentication bypass using alternate channel. This vulnerability is handled as CVE-2025-47244. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in browser-use Browser Use up to 0.1.44 and classified as problematic. This vulnerability affects unknown code of the component URL Parser. The manipulation leads to use of non-canonical url paths for authorization decisions. This vulnerability was named CVE-2025-47241. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this vulnerability is an unknown functionality of the file add-admin.php. The manipulation of the argument Fullname leads to cross site scripting. This vulnerability is known as CVE-2025-45751. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in SeaCMS 13.3. It has been classified as critical. Affected is an unknown function of the file admin_topic.php. The manipulation leads to sql injection. This vulnerability is traded as CVE-2025-44074. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in WinZip up to 29.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Archived Files Handler. The manipulation leads to inclusion of web functionality from an untrusted source. This vulnerability is handled as CVE-2025-33028. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in Grokability Snipe-IT up to 8.0.x and classified as problematic. This vulnerability affects unknown code of the component Asset Handler. The manipulation leads to direct request. This vulnerability was named CVE-2025-47226. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in BlueWave Checkmate up to 2.0.2. This affects an unknown part of the component Invite Request Handler. The manipulation leads to external control of assumed-immutable web parameter. This vulnerability is uniquely identified as CVE-2025-47245. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability has been found in TOTOLINK CA300-PoE 6.2c.884 and classified as critical. Affected by this vulnerability is the function CloudSrvUserdataVersionCheck of the component URL Parameter Handler. The manipulation leads to command injection. This vulnerability is known as CVE-2025-44861. The attack can be launched remotely. There is no exploit available.

A vulnerability was suspected in Tenna Mesh Device 1.1.12. This issue appears to be a false-positive. Please verify the sources mentioned and consider not using this entry at all.

A vulnerability has been found in goTenna 0.25.5 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improper validation of integrity check value. This vulnerability was named CVE-2025-32882. Access to the local network is required for this attack to succeed. There is no exploit available.

A vulnerability was found in goTenna 0.25.5. It has been classified as problematic. Affected is an unknown function of the component Phone Number Handler. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2025-32881. The attack can only be done within the local network. There is no exploit available.

A vulnerability has been found in Intrexx Portal Server up to 12.0.3 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2025-47201. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in By Averta Shortcodes and Extra Features for Phlox Theme up to 2.17.2 on WordPress. It has been classified as problematic. Affected is an unknown function. The manipulation leads to missing authorization. This vulnerability is traded as CVE-2024-50500. It is possible to launch the attack remotely. There is no exploit available.